Wednesday, September 18, 2013

FIREWALL Implementation with DMZ and two inside ZONES

CISCO ASA Firewall DMZ/2_inside ZONES configuration


With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.

I have a lab with a small scenario using the ASA Firewall, which I will demonstrate here. In this scenario I will introduce a security firewall with four security zones and the config scripts for it. Two internal zones will be implemented on one physical interface, using VLAN subinterfaces connected to the switch. The routers inside those zones have IP routing disabled, so they act as hosts. The DMZ zone will host a web server, again a router with IP routing disabled that simulates a web server. We will focus only on the ASA configuration. There will be some restrictions for the inside zones: one zone will be denied some traffic, while the other will have full access to all outside traffic.
Now, let us take a look at the diagram of this small scenario.

First we define the interfaces, then the NAT/PAT configuration on the ASA firewall.

interface GigabitEthernet0/0 
description CONNECTION TO OUTSIDE INTERNET 
speed 100 
duplex full 
nameif outside 
security-level 0 
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1 >> this interface will be used to subinterfaces for VLANs 10,20
no nameif 
no security-level 
no ip address 
interface GigabitEthernet0/1.10 
description CONNECTION TO INSIDE 1 
vlan 10 
nameif inside1 
security-level 80 
ip address 192.168.1.1 255.255.255.0 
interface GigabitEthernet0/1.20 
description CONNECTION TO INSIDE 2 
vlan 20 
nameif inside2 
security-level 90 
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2 
description CONNECTION TO DMZ 
nameif DMZ 
security-level 50 
ip address 10.0.0.1 255.255.255.0

Let us now define an object group for the ports of interest.

object-group service WEB-PORTS tcp 
 port-object eq 80 
 port-object eq 443

Now we define the traffic to be NAT-ed and filtered, using access lists.

access-list OUTSIDE_IN extended permit tcp any host 100.1.1.2 object-group WEB-PORTS  << Internet->webserver.

access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq http  << Zone1 access to web and email
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https 
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp 
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3 
access-list INSIDE1_IN extended permit udp 192.168.1.0 255.255.255.0 any eq dns

access-list INSIDE2_IN extended permit ip 192.168.2.0 255.255.255.0 any   << allow all access ZONE2

With the traffic defined, we can configure the Port Address Translation.

global (outside) 1 interface 
global (DMZ) 1 interface 
nat (inside1) 1 192.168.1.0 255.255.255.0 
nat (inside2) 1 192.168.2.0 255.255.255.0

Since outside access to the DMZ servers is required, we create static NAT entries for them.

static (DMZ,outside) 100.1.1.2 10.0.0.2 netmask 255.255.255.255

The next step is to apply the access lists to the appropriate interfaces of the firewall.

access-group OUTSIDE_IN in interface outside 
access-group INSIDE1_IN in interface inside1 
access-group INSIDE2_IN in interface inside2
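The ASA itself is not needed to reason about the policy just applied. The following Python check is an added example, not part of the original post: it parses the object-group and access-lists above in the pre-8.3 syntax the post uses and evaluates flows against them with the ASA's first-match, implicit-deny semantics. The config text is copied from the post into a constant; the host addresses used in calls are constructed. Note that OUTSIDE_IN matches the mapped address 100.1.1.2, as pre-8.3 ACLs must.

```python
import ipaddress
# Constructed for this example: the object-group and ACLs from the post, in pre-8.3 ASA syntax.
ASA_CONFIG = """
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any host 100.1.1.2 object-group WEB-PORTS
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list INSIDE1_IN extended permit udp 192.168.1.0 255.255.255.0 any eq dns
access-list INSIDE2_IN extended permit ip 192.168.2.0 255.255.255.0 any
"""
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "pop3": 110, "dns": 53}  # ASA service keywords used above

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok, i):
    # One ASA address spec at tok[i]: "any" | "host A" | "A MASK"; returns (network, next index).
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_config(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, ports_or_None), ...]} in config order."""
    groups, acls, current = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "object-group":        # object-group service NAME tcp
            current = groups.setdefault(tok[2], set())
        elif tok[0] == "port-object":       # port-object eq PORT
            current.add(_port(tok[2]))
        elif tok[0] == "access-list":       # access-list NAME extended ACTION PROTO SRC DST [eq P | object-group G]
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            rest = tok[i:]                  # optional "eq PORT" or "object-group NAME"; absent means any port
            ports = None if not rest else groups[rest[1]] if rest[0] == "object-group" else {_port(rest[1])}
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, ports))
    return acls

def permitted(acls, acl_name, proto, src, dst, dport=0):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, ports in acls[acl_name]:   # first matching line decides
        if p in ("ip", proto) and src in snet and dst in dnet and (ports is None or dport in ports):
            return action == "permit"
    return False                                          # implicit deny at the end of every ASA ACL
```

Flows no line matches are dropped, so an SSH session from zone 1 or an outside connection to the DMZ on any port other than 80/443 fails, while zone 2 passes everything.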

For the clients to reach networks beyond the firewall, we must set up a default route.

route outside 0.0.0.0 0.0.0.0 100.1.1.10 1

The last config script we should implement on the ASA enables management from one of the zones.

ssh 192.168.1.0 255.255.255.0 inside1 
ssh timeout 20 
ssh version 2

That is all there is to it for now.

Feel free to comment.
