Question

  Asked: Mar 27 2007   12:56 AM GMT
  Asked by: skepticals


Cisco ASA DMZ configuration...


Networking, Cisco, Network security, Firewalls, VPN, Intrusion management, Incident response, Forensics, Wireless, DMZ

I am in the process of setting up a DMZ in order to host a Web Server and an Exchange Server. I have been doing a great deal of research and have a few questions.

This is my setup:

Internet====>ASA====>Inside Network (Cisco Switches)

I want to use an additional switch and attach it to the ASA as a DMZ.

I am getting mixed opinions on how to configure the ASA/DMZ. I found Cisco documentation online that states I need to create address pools for both the external and DMZ interface. The documentation said I needed these pools - at least to my understanding - in order to mask the IP addresses of the internal workstations. A friend of mine said I do not need the address pools and I could use PAT.

Any ideas? I would like to understand my options. Thanks for the help.

Answer Wiki

If you didn't have any public servers, then you could use dynamic PAT, but then what would you have a DMZ for? If you have some public servers as indicated, then you will have to map the addresses of these to public IPs with static NAT or just give them real addresses and let the outside through to the DMZ. If none of them use the same port (e.g. SMTP, HTTP, DNS, ...), you should be able to use port forwarding to do all of this with one external IP. This all depends on how you arrange the design.
Please tell me you are NOT going to put the exchange server in the DMZ so the outside world can reach it. Put it on the internal net and use some kind of SMTP relay in the DMZ.
rt
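As an added illustration that is not from the original answer or from Cisco's documentation, here is a minimal ASA configuration (pre-8.3 syntax, as current in 2007) that follows the answer: dynamic PAT for the workstations instead of an address pool, port forwarding on the single outside address for the two DMZ services, and the DMZ-to-inside hole limited to the relay's SMTP session to Exchange, as recommended above. All interface names and addresses, including 10.0.0.25 for the Exchange server, are assumed placeholders; ASA 8.3 and later use object NAT with different syntax.

```cisco
! Three interfaces: outside (public), inside (users + Exchange), dmz (web server + SMTP relay)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Workstations and DMZ hosts going to the Internet share the outside interface
! address (dynamic PAT) - no separate address pool is required
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Inside hosts reach DMZ servers by their real addresses (identity translation);
! static entries take precedence over the dynamic PAT rules above
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Public servers: port forwarding on the one public IP, each service on its own port
static (dmz,outside) tcp interface www 192.168.100.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.100.20 smtp netmask 255.255.255.255
!
! The outside may only reach the two forwarded ports
! (pre-8.3 ACLs reference the mapped address, hence "interface outside")
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq smtp
access-group outside_in in interface outside
!
! The DMZ may open exactly one thing toward the inside: SMTP from the relay
! to the Exchange server (assumed 10.0.0.25). All other DMZ-to-inside traffic
! is denied; DMZ hosts can still reach the Internet for outbound mail and updates.
access-list dmz_in extended permit tcp host 192.168.100.20 host 10.0.0.25 eq smtp
access-list dmz_in extended deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

Verify the port forwards with `show xlate` after the first inbound connection, and confirm with `packet-tracer input dmz tcp 192.168.100.10 1025 10.0.0.25 25` that the web server (unlike the relay) cannot open SMTP to Exchange.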
Discuss This Answer

skepticals  |   Mar 27 2007  5:39PM GMT

astronomer,

I think I jumped the gun with the DMZ question. After more reading, I believe I have a clear picture on how to configure the network.

I was looking into putting the Exchange server on the internal network with a relay. Do you have any documentation on how to set this up? Is the relay another computer?

Thanks for your help.

 

astronomer  |   Mar 27 2007  6:25PM GMT

A relay is an SMTP server with basically no users. Before we decided to use the Barracuda antispam appliance as our DMZ email presence, I was looking at setting up a Linux system running Postfix in the DMZ to relay emails to/from the outside.
The Barracuda is rejecting four of every five incoming emails as spam. You can do a variety of things to enhance security with this arrangement. For example, we don’t accept emails claiming to be from our domain unless they come from our Exchange server. Also, the Barracuda won’t accept internal emails from any other source, regardless of the source domain. Our network, which uses public addresses, only allows SMTP to go out through the Exchange server then through the Barracuda. Before I set this up, we had a fair number of spam servers appearing in student labs. This is why I am so adamant about email. If this was still going on, we could easily end up on a spammer blacklist.
rt

 

skepticals  |   Mar 27 2007  7:45PM GMT

Are you happy with the Barracuda? Would you suggest I look into getting one? Currently, I do not have a spam filter or an antivirus program. Do you have any suggestions?

Thanks again.

 

astronomer  |   Mar 28 2007  12:23PM GMT

Overall, we have been very pleased with the Barracuda. Before we purchased it we used a McAfee appliance and I was constantly having problems and being told it couldn’t do what I needed. I checked with the other state colleges and asked about their experiences with Barracuda. The response from all of the colleges using it was positive.
The quality of Barracuda support has declined somewhat from when we first purchased it but it’s still much better than our previous experience. It has proved capable of everything I asked for that the McAfee box couldn’t do. The price is significantly lower. No device in this category will be perfect but this one has done all we expected and a little more.
With that said, you need to consider if you are willing to spend the kind of money and time required to manage a device like this. Does your company have the kind of email volume to justify this investment? Only you can make that decision.
rt

 

skepticals  |   Mar 28 2007  4:35PM GMT

Our company will not have a great deal of traffic. We would probably only have around 50 email users. I just know how much they complain about spam with our current email system (not in my control). We are bringing the email in house and I am looking for various solutions. Would you suggest this device for my situation or is there a better approach?

 

astronomer  |   Mar 29 2007  7:08PM GMT

I would check out their smallest system. It will handle up to 500 users. They have a free evaluation period. Also, check out their competitors and look for magazine evaluations. No doubt things have changed since we bought ours two years ago.

Like I said, only you and your management can decide if it’s worth the expense. We have ~500 users currently and will ramp that to ~1500 when the students get email so your experience will be different from ours. Regardless, you will need to do something to filter spam or your users will be overwhelmed as soon as their new email addresses get out.

Thanks for nudging me into checking out the specs. We have a model 300 and it looks like we are going to have to upgrade when we add the student accounts. This adds another expense to the project no one had thought about.
rt

 

skepticals  |   Mar 29 2007  10:16PM GMT

astronomer,

I’m glad that my question has helped you. I really appreciate your time. I also search the internet and read a great deal of reviews, tutorials, and books; however, I like to get first-hand opinions from people in the field.

I looked into the system and it seems a little pricey. I was put on to a system called ASSP: http://assp.sourceforge.net/

Have you ever heard of it?

 

astronomer  |   Mar 30 2007  12:07PM GMT

I hadn’t heard of them before but it looks like they do a lot of the things the Barracuda does. Expect to put more time into this than we put into the Barracuda but this may be a good solution for you. It does some of the things our McAfee system couldn’t. I had investigated SpamAssassin before we chose the Barracuda. I believe if you are willing to put in the effort, these open software packages can work as well as any commercial package.
rt

 

skepticals  |   Mar 30 2007  1:38PM GMT

I agree, given the time, the open source solutions can work just as well. I’m not sure if we have the budget for a commercial product, but I would prefer one. I will look into both of the options and go from there. Thanks for the insight.