Cisco ASA DMZ configuration…

Tags:
Cisco
DMZ
Firewalls
Forensics
Incident response
Intrusion management
Network security
Networking
VPN
Wireless
I am in the process of setting up a DMZ in order to host a Web Server and an Exchange Server. I have been doing a great deal of research and have a few questions. This is my setup: Internet====>ASA====>Inside Network (Cisco Switches). I want to use an additional switch and attach it to the ASA as a DMZ. I am getting mixed opinions on how to configure the ASA/DMZ. I found Cisco documentation online that states I need to create address pools for both the external and DMZ interface. The documentation said I needed these pools - at least to my understanding - in order to mask the IP addresses of the internal workstations. A friend of mine said I do not need the address pools and I could use PAT. Any ideas? I would like to understand my options. Thanks for the help.
ASKED: March 27, 2007  12:56 PM
UPDATED: April 3, 2008  3:49 PM

Answer Wiki


If you didn't have any public servers, then you could use dynamic PAT, but then what would you have a DMZ for? If you have some public servers as indicated, then you will have to map the addresses of these to public IPs with static NAT or just give them real addresses and let the outside through to the DMZ. If none of them use the same port (e.g. SMTP, HTTP, DNS, …), you should be able to use port forwarding to do all of this with one external IP. This all depends on how you arrange the design.
Please tell me you are NOT going to put the exchange server in the DMZ so the outside world can reach it. Put it on the internal net and use some kind of SMTP relay in the DMZ.
rt
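The arrangement the answer describes (static NAT for the web server, port forwarding on a single outside address for the SMTP relay, dynamic PAT for everything else, and Exchange kept on the inside network reachable only from the relay), written out as an added ASA configuration example; it is not from the original thread. It uses pre-8.3 ASA syntax (the generation current when this was asked), assumed interface names, and assumed documentation addresses: 203.0.113.0/29 outside, 10.0.0.0/24 inside with Exchange at 10.0.0.25, 172.16.1.0/24 DMZ with the web server at .10 and the relay at .20.

```cisco
! Interfaces (assumed names and RFC 5737 / RFC 1918 addresses; pre-8.3 ASA syntax)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Dynamic PAT: inside and DMZ hosts going out share the outside interface address,
! so no separate address pool is needed for them
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Static one-to-one NAT: the DMZ web server gets its own public address
static (dmz,outside) 203.0.113.3 172.16.1.10 netmask 255.255.255.255
!
! Port forwarding (static PAT): SMTP on the shared outside address reaches the DMZ relay
static (dmz,outside) tcp interface smtp 172.16.1.20 smtp netmask 255.255.255.255
!
! Identity NAT between inside and DMZ so the relay can hand mail to Exchange by its real address
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Outside may only reach the web server on HTTP/HTTPS and the relay on SMTP
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE_IN extended permit tcp any interface outside eq smtp
access-group OUTSIDE_IN in interface outside
!
! From the DMZ: only the relay may talk to Exchange, and only on SMTP; everything else
! toward the inside network is denied; the relay may send mail out; DMZ hosts may resolve DNS
access-list DMZ_IN extended permit tcp host 172.16.1.20 host 10.0.0.25 eq smtp
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit tcp host 172.16.1.20 any eq smtp
access-list DMZ_IN extended permit udp 172.16.1.0 255.255.255.0 any eq domain
access-group DMZ_IN in interface dmz
```

The explicit deny toward 10.0.0.0/24 before the outbound permits is what keeps a compromised DMZ host from pivoting inward; verify it with `show access-list DMZ_IN` and watch the hit counts on the deny line.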

Discuss This Question: 9  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Skepticals
    astronomer, I think I jumped the gun with the DMZ question. After more reading, I believe I have a clear picture on how to configure the network. I was looking into putting the Exchange server on the internal network with a relay. Do you have any documentation on how to set this up? Is the relay another computer? Thanks for your help.
  • Astronomer
    A relay is an SMTP server with basically no users. Before we decided to use the barracuda antispam appliance as our DMZ email presence, I was looking at setting up a linux system running postfix in the DMZ to relay emails to/from the outside. The barracuda is rejecting four of every five incoming emails as spam. You can do a variety of things to enhance security with this arrangement. For example, we don't accept emails claiming to be from our domain unless they come from our exchange server. Also, the barracuda won't accept internal emails from any other source, regardless of the source domain. Our network, which uses public addresses, only allows SMTP to go out through the exchange server then through the barracuda. Before I set this up, we had a fair number of spam servers appearing in student labs. This is why I am so adamant about email. If this was still going on, we could easily end up on a spammer blacklist. rt
  • Skepticals
    Are you happy with the barracuda? Would you suggest I look into getting one? Currently, I do not have a spam filter or an anti-virus program. Do you have any suggestions? Thanks again.
  • Astronomer
    Overall, we have been very pleased with the barracuda. Before we purchased it we used a mcafee appliance and I was constantly having problems and being told it couldn't do what I needed. I checked with the other state colleges and asked about their experiences with barracuda. The response from all of the colleges using it was positive. The quality of barracuda support has declined somewhat from when we first purchased it but it's still much better than our previous experience. It has proved capable of everything I asked for that the mcafee box couldn't do. The price is significantly lower. No device in this category will be perfect but this one has done all we expected and a little more. With that said, you need to consider if you are willing to spend the kind of money and time required to manage a device like this. Does your company have the kind of email volume to justify this investment? Only you can make that decision. rt
  • Skepticals
    Our company will not have a great deal of traffic. We would probably only have around 50 email users. I just know how much they complain about spam with our current email system (not in my control). We are bringing the email in house and I am looking for various solutions. Would you suggest this device for my situation or is there a better approach?
  • Astronomer
    I would check out their smallest system. It will handle up to 500 users. They have a free evaluation period. Also, check out their competitors and look for magazine evaluations. No doubt things have changed since we bought ours two years ago. Like I said, only you and your management can decide if it's worth the expense. We have ~500 users currently and will ramp that to ~1500 when the students get email so your experience will be different from ours. Regardless, you will need to do something to filter spam or your users will be overwhelmed as soon as their new email addresses get out. Thanks for nudging me into checking out the specs. We have a model 300 and it looks like we are going to have to upgrade when we add the student accounts. This adds another expense to the project no-one had thought about. rt
  • Skepticals
    astronomer, I'm glad that my question has helped you. I really appreciate your time. I also searched the internet and read a great deal of reviews, tutorials, and books; however, I like to get first-hand opinions from people in the field. I looked into the system and it seems a little pricey. I was put on to a system called ASSP: http://assp.sourceforge.net/ Have you ever heard of it?
  • Astronomer
    I hadn't heard of them before but it looks like they do a lot of the things the barracuda does. Expect to put more time into this than we put into the barracuda but this may be a good solution for you. It does some of the things our mcafee system couldn't. I had investigated spam assassin before we chose the barracuda. I believe if you are willing to put in the effort, these open software packages can work as well as any commercial package. rt
  • Skepticals
    I agree, given the time, the open source solutions can work just as well. I'm not sure if we have the budget for a commercial product, but I would prefer one. I will look into both of the options and go from there. Thanks for the insight. J