
Lab 10: Setting Up a DMZ

Cisco Press

By David Hucaby, Network World
October 22, 2008 03:09 PM ET

 

This Cisco Firewall Video Mentor lab shows you how to add a demilitarized zone (DMZ) interface to a firewall, whereas previous labs dealt with only inside and outside interfaces.

The objectives of this lab are to configure address translation and access lists as security policies for the following scenarios:

  • Connections initiated from a higher security level interface toward a lower one

  • Connections initiated from a lower security level interface toward a higher one

 

Scenario

This lab contains several scenarios, presented in the following steps:

Step 1. Consider connections initiated from the inside interface toward the DMZ, and configure the firewall accordingly.

Step 2. Consider connections initiated from the DMZ interface toward the outside, and configure the firewall accordingly.

Step 3. Consider connections initiated from the outside interface toward the DMZ, and configure the firewall accordingly.

Step 4. Consider connections initiated from the DMZ interface toward the inside, and configure the firewall accordingly.

Step 5. Double-check the DMZ access list for conflicting entries.

 

Initial Configurations

The firewall begins with a simple configuration used in previous labs. Although the lab configurations take place on the "context-a" security context, they could just as easily be configured on a firewall running in single context mode.

The firewall is configured with an inside and outside interface, with address translation and access lists configured for inside-to-outside connections, as well as outside-to-inside connections. The initial configuration commands for the firewall are shown in Example 10-1.

Example 10-1 Initial Firewall Configuration

hostname context-a
!
interface intf0
 nameif outside
 security-level 0
 ip address 192.168.100.10 255.255.255.0 standby 192.168.100.11
!
interface intf1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface outside
access-list acl_inside extended permit ip 192.168.2.0 255.255.255.0 any
access-group acl_inside in interface inside
!
static (inside,outside) 192.168.100.100 192.168.2.100 netmask 255.255.255.255
access-list acl_outside extended permit tcp any host 192.168.100.100 eq www
access-list acl_outside extended permit tcp any host 192.168.100.100 eq https
access-group acl_outside in interface outside

Video Presentation Reference

Refer to the following descriptions of each step in Lab 10. A DMZ interface is added according to the network diagram shown in Figure 10-1, with the configuration shown in Example 10-2.

Figure 10-1 Adding a DMZ Interface to a Firewall

Example 10-2 Initial DMZ Interface Configuration

interface intf2
 nameif dmz
 security-level 50
 ip address 192.168.99.1 255.255.255.0
 no shutdown

Step 1: Consider Connections from the Inside Toward the DMZ

In this step, address translation is configured across the inside and DMZ interfaces. Because the access list acl_inside was previously configured to permit all traffic from the inside subnet toward any destination address, no changes need to be made for traffic destined for the DMZ.

Example 10-3 shows the configuration command that is entered. The firewall's initial configuration includes a definition for nat (inside) 3, so only the corresponding global command is needed.

Example 10-3 Configuring Security Policies for Inside-to-DMZ Connections

Firewall(config)# global (dmz) 3 interface dmz

 

Step 2: Consider Connections from the DMZ Toward the Outside

In this step, address translation is configured across the DMZ and outside interfaces. A series of global commands is already present in the firewall's initial configuration, so only a corresponding nat command needs to be added.

The access list acl_dmz is created to permit any IP traffic from the DMZ subnet 192.168.99.0/24 to any destination address on the outside. Example 10-4 shows the configuration commands that are entered in this step.

Example 10-4 Configuring Security Policies for DMZ-to-Outside Connections

Firewall(config)# nat (dmz) 3 192.168.99.0 255.255.255.0
Firewall(config)# access-list acl_dmz extended permit ip 192.168.99.0 255.255.255.0 any
Firewall(config)# access-group acl_dmz in interface dmz

Step 3: Consider Connections from the Outside Toward the DMZ

In this step, address translation is configured across the outside and DMZ interfaces with a static command. DMZ address 192.168.99.10 is mapped to outside address 192.168.100.110.

In addition, the access list acl_outside is amended to include rules that permit inbound connections from any outside address to the mapped address 192.168.100.110 with destination ports TCP 80 and 443. Example 10-5 shows the configuration commands that are entered.

Example 10-5 Configuring Security Policies for Outside-to-DMZ Connections

Firewall(config)# static (dmz,outside) 192.168.100.110 192.168.99.10 netmask 255.255.255.255
!
Firewall(config)# access-list acl_outside extended permit tcp any host 192.168.100.110 eq www
Firewall(config)# access-list acl_outside extended permit tcp any host 192.168.100.110 eq https
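The static and nat/global statements used in Steps 1 through 3 follow one convention that is easy to get backwards: static (real_ifc,mapped_ifc) mapped_ip real_ip names the interface where the host really lives first, then the interface on which the mapped address is published, then the mapped address, then the real one; a nat statement on the real interface pairs with the global statement that carries the same ID on the mapped interface. The following Python model is an added example, not code from the lab or from Cisco. It parses the statements from Examples 10-1, 10-3, 10-4 and 10-5 (plus the nat (inside) 3 line that Step 1 says is in the initial configuration) and reports which rule a given flow would use and what the addresses look like on the far side. It handles host statics and interface PAT only; policy NAT, NAT exemption and nat-control behaviour are left out, and the outside host address 198.51.100.7 is a constructed value.

```python
"""Which pre-8.3 PIX/ASA translation rule does a flow use?  Added example (editor's,
not the lab's or Cisco's).  Handles host statics and nat/global interface PAT only;
policy NAT, NAT exemption and nat-control are not modelled."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Static:
    real_ifc: str      # interface the host really sits on
    mapped_ifc: str    # interface on which mapped_ip is published
    mapped_ip: IPv4
    real_ip: IPv4


@dataclass
class Nat:
    nat_id: int
    real_ifc: str
    real_net: ipaddress.IPv4Network


# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# nat (real_ifc) ID NET MASK   and   global (mapped_ifc) ID interface
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) interface")

Config = Tuple[List[Static], List[Nat], Dict[int, List[str]]]


def parse_config(lines: List[str]) -> Config:
    """Collect static, nat and global statements; a leading 'Firewall(config)# ' prompt is ignored."""
    statics: List[Static] = []
    nats: List[Nat] = []
    globals_: Dict[int, List[str]] = {}
    for raw in lines:
        line = raw.split("# ", 1)[-1].strip()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics.append(Static(real_ifc, mapped_ifc, IPv4(mapped_ip), IPv4(real_ip)))
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nats.append(Nat(int(nat_id), ifc, ipaddress.IPv4Network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            ifc, gid = m.groups()
            globals_.setdefault(int(gid), []).append(ifc)
    return statics, nats, globals_


def translate(cfg: Config, in_ifc: str, src: str, out_ifc: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """Return (source as seen on out_ifc, real destination, rule used) for a flow
    entering on in_ifc and leaving on out_ifc, or None if no rule applies."""
    statics, nats, globals_ = cfg
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    # Lower-to-higher case: the sender addresses a mapped_ip published on in_ifc by a
    # static whose real side is out_ifc; the firewall forwards to the real address.
    for s in statics:
        if s.mapped_ifc == in_ifc and s.real_ifc == out_ifc and s.mapped_ip == dst_ip:
            return src, str(s.real_ip), f"static ({s.real_ifc},{s.mapped_ifc})"
    # Higher-to-lower case with a static: the real source appears as its mapped address.
    for s in statics:
        if s.real_ifc == in_ifc and s.mapped_ifc == out_ifc and s.real_ip == src_ip:
            return str(s.mapped_ip), dst, f"static ({s.real_ifc},{s.mapped_ifc})"
    # Otherwise a nat on in_ifc covering src pairs with a global of the same ID on out_ifc.
    for n in nats:
        if n.real_ifc == in_ifc and src_ip in n.real_net and out_ifc in globals_.get(n.nat_id, []):
            return f"{out_ifc} interface address", dst, f"nat ({in_ifc}) {n.nat_id} / global ({out_ifc}) {n.nat_id}"
    return None


# Statements from Examples 10-1, 10-3, 10-4 and 10-5 (page content), plus the
# nat (inside) 3 line that Step 1 says is in the initial configuration.
LAB_CONFIG = parse_config([
    "nat (inside) 1 192.168.2.0 255.255.255.0",
    "global (outside) 1 interface outside",
    "static (inside,outside) 192.168.100.100 192.168.2.100 netmask 255.255.255.255",
    "nat (inside) 3 192.168.2.0 255.255.255.0",
    "Firewall(config)# global (dmz) 3 interface dmz",
    "Firewall(config)# nat (dmz) 3 192.168.99.0 255.255.255.0",
    "Firewall(config)# static (dmz,outside) 192.168.100.110 192.168.99.10 netmask 255.255.255.255",
])

if __name__ == "__main__":
    # Outside host address 198.51.100.7 is constructed (documentation range).
    print(translate(LAB_CONFIG, "inside", "192.168.2.100", "outside", "198.51.100.7"))
    print(translate(LAB_CONFIG, "inside", "192.168.2.50", "dmz", "192.168.99.10"))
    print(translate(LAB_CONFIG, "outside", "198.51.100.7", "dmz", "192.168.100.110"))
```

The last call is the Step 3 case: an outside host addresses 192.168.100.110, and the static whose real side is the DMZ resolves it to 192.168.99.10. Calling translate with the DMZ server's real address as the destination from the outside returns None, because no rule publishes that address on the outside interface.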

Step 4: Consider Connections from the DMZ Toward the Inside

This step shows you how to configure address translation across the DMZ and inside interfaces using a static command. Inside server address 192.168.2.99 is mapped to DMZ address 192.168.99.99.

Rules are added to the acl_dmz access list to permit inbound connections from DMZ server 192.168.99.10 to the mapped address 192.168.99.99. Only connections to destination ports TCP 1433 and FTP are permitted.

The commands shown in Example 10-6 are entered during the configuration.

Example 10-6 Configuring Security Policies for DMZ-to-Inside Connections

! static (real_ifc,mapped_ifc) mapped_ip real_ip: the inside host 192.168.2.99 is
! published on the DMZ as 192.168.99.99, so the real interface is inside and the
! mapped interface is dmz (the original listing had the pair reversed)
Firewall(config)# static (inside,dmz) 192.168.99.99 192.168.2.99 netmask 255.255.255.255
!
Firewall(config)# access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq 1433
Firewall(config)# access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq ftp
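The acl_dmz list as built in Examples 10-4 and 10-6 deserves the check that Step 5 in the scenario list asks for. Its first entry permits IP from 192.168.99.0/24 to any, and "any" includes the mapped inside address 192.168.99.99, so with first-match evaluation the two entries for TCP 1433 and FTP are never reached, and any protocol from the DMZ subnet to the inside server is permitted. The following Python is an added example, not part of the lab or of Cisco's tooling: it parses the ACL syntax used on this page, reports entries shadowed by an earlier one, evaluates a flow first-match, and shows a reordered list (an editor's suggestion, not the lab's) in which the specific permits come first, followed by an explicit deny toward the mapped inside address and then the broad permit.

```python
"""First-match evaluation and shadow analysis for a Cisco-style extended ACL.

Added example (editor's, not the lab's). LAB_ACL_DMZ is acl_dmz exactly as built by
Examples 10-4 and 10-6; REORDERED_ACL_DMZ is the editor's suggested ordering and is an
assumption, not part of the lab. Only the syntax used on this page is parsed:
permit|deny, ip|tcp|udp, 'any', 'host A.B.C.D', 'A.B.C.D MASK', optional 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21}   # the port names this page uses


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    text: str                       # original line, kept for reporting


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def _covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet matching inner would already have matched outer."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    port_ok = outer.dport is None or outer.dport == inner.dport
    return (proto_ok and port_ok
            and outer.src.supernet_of(inner.src)
            and outer.dst.supernet_of(inner.dst))


def shadowed_entries(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (unreachable_index, shadowing_index) pairs: with first-match
    evaluation, an entry fully covered by an earlier one is never consulted."""
    found = []
    for i, inner in enumerate(acl):
        for j in range(i):
            if _covers(acl[j], inner):
                found.append((i, j))
                break
    return found


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """The first matching entry decides; the implicit deny at the end catches the rest."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == proto)
                and (ace.dport is None or ace.dport == dport)
                and s in ace.src and d in ace.dst):
            return ace.action
    return "deny"


# acl_dmz as built by Examples 10-4 and 10-6 (page content)
LAB_ACL_DMZ = [parse_ace(l) for l in [
    "access-list acl_dmz extended permit ip 192.168.99.0 255.255.255.0 any",
    "access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq 1433",
    "access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq ftp",
]]

# Editor's suggested ordering (assumption, not from the lab): specific permits first,
# then an explicit deny toward the mapped inside server, then the broad permit.
REORDERED_ACL_DMZ = [parse_ace(l) for l in [
    "access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq 1433",
    "access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq ftp",
    "access-list acl_dmz extended deny ip 192.168.99.0 255.255.255.0 host 192.168.99.99",
    "access-list acl_dmz extended permit ip 192.168.99.0 255.255.255.0 any",
]]

if __name__ == "__main__":
    for i, j in shadowed_entries(LAB_ACL_DMZ):
        print(f"entry {i} never matches; entry {j} already covers it:\n  {LAB_ACL_DMZ[i].text}\n  {LAB_ACL_DMZ[j].text}")
    flow = ("tcp", "192.168.99.10", "192.168.99.99", 22)   # a port the lab did not intend to open
    print("lab acl_dmz, TCP/22 to inside server:", evaluate(LAB_ACL_DMZ, *flow))              # permit
    print("reordered acl_dmz, TCP/22 to inside server:", evaluate(REORDERED_ACL_DMZ, *flow))  # deny
```

The shadow check treats a permit and a deny alike, since an unreachable entry is unreachable whatever its action; in the reordered list no entry is covered by an earlier one, DMZ-to-outside traffic is still permitted by the final entry, and only TCP 1433 and FTP from 192.168.99.10 reach the mapped inside address.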
