This Cisco Firewall Video Mentor lab shows you how to add a demilitarized zone (DMZ) interface to a firewall, whereas previous labs dealt with only inside and outside interfaces.
The objectives of this lab are to configure address translation and access lists as security policies for the following scenarios:
Connections initiated from a higher security level interface toward a lower one
Connections initiated from a lower security level interface toward a higher one
This lab contains several scenarios, presented in the following steps:
Consider connections initiated from the inside interface toward the DMZ, and configure the firewall accordingly.
Consider connections initiated from the DMZ interface toward the outside, and configure the firewall accordingly.
Consider connections initiated from the outside interface toward the DMZ, and configure the firewall accordingly.
Consider connections initiated from the DMZ interface toward the inside, and configure the firewall accordingly.
Double-check the DMZ access list for conflicting entries.
The firewall begins with a simple configuration used in previous labs. Although the lab configurations take place on the "context-a" security context, they could just as easily be configured on a firewall running in single context mode.
The firewall is configured with an inside and outside interface, with address translation and access lists configured for inside-to-outside connections, as well as outside-to-inside connections. The initial configuration commands for the firewall are shown in Example 10-1.
Example 10-1 Initial Firewall Configuration
hostname context-a!interface intf0 nameif outside security-level 0 ip address 192.168.100.10 255.255.255.0 standby 192.168.100.11!interface intf1 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2!nat (inside) 1 192.168.2.0 255.255.255.0global (outside) 1 interface outsideaccess-list acl_inside extended permit ip 192.168.2.0 255.255.255.0 anyaccess-group acl_inside in interface inside!static (inside,outside) 192.168.100.100 192.168.2.100 netmask 255.255.255.255access-list acl_outside extended permit tcp any host 192.168.100.100 eq wwwaccess-list acl_outside extended permit tcp any host 192.168.100.100 eq httpsaccess-group acl_outside in interface outside
Video Presentation Reference
Refer to the following descriptions of each step in Lab 10. A DMZ interface is added according to the network diagram shown in Figure 10-1, with the configuration shown in Example 10-2.
Adding a DMZ Interface to a Firewall
Example 10-2 Initial DMZ Interface Configuration
interface intf2 nameif dmz security-level 50 ip address 192.168.99.1 255.255.255.0 no shutdown
Step 1: Consider Connections from the Inside Toward the DMZ
In this step, address translation is configured across the inside and DMZ interfaces. Because the access list acl_inside was previously configured to permit all traffic from the inside subnet toward any destination address, no changes need to be made for traffic destined for the DMZ.
Example 10-3 shows the configuration command that is entered. The firewall's initial configuration includes a definition for nat (inside) 3, so only the corresponding global command is needed.
Example 10-3 Configuring Security Policies for Inside-to-DMZ Connections
Firewall(config)# global (dmz) 3 interface dmz
Step 2: Consider Connections from the DMZ Toward the Outside
In this step, address translation is configured across the DMZ and outside interfaces. A series of global commands are already present in the firewall's initial configuration, requiring only a corresponding nat command to be added.
The access list acl_dmz is created to permit any IP traffic from the DMZ subnet 192.168.99.0/24 to any destination address on the outside. Example 10-4 shows the configuration commands that are entered in this step.
Example 10-4 Configuring Security Policies for DMZ-to-Outside Connections
Firewall(config)# nat (dmz) 3 192.168.99.0 255.255.255.0Firewall(config)# access-list acl_dmz extended permit ip 192.168.99.0 255.255.255.0 anyFirewall(config)# access-group acl_dmz in interface dmz
Step 3: Consider Connections from the Outside Toward the DMZ
In this step, address translation is configured across the outside and DMZ interfaces with a static command. DMZ address 192.168.99.10 is mapped to outside address 192.168.100.110.
In addition, the access list acl_outside is amended to include rules that permit inbound connections from any outside address to the mapped address 192.168.100.110 with destination ports TCP 80 and 443. Example 10-5 shows the configuration commands that are entered.
Example 10-5 Configuring Security Policies for Outside-to-DMZ Connections
Firewall(config)# static (dmz,outside) 192.168.100.110 192.168.99.10 netmask 255.255.255.255!Firewall(config)# access-list acl_outside extended permit tcp any host 192.168.100.110 eq wwwFirewall(config)# access-list acl_outside extended permit tcp any host 192.168.100.110 eq https
Step 4: Consider Connections from the DMZ Toward the Inside
This step shows you how to configure address translation across the DMZ and inside interfaces using a static command. Inside server address 192.168.2.99 is mapped to DMZ address 192.168.99.99.
Rules are added to the acl_dmz access list to permit inbound connections from DMZ server 192.168.99.10 to the mapped address 192.168.99.99. Only connections to destination ports TCP 1433 and FTP are permitted.
The commands shown in Example 10-6 are entered during the configuration.
Example 10-6 Configuring Security Policies for DMZ-to-Inside Connections
Firewall(config)# static (dmz,inside) 192.168.2.99 192.168.99.99 netmask 255.255.255.255!Firewall(config)# access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq 1433Firewall(config)# access-list acl_dmz extended permit tcp host 192.168.99.10 host 192.168.99.99 eq ftp