DMZ Ports in ASA5512-X

Dear Team,
There is no information on the number of DMZs that can be created on the Cisco NGN Firewalls. By default, there are 6 GE ports on the firewall and I need to know how many DMZs can be made on them.
Another question is: if I purchase the ASA-IC-6GE-CU-A= module, how many DMZs can I make additionally?
If there is a comparison chart on the Cisco website, please provide me the link supporting the number of DMZs.
Regards,
Farhan.

Hi,
I don't think the ASA really has a concept of DMZ ports/interfaces other than on ASA5505 and maybe some special model of ASA. Maybe it was ASA V1000.
In the normal ASA5500 Series and ASA5500-X Series the only limitation you have is either the amount of physical ports or, if you use a Trunk interface, the maximum supported Vlan ID amount. The amount of DMZs you configure is only limited by those.
There is no configuration on the ASA that would define the port as some sort of DMZ port. Generally you would just configure the interface's ACL so that connections could not be initiated from behind this interface to the internal network.
If you want to check the supported Vlan ID amount of the ASA you have, you can check this document:
http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-701635.pdf
Seems your ASA model supports 50 Vlan IDs. As an extreme example it would seem to me that you could configure a single Trunk interface with 50 subinterfaces and also use the remaining 5 physical interfaces for some purpose. That probably would not be the ideal setup, but it is just an example.
- Jouni

Similar Messages

  • Connecting the Xserve to DMZ port

    Hi all,
    As a security need I need to connect my web server to a DMZ port on our Firewall router. I was wondering if connecting one 1G port to our internal switch and one to the DMZ port is secure enough or do I have to buy an extra server to service our web hosting?
    Thanks,
    Ziv

    There's not enough information in your post to be able to answer your question.
    What is it you're trying to achieve?
    What is your definition of 'secure'?
    No one can tell you whether you are 'secure enough' until they have some idea of what you're trying to do.
    If it's a matter of trying to set up the server to handle requests from external clients on the DMZ net while also serving trusted clients on the internal net, then that's what the two ports are designed to do. However, without knowing what services you're running it's impossible to tell what extra steps (if any) you need to take to secure the system.

  • RV320 VOIP in DMZ-port

    Hi all,
    I have set my WAN2 port as a DMZ port and want to put my VoIP adapter SPA112 in the DMZ port.
    How do I configure my RV320 so the VoIP traffic goes from WAN1 to the DMZ port?

    From the RV320 admin guide.
    DMZ Enable
    A DMZ is a subnetwork that is open to the public but behind the firewall. A DMZ
    allows you to redirect packets coming into your WAN port to a specific IP address
    in your LAN. You can configure firewall rules to allow access to specific services
    and ports in the DMZ from both the LAN or WAN. In the event of an attack on any of
    the DMZ nodes, the LAN is not necessarily vulnerable. We recommend that you
    place hosts that must be exposed to the WAN (such as web or e-mail servers) in
    the DMZ network.
    To configure DMZ:
    STEP 1 Choose Setup > Network and check Enable DMZ. A message appears.
    STEP 2 Click Yes to accept the change.
    STEP 3 Select the DMZ interface in the DMZ Settings table and click Edit. The Edit DMZ
    Connection window appears.
    STEP 4 Select Subnet to identify a subnetwork for DMZ services and enter the DMZ IP
    Address and Subnet Mask. Or select Range to reserve a group of IP addresses
    on the same subnetwork for DMZ services and enter the IP address range.
    STEP 5 Click Save.

  • DA server within a DMZ - ports needed for internal network

    Hi,
    I'm planning on adding a domain joined DA server in my DMZ. The DA server will have 2 NICs, one for the internal network and the other for the external. I'll be using two consecutive public IPv4 addresses.
    On my external firewall I'll be opening the following ports for my DA server:
    - Port 443 inbound and outbound
    - UDP 3544 inbound and outbound.
    On my Juniper firewall between the internal network and DMZ I'll be opening the following bidirectional ports between my DC and DA server:
    - IP Protocol 41 inbound and outbound.
    - TCP/UDP 53, 88, 3389, 389, 443, 445, 636, 3268, 3269
    Am I right in thinking that in order for my DA clients to reach file shares (for example) I need to ensure that the required protocol and ports are open between my DA server and my file share (i.e. 443)? Doesn't this open a whole load of security holes?
    Thanks
    IT Support/Everything

    Hi there - in a similar scenario on many customer sites I have done the following configuration on the internal firewalls:
    Internal IP of the DA Server ---> allow all traffic to selected VLANs
    The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that DirectAccess requires full connectivity to your apps / infrastructure.
    john davies

  • DMZ Ports to Communicate with SCCM Primary Server

    Hello,
    I have searched and came to know that on the firewall, the following ports should be open for the DMZ to communicate with the SCCM primary server:
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135, TCP 445
    We are planning to implement a software on DMZ server which should communicate with SCCM primary server.
    Do the above ports work for communication from DMZ to Primary or if there are more ports required for it?
    Is it possible to achieve this without the SCCM client installed on the DMZ server, as I would like the software to communicate via its own methods, but the required ports should be open?

    Could you please provide the WMI and SQL ports which would be required.
    Generically speaking, are the ports below enough for a DMZ server to communicate with the primary site server?
    HTTP 80 and 443
    8530
    TCP 10123
    TCP 135, TCP 445

  • ACE: load balancing servers using DMZ ports on FWSM

    devices; (2 core with the ff config)
    6500
    fwsm
    idsm
    msfc
    SETUP;
    Servers are connected to the dmzs on the core
    REQUIREMENT;
    to load balance the servers
    QUESTION;
    Using the ACE module, is it possible to load balance the servers which are connected to the port which is configured as DMZ?
    Thanks

    It does not matter where the servers are connected.
    However, be aware that the flows from client to server need to go through the loadbalancer BUT also the flows from server to client.
    So, you should be careful where you attach the ACE module.
    The easier would be to attach to the DMZ as well between the FW and the servers.
    Gilles.

  • WRT54G. DMZ/port forwarding no longer works?

    I have a computer hosting an IIS web site / other services (to the internet) that had been working for a long time. Now, no matter what I do, I cannot get it to work anymore; it's driving me crazy. I can access the services on my local network using 192.168.1.x, just not from the internet IP. The computer's IP is configured as the DMZ; I also tried specifically port forwarding instead. Windows firewall has exceptions for the ports, and I even tried turning it off temporarily, no luck. I am running out of ideas. Can anyone help? Any ideas?

    I've also got this problem. Though I swore it used to work with 4.21.1 initially. Regardless, this is weak & annoying, so hopefully I can get my hands on 4.20.7 & downgrade.
    Also, in the last several months I've had to reflash & reprogram the device from scratch to "unbrick" it ... basically it would stop forwarding packets between the inside & outside interfaces. Meaning I could ping/manage it from the internet but not the LAN, or vice versa. I assumed the issue was a corrupt configuration since each time I had to rebuild my configuration from scratch after reflashing the firmware. Just restoring the configuration from a backup left things in the same unusable state as before.
    Hopefully Linksys will address these issues and get rid of this wonky firmware version in favor of a stable one.

  • ASA 5515x Multiple DMZ ports

    I have to propose a solution where I have a 5515-X firewall with 6 GE interfaces. I need to make 4 physically separate DMZ ports on this firewall. Each DMZ will be completely isolated from the other DMZs.
    So this means that out of the 6 ports available, 1 port will be for the inside interface, 1 port for the outside interface and 4 ports for DMZs.
    Is this solution possible? What are the pros and cons of this solution?

    Please post it in the security community.

  • RV082 Port Forwarding or DMZ Configuration Assistance

    Greetings Community,
    I have an RV082 V2 with 2.0.2.01-tm and I am having trouble with getting my Sprint Airvana to connect properly to the mobile service. Many suggestions I've read on the Sprint forums indicate putting the Airvana in the DMZ generally allows the device to work properly; however, none have the RV series routers for tips on how to do this appropriately. This device used to work fine behind the RV082, but I reset it one day and it no longer works.
    The Airvana is a femtocell/router device with a WAN port and 3 LAN ports. If I connect the Airvana directly to my cable modem, I get the appropriate connection and can then make calls through the device instead of through the Sprint connection; I live in a basement unit and get crappy signal without the device. This proves the device works and that my ISP is not blocking the ports. Sprint indicates the device uses UDP 53, 67, 68, 500 and 4500. Their support sucks and they insist I put the Airvana before my router. I absolutely do not want to use the Airvana as the router. There are almost no configuration options in the router interface and it needs to be rebooted somewhat regularly, which would drop internet access throughout the house for 10-15 minutes while it reboots and finally establishes an internet connection.
    As soon as I put the Airvana behind the RV082, I no longer get the appropriate connection. I can, however, plug my computer into one of the LAN ports on the Airvana and connect to the internet in general. I have the router assign a static IP to the Airvana, and tried forwarding the required UDP ports to the IP. This did not fix the problem.
    I can certainly troubleshoot the port forwarding issues, but I would also like to look into putting the device into the DMZ, if possible. I've not worked much in this area, so I am unsure how to appropriately configure the router to allow this to happen. Is it possible to have the Airvana in the router DMZ without having a public IP for the device itself? It seems this is something that can be done, but I could be mistaken. If so, how is that done?
    Please feel free to ask any clarifying questions and I thank you in advance for any assistance you may provide.

    I apologize for the delay in getting back to this post; however, it dropped to the bottom of my priority list for a while. As a workaround, I used the Airvana device as my router temporarily; however, I have the time again and would like to get it set up behind the RV082 again.
    It does not appear the device supports UPnP. I had that enabled for some other applications already.
    According to http://tinyurl.com/AirvanaPorts I need the following UDP ports open: 53, 67, 68, 500, 4500. Another suggestion from a Sprint rep was to also open/forward TCP 5060 and 5061. I have the ports forwarded to the device as shown below and have confirmed the device has the correct IP address. The device gets a valid internet connection (verified by plugging a computer into one of the LAN ports on the Airvana device); however, it still does not connect to the Sprint service like it should. I am guessing there is another port and/or the Sprint article has incorrect information.
    To check this, I'm thinking I need to set the device up in the DMZ, but I'm not sure exactly what I need to do for proper configuration. Is it as easy as enabling the DMZ port and plugging the device in, or are there other settings needed? Is there anything else I may be missing for the port forwarding?

  • Asa5512-x dmz issues

    Hi,
    I have a new ASA 5512-X with interfaces configured. I did a static NAT for the DMZ private address to translate to one of the addresses from my ISP, but I notice the following:
    1. I cannot reach that server on the public IP address 197.211.36.36
    2. With dynamic translation, my inside hosts can access the server in the DMZ through its private IP 192.168.88.1
    attached is the running config.

  • ASA 5505 (8.3.1) DMZ to Outside access problem

    We have a hub and spoke VPN setup and at one location used the DMZ port/vlan subnet to access the hub. We have since changed and want the DMZ to only access the outside interface (we have the base license that can only access one interface). We have taken out all the configs that allow access to inside/VPN but cannot get the DMZ to access Outside/internet. I also do not see any debug info in the logs. We have read a ton but it seems that there are changes in 8.3 that are not documented well enough for us to get this going. Does anybody see what we are missing?
    Full Config:
    ASA Version 8.3(1)
    hostname Rye5505
    domain-name thedavid
    enable password  encrypted
    passwd  encrypted
    names
    name 192.168.72.0 Sixpines description VPN
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.73.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.15.200.138 255.255.255.252
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 5
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name thedavid
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network 192.168.72.0
    subnet 192.168.72.0 255.255.255.0
    description Sixpines  
    object network NETWORK_OBJ_192.168.73.0_24
    subnet 192.168.73.0 255.255.255.0
    object network obj-192.168.73.0
    subnet 192.168.73.0 255.255.255.0
    object network Sixpines
    subnet 192.168.72.0 255.255.255.0
    object network DMZ
    subnet 192.168.1.0 255.255.255.0
    object-group network SixpinesInternalNetwork
    network-object Sixpines 255.255.255.0
    access-list DMZ_access_in extended permit ip any any inactive
    access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
    access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
    access-list dmz extended permit ip object obj_any object DMZ
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    icmp permit any dmz
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
    nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
    nat (dmz,outside) source static DMZ DMZ
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 69.15.200.137 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.73.0 255.255.255.0 inside
    http 10.0.1.0 255.255.255.0 dmz
    http Sixpines 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 dmz
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 72.54.197.28
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 192.168.73.101-192.168.73.132 inside
    dhcpd dns 192.168.72.14 8.8.8.8 interface inside
    dhcpd domain thedavidlawfirm interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 72.54.197.28 type ipsec-l2l
    tunnel-group 72.54.197.28 ipsec-attributes
    pre-shared-key
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    OUTPUT of log.....
    6      Sep 29 2008      19:31:32      302015      8.8.8.8      53      192.168.1.110      59468      Built outbound UDP connection 2298 for outside:8.8.8.8/53 (8.8.8.8/53) to dmz:192.168.1.110/59468 (192.168.1.110/59468)
    6      Sep 29 2008      19:31:30      302016      8.8.8.8      53      192.168.1.110      62740      Teardown UDP connection 2234 for outside:8.8.8.8/53 to dmz:192.168.1.110/62740 duration 0:02:08 bytes 110
    THANKS!!!!

    Hello –
    I know that it has been a while since you've posted this question. I just recently ran into the very same situation: trying to get my DMZ to access the internet.
    You think that because the internet is on a lower security interface, traffic automatically flows downhill. If you have ANY ACLs in your DMZ, then this default feature disappears.
    If you want to secure your inside from the DMZ, and still get internet, you must do the following:
    Second to last ACL :
    Action: Deny
    Source: any
    Destination: inside
    Service: IP
    Last ACL:
    Action: Permit
    Source: any
    Destination: any
    Service: IP
    ACLs are read from top to bottom, so in this case traffic would try to find a match. If traffic was not trying to go into the inside interface, the only other match available would be outside.
    Thanks,
    Michael
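The two points made above (Jouni's: a DMZ on the ASA is just an interface with a security level and an ACL; Michael's: the moment an ACL is applied, the implicit "downhill is allowed" behaviour is gone and the ACL is matched top to bottom with an implicit deny at the end) are easy to get wrong, so here is a small model of that logic as an added example. It is not code from the thread, from Cisco, or from any ASA software. It assumes a tiny `access-list NAME extended {permit|deny} ip SRC DST` subset of the ACL syntax, reuses the inside/dmz/outside levels and subnets from the 5505 config above, and models only new-connection admission on the ingress interface (no NAT, no same-security traffic, no per-object ACLs).

```python
"""Teaching model of ASA interface access control (added example, not from the thread).

Behaviours modelled:
  * No ACL on an interface: traffic entering it is permitted only "downhill",
    i.e. toward an interface with a lower security-level.
  * An ACL applied inbound replaces that behaviour: first match from the top
    wins, and unmatched traffic hits the implicit deny at the end of the ACL.
"""
import ipaddress
from dataclasses import dataclass

# Constructed to mirror the posted 5505 config (inside 100 / dmz 50 / outside 0).
INTERFACES = {
    "inside":  (100, ipaddress.ip_network("192.168.73.0/24")),
    "dmz":     (50,  ipaddress.ip_network("192.168.1.0/24")),
    "outside": (0,   ipaddress.ip_network("0.0.0.0/0")),   # default route
}
OBJECTS = {  # 'object network' definitions the ACL lines may reference
    "obj_any":    ipaddress.ip_network("0.0.0.0/0"),
    "DMZ":        ipaddress.ip_network("192.168.1.0/24"),
    "inside_net": ipaddress.ip_network("192.168.73.0/24"),   # hypothetical name
}


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(tokens, i, objects):
    """Consume one address operand at tokens[i]: any | object NAME | host A | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2   # addr mask


def parse_acl(lines, objects=OBJECTS):
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST' lines in order."""
    rules = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2] != "extended" or t[4] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, i = _operand(t, 5, objects)
        dst, _ = _operand(t, i, objects)
        rules.append(Rule(t[3], src, dst))
    return rules


def egress_interface(dst):
    """Longest-prefix match of dst against the connected and default networks."""
    dst = ipaddress.ip_address(dst)
    cands = [n for n, (_, net) in INTERFACES.items() if dst in net]
    return max(cands, key=lambda n: INTERFACES[n][1].prefixlen)


def decide(ingress, src, dst, acl=None):
    """Verdict for a new connection entering `ingress`; returns (action, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = egress_interface(dst)
    if acl is None:                       # implicit security-level behaviour
        if INTERFACES[out][0] < INTERFACES[ingress][0]:
            return "permit", f"implicit: {ingress} -> {out} is downhill"
        return "deny", f"implicit: {ingress} -> {out} is not downhill"
    for n, r in enumerate(acl, 1):        # first match wins
        if src in r.src and dst in r.dst:
            return r.action, f"ACL line {n}: {r.action} {r.src} -> {r.dst}"
    return "deny", "implicit deny at end of ACL"


def shadowed_rules(acl):
    """(later_line, earlier_line) pairs where the later rule can never match."""
    hits = []
    for j, later in enumerate(acl, 1):
        for i, earlier in enumerate(acl[:j - 1], 1):
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                hits.append((j, i))
                break
    return hits


# The ACL applied inbound on dmz in the posted config: it only permits traffic to the DMZ itself.
POSTED_ACL = parse_acl(["access-list dmz extended permit ip object obj_any object DMZ"])
# Michael's ordering: deny toward inside first, then permit everything else.
FIXED_ACL = parse_acl([
    "access-list dmz_in extended deny ip any object inside_net",
    "access-list dmz_in extended permit ip any any",
])
REVERSED_ACL = list(reversed(FIXED_ACL))   # same lines, wrong order

if __name__ == "__main__":
    for name, acl in [("no ACL", None), ("posted", POSTED_ACL),
                      ("fixed", FIXED_ACL), ("reversed", REVERSED_ACL)]:
        for dst in ("8.8.8.8", "192.168.73.5"):
            print(f"{name:9} dmz -> {dst:13}", *decide("dmz", "192.168.1.110", dst, acl))
        if acl:
            print(f"{name:9} shadowed rules: {shadowed_rules(acl)}")
```

Running it shows the three states side by side: with no ACL the DMZ host reaches 8.8.8.8 but not inside; with the posted one-line ACL it reaches neither (the Internet-bound flow falls through to the implicit deny); with the deny-then-permit ordering it reaches the Internet and not inside; and with the lines reversed the `deny` is never consulted, which `shadowed_rules` reports as line 2 shadowed by line 1. That last check is the one worth running over any ACL before applying it.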

  • ASA 5505 Site-to-Site VPN to remote dmz access

    I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
    I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
    Let's call:
    Site 1 LAN: 192.168.1.0
    Site 2 LAN: 192.168.2.0
    Site 2 DMZ: 172.16.2.0
    Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in Site 2's LAN (192.168.2.0/24).
    Recently, I added a UniFi WAP device to the Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP, IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8", source interface DMZ to any destination interface. This of course created 2 "Network Object" NAT rules.
    I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site-to-site VPN), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
    Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in Site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up with a green checkmark; the packet is allowed. So why do I have no contact?
    I apologize, as I realize ASDM isn't what most of you probably use. But does anyone have any ideas? I've been researching this for about 4 hours now; perhaps I'm barking up the wrong tree.
    Thanks,
    Garrick

    Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site-to-site VPN. I can't let any other traffic through except this one IP. I currently have it NAT'd.
    ASA Version 8.4(1)
    no names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.21.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address -OMITTED- 255.255.255.248
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.16.21.1 255.255.255.0
    interface Ethernet0/0
    description Outside WAN1 port
    switchport access vlan 2
    interface Ethernet0/1
    description Inside LAN port
    interface Ethernet0/2
    description Inside LAN port
    interface Ethernet0/3
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/4
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/5
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/6
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/7
    description Outside DMZ port
    switchport access vlan 3
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    clock timezone
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name -OMITTED-
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network net_SITE1_lan
    subnet 192.168.1.0 255.255.255.0
    object network net_SITE2_lan
    subnet 192.168.21.0 255.255.255.0
    object network net_SITE1_dmz
    subnet 172.16.1.0 255.255.255.0
    object network net_SITE2_dmz
    subnet 172.16.21.0 255.255.255.0
    object network SITE2_DMZ_WAP
    host 172.16.21.2
    object network 192.168.21.8
    host 192.168.21.8
    description FOR SITE2 WAP
    access-list inside_access_in extended permit ip object net_SITE2_lan any
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
    pager lines 24
    logging enable
    logging buffer-size 16384
    logging buffered notifications
    logging asdm notifications
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside 192.168.1.35 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 15
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-643.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SITE2_DMZ_WAP
    nat (dmz,any) static 192.168.21.8
    nat (inside,outside) after-auto source dynamic any interface
    nat (dmz,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http server idle-timeout 60
    http 192.168.0.0 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    snmp-server host inside 192.168.1.35 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
    crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
    crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
    crypto map CMAP_OUTSIDE 1 set reverse-route
    crypto map CMAP_OUTSIDE interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    ssh version 2
    console timeout 60
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd dns 192.168.2.2 192.168.1.6 interface inside
    dhcpd lease 34000 interface inside
    dhcpd domain -DOMAIN OMITTED- interface inside
    dhcpd update dns both interface inside
    dhcpd address 172.16.21.100-172.16.21.200 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd lease 34000 interface dmz
    dhcpd enable dmz
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server -NTP SERVERS OMITTED-
    ntp server -NTP SERVERS OMITTED-
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username -OMITTED- password -OMITTED- encrypted privilege 15
    tunnel-group -IP OMITTED- type ipsec-l2l
    tunnel-group -IP OMITTED- general-attributes
    default-group-policy GroupPolicy1
    tunnel-group -IP OMITTED- ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 5
    class-map netflow-export-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    class-map QoS_RDP
    match access-list QoS_RDP_Server_Branch
    class-map QoS_EA
    match port tcp eq 2000
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect http
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ip-options
      inspect ipsec-pass-thru
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect snmp
      inspect xdmcp
    class netflow-export-class
      flow-export event-type all destination 192.168.1.35
    class QoS_RDP
      priority
    class QoS_EA
      priority
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Logoff

  • Server 2012 Clustered Hosts - How can I place a Hyper-V Guest in the DMZ?

    I have 3 Server 2012 Hyper-V clustered hosts. I've been recently asked to create a VM where external parties will have local admin rights. I've been resisting things for a variety of IMO valid security reasons. What I'm trying to understand is if it would be possible to build a guest VM that was not part of our domain and put it in our firewall's DMZ zone. In this way these folks could be local admins but there'd be no connection with the internal network.
    In a single host environment, if I'm understanding things correctly, I'd create an external type virtual switch, connect it to a specific physical network card on my host and then connect that card to my switch's DMZ port. But my environment is clustered... does that mean I'd designate a physical network card on all 3 hosts, connect them all to the same named external virtual switch and plug all 3 in to DMZ ports on my firewall? Could I also, instead of plugging all 3 in to DMZ ports on my firewall, plug all 3 into some little rinky dink 4 port gigabit switch and then plug that in to my firewall's DMZ port?

    Hi,
    When your guest VM is using the external vSwitch, it can be considered as the physical host; therefore it has the physical network features. In the DMZ zone we often create a dedicated subnet for security reasons. Therefore a dedicated NIC is needed; it will be used for the Hyper-V host VLAN settings.
    When considering Hyper-V for server consolidation in a DMZ it is recommended not to run VMs of vastly differing trust levels on the same physical host in production environments (i.e. do not consolidate all DMZ boxes on one physical host).
    Instead, the recommendation is to consolidate all the front-end boxes on one physical server and do the same for the back-end, depending on the workloads.
    More information:
    Hyper-V 2008 R2: Virtual Networking Survival Guide
    http://social.technet.microsoft.com/wiki/contents/articles/151.hyper-v-2008-r2-virtual-networking-survival-guide.aspx
    Hyper-V: What are the uses for different types of virtual networks?
    http://blogs.technet.com/jhoward/archive/2008/06/17/hyper-v-what-are-the-uses-for-different-types-of-virtual-networks.aspx
    Understanding Networking with Hyper-V
    http://www.microsoft.com/downloads/details.aspx?FamilyID=3FAC6D40-D6B5-4658-BC54-62B925ED7EEA&displaylang=en&displaylang=en
    VLAN Settings and Hyper-V
    http://blogs.msdn.com/virtual_pc_guy/archive/2008/03/10/vlan-settings-and-hyper-v.aspx
    Hope this helps.

  • DMZ Issue

    I'm using a RV320 and have a puzzling issue.  I would like to provide DHCP for the DMZ network but I can't get it to work.  I created a VLAN, assigned the DMZ to that subnet by giving it an address in that subnet, but it is not passing out addresses to the devices connected to the DMZ port.  I'm stumped - does anyone know what I am missing?

    Hi,
    If you are using the option Enable DMZ from the Network menu, over there you have 2 options - to put a subnet or a range of IPs. But the 2 options require you to put a public IP or IPs. Then on the DMZ port you plug in the machine which will receive this traffic and you configure this machine with this same public IP.
    This router does not support NAT on the DMZ zone - what I mean is that you cannot assign a VLAN with DHCP to the DMZ zone. This feature is supported only by the SA500 and ISA500 from the small business range.

  • SERVERS ON DMZ

    Hello all,
    I have a Cisco ASA 5545 on which the DMZ port is connected to a 2960 switch. Also I have two servers connected to the L2 switch which need to be routed to the Internet.
    My question is: can I make these two servers access the internet through the single DMZ port? Also these servers are connected to the switch on the same VLAN and the switch in turn to the DMZ port of the firewall.
    Thanks

    Yes, just give them an IP from the subnet used for that VLAN and use the DMZ interface on the ASA as their default gateway.
    Then depending on the access you need, set up the NAT statements and the ACL rules.
    If you want external access you will need static NAT entries and allow the traffic in an ACL applied inbound to your outside interface.
    If you just want the servers to be able to go out to the internet then you need a dynamic NAT statement and no need for an ACL.
    Jon
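    The NAT and ACL pieces Jon describes, written out as an added ASA 8.3+ configuration example (not from the original post or from Cisco), plus an optional DMZ-side ACL that keeps DMZ hosts away from the inside network. Interface names, object names, the inside range 10.0.0.0/8 and the addresses (RFC 5737 documentation ranges) are all assumptions:

```text
! Added example, not from the original thread. All names and addresses are assumed.
! DMZ interface: the 2960 switch (and both servers) hang off this port.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Server that must be reachable from the Internet: static NAT to one public address.
object network dmz-web-server
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10
!
! Whole DMZ subnet going out to the Internet: dynamic PAT behind the outside address.
object network dmz-subnet
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Inbound ACL on outside. With 8.3+ NAT the ACL matches the real (untranslated) address.
access-list outside_access_in extended permit tcp any object dmz-web-server eq 443
access-group outside_access_in in interface outside
!
! DMZ-side ACL: let the servers out, but block DMZ-initiated traffic to the inside
! network (10.0.0.0/8 assumed) so a compromised DMZ host cannot reach it.
access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
```

    Once an ACL is applied to the dmz interface, the implicit permit from the higher security level no longer applies, so the final permit line is what lets the servers out.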
