'Logical' DMZ?

I have an ASA 5510 and I need to implement a DMZ.  I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch.  So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up.  Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)?  I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct?  If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)?  And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port like creating SVIs on a L3 switch, correct?  If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging.  I'll try to get a diagram together that addresses this more clearly.
Regards,
Scott

@Jeff
The problem isn't so much on the server side as much as it is on the ASA side.  If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:
interface GigabitEthernet0/0
     description Outside
     ip address 192.168.1.1 255.255.255.0
     nameif Outside
     security-level 0
interface GigabitEthernet0/1
     description Inside
     ip address 192.168.2.1 255.255.255.0
     nameif Inside
     security-level 100
interface GigabitEthernet0/2.10
     description DMZ
     vlan 10
     nameif DMZ
     security-level 50
interface GigabitEthernet0/2.??
     description Inside
     vlan ??
     nameif Inside-Too
     security-level ??
Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with.  I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1.  I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside.  The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.
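Added example, not part of Scott's post and not anything the ASA itself provides: a small Python lint that reads ASA interface stanzas and reports the two things the post runs into, an address overlap between interfaces (which the ASA refuses) and sub-interfaces that are not yet complete, then states the default policy between zones from their security levels. The config it parses is constructed here, modelled on the one above: the second "inside" sub-interface Gig0/2.20 is given 192.168.2.2/24, which collides with Gig0/1, and Gig0/2.30 stands in for the half-written "Gig0/2.??" stanza. All interface names and addresses in the sample are assumptions for illustration.

```python
"""Lint ASA interface stanzas for overlapping subnets and incomplete
sub-interfaces, and report the default inter-zone policy from
security levels. Added example; the sample config is constructed."""
import ipaddress
import re
from itertools import combinations

# Constructed sample modelled on the post. Gig0/2.20 ("Inside-Too") is
# addressed inside Gig0/1's 192.168.2.0/24, which the ASA rejects;
# Gig0/2.30 is a sub-interface left half-configured.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2.10
 vlan 10
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2.20
 vlan 20
 nameif Inside-Too
 security-level 100
 ip address 192.168.2.2 255.255.255.0
interface GigabitEthernet0/2.30
 vlan 30
 nameif Lab
"""

STANZA = re.compile(r"^interface\s+(\S+)$")


def parse_interfaces(config):
    """Return {interface: {field: value}}; 'ip' is an ipaddress.IPv4Interface."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = STANZA.match(line)
        if m:
            current = {"sub": "." in m.group(1)}   # sub-interfaces carry a .N suffix
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) >= 4:
            # ASA writes 'ip address A.B.C.D MASK'; ipaddress accepts 'A.B.C.D/MASK'
            current["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] in ("nameif", "vlan", "security-level") and len(parts) > 1:
            current[parts[0]] = parts[1]
    return interfaces


def find_overlaps(interfaces):
    """Interface pairs whose subnets overlap. The ASA refuses the second
    'ip address', which is why a second inside sub-interface cannot share
    Gig0/1's subnet and needs its own."""
    addressed = [(n, d["ip"].network) for n, d in interfaces.items() if "ip" in d]
    return [(a, b) for (a, na), (b, nb) in combinations(addressed, 2) if na.overlaps(nb)]


def find_incomplete(interfaces):
    """Sub-interfaces still missing a field the ASA needs before the zone
    can pass traffic: vlan, nameif, security-level and an ip address."""
    out = []
    for name, d in interfaces.items():
        if not d["sub"]:
            continue
        missing = [f for f in ("vlan", "nameif", "security-level", "ip") if f not in d]
        if missing:
            out.append((name, missing))
    return out


def default_policy(interfaces, src, dst):
    """Default treatment of a connection initiated from zone src to zone dst
    before any access-list: higher security-level to lower is permitted,
    lower to higher is denied, and equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured."""
    levels = {d["nameif"]: int(d["security-level"]) for d in interfaces.values()
              if "nameif" in d and "security-level" in d}
    s, t = levels[src], levels[dst]
    if s > t:
        return "permit"
    if s < t:
        return "deny: needs an access-list on " + src
    return "deny: needs same-security-traffic permit inter-interface"


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for a, b in find_overlaps(ifs):
        print(f"overlap: {a} and {b}")
    for name, missing in find_incomplete(ifs):
        print(f"incomplete: {name} is missing {', '.join(missing)}")
    for src, dst in (("Inside", "DMZ"), ("DMZ", "Inside"), ("Inside", "Inside-Too")):
        print(f"{src} -> {dst}: {default_policy(ifs, src, dst)}")
```

Run against the sample it reports the Gig0/1 / Gig0/2.20 overlap and the unfinished Gig0/2.30, and shows that a second inside zone at security-level 100 still needs same-security-traffic permitted (or a lower level plus an access-list) before hosts on it can reach the original Inside.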

Similar Messages

  • DMZ VLANs in the Data Centre - Physical or Logical Seperation

    I am building a new DMZ in my Data Centre and I'm looking at the merits of Logical Separation rather than Physical Separation.
    Instead of putting in some new DMZ Switches and then physically cabling all the DMZ devices and Servers to these switches so that these are physically separate from the rest of the DC, I'm thinking of connecting them up to the existing DC Switches and just using a different set of VLANs with the routed interface for these on Physical Firewalls.
    Can people please apprise me of the concerns or issues with this? Are there any articles or design papers on this?
    Thanks

    Come on guys I expected someone to at least make some form of comment!
    It looks like either the community doesn't know or doesn't care!

  • Logical Network not showing up in Cloud Settings

    In my SCVMM environment, I had the default Logical Network that gets added as soon as you add a cluster or host into it. Since I wanted more Networks like a DMZ Network and Networks based on Departments, I went ahead and created those in the Logical Network
    and defined IP Pools in it so that when I provision a Virtual Machine through Windows Azure Pack, users can see all the Networks.
    I am facing a problem when I try to add the Logical Networks in the Cloud.  I am only seeing the default Logical Network and am unable to see the Logical Networks that I created manually.  What could be the reason?  How can I troubleshoot it?

  • SCVMM Logical switch setup from not using SCVMM

    I'm playing around with SCVMM 2012 SP1 with my Hyper-V 2012 setup. I have a test server but I'm looking at migrating from the way I was doing things to the way SCVMM does things (with logical switch and multiple virtual network adapters per VLAN)
    This is how I currently have my production setup:
    Each Hyper-V host has two nics
    Those two nics are teamed together using Windows 2012 Teaming (Hyper-V port, switch independent)
    They were not configured with SCVMM
    The Hyper-V virtual switch is named "Trunk"
    All VM's are part of the Trunk virtual switch and tagged on the guest level
    What I'm trying to do after watching this video: http://technet.microsoft.com/en-us/video/tdbe13-network-management-in-system-center-2012-sp1-vmm.aspx
    Created my logical network "Datacenter"
    Added my three VLANs to the Network site: (VLAN 1 is management, VLAN 10 is client, VLAN 505 is DMZ)
    Created my Native Port Profile with HyperVPort and Switch Independent and mapped it to my network site and used the Datacenter logical network (DID NOT check network virtualization.. don't want to use that)
    Created my logical switch with uplink mode TEAM and bound to my uplink port profile
    Now on my test host:
    I broke the existing TEAM I had. So now it is a server with two nics and the IP it had on one nic (10.10.0.207)
    Went to properties of VM
    Virtual Switches -> New Logical Switch -> Mapped to my "datacenter" logical switch, picked both physical adapters and mapped to my only uplink port profile I have
    New Virtual Network Adapter
    Name: Management, checked "this adapter inherits settings from physical", mapped to my Management Network, set to "Host Management" port profile
    New Virtual Network Adapter
    Name: Client, adapter inherits is not checked, mapped to my Client Network, set to medium bandwidth port profile
    However when I do this:
    Error (2940)
    VMM is unable to complete the requested file transfer. The connection to the HTTP server HYPERV07.mgmt.local could not be established.
    Unknown error (0x80072ee2)
    Recommended Action
    Ensure that the HTTP service and/or the agent on the machine HYPERV07.mgmt.local are installed and running and that a firewall is not blocking HTTP/HTTPS traffic on the configured port.
    What I noticed:
    I never lose connectivity to the host during this process
    Always fails at 65%
    Is this because I don't have a dedicate NIC for management? Also would there be an easy way to migrate from how my production is setup to what I'm trying to do?

    I am actually just finishing up but I redeployed and went to 2012 R2. It seemed to be able to do it.
    What I did was created one logical switch with one vSwitch (which is a trunk). Then multiple VM Networks that have the different VLAN ID's.
    It seemed to work OK except during the creation it wouldn't tag VLAN 1 on the vSwitch when it created it, which was needed for it to communicate on my network. Once I saw it created it and lost connectivity I manually put the VLAN 1 on the vSwitch and set the
    IP address for the host.
    So far seems ok but I'm still associating VM's with the Logical Switch I setup and bringing everything back up... 

  • How to segment traffic in a DMZ scenario

    I had two customers looking for this. In other blades, they have the ability to hook up to 8 NICs to a switch and then that switch(es) can be in DMZ1, DMZ2, internal etc. So basically they are able to do physical segmentation of their vhosts on ESX via physical NICs. Since UCS has only one NIC we have to trunk multiple VLANs down and logically segment or use PALO, but it's still not a physical segmentation. The only way I can think this would work is to use a UCS uplink port into, say, the DMZ as an access port. Then configure the vNICs on the server as access ports in the DMZ VLAN. Finally pin the server to a FEX and traffic should enter the FI on the uplink in that VLAN, hit the DMZ VLAN on UCS and go down the pinned FEX to the server. Obviously there are a whole lot of issues such as ESX management traffic, vMotion traffic, and really only one link can be used so scaling is a huge issue. With a small customer with a couple of servers in a DMZ that could work.
    The other way is using the 1000v in conjunction with the PALO and VN-Link to tag traffic. Then you could use the 1000v to set up ACLs to segment traffic in a sort of SMT fashion or possibly use vShield. I really don't have any hands-on with vShield or worked with VN-Link; wondering if anyone else has tried a similar scenario.

    Hi
    With the M81KR (VIC) adapter you could create multiple vNICs and assign them to different vSwitches/uplink port profiles etc. to provide segmentation.
    Going out of the UCS system, you could use pinning (as long as your upstream is not a disjoint Layer 2 in EHM) to deterministically route traffic.
    When one looks at DMZ isolation etc., a lot of it depends on the environment one is looking at.
    Nexus 1000v has a guide published at http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf (not UCS specific) on how to achieve this using different port groups (VLANs essentially)/uplink port profiles/ACLs/PVLANs etc., and you could apply it to a UCS environment with the M81KR.
    The various vNICs presented to the hypervisor or bare metal OS are distinct PCI entities, but as you correctly mentioned they are not physically segmented going out to the fabric. For example, you create 4 vNICs on Side A. They will all go on the same IOM-FI link, as in UCS, HIF (the interfaces downwards from the IOM) to FI link pinning is followed, not vNIC to FI link pinning. The full-width blades (with 2 adapters) give you more choices though, as the number of HIFs is greater.
    Hope it helps.
    Thanks
    --Manish

  • Logical architecture+best practice

    Hi,
    what do these mean for you regarding Oracle applications:
    1-logical architecture
    2-best practice
    Regards.

    1-logical architecture -> I assume the technical architecture for deployment of Oracle Applications (Single node, multi node, HA, DMZ configuration etc.)
    2-best practice -> Best Practices in each function within maintaining and implementing Oracle Applications, like best practice for Upgrades, Cloning, Patching etc.
    Sam
    http://www.appsdbablog.com

  • Changing the Logical network of a VM network

    I have 3 x 2012 R2 hyper-V hosts in the same data centre.
    They are stand-alone and some virtual machines use Hyper-V replica.
    Each host has 4 NICs, 1 for management (not available to Hyper-V), 1 for "external" services (physically plugged into DMZ switch) and 2 for internal services.
    In SCVMM, under the "VM Networks" node, I can see External, Internal1 and Internal2, each are associated with a logical network that auto-created by SCVMM.
    I would simply like to use "External" and "internal" as my logical networks. I have created these logical networks, associated the IP ranges, but am unable to change association in the "VM networks" area.
    What am I doing wrong ?
    Thanks.

    Hi Sir,
    Yes, you cannot change that association in "VM networks".
    I would suggest you refer to the following article regarding "Configure NIC teaming using VMM":
    http://blogs.technet.com/b/privatecloud/archive/2013/04/03/configure-nic-teaming-and-qos-with-vmm-2012-sp1-by-kristian-nese.aspx
    It will help you understand the function of the common "network configuration" part.
    Best Regards,
    Elton Ji
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

  • DMZ and application restriction

    Here's our setup/situation:
    - 1 Oracle database with APEX 2.2 installed inside our firewall with several applications
    running on it, 1 of which will be accessed from the internet.
    - 1 Apache 2.0 web server in our DMZ that accesses the APEX internal web server
    using ProxyPass for /pls/htmldb and /i.
    - we are trying to figure out how we can restrict access to the one application, app 111, that
    people will need to get to from the internet. Right now they can simply change the app
    # in the URL to get to the other applications. We're taking a look at mod_rewrite but
    it's been a slow, tedious process so far.
    So, I'm curious how other people have solved this issue and the various bumps in the road that you encountered. Any and all advice, tips, and solutions are welcome.
    Thanks

    D-Shizzle,
    Here is a possibility.
    RewriteEngine on
    # refuse HTTP TRACE
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    # Prevent direct access to the application 100. The app id lives in the
    # query string, which a RewriteRule pattern never sees, so test it in a
    # RewriteCond; the rule then matches the APEX entry point itself.
    RewriteCond %{QUERY_STRING} !NLS_LANG
    RewriteCond %{QUERY_STRING} ^p=100(:|&|$) [NC]
    RewriteRule ^/pls/htmldb/f$ https://www.yourdomain.com/ [R,L]
    I've seen a similar rewrite rule work for a non-APEX application. I'm not an Apache expert and don't have an environment to test this logic in, so you'll have to test...
    Is it possible for you to have two proxy servers? One to handle external traffic and another for internal traffic? On the externally faced server you could investigate ProxyPass logic specific for your external need.
    Like I said I'm not an expert, just giving ideas. Once you get your solution working it would be interesting to see the code. I can see the same requirement being requested where I'm working.
    Todd
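Added example, not code from the thread or from APEX: the allowlist the DMZ proxy needs, written in Python so the edge cases can be exercised. It parses the application id out of the f?p= parameter and admits only the ids in the allowlist, which is the inverse of blocking known apps one by one. The entry path and the /i/ static prefix are the ones the post says it proxies; app 111 as the only public application is taken from the post; the constructed URLs are test input only. It covers GET URLs; APEX form submissions go to wwv_flow.accept with the app id in the POST body (p_flow_id), so a real proxy must apply the same test to the form body or the public app's forms stop working.

```python
"""Allowlist filter for APEX URLs at a DMZ reverse proxy: admit only the
application id(s) meant to be reachable from the internet by parsing the
id out of f?p=, not by matching raw URL text. Added example."""
from urllib.parse import urlsplit, parse_qs

APEX_ENTRY = "/pls/htmldb/f"     # from the post's ProxyPass for /pls/htmldb
STATIC_PREFIX = "/i/"            # APEX image path, also proxied in the post
ALLOWED_APPS = {"111"}           # assumption from the post: only app 111 is public


def apex_app_id(url):
    """Application id (or alias) from an APEX URL, or None when the request
    is not an f?p= call, has no p= parameter, or carries more than one."""
    parts = urlsplit(url)
    if parts.path.lower() != APEX_ENTRY:
        return None
    # Parameter names are compared case-insensitively on purpose: mod_plsql
    # binds them to PL/SQL arguments, so 'P=' is treated as an alias of 'p='.
    values = [v for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
              if k.lower() == "p" for v in vs]
    if len(values) != 1:
        return None   # missing, or duplicated: don't guess which copy APEX reads
    # p=APP:PAGE:SESSION:REQUEST:DEBUG:CLEAR:ITEMS:VALUES; first field is the app
    return values[0].split(":", 1)[0].strip()


def is_allowed(url, allowed=ALLOWED_APPS):
    """True when the proxy should forward this GET to the internal APEX server."""
    if urlsplit(url).path.startswith(STATIC_PREFIX):
        return True   # images/css/js carry no application context
    app = apex_app_id(url)
    return app is not None and app in allowed


def substring_check(url):
    """The shortcut to avoid (constructed for comparison, not from the thread):
    a substring test on 'p=111' also admits p=1110, p=111x and p=100&p=111."""
    return "p=111" in url


if __name__ == "__main__":
    for u in ("/pls/htmldb/f?p=111:1", "/pls/htmldb/f?p=100:1",
              "/pls/htmldb/f?p=1110:1", "/pls/htmldb/f?p=111:1&p=100:1",
              "/pls/htmldb/f?P=100:1", "/i/apex_logo.gif"):
        print(f"{u:40} allowlist={is_allowed(u)!s:5} substring={substring_check(u)}")
```

An allowlist keyed on the parsed id is also what makes Todd's "separate external proxy" suggestion safe to operate: the external proxy forwards only the public app, and adding a second public app is a one-line change to the set rather than a new rewrite rule per internal app.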

  • IDS 4215, right place for a sniffing interface (DMZ or LAN)

    I have got at work this sensor with two interfaces only, I have been asked to check that
    IDSWORK# show version
    Application Partition:
    Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47
    OS Version 2.4.18-5smpbigphys-4215
    Platform: IDS-4215
    one interface, Ethernet 0, connected to the switch in the DMZ, and Ethernet 1 connected to switch 4005. Logically I have to monitor the DMZ zone, not switch 4005 (since I have got only two interfaces, in my case). Am I right?
    That means Ethernet 0 should be for sniffing (monitoring) since it is connected to the DMZ, and interface 1 for command and control since it is connected to the 4005 switch, but according to Cisco's specification
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1051279
    Table 5-2
    FastEthernet0/0: Interfaces Supporting Inline VLAN Pairs (Sensing Ports)
    FastEthernet0/1: Interfaces Not Supporting Inline (Command and Control Port)
    Note: Cisco mentions FastEthernet, while the one I have got says Ethernet; does that make any difference?
    Since I have not done that configuration , it has been done by some one else, do I need to change that ?

    Looks like your IDS comes with basic ports (2 x Ethernet), with E0 as the C&C port, while E1 is the monitoring port.
    BTW, Ethernet/FastEthernet ports are actually the same.
    To monitor your DMZ segment, place E1 in that segment, while E0 goes on the inside segment where, besides directly managing the box from its web management GUI or CLI, you can probably use the basic VMS that is bundled free with it.
    And since you have a dedicated switch to host the whole DMZ segment, you can easily monitor (SPAN) the whole switch and send all traffic to the IDS.
    Whether or not you need to change the config, you probably need to check it out, at least to verify which signature(s) are enabled/disabled, which pc/mgt host is allowed to access the box and so on. It's good practice to check and review the config/setup again, as this is a security box that you need to trust to monitor and tell you about any possible threats, attacks or violations.
    HTH
    AK

  • OVM and DMZ

    We are deploying a new OVM environment and I would like to get the feedback on what the community thinks about putting the pool manager in the DMZ with the pool members....
    Better yet, what does the community think about putting any of the OVM components in the DMZ?
    Thanks!!
    Doug
    Here is the Logical Flow...
    DUAL ISP RUNNING BGP
    ------->
    Cisco 5540 ASA HA (FOR NAT)
    ----------->
    DMZ NETWORK SWITCH (FOR DMZ LB INTERFACE)
    ---------------->
    F5 BIGIP LOAD BALANCER (FOR PAT and LB)
    ------------------------>
    BACKEND LOAD BALANCER SWITCH (FOR HOST TRUNKING)
    ------------------------------>
    PHYSICAL SERVERS OVM POOL MEMBERS / POOL MANAGER / OVM MANAGER
    -------------------------------------->
    BACKEND NETAPP NFS STORAGE OVER PRIMARY INTERFACE
    Edited by: user12470398 on Jan 18, 2010 8:11 PM

    user9010393 wrote:
    We are deploying a new OVM environment and I would like to get the feedback on what the community thinks about putting the pool manager in the DMZ with the pool members....
    Better yet, what does the community think about putting any of the OVM components in the DMZ?

    Several of my clients run Oracle VM Servers in their DMZ. In that scenario, I recommend that Dom0 not be connected to the DMZ, i.e. it has no IP address on that network. Rather, the Dom0 and Oracle VM Manager are on a dedicated management network that has no access inbound from the Internet. The DomUs should be connected to DMZ-facing bridges. I would not run Oracle VM Manager in the DMZ. All communication from the Manager to the OVS servers is initiated by the Manager itself, so that can be inside your network.

  • Add interfaces to DMZ

    Hello Everyone
    I have a new ASA 5512 which does not allow me to use VLANs like I did with the previous version.  I have 3 interfaces: inside, outside and dmz.  I want to add another unused interface to my DMZ network instead of uplinking my dmz interface to a switch.  Before I could create a VLAN for the DMZ and then add the interfaces to that.  How can I have multiple interfaces on the same network?   I essentially want to make int gi0/3 into an access port on the dmz network.
    Thanks in advance

    Hi,
    To my understanding you won't be able to have 2 interfaces be part of the same subnet, since all the ports are routed ports instead of switch ports.
    You can configure a physical interface as a Trunk and configure the required VLANs on that Trunk. You can also configure an Etherchannel/Port-channel of multiple interfaces and use it as a Trunk (which would be the more logical choice with the new ASA5500-X series as they have better performance/throughput than the original ASA series).
    We have actually run out of allocated Vlan interfaces on an FWSM once. The device had so many virtual firewalls (Security Contexts) that we reached the 1000 interface cap on the device.
    - Jouni

  • EZ VPN client in DMZ and a router-on-a-stick

    Does anyone know if it is possible to use a Cisco 1811 as an EZVPN client
    while the router is setup with only one interface? I have a customer that
    requested their VPN router to us be setup in their DMZ with no public facing
    interface on the 1811 (VPN device). I usually configure our VPN
    configurations with an internet facing interface and a DMZ facing interface.

    I don't think it is possible with only one *logical* interface. Router as a EZVPN Client requires two interfaces to do PAT for traffic going to the Internet. So far as I know, this is autoconfigured in both Client and NEM modes and cannot be disabled. However you *can* use 802.1q trunk to create two *logical* interfaces and configure EZVPN Client, or just configure Site-to-Site on a stick.
    HTH

  • ASA5510 configuration to end VPN L2L and remote client in DMZ interface

    Hi,
    we have a Cisco ASA5510 with 3 interfaces.
    - Internet Interface with private addressing
    - DMZ Interface with public IP address
    - Internal interface.
    Our ISP route our public IP range to our Internet interface (with a 192.168.x.x).
    I'm trying to configure ASA5510 for L2L VPN and for Cisco VPN client server listening in the public IP@ assigned to the DMZ interface, but for the moment without success.
    Is it possible?. Any consideration to have into account?.
    I attach a diagram.
    I see packets UDP500 arriving to the Internet interface but there is no replies:
    172: 17:07:25.164115 81.223.31.240.50763 > X.X.X.X.500:  udp 1160
    (X.X.X.X is a public IP@ configured in the DMZ interface)
    Thanks a lot.

  • DMZ pattern with single HTTP server and OC4J separated

    I am new to Oracle products and I am trying to configure 9iAS Rel 2 for a JSP/servlet project and would greatly appreciate any comments or pointers to specific documents that may be helpful.
    I would like to use the DMZ pattern for a small application without clustering anything or installing Infrastructure. I would like to have just the HTTP server between the two firewalls and have the application server (hosting the business logic) and the database server (9i Rel 2) behind the second firewall. I want to keep this as simple as possible.
    Is there any way to install just an HTTP server (such as Apache) in between the two firewalls and have it direct requests to the Oracle 9i (Rel 2) application server (J2EE & Web cache installation) behind the second firewall?
    If that is not possible (due to the need for Oracle's HTTP server and mod_OC4J to forward requests), then I would assume that I would have to install a copy of 9iAS on the one machine between the two firewalls (so that I would have the Oracle HTTP server with mod_OC4J) and then install another copy on a machine behind the second firewall (to host the business logic). Is this correct?
    With those installations in place, would I then follow the modifications that are mentioned in "Scenario C: Routing (or clustering) Instances Across Firewalls" of the 'Oracle9i Application Server: mod_oc4j Technical Overview' (i.e modify the following files opmn.xml, ons.conf mod_oc4j.conf) so that the 9iAS in between the two firewalls ignores its OC4J and forwards requests the to 9iAS behind the second firewall? (I know that this document is talking about clustering which is what I do not want to do, but I can't find any information about trying to put a single instance of a HTTP server in the DMZ while having a single instance of OC4J behind the second firewall).
    Would a better approach be to install a copy of 9iAS in the DMZ and then install a stand-alone copy of OC4J behind the second firewall?
    Does mod_oc4j automatically install with the J2EE and Web cache installation of 9iAS Rel 2?
    Thanks for your insights,
    - David

    You're on the right track. You can't install just OHS or just OC4J separately, but you can get the end result you are looking for.
    Install an iAS instance (j2ee&webcache) in the DMZ and shut down all but the OHS process.
    Install a second iAS instance behind your firewall and shut down all but the OC4J process.
    You now have effectively what you want: OHS in the DMZ and OC4J on the intranet.
    Now if you follow the directions in the mod_oc4j overview doc, you modify the ons.conf by using the dcmctl commands
    getopmnport/addopmnlink
    Then you modify the mod_oc4j.conf using the instance:// tag to route requests from the OHS in the DMZ to the OC4Js
    on the intranet.
    You will need to open ports in the firewall for the AJP traffic between OHS and the OC4Js.

  • Logical GR in Third Party Process

    Hi Friends
    There is logical GR involved in third party process. What if we do not want to trigger it?

    Very useful thread for your question:
    stock not updating after doing MIGO (gr) for third party sales
    BR
    Raj
