Standalone CA setup in DMZ
Hi,
We are planning to set up a standalone CA server (workgroup) in the DMZ. Is it possible and recommended?
What are points that we should keep in mind while doing so?
We have an option to use Windows Server 2008 R2 Enterprise or Server 2012, please recommend.
Regards,
Tushar
Standalone CAs are best for DMZ implementations.
http://technet.microsoft.com/en-us/library/cc756989(v=WS.10).aspx I recommend using Server 2012 as it has some newer templates.
Here are some links to helpful blogs/articles/repositories on PKI that may guide you on what you're trying to accomplish overall.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Like Meinolf said, for specific questions feel free to hit us back up in the security forum or there are some of us with PKI expertise in the Directory Services forum as well.
Similar Messages
-
Every time I try to set up my DMZ I keep breaking the internet, can someone help
Hi,
Started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config all hosts on the network lose internet access. After 2 nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATting to free up a public IP from the NAT pool? (Sanitized config below)
: Saved
ASA Version 7.0(7)
hostname ASA
domain-name aaa.com
enable password Iliketurtles encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.20.10 255.255.254.0
interface Ethernet0/2
description Test DMZ for web4
shutdown
nameif dmz
security-level 25
ip address 10.1.35.1 255.255.255.0
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service camera tcp-udp
description https2000
port-object range 443 443
port-object range 2000 2005
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit esp host Virginia host 2.2.2.2
access-list outside_acl extended permit ah host Virginia host 2.2.2.2
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging asdm warnings
logging facility 22
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp permit any inside
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.1.20.0 255.255.254.0
nat (inside) 1 10.1.24.0 255.255.254.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 10.1.35.0 255.255.255.0
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password blahblahblah encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 outside
http 172.16.31.0 255.255.255.0 outside
http 100.100.100.0 255.255.255.0 outside
http 10.1.24.0 255.255.254.0 inside
http 10.1.20.0 255.255.254.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 100 match address ltl_irvine_to_va
crypto map outside 100 set peer Virginia
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group Virginia type ipsec-l2l
tunnel-group Virginia ipsec-attributes
pre-shared-key *
telnet 10.1.24.93 255.255.255.255 inside
telnet timeout 5
ssh 100.100.100.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
: end
Please add this ACL entry on the "outside_acl":
access-list outside_acl extended permit ip any host 2.2.2.14
Let me know if this helps.
thanks -
Hi Team,
We have a Windows 2008 AD infrastructure with a single domain, single forest and 30 remote AD sites with RODCs in them.
We are planning to set up an NTP server on a Windows 2008 server in the DMZ. Can someone help me with the steps for the setup?
What is the best practice for NTP architecture so that all DCs sync time from the NTP server and the NTP server syncs time from an external source?
Please suggest.
Hi,
Would you please tell us whether the plan of your security team has worked out?
Because based on what I understand, domain members will synchronize time from domain controllers while DCs will synchronize time from the PDC.
Here is a thread below about the best practices of time synchronization in a domain:
Time Sync best practices
http://social.technet.microsoft.com/Forums/windowsserver/en-US/043b1ebe-e7bc-40ca-91e0-174a6854808e/time-sync-best-practices?forum=winserverDS
Best Regards,
Amy -
All,
I am in the process of firming up our PI architecture. I am unsure of how the setup will work in the DMZ. The picture at the bottom of the link shows two Integration servers, B2B and A2A, in different zones.
http://help.sap.com/saphelp_nw04/helpdata/en/d9/ef2940cbf2195de10000000a1550b0/content.htm
Based on the figure my questions are :
1. Does this mean that we need to set up two different PI systems, one in each zone?
2. If not, then what is involved in setting up the connectivity between the two systems and what exactly is being configured on the B2B server?
Thanks
naghman -
Server setup in DMZ Environment
Hi,
I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
Proposed Setup
1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
2) There are 2 DMZ FWs separating the corporate (internal) and external environment.
3) The APP server and Jump server are placed behind the server switches.
Requirement
1) External customers need to access the Jump server and APP server over the Internet IPSEC VPN.
2) Internal (Corporate) users need to access the Jump server and App server.
3) Any user accessing the Jump server would need to be authenticated by a domain controller. The domain controller would be on the internal corporate segment.
Questions
1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
Appreciate your inputs.
Cheers
Mikey
Hi Mikey,
I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we use the DMZ zone/DMZ firewall for the server/hosting environment where external parties require access, for example a web server / application server.
So your design requires some change in order to have a better architecture.
internet
|
router
|
external SW
|
internet facing firewalls
|
DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall).
Internet facing Firewall
|
LAN Interface SW (Inside Interface of the firewall)
|
LAN FW (If you really want to keep it)
|
Corporate Network
Regards
Karthik -
SOA-INFRA server is not starting up D8B3 Standalone server setup
While starting the Managed Server I am hitting this error:
Caused By: oracle.mds.config.MDSConfigurationException: MDS-01330: unable to load MDS configuration document
MDS-01329: unable to load element "persistence-config"
MDS-01370: MetadataStore configuration for metadata-store-usage "OWSM_TargetRepos" is invalid.
MDS-00912: MDS repository is incompatible with the middle tier. Repository version "11.1.1.55.16" is older than minimum repository version "11.1.1.56.32" required.
at oracle.mds.config.PConfig.loadFromBean(PConfig.java:695)
at oracle.mds.config.PConfig.<init>(PConfig.java:504)
at oracle.mds.config.MDSConfig.loadFromBean(MDSConfig.java:692)
at oracle.mds.config.MDSConfig.loadFromElement(MDSConfig.java:749)
at oracle.mds.config.MDSConfig.<init>(MDSConfig.java:407)
at oracle.mds.core.MDSInstance.getMDSConfigFromDocument(MDSInstance.java:2011)
at oracle.mds.core.MDSInstance.createMDSInstanceWithCustomizedConfig(MDSInstance.java:1171)
at oracle.mds.core.MDSInstance.getOrCreateInstance(MDSInstance.java:571)
at oracle.adf.share.config.ADFMDSConfig.parseADFConfiguration(ADFMDSConfig.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.adf.share.config.ADFConfigImpl.getResultFromComponent(ADFConfigImpl.
Using ZIP DB as the SOA INFRA Dehydration Database, for example SCM_FUSION_SOAINFRA and FUSION_MDS etc.
While deploying the EAR it throws this error:
An error occurred during activation of changes, please see the log for details.
Message icon - Error weblogic.application.ModuleException:
Message icon - Error Substituted for the exception oracle.mds.exception.MDSExceptionList which lacks a String contructor, original message - MDS-01329: unable to load element "persistence-config" MDS-01370: MetadataStore configuration for metadata-store-usage "ess-cp-store-usage" is invalid. MDS-00912: MDS repository is incompatible with the middle tier. Repository version "11.1.1.55.16" is older than minimum repository version "11.1.1.56.32" required.
Your MDS repository and the middle tier seem to be at different patch levels. You need to patch the MDS repo or roll back the patches on the middle tier.
Regards,
Shanmu. -
Hello,
I am new to Cisco firewalls and am attempting to setup a DMZ on the firewall.
I have managed to create the interface and VLAN and IP address settings etc. But I'm a bit lost with the NAT settings and rules I need to create for it.
I need to be able to do the following:
- RDP access from inside network to the DMZ servers
- Internet access for the DMZ
I am also setting up Active Directory Federation and require HTTPS traffic from the following:
- DMZ HTTPS to outside (Office 365 Services)
- Outside HTTPS to DMZ (ADFS Servers on DMZ only)
- DMZ HTTPS to inside (ADFS Servers Only)
- Inside HTTPS to DMZ (ADFS Servers Only)
Running Config:
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
interface Ethernet0/2
switchport access vlan 3
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
Like I mentioned, I have already set up the DMZ itself but it's just the NAT and rules I'm struggling to get working.
Many Thanks
James
Hi,
If you have only an ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
You can confirm the License level with the "show version" command. It should read at the end of the output.
In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
no forward interface Vlan1
Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
OUTSIDE -> DMZ
INSIDE -> DMZ
Connection initiating should be possible.
So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
You already seem to have the Default PAT configuration for DMZ Internet traffic.
You don't have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even if your configuration were fine.
The correct NAT configuration to enable that traffic would be to use
static (inside,dmz) netmask
Repeat for all
EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet-bound traffic since the "security-level" loses its meaning after an ACL is attached to the interface.
- Jouni -
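Both ASA threads above have a static NAT whose mapped public address is never permitted by the ACL bound to the outside interface (the fix offered in the first thread was an explicit permit for 2.2.2.14). The following Python script is an added example, not code from either poster: it parses pre-8.3 ASA `static`, `access-list` and `access-group` lines and reports one-to-one statics that the mapped interface's ACL never permits. The embedded config excerpt is taken from the first thread; the parser is assumed to see only one-to-one statics, and object-group or interface destinations are treated as opaque and flagged for manual review.

```python
"""Audit a pre-8.3 Cisco ASA config for one-to-one static NAT entries whose
mapped (public) address is never permitted by the ACL on the mapped interface."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Excerpt of the ASA 7.0(7) config posted in the first DMZ thread above.
SAMPLE_CONFIG = """\
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
access-group outside_acl in interface outside
"""

# One-to-one statics only; port statics ("static (inside,outside) tcp ...") do
# not match this pattern and are skipped (assumption of this example).
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

# Port operators that may sit between source and destination -> tokens consumed.
PORT_OPERATORS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}
# Protocols that carry the service a static exists for (icmp/esp/ah permits don't).
SERVICE_PROTOCOLS = {"ip", "tcp", "udp"}

AddrSpec = Tuple[str, str]  # ("any", ""), ("host", ip), ("net", "net/mask"), ...


def _take_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one ASA address specification starting at tokens[i]."""
    kw = tokens[i]
    if kw == "any":
        return ("any", ""), i + 1
    if kw in ("host", "object-group", "interface"):
        return (kw, tokens[i + 1]), i + 2
    return ("net", f"{kw}/{tokens[i + 1]}"), i + 2  # network + dotted mask


def _dest_of(rest: str) -> Optional[AddrSpec]:
    """Destination spec of an ACE body (the text after the protocol)."""
    tokens = rest.split()
    try:
        _, i = _take_addr(tokens, 0)  # source address
        if i < len(tokens) and tokens[i] in PORT_OPERATORS:
            i += PORT_OPERATORS[tokens[i]]  # optional source port
        return _take_addr(tokens, i)[0]  # destination address
    except IndexError:
        return None


def _covers(dest: AddrSpec, ip: str) -> bool:
    """True if the ACE destination definitely includes ip; object-group and
    interface destinations are opaque here and count as not covering."""
    kind, value = dest
    if kind == "any":
        return True
    if kind == "host":
        return value == ip
    if kind == "net":
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
        except ValueError:  # named host rather than an address
            return False
    return False


def parse_config(config: str):
    """Return (statics, acls, bindings) from the relevant config lines."""
    statics, acls, bindings = [], {}, {}  # bindings: interface -> ACL name
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip, _mask = m.groups()
            statics.append((real_if, mapped_if, mapped_ip, real_ip))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, _dest_of(rest)))
        elif m := GROUP_RE.match(line):
            acl_name, iface = m.groups()
            bindings[iface] = acl_name
    return statics, acls, bindings


def unreachable_statics(config: str) -> List[str]:
    """Mapped addresses that no permit on the mapped interface's ACL reaches.
    ACEs are evaluated first-match: a 'deny ip' covering the host before any
    permit blocks it; no bound ACL means the ASA drops the traffic by default."""
    statics, acls, bindings = parse_config(config)
    flagged = []
    for _real_if, mapped_if, mapped_ip, _real_ip in statics:
        permitted = False
        for action, proto, dest in acls.get(bindings.get(mapped_if, ""), []):
            if proto not in SERVICE_PROTOCOLS or dest is None or not _covers(dest, mapped_ip):
                continue
            if action == "permit" or proto == "ip":  # first permit or 'deny ip' decides
                permitted = action == "permit"
                break
        if not permitted:
            flagged.append(mapped_ip)
    return flagged
```

Run against the sample, it reports 2.2.2.14 only; appending the permit line suggested in the first thread clears it.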
How to setup DMZ on Watchguard XMT 330
Hi PCITech, there is nothing that could be directly called a 'DMZ' as you find it on some low-end routers. Instead you have network interfaces, each of which may represent its own full-blown network (if you set them up for that). By default WatchGuard allows you to select between 'trusted' and 'optional' for a new network that you configure, but you can also select 'custom'. Later, when you write firewall rules, you can then reference 'Any-Trusted' and 'Any-Optional' in your rules. But sometimes you don't want a network to follow the rules that you have in place for 'Any-Optional', and then you need to set that network as a 'Custom' network. If you want to make a server in one of these additional networks accessible by the outside world, you have to set up SNAT rules that connect between an external interface IP/port and your internal...
Hello,
I'm either blind or over-worked (probably both) but I can't seem to find how to set up a DMZ on the XTM 330. I need to add an Avaya IP phone system and don't want to try using SIP because the vendor said they need no NAT.
Can someone please either direct me to the correct spot in the documentation or tell me how to do it?
Thanks in advance
This topic first appeared in the Spiceworks Community -
Accessing E-business suite in another network without configuring DMZ
Hi
How can I enable access to E-Business Suite externally or from a different location? I don't want to set up the DMZ configuration and reverse proxy. Our company has another remote branch and they are not in the same network. How can they access the E-Business Suite without enabling DMZ and reverse proxy? Is there anything like making the IP of the Apps server public that will solve the issue?
rgds
rosh
To make it public, you just need to change the IP address of the application and the database servers to the real one and follow the steps in the following notes. Once you are done, the system will be accessible to the users.
Note: 338003.1 - How to change the hostname and/or port of the Database Tier using AutoConfig
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=338003.1
Note: 341322.1 - How to change the hostname of an Applications Tier using AutoConfig
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=341322.1 -
Needing to create a DMZ zone/vlan on a small ASA.
Hopefully an easy question as this is not my forte.
I have a small ASA-5505 running 8.2(2).
I have 2 vlans
inside 192.168.58.0/24 – security level 25
outside 25.65.25.134/30 – security level 0
I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me.
How do I set up a DMZ zone to account for this block when I am connecting over a /30 network?
Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
So you can then either allocate the public IPs to the actual machines, in which case you need one IP for the DMZ interface on the ASA, or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
Up to you, but you don't need to assign any IP from the new block to an actual interface if you don't want to.
Jon -
- How do I set up a DMZ zone with a PIX 501 firewall? Do I need to use an additional router? I have a Cisco 1605 at my disposal.
- If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
(We're using IPsec/GRE VPN between our 3 sites. We're on a W2K network.)
thanks,
oleg
When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (Ethernet) and an inside interface (available as a 4-port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.
-
How to setup a Default Playlist to Airport but allows BYOD playlist override?
Sorry for the unclear description.
Here is what I am trying to accomplish. I have my laptop or ipod playing a default playlist to my Airport express attached to my Stereo system. The music plays fine with no issues. I come into the house and want to play music from my iphone or ipad, I cannot connect or play to airport express since it is already sync'd or acquired by my laptop.
My goal is to have a default playlist playing all the time. When I, my kids, or anyone comes into the house they can have priority over my laptop to play their music. Then when they disconnect, stop playing music, or leave the house, the default playlist kicks back on and continues to play out the speakers via the Airport. I am trying to do this without manual human interaction.
I can do all of this manually like disconnect laptop, new device syncs to airport, then when they leave manually start playlist. But I am trying to figure out how to do this dynamically without human interaction.
Any ideas or solutions on how to get this to work?
Thanks!
T. -
I am trying to add a printer to complete an install, and the printer setup utility is gone-- vanished!! How can I get this restored? Any input is appreciated!!
moblest wrote:
I wish I had the install CD. I bought the computer refurbished ...
A reputable seller would include the original system disks. Some people consider it illegal to sell a used computer without them. Too late for that now...
How do I check for disk corruption?
Run Disk Utility, assuming it's still there. Click the disk and click "verify disk". You won't be able to repair it from there, but if something is obviously wrong with your disk it will tell you.
If it checks out ok, let's assume that you just accidentally deleted Printer Setup Utility.
Read that thread I referenced earlier... you'll find a link to a standalone Printer Setup Utility (courtesy of BDAqua):
http://web.fastermac.net/~bdaqua/PrinterSetupUtility.zip
It's identical to the one I have installed. -
DMZ and DHCP ????
Hi all: We have set up a DMZ off of our BM39 server. The only purpose of the DMZ is to allow a few clients relatively unencumbered internet access. We have had lots of problems with our BM proxy interfering with secure Citrix implemented by some partners we work with (hospitals).
We also have visiting review staff from drug companies as we do many drug studies. These visitors often need internet access and up to this point I have been placing them on our internal subnet. But I am rethinking this and am considering moving our visitors to the DMZ instead.
To do this I want to set up a DHCP server on our BM server (done) to serve up addresses for the DMZ. However during testing the clients are not seeing the DHCP server. I suspect this is a filtering issue. I currently only have one set of filters for the DMZ which allows all traffic from the public interface to the DMZ and back.
I am assuming the DHCP server needs a filter to allow traffic but I have no idea what that would look like. Can you help me out? Thanks, Chris.
OK, got this working using Craig's filter book; glad to have purchased it.
>>> On 9/21/2009 at 11:05 AM, in message
<4AB75DE5.CE15.0032.0@N0_$pam.vrapc.com>,
Chris<cmosentine@N0_$pam.vrapc.com> wrote: