DMZ: Demilitarized Zone
The term comes from the buffer zone on the border between South Korea and North Korea, a strip of land that belongs to neither side. In networking, a DMZ is the part of the network where you place the services you want the public to reach, such as an FTP server, an e-mail server or a web server.
The purpose of a DMZ is to add a layer of security to an organization's LAN: an external host can reach only what is exposed in the DMZ, while the rest of the organization's network stays behind the firewall. There are several possible configurations; the one built here is a single-firewall network. The DMZ is an isolated network segment that can be reached from both the inside (private) network and the Internet (public) network, but it must not act as a transit point for traffic between the two: a host that compromises a DMZ server should gain no path into the private network.
Fig 1.0: single-firewall DMZ topology used in this project.
The figure above shows the DMZ configuration we have worked on in this project. There are many ways to design a network with a DMZ. The two most basic methods are:
1. Single firewall
2. Dual firewall
In this project we work with the single-firewall architecture. Both designs can be expanded into much more complex architectures depending on the network requirements.
A single firewall with at least three network interfaces can be used to build a DMZ. The external network (the public network or ISP link) connects to the first interface, the internal or private network to the second, and the DMZ to the third. The firewall gives each interface a security level: the inside is the most trusted, the outside the least, and the DMZ sits between them, so by default traffic may only flow from a higher level to a lower one and anything else has to be permitted explicitly. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as to the internal network.
Router configuration (the router that faces the ASA):
Router>en
Router#configure terminal
Router(config)#int Gig6/0
Router(config-if)#ip address 172.16.0.2 255.255.0.0
Router(config-if)#no shut
ASA basic configuration (hostname, domain name and clock):
ciscoasa>en
ciscoasa#conf t
ciscoasa(config)#hostname CISCOASA
CISCOASA(config)#domain-name ccnasecurity.com
CISCOASA(config)#clock set 22:16:00 Jan 28 2017
Now we configure the ASA interfaces. VLAN 1 (inside) gets the highest security level, 100, and VLAN 2 (outside) gets the lowest, 0. Each interface is selected, named, addressed and given a security level. For the inside interface:
CISCOASA(config)#int vlan 1
CISCOASA(config-if)#nameif inside
CISCOASA(config-if)#ip add 192.168.0.1 255.255.255.0
CISCOASA(config-if)#security-level 100
The same four commands, with nameif outside, the outside address and security-level 0, configure VLAN 2. The inside mask must be 255.255.255.0 so that it matches the inside-net object used for NAT below; a 255.0.0.0 mask would claim all of 192.0.0.0/8 and overlap the outside network, which the ASA rejects.
Now we configure a default static route out of the ASA outside interface so that the ASA can reach the external networks:
CISCOASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.200.1
Now configure address translation using PAT and a network object, so that inside hosts share the outside interface address when they go out. The object must name the network address, not a host address:
CISCOASA(config)#object network inside-net
CISCOASA(config-network-object)#subnet 192.168.0.0 255.255.255.0
CISCOASA(config-network-object)#nat (inside,outside) dynamic interface
CISCOASA(config-network-object)#end
Now modify the default MPF application-inspection global service policy so that ICMP is inspected; this lets echo replies for pings from inside hosts return through the ASA. The policy must be applied with the global keyword:
CISCOASA(config)#class-map inspection_default
CISCOASA(config-cmap)#match default-inspection-traffic
CISCOASA(config-cmap)#exit
CISCOASA(config)#policy-map global_policy
CISCOASA(config-pmap)#class inspection_default
CISCOASA(config-pmap-c)#inspect icmp
CISCOASA(config-pmap-c)#exit
CISCOASA(config)#service-policy global_policy global
Configure a named access list OUTSIDE-DMZ that permits ICMP and TCP port 80 from any external host to the DMZ server's IP address 10.0.0.2, and apply it to the ASA outside interface in the 'in' direction. Without this list the security levels deny everything arriving on the outside (level 0) that is bound for a higher-level interface. The list names the server's real (untranslated) address, as ASA 8.3 and later require; a static NAT entry that publishes 10.0.0.2 on the outside (not shown above) is still needed before external hosts can reach it.
CISCOASA(config)#access-list OUTSIDE-DMZ permit icmp any host 10.0.0.2
CISCOASA(config)#access-list OUTSIDE-DMZ permit tcp any host 10.0.0.2 eq 80
CISCOASA(config)#access-group OUTSIDE-DMZ in interface outside
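For reference, the single-firewall topology described above is given here as one complete ASA configuration. This is an added example, not the project's own configuration: it assumes ASA 5505-style VLAN interfaces, ASA software 8.3 or later (object NAT syntax), an outside interface address of 192.168.200.2/24 and a DMZ interface of 10.0.0.1/24, none of which the project text states, and it adds the third (dmz) interface, the static NAT that publishes the web server and an access list on the dmz interface, which the fragments above leave out.

```cisco
! Added example: complete single-firewall DMZ on an ASA (8.3+ NAT syntax).
! Assumed values not in the project: outside 192.168.200.2/24, dmz 10.0.0.1/24,
! ASA 5505 VLAN/switchport layout.
hostname CISCOASA
domain-name ccnasecurity.com
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.200.2 255.255.255.0
!
! On a 5505 with the base license a third VLAN may not initiate traffic to
! one other VLAN; pick inside, and do it before nameif or the command fails.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
! Ethernet0/0 is in VLAN 2 by default on a 5505; put one port in the DMZ VLAN.
interface Ethernet0/2
 switchport access vlan 3
!
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
!
! Inside hosts share the outside interface address (PAT) when they go out.
object network inside-net
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Publish the DMZ web server on the outside interface address, port 80 only.
! Access lists reference the real address 10.0.0.2, not the mapped one.
object network dmz-server
 host 10.0.0.2
 nat (dmz,outside) static interface service tcp www www
!
! outside (0) -> dmz (50) is lower-to-higher, so it is denied until permitted:
! allow only HTTP and echo requests to the server.
access-list OUTSIDE-DMZ extended permit tcp any host 10.0.0.2 eq www
access-list OUTSIDE-DMZ extended permit icmp any host 10.0.0.2 echo
access-group OUTSIDE-DMZ in interface outside
!
! Once an ACL is bound to dmz, a bare "permit ip any any" would override the
! security levels and let the DMZ reach inside. Deny inside first so a
! compromised server cannot pivot, then let the DMZ reach the Internet.
access-list DMZ-OUT extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZ-OUT extended permit ip any any
access-group DMZ-OUT in interface dmz
!
! inside (100) -> dmz (50) and inside -> outside are higher-to-lower and
! need no ACL. Inspect ICMP so echo replies for those pings are allowed back.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To check the design rather than trust it, run the ASA's built-in trace with constructed sample flows (203.0.113.5 is a documentation address standing in for an Internet host): `packet-tracer input outside tcp 203.0.113.5 12345 192.168.200.2 80` should report ALLOW with the destination translated to 10.0.0.2, while `packet-tracer input dmz tcp 10.0.0.2 40000 192.168.0.10 445` should report DROP at the DMZ-OUT access list, which is the "no transit through the DMZ" property the design requires.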
These are the steps needed to create a DMZ network. The complexity varies with the internal and external network configurations and with the type of DMZ architecture you use.