Summary


In this chapter, you leveraged the work you did in Chapter 5 and added a web and mail server to your secure network topology.

You started by reviewing the work done in Chapter 5, gaining a good understanding of the existing IP addressing and interface configuration on the ASA/PIX Security Appliance.

Then, you decided how and where to deploy the web and mail servers. Following security best practices, it was an easy decision to deploy the servers on an isolated (DMZ) interface on the ASA/PIX Security Appliance. This architecture ensured that if the servers were compromised, the attackers would not also be able to compromise hosts on the inside of your network unless they could get through the security appliance. Because the ASA/PIX Security Appliance is restrictive and does not allow traffic to be sourced from the DMZ to the inside network, this would be very unlikely.

After deciding on the topology, you defined IP addresses for the ASA/PIX Security Appliance DMZ interface, the servers in the DMZ, and the public addresses that Internet users would use.

You then physically connected the servers to the DMZ interface of the security appliance and verified connectivity between the servers.

After making the topology and address choices, you launched ASDM and entered commands to set up the DMZ and allow access for the new web servers. The following steps enabled you to complete this deployment:

  • You used the Startup Wizard to define address information and to enable the DMZ interface on the ASA/PIX Security Appliance.

  • You used the Configuration NAT panel to define the public addresses for the web and mail servers and translate them to their private DMZ addresses.

  • You used the Configuration Access Rules panel to allow HTTP and SMTP traffic from the outside interface of the ASA/PIX Security Appliance to the DMZ where the servers are located.
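One way to check that a saved configuration still matches the design summarized above, as an added example that is not taken from the book: the script flags outside permits that go beyond HTTP and SMTP to a translated DMZ server, and any DMZ permit toward the inside network. The addresses, ACL names, inside network and sample lines are constructed placeholders, and the parser handles only the command forms shown in the sample.

```python
# Constructed ASA/PIX 7.x-style lines; every address and ACL name is a placeholder.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq 3389
access-list dmz_access_in extended permit ip any 10.0.0.0 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

ALLOWED_PORTS = {"www", "80", "smtp", "25"}  # HTTP and SMTP, as in the chapter


def audit(config, inside_net="10.0.0.0"):
    """Return findings for permits that go beyond the summarized design.

    inside_net is an assumed inside network address, not a value from the book.
    """
    published, bound, permits = set(), {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["static", "(dmz,outside)"]:
            published.add(tok[2])        # public address mapped to a DMZ host
        elif tok[:1] == ["access-group"]:
            bound[tok[1]] = tok[-1]      # ACL name -> interface it filters
        elif tok[:1] == ["access-list"] and "permit" in tok:
            permits.append(tok)
    findings = []
    for tok in permits:
        iface = bound.get(tok[1])
        if iface == "outside":
            dest = tok[tok.index("host") + 1] if "host" in tok else "any"
            port = tok[-1] if "eq" in tok else "any"
            if dest not in published:
                findings.append(f"outside permit to untranslated address {dest}")
            elif port not in ALLOWED_PORTS:
                findings.append(f"outside permit to {dest} on unexpected port {port}")
        elif iface == "dmz" and inside_net in tok:
            findings.append(f"dmz permit toward inside network {inside_net}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```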



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
EAN: 2147483647
Year: 2006
Pages: 120
Authors: Greg Abelar
