Use the ASDM Startup Wizard to Deploy Web and Mail Services


Congratulations! Now that you have successfully defined all of the network entities and designed a new network topology, you are ready to deploy mail and web services using the ASDM Startup Wizard. To fully deploy your new servers, you must do the following:

  • Configure and connect your web and mail servers to the DMZ of the ASA/PIX Security Appliance.

  • Use ASDM to configure the security appliance to allow Internet users access to your new servers.

Connect the New Servers to the ASA/PIX Security Appliance

Before you can run ASDM and configure the ASA/PIX Security Appliance, you must first connect the new servers to the security appliance (a straightforward task).

You need to do the following:

  • Configure your mail and web servers with the new IP addresses, subnets, and gateways.

  • Obtain a Layer 2 network switch and connect it to both the DMZ interface of the ASA/PIX Security Appliance and the network interface cards on your servers.

  • Verify Layer 2 connectivity to the ASA/PIX Security Appliance using the ping command.

Here are the steps:

Step 1.

IP address setup on the servers

Use the Network Control Panel on the mail and web servers to configure the inside IP addresses, the subnets, and the gateway.

The web server address will be 192.168.2.3, the gateway address will be 192.168.2.1, and the subnet mask will be 255.255.255.0.

The mail server address will be 192.168.2.4, the gateway address will be 192.168.2.1, and the subnet mask will be 255.255.255.0.

Step 2.

Connect the servers to the ASA/PIX Security Appliance

Now that the servers have been configured with the correct IP addresses, you need to physically connect them to the DMZ interface of the ASA/PIX Security Appliance. Use the port labeled Ethernet 2 on the security appliance.

Obtain a network switch. Plug a straight-through Ethernet cable from the switch to Ethernet 2 on the security appliance. Plug a straight-through cable from the switch to the Ethernet interface of each of the servers. The LEDs on the switch should show a link indication a few seconds after they are connected.

Step 3.

Verify that you have connectivity

You cannot connect to the ASA/PIX Security Appliance yet because it isn't configured. However, you should be able to ping between the two servers, 192.168.2.3 and 192.168.2.4. The inability to successfully ping points to a Layer 2 problem. If this happens, check your IP address configuration, check your cables, and, ultimately, contact your switch vendor if you are still having problems.

Configure Your ASA/PIX Security Appliance Using ASDM

Now that the new servers have been successfully configured and physically connected to the ASA/PIX Security Appliance, you are ready to run ASDM. Using ASDM, you configure the ASA/PIX Security Appliance to secure your servers and allow Internet users access to your servers.

NOTE

Although it is beyond the scope of this book, it is assumed that your ISP is managing DNS for you. Before you can allow users to access your servers using a name such as http://www.mywebserver.com, you need to make sure that your ISP has entered the DNS names for both your web and mail servers.


Step 1.

Use the same PC that was configured and connected in Chapter 5 and launch ASDM using your browser by entering https://192.168.1.1. An ASA user will use a slightly different URL, https://192.168.1.1/admin.

Step 2.

Enter the appropriate responses to certificate pop-ups and usernames and passwords. Upon completion, the ASDM home page displays. (See Figure 6-3.)

Figure 6-3. ASDM Home


Step 3.

Open the Wizards pull-down menu and choose Startup Wizard.

Step 4.

When the Startup Wizard launches, the first screen asks whether you want to continue with the existing configuration. Because you are adding to your configuration and not changing anything you have already configured, click this option and then click Next.

Step 5.

Continue clicking Next until you see the Other Interface Configuration screen. (See Figure 6-4.)

Figure 6-4. ASDM Interface Configuration


Step 6.

Highlight Ethernet 2 and click the Edit button.

Step 7.

In the display panel, enter the configuration information for the DMZ interface as indicated in Figure 6-5. (Don't forget to check Enable.) Then click OK. You will get a warning about a security level change, to which you should click OK.

Figure 6-5. DMZ Configuration Panel


Traffic between ASA/PIX Security Appliance interfaces is determined by security level. By default, traffic can flow unimpeded from an interface with a higher security level to an interface with a lower security level. Traffic in the reverse direction is blocked unless an access rule is in place to allow traffic. The outside interface has a security level of zero, and all other security appliance interfaces are greater than zero. This means that traffic originating inside the ASA/PIX Security Appliance can flow in and out, but if traffic is originated outside the security appliance, you need to write an access rule to allow traffic flow.

Step 8.

Click Next until the wizard is done, and then click Finish.

You have now finished configuring the security appliance interface. It is now time to create an address translation and access lists, which together will allow Internet users to access your servers:

Step 1.

Navigate to Configuration > Features > NAT Translation Rules in ASDM. The NAT Configuration Panel will display. Click Add.

Step 2.

Choose DMZ as the interface.

Step 3.

Enter the IP address 192.168.2.3 for the web server.

Step 4.

Enter the mask as 255.255.255.255.

Caution

This entry is not really a subnet mask. The ASA/PIX Security Appliance is expecting a selection of 255.255.255.255 to let it know you are adding a host, rather than a network, to the NAT table.

Step 5.

Click the Static radio button and enter 199.199.199.203 in the IP Address field.

Step 6.

Click the Static button and enter the public IP address 199.199.199.203. (See Figure 6-6.)

Figure 6-6. Add Translation for HTTP Server


Step 7.

Click OK.

Step 8.

Click Apply when you are back to the main panel to save the changes.

Now, you need to add a translation for the mail server:

Step 1.

In ASDM, navigate to Configuration > Features > NAT Translation Rules to display the NAT configuration panel. Click Add.

Step 2.

Choose DMZ as the interface.

Step 3.

Enter the IP address 192.168.2.4 for the mail server.

Step 4.

Enter the mask as 255.255.255.255.

Caution

This entry is not really a subnet mask. The ASA/PIX Security Appliance is expecting a selection of 255.255.255.255 to let it know you are adding a host, rather than a network, to the NAT table.

Step 5.

Click the Static radio button and enter 199.199.199.204 in the IP Address field.

Step 6.

Click OK.

Step 7.

Click Apply when you are back to the Mail NAT panel to save changes.

Figure 6-7. Add Translation for Mail Server


You need to complete one last sequence of steps before Internet users will have access to your new servers. You need to create an access policy that allows Internet users access to the web and mail services on the IP addresses you just defined.

First, set up an access list for the web server:

Step 1.

Navigate to the ASDM panel Configuration > Features > Security Policy > Access Rules. The default panel will be Access Rules. Click Add and fill in the panel as shown in Figure 6-8.

Figure 6-8. Access Policy Panel HTTP


Step 2.

Click the Interface pull-down in the Source Host/Network section and choose Outside. As indicated by an IP address of 0.0.0.0 and a mask of 0.0.0.0, the default is to allow access for all Internet users.

Step 3.

Click the Interface pull-down in the Destination Host/Network section and choose DMZ. Enter the IP address 192.168.2.3. You can do so either manually or by using the pop-up button to the right of the text box. Make sure that the mask is set to 255.255.255.255.

Caution

This entry is not really a subnet mask. The ASA/PIX Security Appliance is expecting a selection of 255.255.255.255 to let it know you are adding a host, rather than a network, to the access rule.

Step 4.

Choose the TCP option in the Protocol and Service section.

Step 5.

Click the pop-up button next to the text box in the Destination Port Service section. Choose HTTP.

Step 6.

Click OK.

Step 7.

When you are redirected back to the Main Access Rules panel, click Apply to download the new configuration to the ASA/PIX Security Appliance.

Now, you need to do the same steps for the mail server.

NOTE

Most mail servers will work with this configuration, but some servers will need additional ports opened on the security appliance. If mail doesn't work after the completion of these steps, check with your mail vendor to identify the additional ports that you need to open. Then, follow this guide to open the ports they are expecting.


Step 1.

Click the Configuration Navigation button, and then choose the Security Policy feature. The default panel is Access Rules. Click Add. Fill in the panel as shown in Figure 6-9.

Figure 6-9. Access Policy Panel SMTP


Step 2.

Click the Interface pull-down in the Source Host/Network section and choose Outside.

Step 3.

Click the Interface pull-down in the Destination Host/Network section and choose DMZ. Enter the IP address 192.168.2.4. You can do so either manually or by using the pop-up button to the right of the text box. Make sure that the mask is set to 255.255.255.255.

Caution

This entry is not really a subnet mask. The ASA/PIX Security Appliance is expecting a selection of 255.255.255.255 to let it know you are adding a host, rather than a network, to the access rule.

Step 4.

Choose the TCP option in the Protocol and Service section.

Step 5.

Click the pop-up button next to the text box in the Destination Port Service section. Choose SMTP.

Step 6.

Click OK.

Step 7.

When you are redirected back to the Main Access Rules panel, click Apply to download the new configuration to the ASA/PIX Security Appliance.
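For reference, the command-line configuration below is what the wizard and panels in this section produce on a 7.x-era ASA/PIX (pre-8.3 NAT syntax), with the DMZ addressed as the servers' gateway 192.168.2.1. It is an added listing, not from the book; the security level of 50 and the access-list name outside_access_in are assumptions, because the book shows those values only in its figures, and the interface name follows the book's "Ethernet 2" label (the exact name varies by model).

```text
! DMZ interface (the port labeled Ethernet 2), addressed as the servers' gateway.
! security-level 50 is an assumed value: above outside (0), below inside (100),
! so DMZ-originated traffic reaches the Internet but not the inside by default.
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! One-to-one static translations: public address on outside <-> real address on dmz.
! netmask 255.255.255.255 marks a single host, as the Caution in the NAT steps explains.
static (dmz,outside) 199.199.199.203 192.168.2.3 netmask 255.255.255.255
static (dmz,outside) 199.199.199.204 192.168.2.4 netmask 255.255.255.255
!
! Access rules: outside -> dmz is lower -> higher security, so it is blocked until
! explicitly permitted. Destinations are the real DMZ addresses, exactly as entered
! in the Access Rules panels; only HTTP to the web server and SMTP to the mail server.
access-list outside_access_in extended permit tcp any host 192.168.2.3 eq www
access-list outside_access_in extended permit tcp any host 192.168.2.4 eq smtp
access-group outside_access_in in interface outside
```

After clicking Apply, compare this against the output of show running-config on the appliance; any line ASDM wrote differently is worth understanding before moving on.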

Congratulations! Successful completion of these steps has given you a network where your inside users can browse the Internet. You have also deployed a web server and mail server that Internet users can access.

Many people stop their Internet deployment networks at this point. They have connectivity and are relatively secure. Why shouldn't they stop? As discussed several times previously, the only way to achieve full security is with several layers of defense. You still need to lock down the perimeter of your system, perhaps deploy VPN, and definitely deploy host intrusion prevention.

With your current network security posture, you are still susceptible to the most costly attacks: day-zero attacks. You may feel secure, but the first Blaster, Slammer, Sasser, Code Red, Nimda, or major mail virus that hits will potentially affect your servers and the hosts on the inside of your network. This can potentially cost you several thousands of dollars to clean up. Following through with defense in depth is an incidental expense in comparison.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
