This is the last article in the series discussing the configuration of an enterprise network. It explains the configuration of the Demilitarized Zone (DMZ). Our DMZ consists of three devices: ASAv-DMZ-I, the multilayer switch vIOS-DMZ-I and Serv-DMZ-I. All devices in the DMZ run on the Qemu hypervisor. ASAv-DMZ-I runs Cisco Adaptive Security Appliance Software version 9.6.1 and has 2048 MB RAM assigned by GNS3. vIOS-DMZ-I is Cisco vIOS-L2 version 15.2 and has 512 MB RAM assigned by GNS3. Finally, Serv-DMZ-I is Linux Ubuntu 16.04.3 LTS with 1024 MB RAM assigned by GNS3. The server Serv-DMZ-I provides DNS, NTP and Syslog services for devices in the DMZ and a public web service for all hosts on the Internet.
Picture 1 - Demilitarized Zone - DMZ
All devices located in the DMZ have IP addresses assigned from the subnet 195.1.1.128/25. The subnet 195.1.1.128/27 is further divided with a /30 mask, creating 8 subnets suitable for point-to-point links. Servers located in the DMZ are assigned to different VLANs. Currently, only the server Serv-DMZ-I is deployed in the DMZ; it is configured with the IP address 195.1.1.161/29 and assigned to VLAN10 on the switch vIOS-DMZ-I. The subnet reserved for devices in VLAN10 is 195.1.1.160/29, with the default gateway IP address 195.1.1.166.
Note: The configuration files are: ASAv-DMZ-I, vIOS-DMZ-I, named.conf.options, ntp.conf, dmz.conf.
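As an added example (not part of the original article), the following Python script checks the addressing plan above with the standard ipaddress module: that the two point-to-point links are the usable hosts of /30 subnets carved from 195.1.1.128/27, that the server and its gateway sit in 195.1.1.160/29, that the INSIDE routes configured on ASAv-DMZ-I cover that VLAN, and that the SSH management range 195.1.1.0/25 used on the ASA does not overlap the DMZ block. The link names and check names are my own labels.

```python
import ipaddress

# Addressing plan from this article: point-to-point links carved from 195.1.1.128/27,
# the server VLAN 195.1.1.160/29 behind vIOS-DMZ-I, and the ASAv-DMZ-I INSIDE routes.
P2P_BLOCK = ipaddress.ip_network("195.1.1.128/27")
LINKS = {  # link name (my label): (address on one end, address on the other end)
    "vIOS-EDGE-I <-> ASAv-DMZ-I Gi0/0": ("195.1.1.129", "195.1.1.130"),
    "ASAv-DMZ-I Gi0/2 <-> vIOS-DMZ-I Gi0/0": ("195.1.1.133", "195.1.1.134"),
}
VLAN10 = ipaddress.ip_network("195.1.1.160/29")
VLAN10_GATEWAY, SERVER = "195.1.1.166", "195.1.1.161"
ASA_INSIDE_ROUTES = ["195.1.1.192/26", "195.1.1.160/27"]  # the 'route INSIDE ...' lines
SSH_MGMT_RANGE = ipaddress.ip_network("195.1.1.0/25")     # 'ssh 195.1.1.0 255.255.255.128'
DMZ_BLOCK = ipaddress.ip_network("195.1.1.128/25")

def p2p_subnets():
    """The eight /30 subnets available for point-to-point links."""
    return list(P2P_BLOCK.subnets(new_prefix=30))

def link_checks():
    """Each link's two addresses must be the two usable hosts of one /30 in the block."""
    result = {}
    for name, (a, b) in LINKS.items():
        net = ipaddress.ip_network(f"{a}/30", strict=False)
        result[name] = net in p2p_subnets() and {str(h) for h in net.hosts()} == {a, b}
    return result

def vlan_checks():
    """Server and gateway belong to VLAN10, and the ASA has a route covering it."""
    routes = [ipaddress.ip_network(r) for r in ASA_INSIDE_ROUTES]
    return {
        "gateway_in_vlan10": ipaddress.ip_address(VLAN10_GATEWAY) in VLAN10,
        "server_in_vlan10": ipaddress.ip_address(SERVER) in VLAN10,
        "vlan10_covered_by_asa_route": any(VLAN10.subnet_of(r) for r in routes),
        "vlan10_disjoint_from_p2p_block": not VLAN10.overlaps(P2P_BLOCK),
        "ssh_mgmt_range_outside_dmz": not SSH_MGMT_RANGE.overlaps(DMZ_BLOCK),
    }

def plan_ok():
    """True when every link and VLAN check passes."""
    return all(link_checks().values()) and all(vlan_checks().values())
```

Feeding the script a wrong gateway such as 196.1.1.166 makes gateway_in_vlan10 fail, which is the kind of slip this check is meant to catch.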
1. ASAv-DMZ-I Configuration
1.1 Initial Configuration
No password is set for privileged exec mode. As for cabling, the interface eth0 is not connected; eth0 corresponds to the Management0/0 interface on the ASAv, which we are not going to use. The first connected interface, eth1, is represented by the interface GigabitEthernet0/0 in the ASAv CLI, the second connected interface, eth2, by GigabitEthernet0/1, and so on.
ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# hostname ASAv-DMZ-I
1.2 Login Credentials
Access to all devices located in the DMZ is authenticated against a user created in the local database of the particular device.
ASAv-DMZ-I(config)# username admin password cisco
ASAv-DMZ-I(config)# enable password cisco
Let's configure authentication for access to the ASAv-DMZ-I console against a local user.
ASAv-DMZ-I(config)# aaa authentication serial console LOCAL
If we want to use GNS3 for ASAv administration, we need to configure the ASAv to redirect its console output to a serial port. The ASAv does this when the file disk0:/use_ttyS0 exists; its content does not matter, so we create it by copying coredump.cfg under that name.
ASAv-DMZ-I# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0
1.3 IP Addresses and Security Levels
The switch vIOS-DMZ-I is an access switch that connects servers to the network. It is connected to the ASAv-DMZ-I interface GigabitEthernet0/2, which is named INSIDE and has security level 100. The interface GigabitEthernet0/0, named OUTSIDE, connects ASAv-DMZ-I to the device vIOS-EDGE-I and has security level 0. Thanks to this security level configuration, all devices inside the DMZ can initiate connections to the Internet, whereas hosts on the Internet cannot initiate connections to devices in the DMZ. To allow connections initiated from outside to inside for particular traffic, an appropriate access-list must be configured on ASAv-DMZ-I.
ASAv-DMZ-I(config)# interface Gi0/0
ASAv-DMZ-I(config-if)# description Link to vIOS-EDGE-I
ASAv-DMZ-I(config-if)# nameif OUTSIDE
ASAv-DMZ-I(config-if)# security-level 0
ASAv-DMZ-I(config-if)# ip address 195.1.1.130 255.255.255.252
ASAv-DMZ-I(config-if)# no shutdown
ASAv-DMZ-I(config-if)# exit
ASAv-DMZ-I(config)# interface Gi0/2
ASAv-DMZ-I(config-if)# description Link to vIOS-DMZ-I
ASAv-DMZ-I(config-if)# nameif INSIDE
ASAv-DMZ-I(config-if)# security-level 100
ASAv-DMZ-I(config-if)# ip address 195.1.1.133 255.255.255.252
ASAv-DMZ-I(config-if)# no shutdown
ASAv-DMZ-I(config-if)# exit
1.4 Static Routes
Configure a static default route pointing toward the router vIOS-EDGE-I.
ASAv-DMZ-I(config)# route OUTSIDE 0.0.0.0 0.0.0.0 195.1.1.129
Configure static routes pointing to the subnets inside the DMZ via vIOS-DMZ-I.
ASAv-DMZ-I(config)# route INSIDE 195.1.1.192 255.255.255.192 195.1.1.134
ASAv-DMZ-I(config)# route INSIDE 195.1.1.160 255.255.255.224 195.1.1.134
1.5 Objects and Object Group
Define the network objects and the network object-group used by the access-lists.
ASAv-DMZ-I(config)# object network serv-dmz-i
ASAv-DMZ-I(config-network-object)# host 195.1.1.161
ASAv-DMZ-I(config)# object network public_add
ASAv-DMZ-I(config-network-object)# subnet 195.1.1.0 255.255.255.0
ASAv-DMZ-I(config)# object network google_dns1
ASAv-DMZ-I(config-network-object)# host 8.8.8.8
ASAv-DMZ-I(config)# object network google_dns2
ASAv-DMZ-I(config-network-object)# host 8.8.4.4
ASAv-DMZ-I(config)# object network vios-edge-i_gi0_0
ASAv-DMZ-I(config-network-object)# host 195.1.1.129
ASAv-DMZ-I(config)# object-group network google_dns
ASAv-DMZ-I(config-network-object-group)# network-object object google_dns1
ASAv-DMZ-I(config-network-object-group)# network-object object google_dns2
1.6 Access Lists
Allow SSH access from 195.1.1.0/24 to 195.1.1.0/24 through ASAv-DMZ-I. This allows devices in the DMZ to be managed from the campus network and the data center.
ASAv-DMZ-I(config)# access-list out-to-ins extended permit tcp object public_add object public_add eq ssh
Allow ICMP Echo Requests from 195.1.1.0/24 to the DMZ.
ASAv-DMZ-I(config)# access-list out-to-ins extended permit icmp object public_add object public_add echo
Allow ICMP Echo Replies from the Google DNS servers 8.8.8.8 and 8.8.4.4.
ASAv-DMZ-I(config)# access-list out-to-ins extended permit icmp object-group google_dns object public_add echo-reply
Allow access from the Internet to the web server 195.1.1.161 on ports 80 and 443. Two entries with eq are used because a single entry with range www https would permit every TCP port from 80 to 443, not just the two web ports.
ASAv-DMZ-I(config)# access-list out-to-ins extended permit tcp any object serv-dmz-i eq www
ASAv-DMZ-I(config)# access-list out-to-ins extended permit tcp any object serv-dmz-i eq https
Allow DNS requests from 195.1.1.129 (vIOS-EDGE-I) to the DNS server 195.1.1.161 on UDP port 53.
ASAv-DMZ-I(config)# access-list out-to-ins extended permit udp object vios-edge-i_gi0_0 object serv-dmz-i eq 53
Apply the access-list out-to-ins in the inbound direction on the OUTSIDE interface.
ASAv-DMZ-I(config)# access-group out-to-ins in interface OUTSIDE
Picture 2 - ASAv-DMZ-I Access-List Out-to-Ins
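As an added example (not the article's own code), the following Python script parses the out-to-ins entries from this section and evaluates sample flows against them the way the ASA does (first match wins, implicit deny at the end). It keeps two variants of the web-server entry, one written as range www https and one as two eq entries, to show that the range form also admits ports 81 to 442. The sample source address 203.0.113.7 is a constructed Internet host.

```python
import ipaddress
# Network objects and the object-group defined on ASAv-DMZ-I above.
OBJECTS = {"serv-dmz-i": ["195.1.1.161/32"], "public_add": ["195.1.1.0/24"],
           "vios-edge-i_gi0_0": ["195.1.1.129/32"], "google_dns": ["8.8.8.8/32", "8.8.4.4/32"]}
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}
to_port = lambda x: PORT_NAMES.get(x) or int(x)

def parse_ace(line):
    # 'access-list NAME extended ACTION PROTO SRC DST [eq P | range A B | ICMP-TYPE]'
    t = line.split()
    action, proto, i = t[3], t[4], 5
    def spec():  # SRC/DST is 'any', 'object NAME' or 'object-group NAME'
        nonlocal i
        name, i = (t[i], i + 1) if t[i] == "any" else (t[i + 1], i + 2)
        return name
    src, dst, rest = spec(), spec(), t[i:]
    ports = icmp_type = None
    if proto == "icmp":
        icmp_type = rest[0] if rest else None
    elif rest:  # 'eq P' becomes (P, P); 'range A B' becomes (A, B), inclusive
        ports = (to_port(rest[1]), to_port(rest[-1]))
    return action, proto, src, dst, ports, icmp_type

def in_obj(name, ip):
    return name == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in OBJECTS[name])

def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    # First matching entry wins; no match means the ASA's implicit deny.
    for action, p, s, d, ports, itype in acl:
        if p != proto or not in_obj(s, src) or not in_obj(d, dst):
            continue
        if proto == "icmp" and itype not in (None, icmp_type):
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        return action
    return "deny"

ACL_TEXT = """
access-list out-to-ins extended permit tcp object public_add object public_add eq ssh
access-list out-to-ins extended permit icmp object public_add object public_add echo
access-list out-to-ins extended permit icmp object-group google_dns object public_add echo-reply
access-list out-to-ins extended permit tcp any object serv-dmz-i range www https
access-list out-to-ins extended permit udp object vios-edge-i_gi0_0 object serv-dmz-i eq 53
""".strip().splitlines()
ACL_RANGE = [parse_ace(l) for l in ACL_TEXT]
# Same ACL with the web entry written as two 'eq' entries, admitting only ports 80 and 443.
ACL_EQ = [parse_ace(l.replace("range www https", "eq www")) for l in ACL_TEXT] + [
    parse_ace(ACL_TEXT[3].replace("range www https", "eq https"))]
```

With ACL_RANGE a connection from the Internet to 195.1.1.161 on TCP port 100 is permitted; with ACL_EQ it is denied, while SSH from 195.1.1.0/24 and DNS from 195.1.1.129 behave the same in both.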
1.7 SSH Access
ASAv-DMZ-I(config)# aaa authentication ssh console LOCAL
ASAv-DMZ-I(config)# crypto key generate rsa modulus 4096
ASAv-DMZ-I(config)# ssh key-exchange group dh-group14-sha1
Allow SSH access to the OUTSIDE interface from the subnet 195.1.1.0/25.
ASAv-DMZ-I(config)# ssh 195.1.1.0 255.255.255.128 OUTSIDE
Set the SSH session timeout to the maximum value of 60 minutes.
ASAv-DMZ-I(config)# ssh timeout 60
1.8 NTP
ASAv-DMZ-I(config)# ntp server 172.16.50.1
ASAv-DMZ-I(config)# clock timezone UTC+2 +2
Picture 3 - Time Synchronization Checking
1.9 DNS Client
ASAv-DMZ-I(config)# dns server-group DefaultDNS
ASAv-DMZ-I(config-dns-server-group)# name-server 195.1.1.161
ASAv-DMZ-I(config-dns-server-group)# exit
ASAv-DMZ-I(config)# dns domain-lookup INSIDE
Picture 4 - Displaying DNS Cache
1.10 Logging Configuration
Log informational messages (severity 6 and more severe) to the console, the RAM buffer and VTY sessions.
ASAv-DMZ-I(config)# logging enable
ASAv-DMZ-I(config)# logging console 6
ASAv-DMZ-I(config)# logging buffered 6
ASAv-DMZ-I(config)# logging monitor 6
Configure a remote syslog-ng server running on the server Serv-DMZ-I. Set the syslog trap level to 5 (notifications), which also sends the more severe lower levels (level 1, for example, is alerts).
ASAv-DMZ-I(config)# logging host INSIDE 195.1.1.161
ASAv-DMZ-I(config)# logging trap notifications
Log messages are sent to the server Serv-DMZ-I and stored in the directory /var/log/dmz.
Picture 5 - Content of DMZ Directory
1.11 Traffic Inspection
ASAv-DMZ-I(config)# policy-map type inspect http http_map
ASAv-DMZ-I(config-pmap)# parameters
ASAv-DMZ-I(config-pmap-p)# protocol-violation action drop-connection log
ASAv-DMZ-I(config)# policy-map global_policy
ASAv-DMZ-I(config-pmap)# class inspection_default
ASAv-DMZ-I(config-pmap-c)# inspect http http_map
ASAv-DMZ-I(config)# service-policy global_policy global
Picture 6 - List of Inspected Protocols
Check the HTTP traffic inspection statistics.
Picture 7 - Checking HTTP Traffic Inspection Statistic
2. Switch vIOS-DMZ-I Configuration
We do not need to discuss every line of the vIOS-DMZ-I configuration, as the switch contains only a basic configuration that does not need detailed explanation. We will just summarize some ideas that help to understand how the switch is configured.
2.1 IP Addresses, VLAN, VTP and SVI Port
The interface GigabitEthernet0/0 is connected to ASAv-DMZ-I and is configured as a routed interface. The interface GigabitEthernet0/1 is configured as an access switchport in VLAN10; it connects the server Serv-DMZ-I to the network.
vIOS-DMZ-I(config)# interface GigabitEthernet0/0
vIOS-DMZ-I(config-if)# description Link to ASAv-DMZ-I
vIOS-DMZ-I(config-if)# no switchport
vIOS-DMZ-I(config-if)# ip address 195.1.1.134 255.255.255.252
vIOS-DMZ-I(config-if)# no shutdown
vIOS-DMZ-I(config-if)# exit
vIOS-DMZ-I(config)# interface GigabitEthernet0/1
vIOS-DMZ-I(config-if)# description Link to Serv-DMZ-I
vIOS-DMZ-I(config-if)# switchport mode access
vIOS-DMZ-I(config-if)# switchport access vlan 10
vIOS-DMZ-I(config-if)# no shutdown
vIOS-DMZ-I(config-if)# exit
vIOS-DMZ-I(config)# vlan 10
vIOS-DMZ-I(config-vlan)# name Servers_DMZ
vIOS-DMZ-I(config-vlan)# exit
We do not use the VLAN Trunk Protocol (VTP) in the DMZ, so we disable it. As a result, VLANs must be configured locally on every switch in the DMZ. This prevents VLANs from being deleted, either accidentally by network admins or intentionally as part of an L2 attack. The command vtp mode off also stops the switch from forwarding VTP advertisements.
vIOS-DMZ-I(config)# vtp mode off
Below is the configuration of the default gateway IP address for the subnet 195.1.1.160/29. The IP address 195.1.1.166/29 is configured on the interface VLAN10.
vIOS-DMZ-I(config)# interface vlan 10
vIOS-DMZ-I(config-if)# ip address 195.1.1.166 255.255.255.248
vIOS-DMZ-I(config-if)# no shutdown
2.2 Static Default Routing
vIOS-DMZ-I(config)# ip route 0.0.0.0 0.0.0.0 195.1.1.133
2.3 Console Authentication, Privileged Exec Mode and SSH
vIOS-DMZ-I(config)# username admin secret cisco
vIOS-DMZ-I(config)# enable secret cisco
vIOS-DMZ-I(config)# line console 0
vIOS-DMZ-I(config-line)# login local
vIOS-DMZ-I(config)# ip ssh version 2
vIOS-DMZ-I(config)# ip domain-name companyXYZ.sk
vIOS-DMZ-I(config)# crypto key generate rsa modulus 4096
vIOS-DMZ-I(config)# line vty 0 1500
vIOS-DMZ-I(config-line)# transport input ssh
vIOS-DMZ-I(config-line)# login local
The SSH access-list allows connections to the VTY lines only from the subnet 195.1.1.0/25.
vIOS-DMZ-I(config)# ip access-list standard ssh-access
vIOS-DMZ-I(config-std-nacl)# permit 195.1.1.0 0.0.0.127
vIOS-DMZ-I(config-std-nacl)# deny any
vIOS-DMZ-I(config-std-nacl)# exit
vIOS-DMZ-I(config)# line vty 0 1500
vIOS-DMZ-I(config-line)# access-class ssh-access in
vIOS-DMZ-I(config-line)# exit
2.4 NTP
vIOS-DMZ-I(config)# ntp server 172.16.50.1
vIOS-DMZ-I(config)# clock timezone UTC+2 +2
Picture 8 - Time Synchronization Checking
2.5 DNS Client
vIOS-DMZ-I(config)# ip name-server 195.1.1.161
vIOS-DMZ-I(config)# ip domain lookup
2.6 Logging
vIOS-DMZ-I(config)# logging host 195.1.1.161
vIOS-DMZ-I(config)# logging trap notifications
3. Server Serv-DMZ-I Configuration
The server Serv-DMZ-I provides DNS, NTP, Web and Syslog services for all devices in the DMZ. We have already described the configuration of DNS, NTP and Syslog-ng in Part 5 - Data Center Configuration. Therefore, I am not going to discuss the configuration again. Instead, we will introduce several commands that can be used during troubleshooting.
3.1 Checking NTP
Below is the output of the ntpstat command, which reports the synchronization state of the NTP daemon running on Serv-DMZ-I. The system is synchronized to an NTP server 91.236.251.29 and the approximate time accuracy is 137 ms.
Picture 9 - Checking Synchronization State of NTP Daemon
3.2 Checking DNS
Below is the output of the dig command used to look up the IP address for the domain cisco.hu. The answer is 72.163.4.154, the DNS server is 195.1.1.161 (Serv-DMZ-I) and the query took 97 ms.
Picture 10 - Querying DNS Server 195.1.1.161
If we send the query for the domain cisco.hu once again, the response is almost identical except for the query time, which is 0 ms. The IP address for the domain cisco.hu is now cached, so no DNS query is sent upstream.
Picture 11 - Querying DNS Server 195.1.1.161
To inspect the Bind9 DNS cache, first dump the database with the command below, then check the content of the file /var/cache/bind/named_dump.db.
root@Serv-DMZ-I:/home/ubuntu# rndc dumpdb
Picture 12 - Content of Dumped Bind9 Database
3.3 Checking Web Server
First, install the Apache2 web server with the command below.
# apt-get install apache2
We use the curl command to check the web server type and version. The server Serv-DMZ-I is running Apache 2.4.18.
Picture 13 - Checking Web Server with Curl Command
If the curl command is not available, the same information can be obtained with the telnet command. Once connected to the web server, enter HEAD / HTTP/1.0 and then press Enter twice.
ubuntu@Server1:~$ telnet 195.1.1.161 80
HEAD / HTTP/1.0
Picture 14 - Checking Web Server with Telnet Command
3.4 Checking Syslog-ng
Check if syslog-ng is listening on a particular socket.
Picture 15 - Checking Syslog-ng Socket
In our case, syslog-ng is listening on all IP addresses on TCP and UDP port 514. If it is not, you can check the configuration file for typos with the command below.
root@Serv-DMZ-I:/home/ubuntu# syslog-ng --syntax-only
It's best not to have any DMZ resources connected to the inside interface and instead use a dedicated interface for the DMZ network.