Enterprise Network on GNS3 - Part 7 - DMZ

This is the last article in the series discussing the configuration of the enterprise network. It explains the configuration of the Demilitarized Zone (DMZ). Our DMZ consists of three devices - ASAv-DMZ-I, a multilayer switch vIOS-DMZ-I and Serv-DMZ-I. All devices in the DMZ run on the Qemu hypervisor. ASAv-DMZ-I runs Cisco Adaptive Security Appliance Software version 9.6.1 and GNS3 assigns it 2048 MB RAM. vIOS-DMZ-I is Cisco vIOS-L2 version 15.2 with 512 MB RAM assigned by GNS3. Finally, Serv-DMZ-I is Linux Ubuntu 16.04.3 LTS with 1024 MB RAM assigned by GNS3. The server Serv-DMZ-I provides DNS, NTP and Syslog services for devices in the DMZ and a public web service for all hosts on the Internet.

Picture 1 - Demilitarized Zone - DMZ

All devices located in the DMZ have IP addresses assigned from the subnet 195.1.1.128/25. The subnet 195.1.1.128/27 is further divided with a /30 mask, creating 8 subnets suitable for point-to-point links. Servers located in the DMZ are assigned to different VLANs. Currently, only the server Serv-DMZ-I is deployed in the DMZ, configured with the IP address 195.1.1.161/29. The server is assigned to VLAN10 on the switch vIOS-DMZ-I. The subnet reserved for devices in VLAN10 is 195.1.1.160/29 with the default gateway IP address 195.1.1.166.

Note: The configuration files are: ASAv-DMZ-I, vIOS-DMZ-I, named.conf.options, ntp.conf, dmz.conf.

1. ASAv-DMZ-I Configuration

1.1 Initial Configuration

No password is set for privileged exec mode. Regarding the cabling, the interface eth0 is not connected; it corresponds to the Management0/0 interface on the ASAv, which we are not going to use. The first connected interface eth1 is represented by the interface GigabitEthernet0/0 in the ASAv CLI, the second connected interface eth2 by the interface GigabitEthernet0/1, and so on.

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# hostname ASAv-DMZ-I

1.2 Login Credentials

Access to all devices located in the DMZ is authenticated against a user created in the local database of the particular device.

ASAv-DMZ-I(config)# username admin password cisco
ASAv-DMZ-I(config)# enable password cisco

Let's configure authentication for access to the ASAv-DMZ-I console against a local user.

ASAv-DMZ-I(config)# aaa authentication serial console LOCAL

If we want to use GNS3 for ASAv administration, we need to configure the ASAv to redirect its output to a serial port. To do so, copy the file coredump.cfg to disk0:/use_ttyS0 as shown below.

ASAv-DMZ-I# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0

1.3 IP Addresses and Security Levels

The switch vIOS-DMZ-I is an access switch that connects servers to the network. The switch is connected to the ASAv-DMZ-I interface named INSIDE, whose security level is set to 100. The interface named OUTSIDE, with security level 0, connects ASAv-DMZ-I to the device vIOS-EDGE-I. Thanks to this security level configuration, all devices inside the DMZ can initiate connections to the Internet, whereas hosts on the Internet cannot initiate connections to devices in the DMZ. To allow connections initiated from outside to inside for particular network traffic, an appropriate access-list must be configured on ASAv-DMZ-I.

ASAv-DMZ-I(config)# interface Gi0/0
ASAv-DMZ-I(config-if)# description Link to vIOS-EDGE-I
ASAv-DMZ-I(config-if)# nameif OUTSIDE
ASAv-DMZ-I(config-if)# security-level 0
ASAv-DMZ-I(config-if)# ip address 195.1.1.130 255.255.255.252
ASAv-DMZ-I(config-if)# no shutdown
ASAv-DMZ-I(config-if)# exit

ASAv-DMZ-I(config)# interface Gi0/2
ASAv-DMZ-I(config-if)# description Link to vIOS-DMZ-I
ASAv-DMZ-I(config-if)# nameif INSIDE
ASAv-DMZ-I(config-if)# security-level 100
ASAv-DMZ-I(config-if)# ip address 195.1.1.133 255.255.255.252
ASAv-DMZ-I(config-if)# no shutdown
ASAv-DMZ-I(config-if)# exit

1.4 Static Routes

Configure a static default route pointing toward the router vIOS-EDGE-I.

ASAv-DMZ-I(config)# route OUTSIDE 0.0.0.0 0.0.0.0 195.1.1.129

Configure static routes pointing to the subnets inside the DMZ.

ASAv-DMZ-I(config)# route INSIDE 195.1.1.192 255.255.255.192 195.1.1.134
ASAv-DMZ-I(config)# route INSIDE 195.1.1.160 255.255.255.224 195.1.1.134
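The following Python script is an added example (not part of the original article or its configuration files) that checks the DMZ addressing plan from the introduction against the static routes above, using only the standard ipaddress module. It carves 195.1.1.128/27 into the eight /30 link subnets, verifies that both point-to-point links and the VLAN10 server addresses fit the plan, and verifies that the INSIDE routes on ASAv-DMZ-I cover the server VLAN without overlapping the link subnets. All prefixes and addresses are the ones given in the article; the check names are my own.

```python
"""Added example: sanity-check the DMZ addressing plan described in the
article. Uses only the Python standard library; all prefixes and addresses
are the ones from the article, nothing is read from a live device.
"""
import ipaddress

DMZ_BLOCK = ipaddress.ip_network("195.1.1.128/25")
P2P_BLOCK = ipaddress.ip_network("195.1.1.128/27")    # carved into /30 links
VLAN10 = ipaddress.ip_network("195.1.1.160/29")       # servers in VLAN10
VLAN10_GATEWAY = ipaddress.ip_address("195.1.1.166")  # SVI on vIOS-DMZ-I
SERV_DMZ_I = ipaddress.ip_address("195.1.1.161")

# Point-to-point links from the article: (address on side A, address on side B)
P2P_LINKS = {
    "vIOS-EDGE-I <-> ASAv-DMZ-I OUTSIDE": ("195.1.1.129", "195.1.1.130"),
    "ASAv-DMZ-I INSIDE <-> vIOS-DMZ-I": ("195.1.1.133", "195.1.1.134"),
}

# Static routes configured on ASAv-DMZ-I toward the INSIDE interface
ASA_INSIDE_ROUTES = [
    ipaddress.ip_network("195.1.1.192/26"),
    ipaddress.ip_network("195.1.1.160/27"),
]


def p2p_subnets():
    """The eight /30 subnets the article carves out of 195.1.1.128/27."""
    return list(P2P_BLOCK.subnets(new_prefix=30))


def link_subnet(a, b):
    """Return the /30 that contains both link ends as usable host addresses,
    or None when the two addresses do not form a valid /30 link."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    for net in p2p_subnets():
        hosts = set(net.hosts())  # a /30 has exactly two usable hosts
        if a in hosts and b in hosts and a != b:
            return net
    return None


def check_plan():
    """Run every consistency check and report the results by name."""
    results = {
        "eight /30 links": len(p2p_subnets()) == 8,
        "vlan10 inside dmz block": VLAN10.subnet_of(DMZ_BLOCK),
        "vlan10 not overlapping p2p block": not VLAN10.overlaps(P2P_BLOCK),
        "gateway is a vlan10 host": VLAN10_GATEWAY in VLAN10.hosts(),
        "server is a vlan10 host": SERV_DMZ_I in VLAN10.hosts(),
        # the ASA needs an INSIDE route that covers the server VLAN ...
        "asa routes cover vlan10": any(VLAN10.subnet_of(r) for r in ASA_INSIDE_ROUTES),
        # ... and its INSIDE routes must not reach back into the link subnets
        "asa routes avoid p2p block": not any(r.overlaps(P2P_BLOCK) for r in ASA_INSIDE_ROUTES),
    }
    for name, (a, b) in P2P_LINKS.items():
        results[f"link {name} is a valid /30"] = link_subnet(a, b) is not None
    return results


if __name__ == "__main__":
    for name, ok in check_plan().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Running the script prints one line per check; a FAIL line points at an address that was typed outside its planned subnet or a route that would swallow one of the /30 links, both of which are easy to miss when reading the configuration by hand.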

1.5 Objects and Object Group

Define network objects and a network object-group.

ASAv-DMZ-I(config)# object network serv-dmz-i
ASAv-DMZ-I(config-network-object)# host 195.1.1.161

ASAv-DMZ-I(config)# object network public_add
ASAv-DMZ-I(config-network-object)# subnet 195.1.1.0 255.255.255.0

ASAv-DMZ-I(config)# object network google_dns1
ASAv-DMZ-I(config-network-object)# host 8.8.8.8

ASAv-DMZ-I(config)# object network google_dns2
ASAv-DMZ-I(config-network-object)# host 8.8.4.4

ASAv-DMZ-I(config)# object network vios-edge-i_gi0_0
ASAv-DMZ-I(config-network-object)# host 195.1.1.129

ASAv-DMZ-I(config)# object-group network google_dns
ASAv-DMZ-I(config-network-object-group)# network-object object google_dns1
ASAv-DMZ-I(config-network-object-group)# network-object object google_dns2

1.6 Access Lists

Allow SSH access from 195.1.1.0/24 to 195.1.1.0/24 through ASAv-DMZ-I. This allows devices in the DMZ to be managed from the campus network and the data center.

ASAv-DMZ-I(config)# access-list out-to-ins extended permit tcp object public_add object public_add eq ssh

Allow ICMP Echo Requests from 195.1.1.0/24 to the DMZ.

ASAv-DMZ-I(config)# access-list out-to-ins extended permit icmp object public_add object public_add echo

Allow ICMP Echo Replies from the Google DNS servers 8.8.8.8 and 8.8.4.4.

ASAv-DMZ-I(config)# access-list out-to-ins extended permit icmp object-group google_dns object public_add echo-reply

Allow access from the Internet to the web server 195.1.1.161 on ports 80 and 443.

ASAv-DMZ-I(config)# access-list out-to-ins extended permit tcp any object serv-dmz-i range www https

Allow DNS requests from 195.1.1.129 (vIOS-EDGE-I) to the DNS server 195.1.1.161 on UDP port 53.

ASAv-DMZ-I(config)# access-list out-to-ins extended permit udp object vios-edge-i_gi0_0 object serv-dmz-i eq 53

Apply the access-list out-to-ins in the inbound direction on the OUTSIDE interface.

ASAv-DMZ-I(config)# access-group out-to-ins in interface OUTSIDE

Picture 2 - ASAv-DMZ-I Access-List Out-to-Ins 
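To see what the access-list above actually permits once it is applied inbound on OUTSIDE, here is an added example (my own code, not part of the article or of the ASA) that models the network objects from section 1.5 and the five ACEs as data and evaluates sample flows against them first-match, with the implicit deny at the end that every ASA access-list has. The sample flows are constructed; 203.0.113.7 stands in for an arbitrary Internet host.

```python
"""Added example: a first-match evaluator for the out-to-ins access-list of
ASAv-DMZ-I. Objects and ACEs mirror the article; the flows below are
constructed samples, not captured traffic.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Network objects and the object-group from section 1.5
OBJECTS = {
    "serv-dmz-i": [ipaddress.ip_network("195.1.1.161/32")],
    "public_add": [ipaddress.ip_network("195.1.1.0/24")],
    "vios-edge-i_gi0_0": [ipaddress.ip_network("195.1.1.129/32")],
    "google_dns": [ipaddress.ip_network("8.8.8.8/32"),
                   ipaddress.ip_network("8.8.4.4/32")],
    "any": [ANY],
}

# out-to-ins in the order the ACEs were entered. For tcp/udp the last field
# is the (low, high) destination port range; for icmp it is the ICMP type.
OUT_TO_INS = [
    ("permit", "tcp", "public_add", "public_add", (22, 22)),          # eq ssh
    ("permit", "icmp", "public_add", "public_add", 8),                # echo
    ("permit", "icmp", "google_dns", "public_add", 0),                # echo-reply
    ("permit", "tcp", "any", "serv-dmz-i", (80, 443)),                # range www https
    ("permit", "udp", "vios-edge-i_gi0_0", "serv-dmz-i", (53, 53)),   # eq 53
]


def _in_object(addr, name):
    return any(addr in net for net in OBJECTS[name])


def evaluate(acl, proto, src, dst, port_or_type):
    """Return ('permit' | 'deny', index of the matching ACE or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, s, d, match) in enumerate(acl):
        if p != proto or not _in_object(src, s) or not _in_object(dst, d):
            continue
        if proto == "icmp":
            hit = port_or_type == match
        else:
            hit = match[0] <= port_or_type <= match[1]
        if hit:
            return action, i
    return "deny", None  # implicit deny at the end of every ASA access-list


def permitted(proto, src, dst, port_or_type):
    return evaluate(OUT_TO_INS, proto, src, dst, port_or_type)[0] == "permit"


# Constructed sample flows arriving on OUTSIDE (203.0.113.7 = Internet host)
SAMPLE_FLOWS = [
    ("tcp", "195.1.1.5", "195.1.1.161", 22),     # SSH from campus: permit
    ("tcp", "203.0.113.7", "195.1.1.161", 22),   # SSH from Internet: deny
    ("tcp", "203.0.113.7", "195.1.1.161", 443),  # HTTPS from Internet: permit
    ("tcp", "203.0.113.7", "195.1.1.161", 110),  # inside 'range www https': permit
    ("tcp", "203.0.113.7", "195.1.1.162", 80),   # web to another DMZ host: deny
    ("udp", "195.1.1.129", "195.1.1.161", 53),   # DNS from vIOS-EDGE-I: permit
    ("udp", "203.0.113.7", "195.1.1.161", 53),   # DNS from Internet: deny
    ("icmp", "8.8.8.8", "195.1.1.161", 0),       # echo-reply from Google: permit
    ("icmp", "8.8.8.8", "195.1.1.161", 8),       # echo from Google: deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, idx = evaluate(OUT_TO_INS, *flow)
        where = f"ACE {idx}" if idx is not None else "implicit deny"
        print(f"{flow}: {action} ({where})")
```

One detail the evaluator makes visible: `range www https` permits every TCP destination port from 80 through 443, not only the two named ports, so the fourth sample flow (port 110) is permitted as well. If only the two web ports are intended, two separate `eq www` and `eq https` entries, or an object-group service, keep the rule as narrow as the text above describes.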

1.7 SSH Access

ASAv-DMZ-I(config)# aaa authentication ssh console LOCAL
ASAv-DMZ-I(config)# crypto key generate rsa modulus 4096
ASAv-DMZ-I(config)# ssh key-exchange group dh-group14-sha1

Allow SSH access on the OUTSIDE interface from the subnet 195.1.1.0/25.

ASAv-DMZ-I(config)# ssh 195.1.1.0 255.255.255.128 OUTSIDE

Set the SSH session timeout to the maximum value of 60 minutes.

ASAv-DMZ-I(config)# ssh timeout 60

1.8 NTP

ASAv-DMZ-I(config)# ntp server 172.16.50.1
ASAv-DMZ-I(config)# clock timezone UTC+2 +2

Picture 3 - Time Synchronization Checking

1.9 DNS Client

ASAv-DMZ-I(config)# dns server-group DefaultDNS
ASAv-DMZ-I(config-dns-server-group)# name-server 195.1.1.161
ASAv-DMZ-I(config-dns-server-group)# exit

ASAv-DMZ-I(config)# dns domain-lookup INSIDE

Picture 4 - Displaying DNS Cache

1.10 Logging Configuration

Log informational messages (level 6) to the console, to RAM (buffer) and to VTY sessions.

ASAv-DMZ-I(config)# logging enable
ASAv-DMZ-I(config)# logging console 6
ASAv-DMZ-I(config)# logging buffered 6
ASAv-DMZ-I(config)# logging monitor 6

Configure the remote syslog-ng server that is running on the server Serv-DMZ-I. Set the syslog level to 5 (notifications), which also includes all lower, more severe levels (level 1 is alerts).

ASAv-DMZ-I(config)# logging host INSIDE 195.1.1.161
ASAv-DMZ-I(config)# logging trap notifications

Log traps are sent to the server Serv-DMZ-I, where they are stored in the directory /var/log/dmz.

Picture 5 - Content of DMZ Directory
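Because the console, buffer and monitor are set to level 6 while the syslog host receives level 5 and lower, not every message visible on the ASA console ends up in /var/log/dmz. The added example below (my own code, not from the article) parses messages in the ASA "%ASA-severity-id" format, decides where the configuration above would deliver each one, and computes the syslog PRI value the forwarded message carries, assuming the ASA default logging facility LOCAL4 (20). The sample lines are constructed for illustration and should not be taken as a reference for real message IDs or texts.

```python
"""Added example: which ASA messages reach Serv-DMZ-I with the logging
configuration from the article (console/buffer/monitor at level 6, trap at
level 5). Sample lines are constructed, not captured from the lab.
"""
import re

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}
ASA_DEFAULT_FACILITY = 20  # LOCAL4, the ASA default for 'logging facility'

MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")


def parse_asa_message(line):
    """Split '%ASA-<severity>-<id>: text' into its parts, or return None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"),
            "text": m.group("text")}


def sent_to_host(line, trap_level=5):
    """True when 'logging trap <level>' forwards this message: the ASA sends
    messages whose severity number is less than or equal to the trap level."""
    msg = parse_asa_message(line)
    return msg is not None and msg["severity"] <= trap_level


def syslog_pri(severity, facility=ASA_DEFAULT_FACILITY):
    """PRI value in the syslog header: facility * 8 + severity."""
    return facility * 8 + severity


def split_by_destination(lines, trap_level=5, console_level=6):
    """Group message IDs by where the ASA would deliver them."""
    out = {"syslog_host": [], "console_only": [], "dropped": []}
    for line in lines:
        msg = parse_asa_message(line)
        if msg is None:
            continue
        if msg["severity"] <= trap_level:
            out["syslog_host"].append(msg["id"])
        elif msg["severity"] <= console_level:
            out["console_only"].append(msg["id"])
        else:
            out["dropped"].append(msg["id"])
    return out


# Constructed sample messages in the ASA message format (IDs/texts are
# illustrative only)
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 1 for OUTSIDE:203.0.113.7/40112 "
    "(203.0.113.7/40112) to INSIDE:195.1.1.161/80 (195.1.1.161/80)",
    '%ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.7/40113 dst INSIDE:195.1.1.161/22 '
    'by access-group "out-to-ins"',
    "%ASA-5-111008: User 'admin' executed the 'logging trap notifications' command.",
    "%ASA-7-710005: UDP request discarded from 203.0.113.7/5353 to OUTSIDE:195.1.1.130/5353",
    "%ASA-1-105004: (Primary) Monitoring on interface OUTSIDE normal",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_asa_message(line)
        dest = "syslog host" if sent_to_host(line) else "console/buffer only"
        print(f"{msg['id']} {SEVERITY_NAMES[msg['severity']]:<13} "
              f"PRI={syslog_pri(msg['severity'])} -> {dest}")
```

The practical consequence for the DMZ: connection build/teardown messages (level 6) stay in the local buffer, while denies by the access-group (level 4) and configuration changes (level 5) are what the syslog-ng server in /var/log/dmz will show. If the per-connection records are wanted on the server too, the trap level has to be raised to informational.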

1.11 Traffic Inspection

ASAv-DMZ-I(config)# policy-map type inspect http http_map
ASAv-DMZ-I(config-pmap)# parameters
ASAv-DMZ-I(config-pmap-p)# protocol-violation action drop-connection log

ASAv-DMZ-I(config)# policy-map global_policy
ASAv-DMZ-I(config-pmap)# class inspection_default
ASAv-DMZ-I(config-pmap-c)# inspect http http_map

ASAv-DMZ-I(config)# service-policy global_policy global

Picture 6 - List of Inspected Protocols

Check HTTP traffic inspection statistics.

Picture 7 - Checking HTTP Traffic Inspection Statistic

2. Switch vIOS-DMZ-I Configuration

We do not need to discuss every line of the vIOS-DMZ-I configuration, as the switch contains only a basic configuration that does not need a detailed explanation. We will just summarize some points that help to understand how the switch is configured.

2.1 IP Addresses, VLAN, VTP and SVI Port

The interface GigabitEthernet0/0 is connected to ASAv-DMZ-I and is configured as a routed interface. The interface GigabitEthernet0/1 is configured as a switchport in VLAN10; it connects the server Serv-DMZ-I to the network.

vIOS-DMZ-I(config)# interface GigabitEthernet0/0
vIOS-DMZ-I(config-if)# description Link to ASAv-DMZ-I
vIOS-DMZ-I(config-if)# no switchport
vIOS-DMZ-I(config-if)# ip address 195.1.1.134 255.255.255.252
vIOS-DMZ-I(config-if)# no shutdown
vIOS-DMZ-I(config-if)# exit

vIOS-DMZ-I(config)# interface GigabitEthernet0/1
vIOS-DMZ-I(config-if)# description Link to Serv-DMZ-I
vIOS-DMZ-I(config-if)# switchport mode access
vIOS-DMZ-I(config-if)# switchport access vlan 10
vIOS-DMZ-I(config-if)# no shutdown
vIOS-DMZ-I(config-if)# exit

vIOS-DMZ-I(config)# vlan 10
vIOS-DMZ-I(config-vlan)# name Servers_DMZ
vIOS-DMZ-I(config-vlan)# exit

We do not use VLAN Trunk Protocol (VTP) in the DMZ, so we disable it. As a result, VLANs must be configured locally on all switches in the DMZ. This prevents VLANs from being deleted, either accidentally by network admins or intentionally as part of an L2 attack. The command vtp mode off also stops the switch from forwarding VTP advertisements.

vIOS-DMZ-I(config)# vtp mode off

Below is the configuration of the default gateway IP address for the subnet 195.1.1.160/29. The IP address 195.1.1.166/29 is configured on the interface VLAN10.

vIOS-DMZ-I(config)# interface vlan 10
vIOS-DMZ-I(config-if)# ip address 195.1.1.166 255.255.255.248
vIOS-DMZ-I(config-if)# no shutdown

2.2 Static Default Routing

vIOS-DMZ-I(config)# ip route 0.0.0.0 0.0.0.0 195.1.1.133

2.3 Console Authentication, Privileged Exec Mode and SSH

vIOS-DMZ-I(config)# username admin secret cisco
vIOS-DMZ-I(config)# enable secret cisco

vIOS-DMZ-I(config)# line console 0
vIOS-DMZ-I(config-line)# login local

vIOS-DMZ-I(config)# ip ssh version 2
vIOS-DMZ-I(config)# ip domain-name companyXYZ.sk
vIOS-DMZ-I(config)# crypto key generate rsa modulus 4096

vIOS-DMZ-I(config)# line vty 0 1500
vIOS-DMZ-I(config-line)# transport input ssh
vIOS-DMZ-I(config-line)# login local

The SSH access-list allows connections to the VTY lines only from the subnet 195.1.1.0/25 (wildcard mask 0.0.0.127), the same subnet permitted by the ssh command on ASAv-DMZ-I.

vIOS-DMZ-I(config)# ip access-list standard ssh-access
vIOS-DMZ-I(config-std-nacl)# permit 195.1.1.0 0.0.0.127
vIOS-DMZ-I(config-std-nacl)# deny any
vIOS-DMZ-I(config-std-nacl)# exit

vIOS-DMZ-I(config)# line vty 0 1500
vIOS-DMZ-I(config-line)# access-class ssh-access in
vIOS-DMZ-I(config-line)# exit

2.4 NTP

vIOS-DMZ-I(config)# ntp server 172.16.50.1
vIOS-DMZ-I(config)# clock timezone UTC+2 +2

Picture 8 - Time Synchronization Checking

2.5 DNS Client

vIOS-DMZ-I(config)# ip name-server 195.1.1.161
vIOS-DMZ-I(config)# ip domain lookup

2.6 Logging

vIOS-DMZ-I(config)# logging host 195.1.1.161
vIOS-DMZ-I(config)# logging trap notifications

3. Server Serv-DMZ-I Configuration

The server Serv-DMZ-I provides DNS, NTP, Web and Syslog services for all devices in the DMZ. We have already described the configuration of DNS, NTP and Syslog-ng in Part 5 - Data Center Configuration. Therefore, I am not going to discuss the configuration again. Rather, we will introduce several commands that can be used during troubleshooting.

3.1 Checking NTP

Below is the output of the ntpstat command, which reports the synchronization state of the NTP daemon running on Serv-DMZ-I. The system is synchronized to the NTP server 91.236.251.29 and the approximate time accuracy is 137 ms.

Picture 9 - Checking Synchronization State of NTP Daemon

3.2 Checking DNS 

Below is the output of the dig command used to look up the IP address of the domain cisco.hu. The answer is 72.163.4.154, the DNS server is 195.1.1.161 (Serv-DMZ-I) and the query took 97 ms.

Picture 10 - Querying DNS Server 195.1.1.161

If we query the domain cisco.hu once again, the response is almost identical except for the query time, which is 0 ms. The IP address of the domain cisco.hu is now cached on Serv-DMZ-I, so no recursive DNS query is sent.

Picture 11 - Querying DNS Server 195.1.1.161

To inspect the Bind9 DNS cache, first dump the database with the command below, then check the content of the file /var/cache/bind/named_dump.db.

root@Serv-DMZ-I:/home/ubuntu# rndc dumpdb

Picture 12 - Content of Dumped Bind9 Database

3.3 Checking Web Server

First, we install the Apache2 web server with the command below.

# apt-get install apache2

We will use the curl command to check the web server type and its version. The server Serv-DMZ-I is running Apache 2.4.18.

Picture 13 - Checking Web Server with Curl Command

If the curl command is not available, the same information can be obtained with the telnet command. You need to enter HEAD / HTTP/1.0 once you are connected to the web server, then press Enter twice.

ubuntu@Server1:~$ telnet 195.1.1.161 80

HEAD / HTTP/1.0

Picture 14 - Checking Web Server with Telnet Command
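The same HEAD request can be scripted, which is handy when the check has to be repeated for several servers. The added example below (my own code, not from the article) sends the request line from the telnet session above over a plain TCP socket and parses the response headers to extract the Server banner. The host and port default to Serv-DMZ-I (195.1.1.161, port 80) as in the article; the response used for the offline test is constructed in the shape Apache 2.4 returns, not captured from the lab.

```python
"""Added example: the 'HEAD / HTTP/1.0' check from the telnet session, done
from Python, plus a parser for the response header. SAMPLE_RESPONSE is a
constructed reply, not output captured from Serv-DMZ-I.
"""
import socket


def build_head_request(host="195.1.1.161"):
    """Request line, a Host header (tolerated by HTTP/1.0 servers) and the
    blank line that ends the request, as typed into telnet."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_headers(raw):
    """Return (status_code, {header-name-lower: value}) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(code), headers


def server_banner(raw):
    """The Server header the article reads off with curl/telnet ('' if absent)."""
    _, headers = parse_response_headers(raw)
    return headers.get("server", "")


def head_request(host="195.1.1.161", port=80, timeout=5.0):
    """Live check: connect, send the HEAD request and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed reply in the shape Apache 2.4 on Ubuntu sends to a HEAD request
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2018 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.18 (Ubuntu)\r\n"
    b"Last-Modified: Mon, 01 Jan 2018 09:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Offline demonstration on the constructed reply; replace with
    # head_request() to query the real server.
    code, _ = parse_response_headers(SAMPLE_RESPONSE)
    print(code, server_banner(SAMPLE_RESPONSE))
```

The banner is exactly what an outside host sees as well. Apache can be told to shorten it to just the product name with the ServerTokens Prod directive, which does not change the check above but removes the version from the publicly visible header.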

3.4 Checking Syslog-ng

Check whether syslog-ng is listening on the expected socket.

Picture 15 - Checking Syslog-ng Socket

In our case, syslog-ng is listening on all IP addresses on TCP and UDP port 514. If it is not, check the configuration file for syntax errors with the command below.

root@Serv-DMZ-I:/home/ubuntu# syslog-ng --syntax-only

One thought on “Enterprise Network on GNS3 - Part 7 - DMZ”

  1. It's best not to have any dmz resources connected to the inside interface and instead use a dedicated interface for the dmz network.
