Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DMZ-issue

Status
Not open for further replies.

Stin0

IS-IT--Management
Nov 8, 2006
21
BE
Hello all,

I've got a weird situation going on with some netgear Dual-WAN/VPN router

As I said it has 2 WAN-ports.
On WAN 1 I've got a static ip (192.168.4.2), Default GW (192.168.4.1 = cisco ISDN router from ISP).
The LAN-interface has the ip of 192.168.1.1 (that is the scope of our LAN).
Between the Cisco and our netgear device I've put a switch with some webservers on them.

I can get from our LAN to our Webservers, from the internet it works also fine. The problem is that I can not get from the webserver to the LAN.
I need to get to the A.D from our LAN, as I need it for authentication.
I tried to put in some static routes but nothing happened.

Any idea's?

Kindest regards,


Stijn

 
You need to punch a hole in your Netgear Dual WAN/VPN router to allow traffic originating on it's WAN side to your LAN side of the appliance. It's a basic statefull firewall and probably has it's security to allow all traffic orginating from the LAN to WAN as open (that's why you can access the web server from the LAN), but blocks all traffic originating from the WAN to LAN side. You can access the web server from the Internet because the web server is plugged into your switch off of the Cisco's LAN subnet, does not go through the Netgear, and it either has that port on the Cisco open or is wide open to all ports (when I say ports, I mean TCP/UDP ports).
Like I said, your quick fix is to open up whatever ports you need; however, you really need to take a look at your design better. Having a DMZ zone for web servers is great, but having them tied to your A.D. inside your lan is not due to the ports that have to be opened to allow Kerberos. If someone gains access to the web server, then game over since they now have access to your Active Directory. Also, you are having to double NAT (once through the Cisco and again through your Netgear). There's nothing per say wrong with that, but it's twice the work for you to create static NAT(s).

 
Thanx for the reply...
What i've changed now (and this works), is that i've made a different LAN ip on a differnet subnet of my LAN on the netgearbox.

I still see the problem with the AD-connection however...
Thing i have to do is make a new AD (new forest, new domain)in the DMZ and make a kind of a trust-relationship between the LAN-AD and the DMZ-AD.

Hopefully i get my hands on some resources so I can tighten the security.

Thanx a lot for the clarification!

Kindest regards,

Stijn
 
I wouldn't even do that. Just make your web servers simple non AD joined servers. Each server will have it's own security with usernames and passwords. Unless you have some particular app you have to run on your web servers that has to have AD access (I'd be looking for another app personally), then this is the best route. Creating another AD and then establishing a trust between the two, you would still have to open ports galore.

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top