New firewall - DMZ troubles

Status
Not open for further replies.

cyberspace

Technical User
Aug 19, 2005
968
GB
Where I work there is a 2mbit leased line and we have a /27 public subnet giving us 30 public IP addresses. The router (little ISP owned Cisco) is x.x.x.129, firewall .130. On here we have our mail server, VPN termination point, web sites, etc. This is used for some internet access but users are routed via an ADSL connection.

The existing firewall is a Symantec Raptor, old stuff, works quite well but it's heavily outdated and running on an old PC.

The DMZ isn't really a proper DMZ...what happens is:

Internet --> x.x.x.129 --> 8 port switch which has DMZ hosts coming off it --> x.x.x.130 --> LAN

Not the ideal setup (I believe this is called a "blow hole" as opposed to a proper DMZ?) but it works and the Raptor does apply rules to the hosts coming off the switch.

We recently purchased a 3Com X506, which is a "Unified Threat Management System" and it's got plenty of features. However, in testing, setting up the DMZ in the same way just didn't work and no rules were applied. I could set up a security zone for the DMZ, but then I'm not sure how that would work for our range of public addresses.

It's leaving me rather stumped right now, so any suggestions would be welcomed!

'When all else fails.......read the manual'
 
Transparent Deployment Mode...
Try page 147 of The X Family LSM User's Guide located here:

You can see the interface here...

Run the LAN and WAN respectively and demilitarize one or more of the four free interfaces... Run those to your DMZ switch(es)... This also supports virtual servers, which is something to look at if you have a static server on the LAN.

You can google the related documentation but there is a nice CLI reference manual...
---------------------------------------------------
"Related documentation
For detailed installation instructions and further configuration information, see the following manuals, which are included on the Documentation CD that is shipped with the product:
• X Family of Security Devices Hardware Installation Guide
• X Family Local Security Manager User’s Guide
Online Help is also available within the Local Security Manager (LSM) interface. For information on configuring and managing your X506 under the Command Line Interface (CLI) control, see the X Family Command Line Interface Reference."
---------------------------------------------------

I hope this helps...

B Haines
CCNA R&S, ETA FOI
 
I think what he's asking is that the new setup only works like so...

router---firewall--switch---dmz

The router gets .129 on the inside interface, and .130 goes on the firewall interface. What can go on the other side of the firewall? The whole point of a dirty DMZ is to NOT NAT...
I think the only solution is to nix the router and just have the firewall route, put the router in bridge mode and have the firewall route, or have the firewall do NAT. Those are your three choices.

Burt
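The point made in the two replies above (transparent mode bridges the public range through the firewall; a routed firewall behind the ISP's .129 only works if it does NAT or becomes the gateway) can be followed with a small model. This is an added illustration, not Tek-Tips, 3Com or Raptor code: 203.0.113.128/27 is a constructed documentation prefix standing in for the poster's x.x.x.128/27, and the DMZ host, private address and port policy are assumptions.

```python
"""Why a public-addressed DMZ behind a routed firewall stops working.

The ISP router at .129 holds the whole /27 as directly connected, so for any
DMZ address it sends an ARP request on its inside segment instead of routing
via the firewall at .130. The model follows that ARP for three placements:
transparent (bridged) mode, plain routed mode, and routed mode with NAT.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

PUBLIC = IPv4Network("203.0.113.128/27")     # constructed stand-in for x.x.x.128/27
ROUTER = IPv4Address("203.0.113.129")        # ISP router inside interface (.129)
FIREWALL_WAN = IPv4Address("203.0.113.130")  # firewall WAN interface (.130)


def dmz_addresses(net=PUBLIC, reserved=(ROUTER, FIREWALL_WAN)):
    """Public addresses left for DMZ hosts once router and firewall take theirs."""
    return [h for h in net.hosts() if h not in reserved]


@dataclass
class Firewall:
    mode: str                                    # "transparent", "routed" or "routed_nat"
    dmz_hosts: set = field(default_factory=set)  # public IPs of hosts on the DMZ switch
    allow: dict = field(default_factory=dict)    # public IP -> set of permitted TCP ports
    nat: dict = field(default_factory=dict)      # public IP -> private DMZ address (routed_nat)

    def arp_answered(self, dst):
        """Does anything on the router-facing segment reply to the router's ARP for dst?"""
        if self.mode == "transparent":
            # Bridged: the ARP request is forwarded to the DMZ switch and the host replies.
            return dst in self.dmz_hosts
        if self.mode == "routed_nat":
            # The firewall owns the mapped public addresses and replies for them itself.
            return dst in self.nat
        # Plain routed mode: only .130 is on the wire. The DMZ hosts sit behind another
        # interface but still carry addresses the router expects to find locally, so
        # this only works if the router is removed or bridged and the firewall becomes
        # the gateway for the /27.
        return False

    def deliver(self, dst, port):
        """Outcome for a packet the ISP router receives for dst:port."""
        dst = IPv4Address(dst)
        if dst not in PUBLIC or dst in (ROUTER, FIREWALL_WAN):
            return "not a DMZ address"
        if not self.arp_answered(dst):
            return "unreachable: no ARP reply on the router segment"
        # The frame reached the firewall: apply the per-host policy.
        if port not in self.allow.get(dst, set()):
            return "dropped by policy"
        if self.mode == "routed_nat":
            return f"allowed, translated to {self.nat[dst]}"
        return "allowed"


def demo():
    """Run the same SMTP/SSH requests through the three placements (constructed data)."""
    mail = IPv4Address("203.0.113.135")                 # assumed mail server address
    policy = {mail: {25, 443}}                          # assumed permitted ports
    transparent = Firewall("transparent", dmz_hosts={mail}, allow=policy)
    routed = Firewall("routed", dmz_hosts={mail}, allow=policy)
    natted = Firewall("routed_nat", allow=policy, nat={mail: IPv4Address("192.168.1.10")})
    return {
        "dmz_addresses": len(dmz_addresses()),
        "transparent_smtp": transparent.deliver(mail, 25),
        "transparent_ssh": transparent.deliver(mail, 22),
        "routed_smtp": routed.deliver(mail, 25),
        "nat_smtp": natted.deliver(mail, 25),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The routed case is the one the original poster hit: the rules were never applied because the frames never reached the firewall. Transparent mode keeps the 28 remaining public addresses on the hosts and still filters; NAT keeps the hosts private and needs the readdressing the poster wants to avoid.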

 
Thanks for the replies so far.

Just to clarify, I'd rather have the DMZ on its own port in its own security zone - I prefer to do stuff properly but I am a bit hindered by the initial design of the network (virtual servers would be great, but a LOT of work is involved in changing IPs as there are several Domino Servers on System i...how I miss Windows!!). One issue is that if I give the WAN port on the X506 .130 and then use another port for the DMZ, I'm not sure how to get traffic destined for .128/27 to come in via WAN but then onto the DMZ port.

Burt, you are correct about router/firewall addresses. The router is ISP owned and we have no access to it.

The local interface of the firewall is on the LAN, 192.168.1.1, and is the default gateway for several machines (used to be company wide before using the secondary ADSL line). Incoming traffic doesn't get into this range (apart from VPN) as all stuff that needs to be accessible is on public IPs and is in the "DMZ".

Appreciate the help so far. Not had much practical experience with DMZs set up like this so it's all good learning!

'When all else fails.......read the manual'
 