
DMZ, NAT/Global design question

wilson_1234_2
Level 3

I have some servers on our inside network that have a secondary NIC for replication and failover purposes.

This secondary NIC on the inside servers is in its own separate VLAN (10.10.10.x).

We need to add this set up to a couple of DMZ servers.

I want to put the secondary NIC also behind the firewall to keep all interfaces on the DMZ servers secure.

My questions are:

Can I put the secondary NIC that will be on the DMZ interface of the firewall in the same subnet as the inside VLAN that the other servers are in?

(There are no interfaces on the firewall in the 10.10.10.0 VLAN)

I am thinking I should be able to do that technically, but is it acceptable?

Is there any benefit to putting the DMZ in an entirely different subnet (172.16.200.0) and NATing to the 10.10.10.0 subnet from the inside interface?

5 Replies

Jon Marshall
Hall of Fame

Hi Wilson

Technically yes you can do this but it would be helpful to understand a little more.

When you say failover, how does this work? If the secondary NIC is in a totally different subnet, how does the failover work?

Jon

Thanks Jon,

The failover works by failing over to an entirely different server in the DR site, that part is already taken care of.

The secondary NIC is to make sure the data is replicating I believe.

The only thing I am concerned about is to make sure the server in the HQ side can communicate with the server in the DR side on the second logical interface.

They do not HAVE to be in the same VLAN, but it would be nice for organizational purposes.

We have several servers on the inside already in an existing VLAN and I was thinking we could keep the logical interface on the DMZ in the same VLAN.

Everything is in its own separate VLAN here, including the firewall inside interfaces, so everything is routed from the core switches via the SVI.

So the default gateway for the 10.10.10.0 VLAN is on the core switch.

On the firewall, I would just route the 10.10.10.0 network to the inside.

If I set up a static NAT to the logical interface on the DMZ, in the same subnet as the NICs for the servers on the inside network, I will have to put a static route in the core switches to those hosts, and the next hop will be the PIX inside interface (10.10.20.1).

Does that sound right?

Wilson

Couple of things

1) If you connect the secondary NIC to an internal VLAN which is routed off the core switch then you have in effect bypassed your firewall, i.e. if somebody could gain access to one of those DMZ servers they would have a direct route into your network.

2) Sorry to be a bit slow but it's been a long day :). I'm not sure why you would need a static NAT if you place the DMZ NICs into the same internal subnet. If you do place them in the same internal subnet 10.10.10.x then traffic from the core switch will just get switched to these servers, i.e. it won't go via the firewall inside interface.

I think i may have misunderstood your last point, if so please clarify.

Jon
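For readers following the two designs discussed above, here is an added illustration of the second one (the DMZ server's replication NIC in its own 172.16.200.0 subnet, statically NATed to an address in 10.10.10.0/24, with a host route on the core pointing at the PIX inside interface). This is not configuration posted in the thread. It uses PIX 6.x and IOS syntax; the interface names, the real and mapped host addresses (172.16.200.50 and 10.10.10.50), the core SVI address 10.10.20.254, the access-list name and the replication port 1433 are all assumptions chosen for the example.

```cisco
! --- PIX (6.x syntax); interface names inside/dmz are assumed ---
! Assumed addressing: inside 10.10.20.1/24 (as in the thread), dmz 172.16.200.1/24
nameif ethernet2 dmz security50
ip address inside 10.10.20.1 255.255.255.0
ip address dmz 172.16.200.1 255.255.255.0

! The PIX has no interface in 10.10.10.0/24, so it reaches that VLAN via
! the core switch's SVI in the inside VLAN (10.10.20.254 is assumed)
route inside 10.10.10.0 255.255.255.0 10.10.20.254 1

! Static NAT: the DMZ server's replication NIC (real 172.16.200.50, assumed)
! is presented to the inside as 10.10.10.50 (assumed mapped address)
static (dmz,inside) 10.10.10.50 172.16.200.50 netmask 255.255.255.255 0 0

! Inside hosts keep their real addresses when talking to the DMZ (identity NAT)
nat (inside) 0 0.0.0.0 0.0.0.0

! DMZ -> inside is lower -> higher security, so nothing passes without an
! ACL. Allow only the replication NIC, only to the inside replication VLAN,
! only on the replication port (1433 is a placeholder, not from the thread).
access-list dmz_in permit tcp host 172.16.200.50 10.10.10.0 255.255.255.0 eq 1433
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! --- Core switch (IOS) ---
! 10.10.10.0/24 is a connected SVI on the core. The /32 for the mapped
! address is more specific, so it wins and sends that traffic to the PIX.
ip route 10.10.10.50 255.255.255.255 10.10.20.1
```

Two points to check before relying on this. First, a host whose own NIC is in 10.10.10.0/24 will ARP for 10.10.10.50 rather than send it to the core, because the mapped address is in its own subnet; that traffic only reaches the PIX if the core SVI proxy-ARPs for the /32 it has a route to (IOS does this by default, but it is an easy thing to break or disable). Mapping into a subnet that is not directly connected to any replication host avoids that dependency. Second, the access list above only governs what the DMZ NIC may initiate; with an inside-to-DMZ replication flow you should also restrict the inside side to the peers and port actually needed, so a compromised DMZ host gets no more than the replication path either way.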

Hi Wilson

Is this problem sorted ?

Jon

Yes Jon,

It is in place and working.

Thanks for the help
