Moving app servers from Inside to DMZ

Jul 23rd, 2008

I figured it out, but if you have a better solution, by all means please do share.

The ISP will be changed also so the DNS record will have to change. I will configure the DMZ with the new IP range from the new ISP. Change the server IP address and the DNS record and move it to the DMZ.



I am working on a design replacing a PIX firewall with a FW module on a 6509. The current firewall is configured with inside and outside interfaces only, so the NATing and the statics are between these two interfaces.

In my new design I will have a DMZ so the app servers will have to move to the DMZ and will require IP re-addressing.

What I am trying to do is to move the servers over time after replacing the PIX. I am not sure if I can configure the DMZ with the new servers' IP addresses (NAT, static and ACL), configure the inside/outside on the FW module in the 6509 similar to the current PIX with the current NAT, static and ACL, and then, as we move servers to the new DMZ, change their IP addresses.

Is it possible to have a static (DMZ, outside) from a public IP address to a DMZ IP address and a static (inside, outside) from the same public IP address to an inside address? Will the firewall pass the traffic to the app server on the inside prior to moving it, and then to the DMZ once the server is moved and re-IPed?


Marwan ALshawi Wed, 07/23/2008 - 19:43

I haven't tried it or even thought about a case like this,

so let's think about it.

Let's say your public IP is 1.1.1.1 and you made a static to this IP to both DMZ and inside.

So do you think it is reasonable to make a config like this,

and how would the firewall know to which address it should forward the traffic?

So you must avoid this idea

and instead do port forwarding.

Let's say

you have a server on the inside with IP 10.10.10.10

and a server on the DMZ with IP 20.20.20.20.

You want HTTP traffic to go to the inside

and SMTP traffic to go to the DMZ using one public IP address:


static (inside, outside) tcp 1.1.1.1 80 10.10.10.10 80 netmask 255.255.255.255 0 0

static (dmz, outside) tcp 1.1.1.1 25 20.20.20.20 25 netmask 255.255.255.255 0 0


In this case it is going to be reasonable, and it works the same with PIX/ASA and the FWSM module.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml


Good luck.


Rate if helpful

ramzi-kotob Thu, 07/24/2008 - 04:39

I currently don't have a DMZ. What I figured on doing is:

Let's say the current server, let's call it www.xyz.com, private address is 1.1.1.1 and the public address is 2.2.2.2 so my current statement is:

static (inside, outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255


I will create a DMZ and use 3.3.3.0/24 for the DMZ network. Let's say the new public addresses are 4.4.4.0/26. I can keep the current (inside, outside) statement and create a DMZ statement:

static (DMZ, Outside) 4.4.4.1 3.3.3.1 netmask 255.255.255.255

Outside users going to xyz.com at this point will still go to 1.1.1.1.

When it is time to move the server, change its IP address to 3.3.3.1 and change the DNS record to 4.4.4.1. Users going to xyz.com will now go to 4.4.4.1, and the initial static statement for (inside, Outside) will do no harm. Correct?
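Added here by the editor, not code from either poster: a small Python model of how a static lookup resolves an inbound flow, using the simplified PIX/FWSM `static` syntax shown in both replies (it does not reproduce the real PIX translation-order rules). It shows why two full-address statics for one public IP are ambiguous, while the per-port statics in the first reply and the separate-public-IP approach in the second each resolve to exactly one host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configs: AMBIGUOUS is the case the first reply warns against,
# PORT_FORWARDED is that reply's fix (per-port statics on the same public IP).
AMBIGUOUS = [
    "static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255",
    "static (dmz,outside) 1.1.1.1 20.20.20.20 netmask 255.255.255.255",
]
PORT_FORWARDED = [
    "static (inside,outside) tcp 1.1.1.1 80 10.10.10.10 80 netmask 255.255.255.255 0 0",
    "static (dmz,outside) tcp 1.1.1.1 25 20.20.20.20 25 netmask 255.255.255.255 0 0",
]

STATIC_RE = re.compile(  # simplified pattern for the "static" lines on this page
    r"static\s*\((?P<real_if>\w+),\s*(?P<mapped_if>\w+)\)\s+(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped_ip>[\d.]+)\s+(?:(?P<mapped_port>\d+)\s+)?"
    r"(?P<real_ip>[\d.]+)(?:\s+(?P<real_port>\d+))?\s+netmask\b", re.IGNORECASE)

@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_ip: str
    proto: Optional[str]          # None means a full-address (all-ports) static
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised static line: {line!r}")
    g = m.groupdict()
    as_port = lambda v: int(v) if v else None
    return Static(g["real_if"].lower(), g["mapped_ip"], g["proto"].lower() if g["proto"] else None,
                  as_port(g["mapped_port"]), g["real_ip"], as_port(g["real_port"]))

def resolve_inbound(lines: List[str], mapped_ip: str, proto: str, port: int) -> List[Tuple[str, str, int]]:
    """Every real-side (interface, address, port) an inbound flow to mapped_ip:port could
    translate to: one entry is a clean mapping, more than one is the ambiguity, none means no match."""
    targets = []
    for s in map(parse_static, lines):
        if s.mapped_ip != mapped_ip:
            continue
        if s.proto is None:                              # full-address static matches any port
            targets.append((s.real_if, s.real_ip, port))
        elif s.proto == proto.lower() and s.mapped_port == port:
            targets.append((s.real_if, s.real_ip, s.real_port))
    return targets
```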

Marwan ALshawi Thu, 07/24/2008 - 05:53

In this case you are right.

Good luck.


rate if helpful
