Moving app servers from Inside to DMZ

Unanswered Question
Jul 23rd, 2008

I figured it out, but if you have a better solution, by all means please do.

The ISP will be changed also so the DNS record will have to change. I will configure the DMZ with the new IP range from the new ISP. Change the server IP address and the DNS record and move it to the DMZ.

I am working on a design replacing a PIX firewall with a FW module on a 6509. The current firewall is configured with inside and outside interfaces only, so the NATing and the statics are between these two interfaces.

In my new design I will have a DMZ so the app servers will have to move to the DMZ and will require IP re-addressing.

What I am trying to do is to move the servers over time after replacing the PIX. I am not sure if I can configure the DMZ with the new servers' IP addresses (NAT, static and ACL), configure the inside/outside on the module FW in the 6509 similar to the current PIX with the current NAT, static and ACL, and then, as we move servers to the new DMZ, change the IP addresses.

Is it possible to have a static (DMZ, outside) from a public IP address to a DMZ IP address and a static (inside, outside) from the same public IP address to an inside address? Will the firewall pass the traffic to the app server on the inside prior to moving it, and then to the DMZ once the server is moved and re-IPed?

Marwan ALshawi Wed, 07/23/2008 - 19:43

I haven't tried it, and I haven't even thought about a case like this.

So let's think about it.

Let's say your public IP is 1.1.1.1 and you made a static to this IP to both DMZ and inside.

So do you think it is reasonable to make a config like this?

And how would the firewall know to which address it should forward the traffic?

So you must avoid this idea

and use port forwarding instead.

Let's say

you have a server on the inside with IP 10.10.10.10

and a server on the DMZ with IP 20.20.20.20.

You want HTTP traffic to go to the inside

and SMTP traffic to go to the DMZ using one public IP address:

static (inside, outside) tcp 1.1.1.1 80 10.10.10.10 80 netmask 255.255.255.255 0 0

static (dmz, outside) tcp 1.1.1.1 25 20.20.20.20 25 netmask 255.255.255.255 0 0

In this case it is going to be reasonable, and it works the same with PIX/ASA and the FWSM module.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Good luck

Rate if helpful

ramzi-kotob Thu, 07/24/2008 - 04:39

I currently don't have a DMZ. What I figured on doing is:

Let's say the current server, let's call it www.xyz.com, has private address 1.1.1.1 and public address 2.2.2.2, so my current statement is:

static (inside, outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255

I will create a DMZ and use 3.3.3.0/24 for the DMZ network. Let's say the new public addresses are 4.4.4.0/26. I can keep the current (inside, outside) statement and create a DMZ statement:

static (DMZ, Outside) 4.4.4.1 3.3.3.1 netmask 255.255.255.255

Outside users going to xyz.com at this point will still go to 1.1.1.1.

When it is time to move the server, change its IP address to 3.3.3.1 and change the DNS record to 4.4.4.1. Users going to xyz.com will now go to 4.4.4.1, and the initial static statement for (inside, Outside) will do no harm. Correct?
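The three static layouts discussed in this thread, modelled as an added example (not from the thread, from Cisco, or from either poster): a small resolver for PIX/FWSM-style static statements shows that two full statics for one public address on different interfaces leave the firewall with no rule to pick a host, while Marwan's port statics and ramzi's separate public addresses each resolve to exactly one server. The parser handles only the simplified subset of the static syntax quoted above.

```python
"""Resolve inbound packets against PIX/FWSM-style 'static' statements. Added example, not from
the thread or Cisco; grammar is a subset of: static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip
[mapped_port] real_ip [real_port] ... . Interface names are treated case-insensitively."""
import re
from typing import List, NamedTuple, Optional, Tuple

class Static(NamedTuple):
    real_ifc: str
    mapped_ifc: str
    proto: Optional[str]        # None: all protocols (full-address static)
    mapped_ip: str
    mapped_port: Optional[int]  # None: all ports
    real_ip: str
    real_port: Optional[int]    # None: same port as the mapped one

_STATIC = re.compile(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(?:(tcp|udp)\s+)?"
                     r"(\S+)(?:\s+(\d+))?\s+(\S+)(?:\s+(\d+))?")

def parse_static(line: str) -> Static:
    """Parse one statement; trailing 'netmask ...' and connection limits are ignored."""
    m = _STATIC.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    ri, mi, proto, mip, mport, rip, rport = m.groups()
    return Static(ri.lower(), mi.lower(), proto, mip,
                  int(mport) if mport else None, rip, int(rport) if rport else None)

def resolve_inbound(statics: List[Static], ifc: str, dst_ip: str, proto: str,
                    dst_port: int) -> Optional[Tuple[str, str, int]]:
    """Return (real_ifc, real_ip, real_port) for a packet arriving on `ifc`, None if no static
    applies, and raise LookupError when more than one static claims the same public address."""
    hits = [s for s in statics
            if s.mapped_ifc == ifc.lower() and s.mapped_ip == dst_ip
            and (s.mapped_port is None or (s.proto, s.mapped_port) == (proto, dst_port))]
    if not hits:
        return None
    if len(hits) > 1:  # the firewall has no rule to choose between these real hosts
        raise LookupError(f"ambiguous statics for {dst_ip}: {[s.real_ip for s in hits]}")
    s = hits[0]
    return s.real_ifc, s.real_ip, dst_port if s.real_port is None else s.real_port

# Constructed from the statements quoted in the thread.
MARWAN = [parse_static(l) for l in (
    "static (inside, outside) tcp 1.1.1.1 80 10.10.10.10 80 netmask 255.255.255.255 0 0",
    "static (dmz, outside) tcp 1.1.1.1 25 20.20.20.20 25 netmask 255.255.255.255 0 0")]
RAMZI = [parse_static(l) for l in (
    "static (inside, outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255",
    "static (DMZ, Outside) 4.4.4.1 3.3.3.1 netmask 255.255.255.255")]
SAME_IP_TWICE = [parse_static(l) for l in (   # the original question's idea
    "static (inside, outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255",
    "static (dmz, outside) 1.1.1.1 20.20.20.20 netmask 255.255.255.255")]
```

With RAMZI loaded, which server a client reaches is decided purely by the address the DNS record hands out, which is why the old (inside, outside) static can stay until the move is finished.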
