Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Setting up DMZs/Screened Subnets with Commodity Firewalls

We have a couple of DMZs set up with Firewalls such as Checkpoint and NetGear (fvs114) to separate the subnets.

The NetGear is causing me problems and I am looking at other firewalls (such as SonicWall Soho 3 which I happen to have) or a router such as the Cisco 800 or 1800 series. This subnets do not go directly to the internet. They are just separating my data servers from my DMZ that that has my webservers on one side and our Protected intranet on the other.

The problem is that these are Firewall/Dsl Routers that are intended to route information from your local network to the Internet that also have firewall functions. After reading the document on the Netgear - it talks about Internet Sharing Firewalls where requests from the outside are discarded. Only packets that come from the outside as a response are accepted. On the Netgear, this is also the case unless you have a rule set up to accept requests by service (such as port 80 - http). I don't know if the Cisco 800 series would have the same problem or not.

I don't know if this normal or not but one of the things required is a Gateway. I would assume that a normal non-internet sharing firewall wouldn't have a Gateway as you are only routing packets from one subnet to another (no Nat).

The Wan side has a gateway that is usually the DSL Router.

You can usually set up the Firewall as Standard or Nat. With standard the Lan and Wan have to be the same sub net. With Nat the Wan is the ISPs Router address (public) and the Lan is your private network.

In my case, I want to use Firewall or Router inside the private network where both the Lan and Wan would have private addresses but each would be a public address.

So on my Protected network I would have all my user machines on the 10.0.0.X network and my DMZ that has my Sql Servers would be on the 10.0.3.X network.

I don't know if it matters which side has Lan or Wan interface. But what about the Gateway address. I have it set up at the moment as:

Wan:

IP Address:10.0.0.251

Mask: 255.255.255.0

Gateway: ?

Lan:

IP Address: 10.0.3.251

Mask: 255.255.255.0

Sql Server IP Address: 10.0.3.2

My workstation: 10.0.0.25

I am assuming that Nat needs to be set for this to work. But in the Internet world you would not be able to accesses an address in the private network directly. Only in response to a request. So there would need to be a request from the Private address first to the Internet and the Internet would respond. But not the other way round.

Since I am Natting here, wouldn't I have the same problem? Is there a way to make this work with these types of Firewalls or do I need a router?

We have a Checkpoint Firewall that does this great. But that is too expensive for us here in this scenario.

Thanks,

Tom

2 REPLIES

Re: Setting up DMZs/Screened Subnets with Commodity Firewalls

Hello Tom,

Please let me introduce you to some common practice in connecting to the Internet.

Typically one uses private adresses (such as your 10.x networks on the private side of the firewall, this is often called the inside.

To allow for incoming communication, you need to use port forwarding. (port 80 for example to allow connections from outside to your www server.

For the rest, either by firewall or by NAT, you do want to accept only traffic in response to a request from the inside. This firewalling behaviour is very desirable to keep your computers protected from malicious hackers on the Evil Internet.

Noticed that you have a 10.x adress on the outside. I assume that this is fed into your Checkpoint FW who is nat'ting the traffic and that your real external ip adress is something else. Your connection would not be reachable otherwise. (RFC1918)

You can use either a router or a firewall to connect to the Internet.

Regards,

Leo

New Member

Re: Setting up DMZs/Screened Subnets with Commodity Firewalls

Hello Leo,

In my case, I am not using the firewall as a border router. That is what the Checkpoint is doing. We have a couple of subnets that we use to separate our Data from our Web Servers and Protected network.

In these cases you would have a Wan (--> Internet) and a Lan (--> Protected Network).

In my case, I am not using the firewalls to access the Internet at all. This is why we have 2 different private subnets.

We mainly wanted to allow certain workstations in our Protected subnet to have access to the DB servers but not all (Wan->Lan/10.0.0.x ->10.0.3.x). There is also a couple of cases where we need one of the servers in the Data DMZ to access a couple of machines in our protected network (Lan->Wan/10.0.3.x->10.0.0.x).

We thought the Netgear would solve the problems and it does to some extent. But we are finding that periodically we can't seem to connect across the firewall for a short time (10-20 minutes). Sometimes turning off the firewall and a switch the firewall is connected to off.

This has been a real problem and we are looking at another solution.

This is also compounded by the fact that there are actually 2 firwalls in this configuration. But since it is doing the same job (different subnets), whatever we do with the one firewall we would do with the other.

Thanks,

Tom

155
Views
0
Helpful
2
Replies
CreatePlease to create content