This is probably a stupid question, but that hasn't stopped me before, so:
If I had a sever in a DMZ and needed to set up a secondary NIC on it and I had no other interfaces for additional DMZs,
Is there a secure way to set up the second NIC for point to point communication to another server in a DR site DMZ?
For example, could I subnet the second NIC and have both NICs use the same DMZ interface for their default gateway?
Well you can do this but in effect they are to all intents and purposes on the same LAN. Yes you have used a /30 but they still use the same gateway so i'm not sure what this is achieving. Why can you just not use the existing NIC ?
What firewall are you using. You say you have run out of interfaces, however a lot of firewalls support 802.1q trunking so you may be able to use logical interfaces.
Could you elaborate on what exactly you are trying to achieve from a security perspective ?
Thanks for the reply.
I have a pix 525 with 6.3.
The server is a web server that is using a software package that needs to have a seperate IP Address for management purposes.
It has to stay in constant communication on the seperate NIC with the failover server in the DR site.
I need to establish this communication but stay in the DMZ on the firewall.
My concern was from a Windows perspective and putting the secon NIC in the same subnet may cause issues.
If you have pix 525 running 6.3 you should be able to run logical interfaces if you need to. Do you know if you already running these ?.
Could you post the output of a "sh ver" from your firewall and also a "sh run" showing just the interface details (make sure you remove any sensitive information).
In an ideal world you would probably look to have this management NIC on a separate DMZ. Lets see if your firewall will support logical interfaces first.
Thanks for the reply Jon,
The firewall is not using any logical interfaces, they are all NICs and each DMZ has it's own interface plugged into the DMZ switch.
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
up 1 year 58 days
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.
0: ethernet0: address is 000b.46d0.35eb, irq 10
1: ethernet1: address is 000b.46d0.35ec, irq 11
2: ethernet2: address is 00e0.b605.bbbb, irq 11
3: ethernet3: address is 00e0.b605.bbba, irq 10
4: ethernet4: address is 00e0.b605.bbb9, irq 9
5: ethernet5: address is 00e0.b605.bbb8, irq 5
6: ethernet6: address is 0002.b3a4.54b3, irq 5
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Inside Hosts: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
You can create your extra DMZ by using logical interfaces.
Here's an example from one of our firewalls
interface eth0 100full
interface eth1 100full
interface eth1 vlan191 physical
interface eth1 vlan171 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan171 app-layer-inside security95
So what you have above is that on the eth1 interface we are using logical interfaces.\ The physical interface is assigned to vlan 191 and is called inside.
The logical interface is assigned to vlan 171 and is called app-layer-inside.
You then IP address these interfaces as you would any interface and apply access-lists etc to each interface if you want.
In this example we have used the inside interface but you can use any of your DMZ interfaces.
The switchport that the interface you choose is connected to must be configured as an 802.1q trunk.
There will obviously be downtime on that interface when you configure it.
Attached is a link with more details of configuring logical interfaces.
What great help you are.
Is there any danger is disrupting service to the physical interface while creating and configuring the logical interface and getting it working?
Glad to help and many thanks for ratings.
Yes you will need downtime on the physical interface when you create the logical one and there will be a disruption of service to that DMZ.
One last thing worth noting. Because you are craeting more than one DMZ on the same interface be aware that you will not get the full bandwidth of the interface to each DMZ. However considering one of your DMZ's is going to be management this shouldn't be a problem.
Thanks again Jon,
On the technical side, thanks for mentioning the bandwidth, I dont think it will be an issue, but wouldn't be the same for any configuration?
For example if I had put a switch on the DMZ and plugged two servers into the switch?
On a personal note:
I am glad that at the very least I am able to give you points for the help.
I feel like such a beginner comapred to you guys that are the experts.
I would be embarrassed to tell you how old I am.
I swear I do not know how you all keep such an array of encyclopedic details in your head.
I think my brain is defective.
Not quite the same. You are using 1 interface on your firewall to pass 2 vlans worth of traffic. So if your existing DMZ had 100Mbps to the switch you now have 2 DMZ's sharing 100Mbps. However as i say shouldn't be an issue unless the point to point server traffic is a lot.
On the personal side, i cannot speak for anyone else in this forum but i don't particularly consider myself an expert in anything. I have strengths and weakness, eg. you don't see me posting in IP telephony except to maybe ask a question or two :). So if i find myself in the future having to install an IPT solution i will be the beginner !
I certainly don't keep every fact in my head and i suspect most of the others don't either but there is a base knowledge you acquire. After that a lot of it is knowing where to look and how to apply that knowledge.
And as for age, well i think you get all ages here on this forum so there should be no embarrassment as to how old you are, it really makes no difference.
Finally ratings, they are a sign of appreciation that someone has taken the time to help a person out on a problem and it also makes it easier for other people to find the answers to their questions.
Please post as often as you need, there are many people in these forums that can help.
Thanks for the reply, sorry, but on the interface thing:
If there are two DMZs on one interface and say a single server in each VLAN,
or two servers in the same VLAN,
What makes the link with two servers in two seperate DMZs utilize more bandwidth than the
link wih two servers in a single DMZ ?
No need to apologize. I didn't fully understand what you were asking before. You are quite right in your example ie.
both in same vlan (DMZ)
each in separate vlan (DMZ) but both vlans on same interface.
Just one more question on this,
I have been asked about setting up the end to end communication in a seperate VLAN.
This would in affect bypass the firewall, on the DMZ to inside network.
The only way that I could think of to do it would be set up the server interface with a 30 bit subnet mask to the VLAN on each end.
An then they could communicate.
What would be the reasons to NOT do it this way?
Sorry not very clear on what you are trying to do. Could you provide a bit more detail.
How would you be bypassing the firewall ?.
This would be instead of using the logical interface on the firewall, instead use a seperate VLAN.
Have the two devices communicate end to end.
The 30 bit subnet mask really wouldn't be doing anything I guess.
But I suppose I could set up access-lists.
But the logical interface on the firewall would probably be the best thing to do correct?
I was asked if we couldn't just do this with VLANs rather than setting up the logical interface.
I was just thinking of reasons not to do it with VLANs, I like the firewall idea better.
It just seems to be the correct way to go.