Firewall Wizards mailing list archives
Re: Transparent DMZ
From: "Lord Sporkton" <lordsporkton () gmail com>
Date: Tue, 9 Dec 2008 08:50:03 -0800
I cannot use routing to achieve what I am looking for. What I am looking for is: the inside is a private network, NATed to the outside interface; the DMZ allows hosts to use public IPs directly, using the provider router as the gateway, while still allowing firewalling of the DMZ traffic by the router. This is why there is no IP on the DMZ interface. I moved my outside IP to the outside interface instead of the BVI because I thought this would be needed to put an ACL on it, but I will try it on the BVI instead. Thank you for the suggestions, I will try this as soon as possible.

2008/12/9 Darden, Patrick S. <darden () armc org>:

IRB allows you to route and bridge over a set of interfaces; however, just because it is bridged doesn't mean the packets will be received by endpoints--you need routing in place, and/or endpoints need to be inclusively configured. E.g. if you had two PCs with a crossover cable connecting their NICs, one with 10.0.0.1/24 and the other with 10.0.1.1/24, they would have a link, but they would be unable to communicate with IP.

If you use IRB, then you are creating a bridge group, probably with the intent to route between the group and the routed interfaces on the router. Your config backs that up... but it looks a little skewed (with perhaps some syntax errors?). Towards that end you would need to add something like this:

  bridge irb
  int BVI 1
   ip address x.y.z.p netmask
  bridge 1 route ip

This sets up the behavior of bridge unless we can route. If it bridges, then make sure the netmasks are inclusive, or else again endstations will not register the traffic.

This is a bit puzzling to me. Usually you would set this up using all routing, with:

  nexthop      provider ip1
  OutsideInt   provider ip2
  DmzInt       38.102.248.178
  InternalInt  10.x.y.z

Then you would just route and firewall appropriately. I hope this helps!

--p

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Lord Sporkton
Sent: Friday, December 05, 2008 6:41 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Transparent DMZ

I am trying to use a Cisco 2621 router as a firewall. It should have an outside, inside and DMZ; the DMZ should be able to use public IPs on the machines behind it. If anyone is familiar with SonicWALLs, just like a SonicWALL transparent DMZ. Currently what I have done is made my 3 interfaces, set IPs on the outside and inside, then bridged with IRB, bridging the outside and DMZ interfaces. The inside interface works fine; however, the DMZ does not seem to be able to pass traffic (at one point in time while I was configuring this it did work, I just can't pinpoint when). 38.102.248.179 is my DMZ host, and it can not get out to the internet or receive connections.

Thank you

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

--
-Lawrence
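As an added worked example (not posted by anyone in this thread): a complete IOS configuration for the layout being discussed, with the outside and DMZ interfaces in one bridge group, the public address on BVI1 as Patrick suggests, the inside NATed behind it, and an inbound ACL. Interface names, the inside subnet, the netmask, the ACL names and the provider gateway placeholder are assumptions; the only addresses taken from the thread are 38.102.248.178 (router) and 38.102.248.179 (DMZ host). Whether an IP ACL on a bridge-group member interface filters bridged DMZ traffic depends on the IOS feature set (the Transparent Firewall feature), so that ACL placement is an assumption to verify on the 2621's image with show bridge and show interfaces irb.

```cisco
! Added example: IRB "transparent DMZ" on a Cisco 2621 (interface names assumed)
bridge irb
bridge 1 protocol ieee
! Route IP between bridge group 1 and the routed interfaces; other traffic is bridged
bridge 1 route ip
!
! OUTSIDE and DMZ share bridge group 1 and carry no IP address of their own
interface FastEthernet0/0
 description OUTSIDE - provider LAN
 no ip address
 bridge-group 1
 ! Assumption: this image applies IP ACLs to bridged traffic (Transparent Firewall);
 ! this is the only point that sees traffic bridged from the provider into the DMZ
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description DMZ - hosts use public IPs with the provider router as gateway
 no ip address
 bridge-group 1
!
! BVI1 holds the router's public address (from the thread) and is the NAT outside side
interface BVI1
 ip address 38.102.248.178 255.255.255.240
 ip nat outside
!
! INSIDE is private and NATed behind BVI1 (subnet and interface name assumed)
interface Ethernet1/0
 description INSIDE - private network
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip access-list standard INSIDE-NAT
 permit 10.0.0.0 0.0.0.255
ip nat inside source list INSIDE-NAT interface BVI1 overload
!
! Default route toward the provider router (placeholder, replace with the real gateway)
ip route 0.0.0.0 0.0.0.0 PROVIDER-GATEWAY-IP
!
! Inbound policy: web to the DMZ host plus TCP return traffic; everything else is
! dropped and logged. "established" is a coarse flag check only; UDP replies (e.g. DNS
! for inside clients) need their own entries or CBAC (ip inspect) on this image.
ip access-list extended OUTSIDE-IN
 permit tcp any host 38.102.248.179 eq www
 permit tcp any host 38.102.248.179 eq 443
 permit tcp any any established
 permit icmp any any echo-reply
 deny ip any any log
```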
Current thread:
- Transparent DMZ Lord Sporkton (Dec 08)
- Re: Transparent DMZ Darden, Patrick S. (Dec 09)
- Re: Transparent DMZ Lord Sporkton (Dec 10)
- Re: Transparent DMZ Farrukh Haroon (Dec 11)
- Re: Transparent DMZ Lord Sporkton (Dec 10)
- Re: Transparent DMZ Darden, Patrick S. (Dec 09)