Firewall Wizards mailing list archives
Re: Transparent DMZ
From: "Lord Sporkton" <lordsporkton () gmail com>
Date: Tue, 9 Dec 2008 08:50:03 -0800
I cannot user routing to acheive what i am looking for. what i am looking for is: the inside is a private network, nated to the outside interface, the dmz allows hosts to use public ips directly using the privider router as the gateway while still allowing firewalling of the dmz traffic by the router. This is why there is no ip on the dmz interface. I moved my outside ip to the outside interface instead of the bvi because i thought this would be needed to put an acl on it, but i will try it on the bvi instead. Thank you for the suggestions, i will try this as soon as possible 2008/12/9 Darden, Patrick S. <darden () armc org>:
IRB allows you to route and bridge over a set of interfaces; however, just because it is bridged doesn't mean the
packets will be received by endpoints--you need routing in place, and/or endpoints need to be inclusively configured.
E.g. if you had two PCs with a crossover cable connecting their NICs, one with 10.0.0.1/24 and the other with
10.0.1.1/24 they would have a link, but they would be unable to communicate with IP.
If you use IRB, then you are creating a bridge group, probably with the intent to route between the group and the
routed interfaces on the router. Your config backs that up... but it looks a little skewed (with perhaps some syntax
errors?). Towards that end you would need to add something like this:
bridge irb
int BVI 1
ip address x.y.z.p netmask
bridge 1 route ip
This sets up the behavior of bridge unless we can route. If it bridges, then make sure the netmasks are inclusive,
or else again endstations will not register the traffic.
This is a bit puzzling to me. usually you would set this up using all routing, with:
nexthop provider ip1
OutsideInt provider ip2
DmzInt 38.102.248.178
InternalInt 10.x.y.z
Then you would just route and firewall appropriately.
I hope this helps!
--p
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Lord
Sporkton
Sent: Friday, December 05, 2008 6:41 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Transparent DMZ
I am trying to use a cisco 2621 router as a firewall, it should have
an outside, inside and dmz, the dmz should be able to use public ips
on the machines behind it. If anyone is familiar with sonicwalls, just
like a sonicwall transparent dmz.
Currently what i have done is made my 3 interfaces, set ips on the
outside and inside, then bridged with irb bridging the outside and dmz
interfaces. the inside interface works fine however the dmz does not
seem to be able to pass traffic(at one point in time while i was
configuring this it did work, i just cant pinpoint when).
38.102.248.179 is my dmz host, and it can not get out to the internet
or receive connections.
thank you
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-- -Lawrence _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Transparent DMZ Lord Sporkton (Dec 08)
- Re: Transparent DMZ Darden, Patrick S. (Dec 09)
- Re: Transparent DMZ Lord Sporkton (Dec 10)
- Re: Transparent DMZ Farrukh Haroon (Dec 11)
- Re: Transparent DMZ Lord Sporkton (Dec 10)
- Re: Transparent DMZ Darden, Patrick S. (Dec 09)