Re: [fw-wiz] NAT cruddiness

---

• From: Chris Myers <clmmacunix@xxxxxxxxxxx>
• Date: Tue, 30 Jan 2007 22:43:49 -0600

---

J. Oquendo,

I don't know the routing for the vlan's, so I will assume they have
a layer 3 switch or router in place to determine these are going to
the DMZ. The DMZ only needs a route (i.e. static) for the policies or
ACL's what ever box this DMZ is on. You will need to give access from
VLAN C to VLANB via the policy or ACL in the DMZ. Now traditionally
the Object is just the way of pre-programming the networks you want
and then you can add them to your policy by name or IP. Your policy
should read something like: access-list permit VLANB_VLANC ip host
172.16.20.1 255.255.255.255 host 172.16.30.1 255.255.255.255. This is
a common Cisco ACL. You may have to work with it, as it is late and I
am pulling the ACL from memory.

Thanks,
Chris
On Jan 30, 2007, at 8:08 PM, J. Oquendo wrote:

Hey all, trying to help someone with an idiotic VLAN/DMZ issue:

Breakdown: Admin has the following:

NetworkA 172.16.20.1 (VLAN B)
MachineA 172.16.20.5 (Windows)

NetworkB 172.16.30.1 (VLAN C)
MachineB 172.16.30.2 (Windows 2003)

Supposedly Machine is thrown in a DMZ and they want to be able to
create an object of sorts to do forwarding: e.g.:

Object = 172.16.20.250 --> Redirects to MachineB

Easiest fool-proof method? I don't know enough about their topology
to know what their VLAN trunking is, nor their rules.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

---

• References:
  • [fw-wiz] NAT cruddiness
    • From: J. Oquendo

• Prev by Date: Re: [fw-wiz] Conundrum - IGMP and IPSec
• Next by Date: [fw-wiz] pix515e with two dsl lines
• Previous by thread: [fw-wiz] NAT cruddiness
• Next by thread: [fw-wiz] pix515e with two dsl lines
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: VLAN as a DMZ ... Subject: VLAN as a DMZ ... VLAN to communicate with the switch (to change the VLAN memberships - Telnet ... It'd be just an isolated segment. ... (Security-Basics) Re: PGP Desktop Software ... does anyone know if PGP Corporate Desktop ... >>> but does anyone know of a specific technical reason why using a VLAN ... >>> DMZ segment is a bad idea? ... Even if a malicious entity can inject tagged frames into the ... (Security-Basics) PGP Desktop Software ... does anyone know if PGP Corporate Desktop ... > Subject: VLAN as a DMZ ... > Provided it's properly designed so there is no way for machines in the DMZ ... Even if a malicious entity can inject tagged frames into the ... (Security-Basics) Re: new to cisco asa 5505 ... communication between the DMZ VLAN and the Inside ... interface Vlan1 ... access-group outside_access_in in interface outside ... (comp.dcom.sys.cisco) DC on DMZ best pratices... ... AD forest spread across the Internet in 3 Sites... ... currently all networks are public IPs... ... IE DMZs protected by ISA ... basically I need to setup replication with my internal DC and my DMZ ... (microsoft.public.isaserver)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Firewall-Wizards  > 2007-01