Re: [fw-wiz] NAT cruddiness



J. Oquendo,

I don't know the routing for the VLANs, so I will assume they have
a layer 3 switch or router in place to determine these are going to
the DMZ. The DMZ only needs a route (i.e. static) for the policies or
ACLs on whatever box this DMZ is on. You will need to give access from
VLAN C to VLAN B via the policy or ACL in the DMZ. Now traditionally
the Object is just the way of pre-programming the networks you want
and then you can add them to your policy by name or IP. Your policy
should read something like: access-list permit VLANB_VLANC ip host
172.16.20.1 255.255.255.255 host 172.16.30.1 255.255.255.255. This is
a common Cisco ACL. You may have to work with it, as it is late and I
am pulling the ACL from memory.

Thanks,
Chris
On Jan 30, 2007, at 8:08 PM, J. Oquendo wrote:

Hey all, trying to help someone with an idiotic VLAN/DMZ issue:

Breakdown: Admin has the following:

NetworkA 172.16.20.1 (VLAN B)
MachineA 172.16.20.5 (Windows)

NetworkB 172.16.30.1 (VLAN C)
MachineB 172.16.30.2 (Windows 2003)

Supposedly Machine is thrown in a DMZ and they want to be able to
create an object of sorts to do forwarding: e.g.:

Object = 172.16.20.250 --> Redirects to MachineB

Easiest fool-proof method? I don't know enough about their topology
to know what their VLAN trunking is, nor their rules.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
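As an added illustration, not from either poster, here is how the "object" from the question and the ACL from Chris's reply look on a Cisco ASA running 8.3 or later. The thread never names the DMZ box, so the platform, the interface names inside (VLAN B) and dmz (VLAN C), and the /24 masks are assumptions.

```cisco
! Added example, not from the thread. Assumes Cisco ASA 8.3+, with
! interface "inside" = VLAN B (172.16.20.0/24) and "dmz" = VLAN C
! (172.16.30.0/24); the thread does not say what the DMZ box is.
!
! The "object" from the question: the real host MachineB in the DMZ,
! published on VLAN B as 172.16.20.250. Static NAT is bidirectional, so a
! VLAN B client connecting to 172.16.20.250 is forwarded to 172.16.30.2.
object network MachineB
 host 172.16.30.2
 nat (dmz,inside) static 172.16.20.250
!
! Name the client once so the policy can refer to it by name, not IP.
object network MachineA
 host 172.16.20.5
!
! Policy for VLAN B -> DMZ. On 8.3+ an ACL matches the real (untranslated)
! address, so the destination is MachineB, not 172.16.20.250. "ip" permits
! everything between the two hosts; narrow it to the needed ports once
! they are known. The explicit deny replaces the default permit for
! higher-to-lower security traffic, so any other outbound traffic from
! VLAN B needs its own permit line here.
access-list INSIDE_IN extended permit ip object MachineA object MachineB
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Connections initiated from the DMZ toward VLAN B (the VLAN C -> VLAN B
! access Chris mentions) need a separate ACL on the dmz interface; without
! one the ASA only allows replies to sessions that VLAN B opened.
access-list DMZ_IN extended permit ip object MachineB object MachineA
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```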



