Re: [fw-wiz] Transparent DMZ




IRB allows you to route and bridge over a set of interfaces; however, just because it is bridged doesn't mean the packets will be received by endpoints--you need routing in place, and/or endpoints need to be inclusively configured.

E.g. if you had two PCs with a crossover cable connecting their NICs, one with 10.0.0.1/24 and the other with 10.0.1.1/24 they would have a link, but they would be unable to communicate with IP.

If you use IRB, then you are creating a bridge group, probably with the intent to route between the group and the routed interfaces on the router. Your config backs that up... but it looks a little skewed (with perhaps some syntax errors?). Towards that end you would need to add something like this:

bridge irb
bridge 1 protocol ieee
!
interface BVI1
 ip address x.y.z.p netmask
!
bridge 1 route ip

This sets up the behavior of "bridge unless we can route". If it bridges, then make sure the netmasks are inclusive, or else again the end stations will not register the traffic.

This is a bit puzzling to me. Usually you would set this up using all routing, with:

nexthop       provider ip1
OutsideInt    provider ip2
DmzInt        38.102.248.178
InternalInt   10.x.y.z

Then you would just route and firewall appropriately.

I hope this helps!
--p
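For readers who want to see the pieces above assembled, here is a complete IRB configuration for the three-interface "transparent DMZ" described in the thread. This is an added example, not configuration from either poster. Two things it assumes: the interface names (FastEthernet0/0 outside, FastEthernet0/1 DMZ, Ethernet1/0 inside; a 2621 has two onboard FastEthernet ports, so the third is a WIC/NM port) and a /28 mask on the provider block, plus a placeholder for the provider next hop. The addresses 38.102.248.178 (router's DMZ-side address) and 38.102.248.179 (the DMZ host) come from the thread. The one rule IRB imposes that is easy to get wrong: once `bridge 1 route ip` is set, the IP address belongs on BVI1, and the bridged member interfaces carry `no ip address`.

```cisco
! Added example (not from the original post). Cisco IOS 12.x, IRB "transparent DMZ".
! ASSUMPTIONS: interface names, the 255.255.255.240 mask, <provider-ip1> next hop,
! and the inside subnet 10.0.0.0/24. Addresses .178/.179 are from the thread.
!
bridge irb
bridge 1 protocol ieee
! Route IP via BVI1; all other protocols, and IP frames not addressed to the
! router, are bridged between the group's member interfaces.
bridge 1 route ip
!
interface FastEthernet0/0
 description Outside - bridge member; routed attributes live on BVI1, not here
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description DMZ - bridge member; public hosts (e.g. 38.102.248.179) sit here
 no ip address
 bridge-group 1
!
interface BVI1
 description Routed face of bridge group 1; the router's address in the public block
 ip address 38.102.248.178 255.255.255.240
 ip access-group FROM_PUBLIC in
 ip nat outside
!
interface Ethernet1/0
 description Inside - ordinary routed interface (assumed name and subnet)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Default route points at the provider through the bridge group (placeholder kept).
ip route 0.0.0.0 0.0.0.0 <provider-ip1>
!
! Inside hosts (RFC 1918) are PAT'd behind the BVI address when going out.
ip access-list standard INSIDE_NETS
 permit 10.0.0.0 0.0.0.255
ip nat inside source list INSIDE_NETS interface BVI1 overload
!
! Filter on the ROUTED path only: this governs what reaches the inside and the
! router itself. It does NOT see outside<->DMZ traffic, which is bridged.
ip access-list extended FROM_PUBLIC
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
```

The security caveat a practitioner should take from this layout: with plain IRB, frames between the outside and DMZ member interfaces are bridged at layer 2 and never pass through BVI1, so an `ip access-group` on BVI1 protects the inside and the router but leaves the DMZ host as exposed as if it were plugged straight into the provider. Filtering bridged IP traffic needs an IOS image whose firewall feature set applies IP ACLs on bridged interfaces (check `show version` and the feature navigator for the image in use) or MAC-level `bridge-group 1 input-address-list` filters; without one of those, "transparent DMZ" on this router means "unfiltered DMZ". Verify with `show bridge 1 verbose` that the DMZ host's MAC is being learned on the DMZ port, and with `show interfaces bvi1` that the BVI is up.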

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Lord Sporkton
Sent: Friday, December 05, 2008 6:41 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Transparent DMZ


I am trying to use a Cisco 2621 router as a firewall. It should have an outside, an inside and a DMZ, and the DMZ should be able to use public IPs on the machines behind it. If anyone is familiar with SonicWALLs, just like a SonicWALL transparent DMZ.

Currently what I have done is made my 3 interfaces, set IPs on the outside and inside, then bridged the outside and DMZ interfaces with IRB bridging. The inside interface works fine; however, the DMZ does not seem to be able to pass traffic (at one point in time while I was configuring this it did work, I just can't pinpoint when). 38.102.248.179 is my DMZ host, and it can not get out to the internet or receive connections.

thank you
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards