Re: [fw-wiz] Transparent DMZ



If your platform/IOS supports Zone-based firewalls then that would be a much
easier way to implement zoning on IOS or you could use CBAC (now called the
Classic Firewall):

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

Regards

Farrukh

On Tue, Dec 9, 2008 at 7:50 PM, Lord Sporkton <lordsporkton@xxxxxxxxx>wrote:

I cannot user routing to acheive what i am looking for. what i am
looking for is: the inside is a private network, nated to the outside
interface, the dmz allows hosts to use public ips directly using the
privider router as the gateway while still allowing firewalling of the
dmz traffic by the router. This is why there is no ip on the dmz
interface.

I moved my outside ip to the outside interface instead of the bvi
because i thought this would be needed to put an acl on it, but i will
try it on the bvi instead. Thank you for the suggestions, i will try
this as soon as possible

2008/12/9 Darden, Patrick S. <darden@xxxxxxxx>:

IRB allows you to route and bridge over a set of interfaces; however,
just because it is bridged doesn't mean the packets will be received by
endpoints--you need routing in place, and/or endpoints need to be
inclusively configured.

E.g. if you had two PCs with a crossover cable connecting their NICs, one
with 10.0.0.1/24 and the other with 10.0.1.1/24 they would have a link,
but they would be unable to communicate with IP.

If you use IRB, then you are creating a bridge group, probably with the
intent to route between the group and the routed interfaces on the router.
Your config backs that up... but it looks a little skewed (with perhaps
some syntax errors?). Towards that end you would need to add something like
this:

bridge irb

int BVI 1
ip address x.y.z.p netmask

bridge 1 route ip

This sets up the behavior of bridge unless we can route. If it bridges,
then make sure the netmasks are inclusive, or else again endstations will
not register the traffic.

This is a bit puzzling to me. usually you would set this up using all
routing, with:

nexthop provider ip1
OutsideInt provider ip2
DmzInt 38.102.248.178
InternalInt 10.x.y.z

Then you would just route and firewall appropriately.

I hope this helps!
--p

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Lord
Sporkton
Sent: Friday, December 05, 2008 6:41 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Transparent DMZ


I am trying to use a cisco 2621 router as a firewall, it should have
an outside, inside and dmz, the dmz should be able to use public ips
on the machines behind it. If anyone is familiar with sonicwalls, just
like a sonicwall transparent dmz.

Currently what i have done is made my 3 interfaces, set ips on the
outside and inside, then bridged with irb bridging the outside and dmz
interfaces. the inside interface works fine however the dmz does not
seem to be able to pass traffic(at one point in time while i was
configuring this it did work, i just cant pinpoint when).
38.102.248.179 is my dmz host, and it can not get out to the internet
or receive connections.

thank you
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




--
-Lawrence
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • Re: Lets talk about firewalls - what do we as a group think a firewall should be/have?
    ... part of the same network as the LAN. ... Each interface of a firewall should be distinct from ... interfaces, so a "DMZ interface" is not a requirement. ...
    (comp.security.firewalls)
  • Proxy ARP and Routing
    ... some CPE from our ISP connected to a firewall. ... the public IPs on the physical DMZ network. ... packets to the host on the DMZ? ... on the DMZ interface. ...
    (SunManagers)
  • Re: Firewall in HA: how VRRP works?
    ... addresses on each interface. ... The VRRP link is how the primary/backup keep tabs on ... > each firewall has 4 interface(internet,intranet, DMZ and VRRP) ...
    (Security-Basics)
  • Re: DMZ and VPN
    ... You can have one interface on the public network and the other ... interface on the DMZ. ... considered a firewall itself with it own firewall capabilities. ... DMZs on the same network segment/firewall NIC. ...
    (Security-Basics)
  • Re: 2.6.12: connection tracking broken?
    ... This seems to happen only if you use bridge interfaces, ... something related to connection tracking otherwise netfilter seems to work ... interface and then the same setup using a bridge interface to ... bridge firewall being loaded, the tests I did today with 2.6.12 final didn't ...
    (Linux-Kernel)