Re: [fw-wiz] Transparent DMZ

If your platform/IOS supports Zone-based firewalls then that would be a much
easier way to implement zoning on IOS or you could use CBAC (now called the
Classic Firewall):



On Tue, Dec 9, 2008 at 7:50 PM, Lord Sporkton <lordsporkton@xxxxxxxxx>wrote:

I cannot user routing to acheive what i am looking for. what i am
looking for is: the inside is a private network, nated to the outside
interface, the dmz allows hosts to use public ips directly using the
privider router as the gateway while still allowing firewalling of the
dmz traffic by the router. This is why there is no ip on the dmz

I moved my outside ip to the outside interface instead of the bvi
because i thought this would be needed to put an acl on it, but i will
try it on the bvi instead. Thank you for the suggestions, i will try
this as soon as possible

2008/12/9 Darden, Patrick S. <darden@xxxxxxxx>:

IRB allows you to route and bridge over a set of interfaces; however,
just because it is bridged doesn't mean the packets will be received by
endpoints--you need routing in place, and/or endpoints need to be
inclusively configured.

E.g. if you had two PCs with a crossover cable connecting their NICs, one
with and the other with they would have a link,
but they would be unable to communicate with IP.

If you use IRB, then you are creating a bridge group, probably with the
intent to route between the group and the routed interfaces on the router.
Your config backs that up... but it looks a little skewed (with perhaps
some syntax errors?). Towards that end you would need to add something like

bridge irb

int BVI 1
ip address x.y.z.p netmask

bridge 1 route ip

This sets up the behavior of bridge unless we can route. If it bridges,
then make sure the netmasks are inclusive, or else again endstations will
not register the traffic.

This is a bit puzzling to me. usually you would set this up using all
routing, with:

nexthop provider ip1
OutsideInt provider ip2
InternalInt 10.x.y.z

Then you would just route and firewall appropriately.

I hope this helps!

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Lord
Sent: Friday, December 05, 2008 6:41 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Transparent DMZ

I am trying to use a cisco 2621 router as a firewall, it should have
an outside, inside and dmz, the dmz should be able to use public ips
on the machines behind it. If anyone is familiar with sonicwalls, just
like a sonicwall transparent dmz.

Currently what i have done is made my 3 interfaces, set ips on the
outside and inside, then bridged with irb bridging the outside and dmz
interfaces. the inside interface works fine however the dmz does not
seem to be able to pass traffic(at one point in time while i was
configuring this it did work, i just cant pinpoint when). is my dmz host, and it can not get out to the internet
or receive connections.

thank you
firewall-wizards mailing list

firewall-wizards mailing list

firewall-wizards mailing list