Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.
Installing Severs in DMZ with 2 x NICs
Hi,
I have a SonicWALL TZ170 and would like to place 2 webservers & an email server in the OPT port (DMZ). Each Server has 2 x NICs but only 1 is used on the LAN (192.168.68.*). I originally changed this address to a public IP address (62.180.130.*), but I then lost contact with the LAN, so returned it to the 192.168.68.* IP and configured the 2nd NIC for the 62.180.130.*. I then plugged this NIC into the switch that is connected to the OPT port on the SonicWALL. Is this the best route to take here as it seems I have the server in both WAN & LAN at the same time....
Any help much appreciated......
Gary
I have a SonicWALL TZ170 and would like to place 2 webservers & an email server in the OPT port (DMZ). Each Server has 2 x NICs but only 1 is used on the LAN (192.168.68.*). I originally changed this address to a public IP address (62.180.130.*), but I then lost contact with the LAN, so returned it to the 192.168.68.* IP and configured the 2nd NIC for the 62.180.130.*. I then plugged this NIC into the switch that is connected to the OPT port on the SonicWALL. Is this the best route to take here as it seems I have the server in both WAN & LAN at the same time....
Any help much appreciated......
Gary
Asked:
10-
9
1 Solution
Not really a problem just looking for advice -
As above, am I doing the correct thing by having a NIC in each "zone", or do I simpy configure 1 NIC for the Public IP (WAN) & disable the 2nd NIC (LAN). When I used the SonicWALL Enhanced OS wizard to configure the Web Servers it did the job & created rule, groups & NAT policies automatically but I could nopt access the Servers form the WAN.
Cheers
G
As above, am I doing the correct thing by having a NIC in each "zone", or do I simpy configure 1 NIC for the Public IP (WAN) & disable the 2nd NIC (LAN). When I used the SonicWALL Enhanced OS wizard to configure the Web Servers it did the job & created rule, groups & NAT policies automatically but I could nopt access the Servers form the WAN.
Cheers
G
If your servers are for public access only, I'd use only one NIC on them.
If they also need a connection to your backend (for additional services), or if you plan to use the second NIC as administration network, then there should not be a problem at the TZ170.
> .. but I could nopt access the Servers form the WAN.
do you mean access through the second NIC?
If they also need a connection to your backend (for additional services), or if you plan to use the second NIC as administration network, then there should not be a problem at the TZ170.
> .. but I could nopt access the Servers form the WAN.
do you mean access through the second NIC?
Thanx for the quick response,
The Server runs web/sql online for both our staff (LAN) & customers (WAN). Taking this into account, is enabling both cards good practice or do I run into problems with WAN access to the LAN. The WAN users I think should route into the WAN card IP & the LAN users into the LAN card IP whilst in the DMZ, but when this was setup by SonicWALL wizards it blocked access from both the WAN & the LAN, although it looked OK in the ruls/policies...I'm confused. To get round this temporarily I have binned the DMZ, disabled the WAN NIC IP & placed the webserver on the LAN. Now WAN & LAN users can access the WebServer but strangly the WAN users cannot get access to the HTTPS pages even thought NAT policy & rules allow this....
Hmmmnnnn
G
The Server runs web/sql online for both our staff (LAN) & customers (WAN). Taking this into account, is enabling both cards good practice or do I run into problems with WAN access to the LAN. The WAN users I think should route into the WAN card IP & the LAN users into the LAN card IP whilst in the DMZ, but when this was setup by SonicWALL wizards it blocked access from both the WAN & the LAN, although it looked OK in the ruls/policies...I'm confused. To get round this temporarily I have binned the DMZ, disabled the WAN NIC IP & placed the webserver on the LAN. Now WAN & LAN users can access the WebServer but strangly the WAN users cannot get access to the HTTPS pages even thought NAT policy & rules allow this....
Hmmmnnnn
G
are both NICS and the TZ170 connected to the same hub/switch?
Did you reboot the TZ170 after changing NIC IPs on the server?
Did you reboot the TZ170 after changing NIC IPs on the server?
>>are both NICS and the TZ170 connected to the same hub/switch?
No. I have seperate switches for the DMZ/LAN. The TZ170 is connected to the LAN/WAN & OPT(DMZ) swicthes
TZ170 -
Wan Port - Connected to the router
LAN Port - Connected to LAN switch
OPT Port - Connected to the DMZ switch
Server1 -
NIC1 - 192.168.168.* (LAN) connected to the LAN Switch
NIC2 - 68.230.45.* (WAN) conected to the DMZ Switch
No I didnt reboot the FW after the IP chnages on the server...should I?
No. I have seperate switches for the DMZ/LAN. The TZ170 is connected to the LAN/WAN & OPT(DMZ) swicthes
TZ170 -
Wan Port - Connected to the router
LAN Port - Connected to LAN switch
OPT Port - Connected to the DMZ switch
Server1 -
NIC1 - 192.168.168.* (LAN) connected to the LAN Switch
NIC2 - 68.230.45.* (WAN) conected to the DMZ Switch
No I didnt reboot the FW after the IP chnages on the server...should I?
AFAIK most SonicWalls have problems with arp, they at least have no command to reset its arp cache. Hence I'm asking for a reboot.
Hi ahoffmann ,
I have done following using the SW Wizards to create DMZ & public web server but traffic from the WAN to the DMZ & LAN to the DMZ cannot get through to the webserver..If I type the Webservers IP into a browser from the WAN or LAN it cannot find it...
SW WAN IP - 62.62.100.22 / 255.255.255.0
SW LAN IP - 192.168.45.1 / 255.255.255.0
SW DMZ IP - 10.10.10.50 / 255.255.255.0
WebServer IP - 62.62.100.19 / 255.255.255.0
Cisco 1700 Router - 62.62.100.16 / 255.255.255.248
SonicWALL created Address objects, NAT policies & Access Rules automatically but I still cannot use the DMZ. The logs show nothing... Any ideas?
G
I have done following using the SW Wizards to create DMZ & public web server but traffic from the WAN to the DMZ & LAN to the DMZ cannot get through to the webserver..If I type the Webservers IP into a browser from the WAN or LAN it cannot find it...
SW WAN IP - 62.62.100.22 / 255.255.255.0
SW LAN IP - 192.168.45.1 / 255.255.255.0
SW DMZ IP - 10.10.10.50 / 255.255.255.0
WebServer IP - 62.62.100.19 / 255.255.255.0
Cisco 1700 Router - 62.62.100.16 / 255.255.255.248
SonicWALL created Address objects, NAT policies & Access Rules automatically but I still cannot use the DMZ. The logs show nothing... Any ideas?
G
Hi ahoffman,
I have finally got this operational, but do you know if the following is OK to do?
I now have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. The 2 servers inside the DMZ can ping each other & are pingable form LAN XP clients. The server on the LAN with 10.10.10.*address is unpingble from anywhere which is causing me grreat problems.
For physical location reasons I cannot add the 3rd server to the DMZ so added it to the LAN domain. I have to get these servers speaking to each, is there any way of acheiving this, without compromising security?
Thanx again
G
I have finally got this operational, but do you know if the following is OK to do?
I now have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. The 2 servers inside the DMZ can ping each other & are pingable form LAN XP clients. The server on the LAN with 10.10.10.*address is unpingble from anywhere which is causing me grreat problems.
For physical location reasons I cannot add the 3rd server to the DMZ so added it to the LAN domain. I have to get these servers speaking to each, is there any way of acheiving this, without compromising security?
Thanx again
G
> All 3 servers are on a 10.10.10.*
they need to be in the same logical net segment then. But as you said one is LAN and the others are DMZ, that means that you need to bridge the 2 segments. Beside that is a useless setup and firewalls do not support it, it's very dangereous 'cause you have then exposed your LAN to the DMZ.
LAN and DMZ need to be different logical nets, otherwise a firewall between them makes no sence.
they need to be in the same logical net segment then. But as you said one is LAN and the others are DMZ, that means that you need to bridge the 2 segments. Beside that is a useless setup and firewalls do not support it, it's very dangereous 'cause you have then exposed your LAN to the DMZ.
LAN and DMZ need to be different logical nets, otherwise a firewall between them makes no sence.
Damn it -
I thought so. In this scenario there is absolutley no way of having the servers communicating with each other then?
Basically the server in the LAN is a backup server which has SQL data written to it transactionally by the server in the DMZ so communication is absolutley essential for this to work. Am I going to have to ditch this project in your opinion???
Thanx
Gary
I thought so. In this scenario there is absolutley no way of having the servers communicating with each other then?
Basically the server in the LAN is a backup server which has SQL data written to it transactionally by the server in the DMZ so communication is absolutley essential for this to work. Am I going to have to ditch this project in your opinion???
Thanx
Gary
> .. communication is absolutley essential ..
that's what the routers are for :-)
Your firewall is a router too, so there should not be a problem to have different net segments for LAN and DMZ.
that's what the routers are for :-)
Your firewall is a router too, so there should not be a problem to have different net segments for LAN and DMZ.
Hmmmmm -
Could I create a VLAN on the LAN switches as follows?
Port 48 Port 48
Server1>>>>Lan Switch<----------VLAN-----
1 - at server1 end I patch the server to port 48 (Enabled VLAN)
2 - at server2 end I patch the port 48 (Enabled VLAN) into the DMZ switch
Am I going mental or would this work? I shouild stop thinking and try it I suppose but am entering unchartered waters so a bit nervous!!
Cheers
G
Could I create a VLAN on the LAN switches as follows?
Port 48 Port 48
Server1>>>>Lan Switch<----------VLAN-----
1 - at server1 end I patch the server to port 48 (Enabled VLAN)
2 - at server2 end I patch the port 48 (Enabled VLAN) into the DMZ switch
Am I going mental or would this work? I shouild stop thinking and try it I suppose but am entering unchartered waters so a bit nervous!!
Cheers
G
why would you do this? You have a router and a firewall, they both together do exactly what you need.
Ok....Can you explain how an Internet router & a firewall will allow me to have webservers in the DMZ talking to webservers in the LAN without compromising LAN security?
your router and firewall are physically the same: SonicWall.
Just configure your rules to allow access from internet to your webserver in DMZ (port 80,443) and block anything else from internet. Then also configure your firewall to allow traffic from webserver in DMZ to server in LAN (probaly port 80 too). Block anything else from DMZ to LAN too.
Just configure your rules to allow access from internet to your webserver in DMZ (port 80,443) and block anything else from internet. Then also configure your firewall to allow traffic from webserver in DMZ to server in LAN (probaly port 80 too). Block anything else from DMZ to LAN too.
Hi again,
I have done that, but am fearful that if the Server in the DMZ is compromised, then so will the Server on my LAN & in turn my LAN.
Is this not the case -
Thanx again for your time, I will offer the points later...
G
I have done that, but am fearful that if the Server in the DMZ is compromised, then so will the Server on my LAN & in turn my LAN.
Is this not the case -
Thanx again for your time, I will offer the points later...
G
> .. but am fearful that if the Server in the DMZ is compromised, then so will the Server on my LAN & in turn my LAN.
Good fear :-)
But that's the always there if you connect from A (for example server in DMZ) to B (for example server in LAN). If there is a threat, then it doesn't matter if B is in LAN or DMZ.
Consider following:
If B is in LAN, then it could only be attacked through ports opened at firewall, if you have a VPN instead, then full access is possible 'cause there is no firewall. That's why I didn't feel good with that.
If B is in DMZ, there is no firewall, full acces from A (same as with VPN, usually).
If you want know (at least a very small one) acces from A to B, then you need some communication method/prorocol which does not allow to send data from A to B, and that all communication has to initiated by B. Sounds complicated and I don't know of one ...
Good fear :-)
But that's the always there if you connect from A (for example server in DMZ) to B (for example server in LAN). If there is a threat, then it doesn't matter if B is in LAN or DMZ.
Consider following:
If B is in LAN, then it could only be attacked through ports opened at firewall, if you have a VPN instead, then full access is possible 'cause there is no firewall. That's why I didn't feel good with that.
If B is in DMZ, there is no firewall, full acces from A (same as with VPN, usually).
If you want know (at least a very small one) acces from A to B, then you need some communication method/prorocol which does not allow to send data from A to B, and that all communication has to initiated by B. Sounds complicated and I don't know of one ...
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Your question, your audience. Choose who sees your identity—and your question—with question security.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Do you mean that you changed your second NIC's IP from private to public and the TZ170 didn't protect it?