Solved

Installing Servers in DMZ with 2 x NICs

Posted on 2004-09-25
Last Modified: 2010-04-09
Hi,
I have a SonicWALL TZ170 and would like to place 2 webservers & an email server in the OPT port (DMZ). Each Server has 2 x NICs but only 1 is used on the LAN (192.168.68.*). I originally changed this address to a public IP address (62.180.130.*), but I then lost contact with the LAN, so returned it to the 192.168.68.* IP and configured the 2nd NIC for the 62.180.130.*. I then plugged this NIC into the switch that is connected to the OPT port on the SonicWALL. Is this the best route to take here as it seems I have the server in both WAN & LAN at the same time....

Any help much appreciated......
Gary
Question by: gary_b
Expert Comment by: ahoffmann (ID: 12154049)
hmm, and what is the problem here?
Do you mean that you changed your second NIC's IP from private to public and the TZ170 didn't protect it?

Author Comment by: gary_b (ID: 12154068)
Not really a problem just looking for advice -
As above, am I doing the correct thing by having a NIC in each "zone", or do I simply configure 1 NIC for the Public IP (WAN) & disable the 2nd NIC (LAN). When I used the SonicWALL Enhanced OS wizard to configure the Web Servers it did the job & created rules, groups & NAT policies automatically but I could not access the Servers from the WAN.

Cheers
G
Expert Comment by: ahoffmann (ID: 12154089)
If your servers are for public access only, I'd use only one NIC on them.
If they also need a connection to your backend (for additional services), or if you plan to use the second NIC as administration network, then there should not be a problem at the TZ170.

> .. but I could not access the Servers from the WAN.
do you mean access through the second NIC?

Author Comment by: gary_b (ID: 12154109)
Thanx for the quick response,
The Server runs web/sql online for both our staff (LAN) & customers (WAN). Taking this into account, is enabling both cards good practice or do I run into problems with WAN access to the LAN. The WAN users I think should route into the WAN card IP & the LAN users into the LAN card IP whilst in the DMZ, but when this was setup by SonicWALL wizards it blocked access from both the WAN & the LAN, although it looked OK in the rules/policies...I'm confused. To get round this temporarily I have binned the DMZ, disabled the WAN NIC IP & placed the webserver on the LAN. Now WAN & LAN users can access the WebServer but strangely the WAN users cannot get access to the HTTPS pages even though NAT policy & rules allow this....

Hmmmnnnn
G
Expert Comment by: ahoffmann (ID: 12154118)
are both NICS and the TZ170 connected to the same hub/switch?
Did you reboot the TZ170 after changing NIC IPs on the server?

Author Comment by: gary_b (ID: 12154134)
>>are both NICS and the TZ170 connected to the same hub/switch?
No. I have separate switches for the DMZ/LAN. The TZ170 is connected to the LAN/WAN & OPT (DMZ) switches

TZ170 -
Wan Port - Connected to the router
LAN Port - Connected to LAN switch
OPT Port - Connected to the DMZ switch
Server1 -
NIC1 - 192.168.168.* (LAN) connected to the LAN Switch
NIC2 - 68.230.45.* (WAN) connected to the DMZ Switch

No I didn't reboot the FW after the IP changes on the server...should I?
Expert Comment by: ahoffmann (ID: 12156068)
AFAIK most SonicWalls have problems with ARP, they at least have no command to reset their ARP cache. Hence I'm asking for a reboot.

Author Comment by: gary_b (ID: 12164158)
Hi ahoffmann ,
I have done the following using the SW Wizards to create DMZ & public web server but traffic from the WAN to the DMZ & LAN to the DMZ cannot get through to the webserver..If I type the Webserver's IP into a browser from the WAN or LAN it cannot find it...

SW WAN IP - 62.62.100.22 / 255.255.255.0
SW LAN IP - 192.168.45.1 / 255.255.255.0
SW DMZ IP - 10.10.10.50 / 255.255.255.0
WebServer IP - 62.62.100.19 / 255.255.255.0
Cisco 1700 Router - 62.62.100.16 / 255.255.255.248

SonicWALL created Address objects, NAT policies & Access Rules automatically but I still cannot use the DMZ. The logs show nothing... Any ideas?
G
Expert Comment by: ahoffmann (ID: 12168078)
set logging to debug (sorry, have no Sonicwall handy)

Author Comment by: gary_b (ID: 12247959)
Hi ahoffman,
I have finally got this operational, but do you know if the following is OK to do?
I now have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with 10.10.10.* address is unpingable from anywhere which is causing me great problems.
For physical location reasons I cannot add the 3rd server to the DMZ so added it to the LAN domain. I have to get these servers speaking to each other, is there any way of achieving this, without compromising security?

Thanx again
G
Expert Comment by: ahoffmann (ID: 12253762)
>  All 3 servers are on a 10.10.10.*
they need to be in the same logical net segment then. But as you said one is LAN and the others are DMZ, that means that you need to bridge the 2 segments. Besides that being a useless setup which firewalls do not support, it's very dangerous 'cause you have then exposed your LAN to the DMZ.

LAN and DMZ need to be different logical nets, otherwise a firewall between them makes no sense.

Author Comment by: gary_b (ID: 12256851)
Damn it -
I thought so. In this scenario there is absolutely no way of having the servers communicating with each other then?
Basically the server in the LAN is a backup server which has SQL data written to it transactionally by the server in the DMZ so communication is absolutely essential for this to work. Am I going to have to ditch this project in your opinion???
Thanx
Gary
Expert Comment by: ahoffmann (ID: 12259870)
> .. communication is absolutely essential ..
that's what the routers are for :-)
Your firewall is a router too, so there should not be a problem to have different net segments for LAN and DMZ.

Author Comment by: gary_b (ID: 12259922)
Hmmmmm -
Could I create a VLAN on the LAN switches as follows?

                       Port 48                                             Port 48
Server1>>>>Lan Switch<----------VLAN------------->Lan Switch<--------->DMZ<--------->Server2
1 - at server1 end I patch the server to port 48 (Enabled VLAN)
2 - at server2 end I patch the port 48 (Enabled VLAN) into the DMZ switch

Am I going mental or would this work? I should stop thinking and try it I suppose but am entering uncharted waters so a bit nervous!!

Cheers
G
Expert Comment by: ahoffmann (ID: 12259975)
why would you do this? You have a router and a firewall, they both together do exactly what you need.

Author Comment by: gary_b (ID: 12265487)
Ok....Can you explain how an Internet router & a firewall will allow me to have webservers in the DMZ talking to webservers in the LAN without compromising LAN security?
Expert Comment by: ahoffmann (ID: 12302107)
your router and firewall are physically the same: SonicWall.
Just configure your rules to allow access from internet to your webserver in DMZ (port 80,443) and block anything else from internet. Then also configure your firewall to allow traffic from webserver in DMZ to server in LAN (probably port 80 too). Block anything else from DMZ to LAN too.


Author Comment by: gary_b (ID: 12305738)
Hi again,
I have done that, but am fearful that if the Server in the DMZ is compromised, then so will the Server on my LAN & in turn my LAN.
Is this not the case -

Thanx again for your time, I will offer the points later...
G
Accepted Solution by: ahoffmann (earned 400 total points, ID: 12311352)
> .. but am fearful that if the Server in the DMZ is compromised, then so will the Server on my LAN & in turn my LAN.
Good fear :-)
But that's always there if you connect from A (for example server in DMZ) to B (for example server in LAN). If there is a threat, then it doesn't matter if B is in LAN or DMZ.

Consider following:
  If B is in LAN, then it could only be attacked through ports opened at the firewall; if you have a VPN instead, then full access is possible 'cause there is no firewall. That's why I didn't feel good with that.
  If B is in DMZ, there is no firewall, full access from A (same as with VPN, usually).
 
If you want no (or at least a very small) access from A to B, then you need some communication method/protocol which does not allow to send data from A to B, and all communication has to be initiated by B. Sounds complicated and I don't know of one ...
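The zone policy described in the answers above (internet to DMZ on 80/443 only, DMZ to the LAN backup server on one port only, everything else blocked), modelled as an added Python example that is not from the thread or from SonicWALL: a first-match, default-deny rule table plus a check of which ports a compromised DMZ host could still reach on the LAN. The zone names, the DMZ-to-LAN port (the thread only says "probably port 80"), and all function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset   # empty frozenset = any destination port
    action: str        # "allow" or "deny"

# Assumed ruleset; zone names follow the thread (WAN, DMZ, LAN). The thread
# guesses "probably port 80 too" for the DMZ->LAN replication path, so that
# port is used here. Anything not matched falls through to the default deny.
POLICY = [
    Rule("WAN", "DMZ", frozenset({80, 443}), "allow"),  # public web access only
    Rule("WAN", "DMZ", frozenset(), "deny"),
    Rule("LAN", "DMZ", frozenset({80, 443}), "allow"),  # staff use the web app
    Rule("DMZ", "LAN", frozenset({80}), "allow"),       # DMZ server -> backup server
    Rule("DMZ", "LAN", frozenset(), "deny"),
    Rule("DMZ", "WAN", frozenset(), "deny"),             # nothing outbound from DMZ
]

def evaluate(src_zone, dst_zone, dst_port, policy=POLICY):
    """First-match evaluation; no matching rule means the implicit default deny."""
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action
    return "deny"

def exposed_ports(src_zone, dst_zone, policy=POLICY):
    """Ports a host in src_zone can reach in dst_zone, i.e. the attack surface
    a compromised src_zone host would have against dst_zone."""
    return {p for p in range(1, 65536)
            if evaluate(src_zone, dst_zone, p, policy) == "allow"}

def audit(policy=POLICY):
    """Summarise what each zone pair exposes, for a quick review of the ruleset."""
    pairs = {(r.src_zone, r.dst_zone) for r in policy}
    return {pair: sorted(exposed_ports(*pair, policy)) for pair in sorted(pairs)}

if __name__ == "__main__":
    for (src, dst), ports in audit().items():
        print(f"{src:>3} -> {dst:<3}: {ports or 'nothing'}")
```

Running the audit shows the DMZ can reach the LAN on port 80 and nothing else, which is the residual risk the question is asking about: a compromised DMZ server can only attack the service listening there, not the rest of the LAN.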

Expert Comment by: tvurt (ID: 12495301)
Get a second firewall.  I have a similar configuration and setup, a sonicwall pro230 providing the DMZ public access filtering for all ports except http/https, on the public nics. Then a TZ170 that only permits traffic from the webservers "private" nics to the SQL servers on the truly private LAN.