DMZ - LAN - VLAN - Servers need to communicate!

Posted on 2004-10-07
Last Modified: 2008-01-16
Hi, I have to find a fast fix for the below, so I appreciate anyone's help or advice -

Current scenario -
1 x SonicWALL TZ170 Enhanced OS
1 x LAN (192.*.*.*)
1 x DMZ (10.*.*.*)
1 x 10MB lan extension (connects 2 offices with private circuit)

I have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. Obviously the DMZ servers have a different gateway than the one on the LAN -
The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere, which is causing me great problems.
Physical locations restrict me from adding the 3rd server to the DMZ, so I temporarily added it to the LAN domain as above to test, with no joy. I could simply give the 3rd server a LAN address (192.168.45.*) and create a rule to allow the servers in the DMZ to talk to the server on the LAN, but I feel security may be compromised if I do this...

FYI - The FireWALL/DMZ/DMZ Servers are on one end of a LAN Extension Circuit, whilst the single server is on the other, hence the reason I cannot add it to the DMZ..

Thanks
G

UPDATE -
Could I create a VLAN on the LAN switch as follows?

                       Port 20                                             Port 20
Server1>>>>Lan Switch<----------VLAN------------->Lan Switch<--------->DMZ<--------->Server2
1 - at server1 end I patch the server to port 20 (Enable VLAN)
2 - at server 3 end I patch the port 20 (Enable VLAN) into the DMZ switch

Am I going mental or would this work?

Cheers
G
Question by: gary_b
Expert Comment

by:netspec01
ID: 12276831
I am unsure what you mean by a "Lan Extension Circuit".  What devices are at each end of this circuit?  What is the speed of this circuit?  Also please describe your switches (make/model).

Author Comment

by:gary_b
ID: 12277264
Hi,
A "Lan Extension Circuit" is simply a 10MB private circuit which connects our 2 offices. This is completely private and not on the internet. At each end of the circuit are 2 Nortel Baystack 470 switches which have VLAN capability.
Cheers
Gary
Expert Comment

by:netspec01
ID: 12278257
I am not quite clear on your network layout, so you may want to re-do your net diagram above showing the firewall and the server in question.

> The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere which is causing me great problems.

...this is a new server that is addressed with a 10.10.10.0/24 address? Is it connected to your DMZ switch?

If you have only layer 2 switches on your network, it seems that you only have two networks: your internal LAN on 192.X and another on the DMZ as 10.10.10.0/24.  Remember that for traffic to get from one network to another, the traffic has to be routed.  The Sonicwall provides a routing function.  If you have layer 3 switches or another routing device you will be able to create more networks.

Author Comment

by:gary_b
ID: 12278834
Hi again & thanks for your help -
LAN SWITCH >>LAN PCS (192.168.*.*) <<FIREWALL>>DMZ SWITCH >>SERVER 1(10.10.*.*)

I allow all traffic from LAN to DMZ but none from DMZ to LAN...
Now at another office (connected as above - 10MB circuit) I have SERVER2, which hangs off another LAN switch and is also on a 10.10.*.* address. Because I cannot physically patch this into the DMZ switch it is sitting on the LAN, but cannot speak to any of the other LAN clients or indeed SERVER1 in the DMZ. That's where my problem lies. I need SERVER1 to transactionally send its data out of the DMZ & into SERVER2 on the LAN. I want to try and create a VLAN through the switches, perhaps enabling me to directly patch into the DMZ, or am open to any other suggestions which will allow me to retain LAN security whilst also allowing the servers to communicate...

Sorry if I am being thick, but I can't see the wood for the trees at present... I've been looking at this scenario too long!!

Cheers
Gary
Expert Comment

by:netspec01
ID: 12279038
The extended LAN segment is connected directly to the DMZ switch, correct?  All hosts on your DMZ segment are addressed 10.10.10.0/24, correct?

Remember VLANs are the same as networks.  To communicate between VLANs you have to have a router or device acting as a router.

Author Comment

by:gary_b
ID: 12279126
Hi,
The extended LAN segment is in no way connected to the DMZ switch. It is connected to the local LAN switch via a 10MB circuit. All hosts inside DMZ are 10.10.10.0/24...

Quite simply, if I cannot connect a server within the "extended LAN segment" to the DMZ ("local LAN segment") I will be forced to leave the server on the LAN, in turn compromising LAN security because I will have to allow traffic from DMZ>>LAN..

Is there any other way to achieve this in your opinion?

G
Accepted Solution

by:netspec01
ID: 12279226
Yes, there is a compromise in security in doing this.  I think the best you can do is to have a very tight security policy on your firewall, lock down the host, keep it patched and monitor.
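The two points the thread turns on are netspec01's routing remark (a 10.10.10.* host patched into the 192.* segment is off-subnet for every LAN PC, so nothing can reach it without a router) and the accepted answer's "very tight security policy" for the DMZ>>LAN hole. The following is an added example that models both; it is not the poster's SonicWALL configuration and uses no vendor rule syntax. The 192.168.45.0/24 prefix, the two server addresses, the DMZ host 10.10.10.11, the LAN PC 192.168.45.20 and the application port 1433 are assumed for illustration; the thread gives none of them in full. The flows fed to the policies are constructed here.

```python
"""Added example for this thread: how a host decides whether a destination is
on-link, and what a blanket DMZ->LAN rule lets through compared with the tight,
host-to-host, single-port rule the accepted answer recommends.

Not the poster's firewall configuration: the prefix, host addresses and
application port below are assumed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN = ipaddress.ip_network("192.168.45.0/24")    # assumed prefix for the 192.* LAN
DMZ = ipaddress.ip_network("10.10.10.0/24")      # the DMZ, as stated in the thread
SERVER1 = ipaddress.ip_address("10.10.10.10")    # assumed: DMZ web server that sends the data
SERVER2 = ipaddress.ip_address("192.168.45.50")  # assumed: the remote server re-addressed onto the LAN
APP_PORT = 1433                                  # assumed: port SERVER1 pushes its transactions to


def delivery(sender_ip: str, sender_prefixlen: int, dst_ip: str) -> str:
    """A host sends straight onto the wire (ARP for the destination) only when
    the destination falls inside its own subnet; otherwise the packet goes to the
    default gateway.  This is netspec01's point: a 10.10.10.x box patched into
    the 192.168.45.0/24 segment is off-subnet for every LAN PC, so their packets
    go to the SonicWALL, which forwards them toward its DMZ interface, where that
    box does not exist."""
    sender = ipaddress.ip_interface(f"{sender_ip}/{sender_prefixlen}")
    return "direct" if ipaddress.ip_address(dst_ip) in sender.network else "via-gateway"


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins, as on most firewalls; a flow that matches
    nothing is dropped.  Returns (action, name of the deciding rule)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def host(ip) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


# The blanket rule the poster is afraid of: any DMZ host may open anything to
# the LAN, so a compromised web server reaches every LAN PC and LAN service.
BLANKET = [
    Rule("lan-to-dmz",     LAN, DMZ, "any", None, "allow"),
    Rule("dmz-to-lan-any", DMZ, LAN, "any", None, "allow"),
]

# The "very tight policy" of the accepted answer: one source host, one
# destination host, one port, followed by an explicit deny for the rest of DMZ->LAN.
TIGHT = [
    Rule("lan-to-dmz",             LAN, DMZ, "any", None, "allow"),
    Rule("server1-to-server2-app", host(SERVER1), host(SERVER2), "tcp", APP_PORT, "allow"),
    Rule("dmz-to-lan-deny",        DMZ, LAN, "any", None, "deny"),
]

# Constructed flows: the wanted transaction, plus what an attacker holding a
# DMZ box would try next.  (name, src, dst, proto, dport)
FLOWS = [
    ("transaction",    str(SERVER1),    str(SERVER2),    "tcp", APP_PORT),
    ("rdp-to-server2", str(SERVER1),    str(SERVER2),    "tcp", 3389),
    ("other-dmz-host", "10.10.10.11",   str(SERVER2),    "tcp", APP_PORT),
    ("smb-to-lan-pc",  str(SERVER1),    "192.168.45.20", "tcp", 445),
    ("lan-browsing",   "192.168.45.20", str(SERVER1),    "tcp", 80),
]


def exposure(rules) -> dict:
    """Which of the constructed flows the given policy lets through."""
    return {name: evaluate(rules, s, d, p, port)[0] for name, s, d, p, port in FLOWS}


if __name__ == "__main__":
    print("stranded 10.10.10.40 on the LAN segment, seen from a LAN PC:",
          delivery("192.168.45.20", 24, "10.10.10.40"))
    for label, rules in (("blanket", BLANKET), ("tight", TIGHT)):
        print(label, exposure(rules))
```

The order in TIGHT matters: the explicit DMZ->LAN deny must sit after the single allow, and the allow should name both hosts as /32 entries, not the whole DMZ range, so that the second DMZ web server gains nothing from the rule if it is compromised. Re-addressing SERVER2 onto the LAN prefix is what makes it reachable at all; the rule set is what keeps that reachability narrow.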