DMZ - LAN - VLAN - Servers need communicate!

Hi, I have to find a fast fix for the below, so I'd appreciate anyone's help or advice -

Current scenario -
1 x SonicWALL TZ170 Enhanced OS
1 x LAN (192.*.*.*)
1 x DMZ (10.*.*.*)
1 x 10MB lan extension (connects 2 offices with private circuit)

I have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. Obviously the DMZ servers have a different gateway than the one on the LAN -
The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere, which is causing me great problems.
Physical locations restrict me from adding the 3rd server to the DMZ, so I temporarily added it to the LAN domain as above to test, with no joy. I could simply give the 3rd server a LAN address (192.168.45.*) and create a rule to allow the servers in the DMZ to talk to the server on the LAN, but I feel security may be compromised if I do this...

FYI - The FireWALL/DMZ/DMZ Servers are on one end of a LAN Extension Circuit, whilst the single server is on the other, hence the reason I cannot add it to the DMZ.

Thanx
G

UPDATE -
Could I create a VLAN on the LAN switch as follows?

                       Port 20                                             Port 20
Server1>>>>Lan Switch<----------VLAN------------->Lan Switch<--------->DMZ<--------->Server2
1 - at server1 end I patch the server to port 20 (Enable VLAN)
2 - at server 3 end I patch the port 20 (Enable VLAN) into the DMZ switch

Am I going mental or would this work?

Cheers
G
Asked: gary_b

1 Solution
netspec01 Commented:
I am unsure what you mean by a "Lan Extension Circuit". What devices are at each end of this circuit? What is the speed of this circuit? Also, please describe your switches (make/model)?

gary_b (Author) Commented:
Hi,
A "Lan Extension Circuit" is simply a 10MB private circuit which connects our 2 offices. This is completely private and not on the internet. At each end of the circuit are 2 Nortel Baystack 470 switches which have VLAN capability.
Cheers
Gary

netspec01 Commented:
I am not quite clear on your network layout, so you may want to re-do your net diagram above showing the firewall and the server in question.

> The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with 10.10.10.* address is unpingable from anywhere which is causing me great problems.

...this is a new server that is addressed with a 10.10.10.0/24 address? Is it connected to your DMZ switch?

If you have only layer 2 switches on your network, it seems that you only have two networks: your internal LAN on 192.X and another on the DMZ as 10.10.01.0/24. Remember, for traffic to get from one network to another requires that the traffic be routed. The Sonicwall provides a routing function. If you have layer 3 switches or another routing device, you will be able to create more networks.

gary_b (Author) Commented:
Hi again & thanx for your help -
LAN SWITCH >>LAN PCS (192.68.*.*) <<FIREWALL>>DMZ SWITCH >>SERVER 1(10.10.*.*)

I allow all traffic from LAN to DMZ but none from DMZ to LAN...
Now at another office (connected as above - 10MB circuit) I have SERVER2, which hangs off another LAN switch and is also on a 10.10.*.*. Because I cannot physically patch this into the DMZ switch, it is sitting on the LAN but cannot speak to any of the other LAN clients or indeed SERVER1 in the DMZ. That's where my problem lies. I need SERVER1 to transactionally send its data out of the DMZ & into SERVER2 on the LAN. I want to try and create a VLAN through the switches, perhaps enabling me to directly patch into the DMZ, or am open to any other suggestions which will allow me to retain LAN security whilst also allowing the servers to communicate...

Sorry if I am being thick, but I can't see the wood for the trees at present... I've been looking at this scenario too long!!

Cheers
Gary

netspec01 Commented:
The extended LAN segment is connected directly to the DMZ switch, correct? All hosts on your DMZ segment are addressed 10.10.10.0/24, correct?

Remember VLANs are the same as networks.  To communicate between VLANs you have to have a router or device acting as a router.

gary_b (Author) Commented:
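To make netspec01's point concrete (a host only ARPs inside its own broadcast domain, and only a router carries traffic between networks), here is a small hop-by-hop forwarding simulator added for this thread; it is not code from either participant. It models a constructed version of the topology using the thread's prefixes; the individual host addresses, the "sonicwall" interface addresses and the firewall's access rules are assumptions (the policy is not modelled at all, only routing).

```python
import ipaddress as ipa

class Node:
    """A host or router: (address/mask, layer-2 segment) interfaces plus an optional default gateway."""
    def __init__(self, name, ifaces, gateway=None):
        self.name = name
        self.ifaces = [(ipa.ip_interface(a), seg) for a, seg in ifaces]
        self.gateway = ipa.ip_address(gateway) if gateway else None

    def egress(self, dst):
        """Forwarding decision: a connected route wins, otherwise fall back to the default gateway."""
        for iface, seg in self.ifaces:
            if dst in iface.network:
                return seg, dst                 # on-link: ARP for the destination itself
        if self.gateway is not None:
            for iface, seg in self.ifaces:
                if self.gateway in iface.network:
                    return seg, self.gateway    # off-link: ARP for the gateway
        return None, None                       # no usable route

def owner(nodes, seg, ip):
    """ARP never crosses a broadcast domain: only a NIC on this very segment can answer for ip."""
    for n in nodes:
        if any(s == seg and i.ip == ip for i, s in n.ifaces):
            return n
    return None

def trace(nodes, src, dst, max_hops=8):
    """Walk the packet hop by hop; returns (names visited, delivered?). Firewall policy is not modelled."""
    dst, cur, path = ipa.ip_address(dst), src, [src.name]
    for _ in range(max_hops):
        seg, hop = cur.egress(dst)
        nxt = owner(nodes, seg, hop) if seg else None
        if nxt is None:
            return path, False                  # nobody answers the ARP on that segment
        path.append(nxt.name)
        if hop == dst:
            return path, True
        cur = nxt                               # a router: repeat the decision there
    return path, False

# Constructed topology using the thread's prefixes; the host addresses are assumptions.
FW = Node("sonicwall", [("192.168.45.1/24", "lan"), ("10.10.10.1/24", "dmz")])
SERVER1 = Node("server1", [("10.10.10.10/24", "dmz")], "10.10.10.1")
DMZ_WEB2 = Node("dmz-web2", [("10.10.10.11/24", "dmz")], "10.10.10.1")
LAN_PC = Node("lan-pc", [("192.168.45.20/24", "lan")], "192.168.45.1")
SERVER2 = Node("server2", [("10.10.10.50/24", "lan")], "10.10.10.1")   # as described in the question
SERVER2_FIXED = Node("server2-fixed", [("192.168.45.50/24", "lan")], "192.168.45.1")
NODES = [FW, SERVER1, DMZ_WEB2, LAN_PC, SERVER2, SERVER2_FIXED]
```

`trace(NODES, SERVER2, "10.10.10.10")` stops at server2 itself: its own mask says the DMZ is on-link, so it ARPs on the LAN segment where no 10.10.10.x host exists, and for LAN destinations its 10.10.10.1 gateway is just as unreachable; re-addressed as server2-fixed the packet is delivered via the sonicwall, at which point the access rules decide.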
Hi,
The extended LAN segment is in no way connected to the DMZ switch. It is connected to the local LAN switch via a 10MB circuit. All hosts inside DMZ are 10.10.10.0/24...

Quite simply, if I cannot connect a server within the "extended LAN segment" to the DMZ ("local LAN segment"), I will be forced to leave the server on the LAN, in turn compromising LAN security because I will have to allow traffic from DMZ>>LAN.

Is there any other way to achieve this, in your opinion?

G

netspec01 Commented:
Yes, there is a compromise in security in doing this. I think the best you can do is to have a very tight security policy on your firewall, lock down the host, keep it patched and monitor.
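As an added illustration of what "a very tight security policy" on the firewall buys over the quick fix gary_b feared, here is a small first-match rule evaluator run over sample DMZ-to-LAN flows; it is example code written for this thread, not a SonicWALL configuration or anything posted by the participants. The host addresses, the port (1433) and the sample flows are constructed assumptions; the thread gives only the prefixes.

```python
import ipaddress as ipa
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto dport action")
Flow = namedtuple("Flow", "src dst proto dport")

def matches(rule, flow):
    """A rule matches when src/dst fall in its prefixes and proto/port agree ('any' is a wildcard)."""
    return (ipa.ip_address(flow.src) in ipa.ip_network(rule.src, strict=False)
            and ipa.ip_address(flow.dst) in ipa.ip_network(rule.dst, strict=False)
            and rule.proto in ("any", flow.proto)
            and rule.dport in ("any", flow.dport))

def decide(policy, flow):
    """First-match evaluation top to bottom; anything unmatched hits the implicit DMZ->LAN deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Constructed addresses: the thread only gives the prefixes (10.10.10.* and 192.168.45.*).
SERVER1 = "10.10.10.10"        # web server inside the DMZ
SERVER2 = "192.168.45.50"      # server2 re-addressed onto the LAN, as gary_b considered
DMZ, LAN = "10.10.10.0/24", "192.168.45.0/24"
DB_PORT = 1433                 # assumed port for the transactional feed; substitute the real one

# The quick fix gary_b was worried about: the whole DMZ may talk to the whole LAN.
LOOSE = [Rule(DMZ, LAN, "any", "any", "allow")]

# netspec01's "very tight" policy: one source host, one destination host, one port, then deny.
TIGHT = [
    Rule(SERVER1 + "/32", SERVER2 + "/32", "tcp", DB_PORT, "allow"),
    Rule(DMZ, LAN, "any", "any", "deny"),
]

# Sample DMZ->LAN flows; only the first is the one the business actually needs.
FLOWS = [
    Flow(SERVER1, SERVER2, "tcp", DB_PORT),
    Flow(SERVER1, SERVER2, "tcp", 445),            # same host, but SMB into the LAN
    Flow("10.10.10.11", SERVER2, "tcp", DB_PORT),  # the second DMZ web server
    Flow(SERVER1, "192.168.45.20", "tcp", 3389),   # a DMZ host reaching an ordinary LAN PC
]

def exposure(policy, flows=FLOWS):
    """How many of the sampled DMZ->LAN flows the policy lets through."""
    return sum(decide(policy, f) == "allow" for f in flows)

def compare(flows=FLOWS):
    """Side-by-side verdicts, useful when reviewing a rule change before pushing it."""
    return [(f, decide(LOOSE, f), decide(TIGHT, f)) for f in flows]
```

With the loose rule every sampled flow is allowed, so a compromised DMZ web server has the whole LAN in reach; with the tight policy only the single server-to-server port passes, which is the exposure you then lock the host down against and monitor.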