Default Gateway for server in DMZ and on Lan

I have two servers attached via a little hub to the DMZ port on our Cisco ASA 5500 firewall.
Both run web-based services to the internet via this connection (SharePoint and library catalogue).
Each server has two Ethernet cards; the other is connected to our Cisco 3750 Layer 3 capable switch and they are in a server VLAN.
I need to access the servers from the staff VLAN.
The servers (Windows 2003 and 2000) will only support one gateway address.
If I set the default to the Server_Vlan interface IP address on the appropriate card then routing to/from the LAN works and I can get access to the servers using standard Windows networking services (browsing, RDC, file sharing etc). Accessing the web services from the internet will however fail. I believe that the returning information just goes down the wrong gateway and never makes it back to the requestor.
If I swap the default gateway to the DMZ gateway address, web-based access from the internet is OK but LAN traffic suffers the same problem as above; simply, the problem is reversed.

DMZ GW = 10.98.98.1
Srv1 DMZ IP = 10.98.98.2
Srv2 DMZ IP = 10.98.98.3

Server VLAN = 192.168.22.1
Srv1 VLAN Interface = 192.168.22.30
Srv1 VLAN Interface = 192.168.22.32

Staff VLAN Interface IP = 192.168.0.250
Default Gateway = 192.168.0.2 (and is attached to this VLAN, i.e. on the ASA 'ip route 0.0.0.0 0.0.0.0 192.168.0.2')

So the question is how do I configure this to achieve access from both sides so that the servers know where to send the return info.
So far the only thing I can think of (and it works) is to put the servers into the staff VLAN instead of the server VLAN with the G/W as the DMZ on the servers. That way local access doesn't get routed.

But this does seem to defeat the object of having VLANs. Is there a solution that I am missing here?

Thanks for your help.
Cheers
Jo


1 Solution
Saineolai commented:
Set the default route on the servers to be the IP address of the gateway to the internet, i.e. the largest network, then set static persistent routes on each of the servers to the Staff VLAN via the Server_VLAN interface using the "route add" command.

I would be concerned about connecting a server in the DMZ to another network as it offers another possible route into the staff network.

JoCox99 (Author) commented:
Surely this is common practice. If anyone has a web server that only lets web traffic in/out of the DMZ port, one still has to get access to the server for maintenance purposes. In this scenario I can just shut down the LAN port on the switch whilst I am not doing maintenance.

In our case we have two servers in the DMZ that provide services to our LAN as well: one is via MS networking for catalogue maintenance and has a web-based lookup on the DMZ, the other server provides web-based services for DMZ users and LAN. I don't see what the alternatives are.

Anyway, I'll give your route-adding idea a go; it seems like the right idea, although I have never really quite figured out this command, but now is the time to resolve that I guess.

Cheers
Jo

Saineolai commented:
The command works as follows...

ROUTE ADD destination_network MASK network_mask gateway_address -P

For your staff VLAN it could look something like this (I don't know the exact mask as you have not specified it). You can use a number of these commands if you need to access other internal networks via this secondary connection. The -p at the end makes the host remember the route if the server gets rebooted.

ROUTE ADD 192.168.0.0 MASK 255.255.255.0 192.168.22.1 -p

As long as you have some form of additional security on the additional connection, I just wanted to point out that if one of the DMZ servers was compromised it could be used to attack other hosts in the network, so the number of hosts it has access to should be minimized. Maybe I should have elaborated on the one liner in the first post.

Dawilliams commented:
Typically the routing from a DMZ to the internal LAN would be handled by the firewall between the two, in your case the ASA box, and a second NIC would not be necessary.
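To see why the persistent route fixes the asymmetric-return problem, here is an added example (not from this thread) that simulates the server's longest-prefix-match route lookup for the three configurations discussed: default on the Server VLAN card, default on the DMZ card, and default on the DMZ plus the static route. Addresses are the ones given in the question; the /24 masks on every network and the two client addresses are assumptions.

```python
import ipaddress

# Addresses from the question; /24 masks are an assumption (the mask was not given).
DMZ_GW = "10.98.98.1"            # ASA DMZ interface
SERVER_VLAN_GW = "192.168.22.1"  # 3750 Server VLAN interface
STAFF_NET = "192.168.0.0/24"     # staff VLAN, mask assumed /24 as in the answer
CONNECTED = [("10.98.98.0/24", "on-link"), ("192.168.22.0/24", "on-link")]


def build_table(default_gw, static_routes=()):
    """Host routing table: connected nets, the single default, optional 'route add -p' entries."""
    table = [(ipaddress.ip_network(net), gw) for net, gw in CONNECTED]
    table.append((ipaddress.ip_network("0.0.0.0/0"), default_gw))
    for net, gw in static_routes:
        table.append((ipaddress.ip_network(net), gw))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route decides the next hop."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return gw


def reply_paths(table):
    """Where replies to an internet client and to a staff PC leave the server."""
    return {
        "internet_client": next_hop(table, "203.0.113.10"),  # constructed, TEST-NET-3
        "staff_client": next_hop(table, "192.168.0.77"),     # constructed staff PC
    }


# 1. Default gateway on the Server VLAN card: internet replies leave via the LAN side.
LAN_DEFAULT = build_table(SERVER_VLAN_GW)
# 2. Default gateway on the DMZ card: staff replies leave through the DMZ.
DMZ_DEFAULT = build_table(DMZ_GW)
# 3. Accepted answer: default via the DMZ plus
#    'route add 192.168.0.0 mask 255.255.255.0 192.168.22.1 -p' for the staff VLAN.
FIXED = build_table(DMZ_GW, [(STAFF_NET, SERVER_VLAN_GW)])

if __name__ == "__main__":
    for name, table in [("LAN default", LAN_DEFAULT), ("DMZ default", DMZ_DEFAULT), ("fixed", FIXED)]:
        print(name, reply_paths(table))
```

Only the third table sends each reply back out the interface the request arrived on; the first two each strand one side's return traffic behind the wrong gateway.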