• Status: Solved

Netscreen 5gt - how to create a DMZ?

I have a Netscreen 5gt (not 5gt plus)
I have 2 servers. 1 webserver and 1 SQL server

I want to put the webserver in a DMZ with a network address in 192.168.1.0/24
I want to put the SQL server in another Trusted Zone with a network address in 10.10.10.0/24 with the rest of my LAN
The webserver needs to be able to talk to the SQL server to retrieve SQL data.

How do I do that?
Can I take 2 ports and bind them to 1 virtual Interface? (like port 1-2 = DMZ 10.10.10.0/24 and port 3-4 = LAN = 10.10.20.0/24)

I've tried the Work/Home Zone setup but you can't create or edit the 'From Home To Work' policy to allow any type of communication from the 'Home' zone to the 'Work' zone. When I try to add or clone that policy and use the 'permit' setting it just throws an error saying that it can't understand.

Can I just set the firewall up as 'Trust/Untrust' and then create zones using the Trust ports to create a DMZ somehow?
Would that be any different or less secure than the 'Work/Home' zone setup? (is there any filtering going on in the home/work port mode that wouldn't be going on if I created my own zones somehow?)


Asked by Matrix1000

1 Solution
jabiii commented:
You can set it up in dual untrust mode, where you have 1 trusted zone and 2 untrusted zones, and have your normal trust-untrust relationship; untrust to untrust will be considered an intra-zone policy when created.
You can use your normal trust-untrust policies, and the NS will know which to send it to based on your routing.

In the combined mode, where you have work on eth1, home on eth2 and 3, and 2 untrusted interfaces (eth4 and untrust), again you can create policies between any of them. They do by default.

Work/Home gives you untrust = untrust int, home = ports 3 & 4, work = ports 1 & 2,
and you should be able to create policies between any of them: work-home, work-untrust, home-untrust, home-work. They do by default.

I just tested them all and they worked fine. What errors are you getting?

Matrix1000 (author) commented:
When I try to add a 'policy' to allow ANY (or SQL) traffic Home > Work it says that type of policy is not allowed (probably because of NetScreen's pre-programmed Work > Home security policy).

When I try to create a Mapped IP

Mapped IP: 10.10.10.2
Netmask: 255.255.255.0
Host IP Address: 10.10.20.2
Host Virtual Router Name: trust-vr

I get an error

one ip in range (10.10.10.0 - 10.10.10.255) is used by interface ethernet2!
Mip: cant be added


So what would be the best way to do this?

I thought I would have to do something like this but I'm not sure if I've got the right answer in mind.

1 Wan Port that connects to the internet.... ( untrust  66.45.xx.xx/24)
1 or 2 DMZ ports for my webserver (eth1 10.10.10.0/24)
2 Trusted ports for my SQL server and the rest of my office LAN ( eth2 10.10.20.0/24)

A policy that allows SQL traffic to pass from 10.10.10.0/24 > 10.10.20.0/24 and vice versa.

A VPN connection that allows me to vpn into the netscreen 5gt and access either network so I can administer the servers :P

How would you do it to accomplish this task?

jabiii commented:
Can you post a sanitized version of your current config? I will see what I can come up with for you.
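Added example (an editor's illustration, not from either participant and not from Juniper documentation): the ScreenOS CLI shape of the three-network layout Matrix1000 sketches above, written for a box whose port mode already gives ethernet1 its own zone. Assumptions: ethernet1 is the DMZ-side interface in a zone called dmz (in dual untrust mode, as jabiii suggests, it would instead be the second Untrust interface and the zone name in the policies changes accordingly), ethernet2 is the Trust LAN, the web server is 10.10.10.2, the SQL server is 10.10.20.2 listening on TCP 1433, and the address, service and policy names are placeholders. Lines beginning with # are annotations, not ScreenOS syntax, and are stripped before pasting.

```screenos
# Assumed layout (placeholder names): ethernet1 = DMZ 10.10.10.0/24, ethernet2 = Trust 10.10.20.0/24.
# Both interfaces in route mode: the two private networks are routed directly, no NAT between them.
set interface ethernet1 zone dmz
set interface ethernet1 ip 10.10.10.1/24
set interface ethernet1 route
set interface ethernet2 zone trust
set interface ethernet2 ip 10.10.20.1/24
set interface ethernet2 route

# Address-book entries as /32 hosts, so the permit can never be wider than the two servers.
set address dmz "webserver" 10.10.10.2 255.255.255.255
set address trust "sqlserver" 10.10.20.2 255.255.255.255

# Custom service for MS SQL (TCP 1433) instead of ANY, so only the database port crosses the boundary.
set service "MSSQL-1433" protocol tcp src-port 0-65535 dst-port 1433-1433

# One-directional permit: the web server initiates, replies ride the same session.
set policy id 10 from dmz to trust "webserver" "sqlserver" "MSSQL-1433" permit log

# Explicit, logged catch-all denies in both directions, so anything else between the zones shows up in the log.
set policy id 11 from dmz to trust "Any" "Any" "ANY" deny log
set policy id 12 from trust to dmz "Any" "Any" "ANY" deny log
```

The permit runs one way only: the web server opens the connection and the firewall's session table carries the replies back, so the "vice versa" permit is not needed and the LAN side gets no permitted path into the DMZ. Because both networks are routed directly on the NetScreen there is also nothing for a MIP to translate between them; a MIP is only relevant for publishing the web server on a public Untrust address.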

(IPs changed, etc.) like untrust = 1.1.1.1, trust = 2.2.2.2, dmz = 3.3.3.3, etc.

And you have it in what mode now?