dmz on Sonicwall tz 210

I have a Sonicwall tz 210 that I need to configure a dmz for (which I have never done).  I need to have a firewall rule that will allow DMZ to LAN connections so I can RDP into it.  

The webserver is connected to the sonicwall via port x3.  When I tried to configure a DMZ I was given an error about a subnet overlap.  I'm not sure how to handle this situation.

My Network configuration.

Internal secure connection.

192.168.100.***
Subnet:  255.255.255.0
Gateway:  192.168.100.***

My webserver's static address is in the range of the above network.

My ISP assigned address is 70.99.210.***
Subnet 255.255.255.248

I don't know if I am supposed to assign the DMZ according to the internal network or point the external address to it.

Thanks!
gwarcherAsked:

simsjrgCommented:
Your DMZ needs to be a different subnet/range, i.e. 10.10.10.0

Then configure your webserver in that range

Finally create a rule/policy from the internal subnet to the DMZ subnet. I would lock it down as much as possible, like source/destination IP, port, protocol etc.
0
gwarcherAuthor Commented:
I already have a network segment in that range.  Can I use something like 192.168.1.1 range?
0
simsjrgCommented:
Oh and you will need a policy from untrusted/internet to the DMZ for HTTP/HTTPS or whatever services it has running.
0

simsjrgCommented:
>> I already have a network segment in that range.  Can I use something like 192.168.1.1 range?

Sure it can be any RFC 1918 Address:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

0
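The subnet-overlap error the asker hit is exactly what a pre-check should catch before touching the firewall. The following is an added example (not code from the thread or from SonicWALL): it checks a candidate DMZ subnet against the RFC 1918 ranges listed above and against the segments already in use, using the thread's LAN (192.168.100.0/24) and the asker's existing 10.10.10.0/24 segment as constructed input.

```python
import ipaddress

# RFC 1918 private ranges, as quoted in the answer above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list of segments already in use on this network
# (LAN from the question; 10.10.10.0/24 is the segment the asker
# says already exists).
EXISTING_SEGMENTS = ["192.168.100.0/24", "10.10.10.0/24"]


def is_private(net):
    """True if the network lies entirely inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_dmz_candidate(candidate, existing=EXISTING_SEGMENTS):
    """Return (ok, reason) for a proposed DMZ subnet.

    Rejects public ranges (the ISP /29 belongs on the WAN side, not
    the DMZ) and anything that overlaps a segment already in use,
    which is the condition behind the SonicWALL overlap error.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    if not is_private(cand):
        return False, f"{cand} is not an RFC 1918 range"
    for seg in existing:
        seg_net = ipaddress.ip_network(seg, strict=False)
        if cand.overlaps(seg_net):
            return False, f"{cand} overlaps existing segment {seg_net}"
    return True, f"{cand} is usable as the DMZ subnet"


def host_in_dmz(ip, gateway, dmz):
    """True if both the host and its gateway sit inside the DMZ subnet."""
    net = ipaddress.ip_network(dmz, strict=False)
    return (ipaddress.ip_address(ip) in net
            and ipaddress.ip_address(gateway) in net)


if __name__ == "__main__":
    for c in ("192.168.100.0/24", "10.10.10.0/24",
              "192.168.1.0/24", "70.99.210.0/29"):
        print(check_dmz_candidate(c))
    print(host_in_dmz("192.168.1.2", "192.168.1.1", "192.168.1.0/24"))
```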
gwarcherAuthor Commented:
So how would I then configure the webserver's static IP? Would I use the assigned ISP and then use the DMZ IP as the default gateway?

0
simsjrgCommented:
You want the webserver in the DMZ, not on the public internet, so the server will have an IP in the DMZ range, not the ISP. The remaining configuration after that is all in the SonicWALL. You can either use your egress IP (the IP that you have set on the SonicWALL; www.ipchicken.com will show you this address) or assign a new static mapping from a new public IP to the DMZ and create the appropriate policies.

Sorry if this sounds a bit strange, but I really don't use SonicWALLs too often. I am a Cisco/Juniper guy, so my terminology may be a bit off.
0
gwarcherAuthor Commented:
So I specified the DMZ IP address as 192.168.1.1 and subnet as 255.255.255.0

I set the webserver to 192.168.1.2 with the default gateway being 192.168.1.1

Is this correct or should I use the default gateway from my main network?

With the current settings the webserver is not able to ping out or be pinged.
0
simsjrgCommented:
You got it all correct so far. The next part is to allow traffic to flow between the two subnets. This is where the policies come into play. The only traffic that will pass is what you specifically allow. I believe you can use the wizard to create the rules/policies you need. I will see if I can find a guide.
0
SteveIT ManagerCommented:
Follow the same pattern as currently used for your trust to untrust policy. On our SonicWALL ask con 2000 I configure only HTTP, HTTPS and SMS traffic to be allowed, and always enable logging.
0
gwarcherAuthor Commented:
I think I'm getting there.   Although I don't think my DNS server is supposed to be assigned to the 192.168.100 address group.  Do I use my public dns server when configuring the webserver's static ip?
0
gwarcherAuthor Commented:
There is a firewall rule DMZ > LAN that is denying all connections.  Do I have to modify this?
0
gwarcherAuthor Commented:
Alright, so I specified one of my WAN DNS servers as the alternate and it started talking to the internet.  Is this a security concern of any kind?
0
simsjrgCommented:
>> I think I'm getting there.   Although I don't think my DNS server is supposed to be assigned to the 192.168.100 address group.  Do I use my public dns server when configuring the webserver's static ip?

You can use either one... Depends on infrastructure.

>> There is a firewall rule DMZ > LAN that is denying all connections.  Do I have to modify this?

Leave this deny in place and create the other rules (the allows) above it. This way it checks through the allows, then if it doesn't match any of them it hits the deny and drops.

>> Alright, so I specified one of my WAN DNS servers as the alternate and it started talking to the internet.  Is this a security concern of any kind?

Not really; like the first question, this depends on your infrastructure.
0
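To make the "allows above the deny" ordering concrete, here is an added example (not from the thread or from SonicWALL) of a first-match policy evaluator over the zones and addresses discussed above. The rule set is constructed: the LAN DNS server address 192.168.100.10 is an assumption, and the DMZ > LAN deny is kept as the last rule so that only the explicit allows above it (HTTP/HTTPS from WAN, RDP from LAN, DNS out of the web server) pass.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule, pkt):
    return (rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(policy, pkt):
    """First matching rule wins; traffic matching no rule is denied."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy: LAN 192.168.100.0/24, DMZ 192.168.1.0/24, web server
# 192.168.1.2 (from the thread); LAN DNS server 192.168.100.10 is assumed.
POLICY = [
    Rule("wan-to-web-http", "WAN", "DMZ", "0.0.0.0/0", "192.168.1.2/32", "tcp", 80, "allow"),
    Rule("wan-to-web-https", "WAN", "DMZ", "0.0.0.0/0", "192.168.1.2/32", "tcp", 443, "allow"),
    Rule("lan-rdp-to-web", "LAN", "DMZ", "192.168.100.0/24", "192.168.1.2/32", "tcp", 3389, "allow"),
    Rule("web-dns-to-lan", "DMZ", "LAN", "192.168.1.2/32", "192.168.100.10/32", "udp", 53, "allow"),
    Rule("dmz-to-lan-deny", "DMZ", "LAN", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]
```

Because evaluation stops at the first match, moving the catch-all deny above the DNS allow would silently break the web server's name resolution; keeping it last is what makes the allows effective.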
