
Understanding network configurations

We have a network which has two MPLS connections that route from two ports on a Cisco ASA Firewall (default gateway) which sits just off the main network switch.

1)  MPLS 1 routes to our sister company (ERP related traffic only).
2)  MPLS 2 routes internal Internet traffic out via an ISP router.  Our ISP also provides an offsite firewall and domain hosting services.

The internal network IP range is as follows:

10.213.0.0/19 or 255.255.224.0 (10.213.0.1 – 10.213.31.254)      

(MPLS 2) The router network to the Internet is:

10.213.253.8/29 or 255.255.255.248 (10.213.253.9 – 10.213.253.14)

The ASA firewall has two IP addresses, one internal and one external (10.213.10.1 and 10.213.253.9).
For various reasons I need to place a BLOXX device between the ASA firewall and the ISP router.  This device basically performs web monitoring and filtering for the internal network.  My question is how do I set this up?  The device will be configured in pass through mode and will be connected in line between the ASA firewall and the ISP router.  

From which IP range do I assign an IP address?  Will the default gateway for the device be the ISP router?  Do I assign internal DNS servers or DNS addresses of the ISP to the device?  
Asked by: DHPBilcare
 
kuoh Commented:
 I'm not familiar with BLOXX, but usually these types of filtering appliances are placed between the firewall and the internal network.  It is generally simpler to do it this way because you have full control of the internal network and any special routing needs.  You mentioned "various" reasons as the need to place it on the outside interface, can you perhaps elaborate on that?
0
 
DHPBilcare (Author) Commented:
It tends to slow down the ERP traffic to the sister company which is why the device is being moved outside the ASA firewall.  Our ISP also provides an external firewall which we pay for and they manage.  The ASA is new as is the ERP.  We simply want to move BLOXX to the outside of the ASA so that it filters the Internet traffic but not the internal ERP traffic.  In this sense the ISA is more of a router than firewall.

I simply need to understand which IP range to use.  At the moment BLOXX is inside the ASA on 10.213.0.1 address with the ASA as the default gateway.  When I move it outside the ASA does it go on the 10.213.253 range with the ISP as the gateway?

Thanks for the comment.  
0
 
ujitnos Commented:
When you move the BLOXX between the ASA and the ISP router, the IP that will be used to manage the BLOXX will be that of 10.213.253 range, as you will be placing the device between that network.
The IP that you give for this inline device is to manage it so the default gateway for the management IP of BLOXX can point to your ASA interface, 10.213.253.X.
0
 
DHPBilcare (Author) Commented:
Thanks for that.

The BLOXX device also asks for DNS server addresses?   Do I use the internal DNS servers that are inside the ASA?  Or point to the ISP?
0
 
ujitnos Commented:
You can use internal or external... but preferably use internal, as it may help resolve internal address if any.
0
 
DHPBilcare (Author) Commented:
I've set up the BLOXX device on a dual interface (pass through):

BLOXX Internal IP: 10.213.253.11
BLOXX External IP: 10.213.253.12
BLOXX Default Gateway: 10.213.253.9  (ASA Cisco outside firewall)

However internal clients timeout trying to access the Internet even though I can ping the Internet.  Should I change the default gateway on the BLOXX to the ISP router?  

BLOXX is not blocking anything.
0
 
ujitnos Commented:
Yes, if you have configured it in pass-through mode, the default gateway is your ISP router interface.
Is it transparent mode or explicit mode?
0
 
DHPBilcare (Author) Commented:
BLOXX is set in transparent mode.

Just to confirm, am I still OK to set the DNS addresses on BLOXX as my internal servers?
0
 
ujitnos Commented:
Yes, it's OK to set the DNS as your internal DNS server. If you have the option to set a secondary DNS server, set it as your ISP DNS server.
0
 
DHPBilcare (Author) Commented:
I have set the default gateway to the ISP router interface but once BLOXX has booted I cannot access the Internet, with IE timing out waiting for the web address to reply.  I can ping through successfully.
0
 
DHPBilcare (Author) Commented:
The end solution to enable the link to work was to set up a static route on the BLOXX device which points back to the network inside the firewall.  Thus:

Network: 10.213.0.0
0
 
DHPBilcare (Author) Commented:
As I was saying I set up a static route on BLOXX as follows that mapped back to the internal network:

Network: 10.213.0.0
Mask: 255.255.224.0
Gateway: 10.213.253.9

And all is working.
0
 
ujitnos Commented:
Ok.. great.
0
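Added example, not part of the original thread and not BLOXX tooling: a longest-prefix-match model of the inline device's routing table using the thread's addresses, showing which gateway receives packets addressed to internal clients with the default gateway alone, with the static route from the final post, and with the same route entered with too narrow a mask. The table layout, the function names, the client address 10.213.10.25 and the ISP router label (its address is not given in the thread) are assumptions.

```python
import ipaddress

# Addresses are from the thread. The ISP router's address is not given
# there, so it appears only as a label (assumption).
INTERNAL = ipaddress.ip_network("10.213.0.0/255.255.224.0")  # the /19
ASA_OUTSIDE = "10.213.253.9"
ISP_ROUTER = "ISP router (address not given)"

def make_table(static_routes=()):
    """Hypothetical routing table of the inline device:
    connected /29, default route to the ISP router, plus any statics."""
    table = [(ipaddress.ip_network("10.213.253.8/29"), "connected"),
             (ipaddress.ip_network("0.0.0.0/0"), ISP_ROUTER)]
    for net, mask, gw in static_routes:
        # Strict parsing rejects a network address with host bits set.
        table.append((ipaddress.ip_network(f"{net}/{mask}"), gw))
    return table

def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in table if addr in net]
    return max(matches, key=lambda m: m[0])[1]

def misrouted_subnets(table, internal=INTERNAL, expected=ASA_OUTSIDE):
    """/24 slices of the internal range whose traffic from the device
    would not be handed to the expected gateway (one host sampled per /24)."""
    return [str(sub) for sub in internal.subnets(new_prefix=24)
            if next_hop(table, str(sub.network_address + 1)) != expected]

if __name__ == "__main__":
    cases = {
        "default gateway only": make_table(),
        "static route from the final post": make_table(
            [("10.213.0.0", "255.255.224.0", ASA_OUTSIDE)]),
        "static route with a /24 mask (constructed mistake)": make_table(
            [("10.213.0.0", "255.255.255.0", ASA_OUTSIDE)]),
    }
    for name, table in cases.items():
        bad = misrouted_subnets(table)
        # 10.213.10.25 is a constructed client address inside the /19.
        print(f"{name}: client 10.213.10.25 -> "
              f"{next_hop(table, '10.213.10.25')}; "
              f"{len(bad)} of 32 /24s not sent to the ASA")
```
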
