Solved

Two network security devices and their addressing

Posted on 2014-04-09
Last Modified: 2014-04-28
I am trying to replace an old web filter with a new one. The old one was non-transparent and was simply hanging off of a port on the core switch. I now have a Smoothwall (for web filtering only) that has been temporarily installed as a direct, non-transparent replacement for the old device. I want the Smoothwall to be reconfigured as a transparent web filter. I understand that we need to bring at least one other of its interfaces into use and then route our external traffic through the Smoothwall.

The problem is that for a school we have quite a complex network, and we're expected to be jack of all trades. I'm struggling to design how this should fit in with our existing network. I THINK our network currently operates as described below.

Our core switch is a ProCurve 8212ZL with IP routing enabled. We have many subnets, each on its VLAN. The client devices on the subnets use gateway addresses within the core switch. We also have a Cisco ASA 5510 that is the gateway the core switch uses. This is on a distinct subnet from anything described so far.

The ASA has NATting and static routes implemented. Traffic enters the ASA on an interface called ASA2Core and leaves it via its Outside interface on yet another subnet. It then passes back through the core switch and out to our service provider's ASA 5510.

So a typical outbound message, ignoring the web filter for now, arrives on subnet x, is routed to the ASA on subnet y, then escapes the building on subnet z having passed through the core switch a second time.

My question(s): How would I integrate the Smoothwall into this? And the second transit of the core switch looks odd to me - am I right?

Question by: Barnet_tech

5 Comments
Expert Comment by: eeRoot (ID: 39990206)

Based on your description, it sounds like the Smoothwall needs to sit inline between the ASA and Procurve, on the ASA2Core connection. Like this:

ASA
  |
Smoothwall
  |
Procurve

The smoothwall would likely then also need a management interface connected to the Procurve so you can access it.
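The outbound flow the question describes, and eeRoot's inline placement above, modelled as an added example (not code from the thread or from Smoothwall): a small path trace over constructed sample addresses for subnets x, y and z. It assumes that the Outside subnet z is a VLAN carried by the core switch, so the second pass through the core is a layer-2 transit rather than a second routing decision, and it models the inline Smoothwall as a transparent bridge with no IP address on the ASA2Core link (the separate management interface eeRoot mentions is not modelled).

```python
import ipaddress

# Constructed sample addressing for the three subnets the question calls x, y and z
# (sample values only, not the poster's real ones).
SUBNET_X = ipaddress.ip_network("10.10.0.0/24")    # a client VLAN, gateway on the core
SUBNET_Y = ipaddress.ip_network("10.250.0.0/30")   # core <-> ASA "ASA2Core" link
SUBNET_Z = ipaddress.ip_network("10.251.0.0/29")   # ASA "Outside" <-> provider ASA

# Layer-3 devices: subnets they hold an IP address on, and their default route
# as (next hop, subnet the next hop is reached over).
ROUTERS = {
    "core": {"connected": {SUBNET_X, SUBNET_Y}, "default": ("asa", SUBNET_Y)},
    "asa": {"connected": {SUBNET_Y, SUBNET_Z}, "default": ("provider_asa", SUBNET_Z)},
    "provider_asa": {"connected": {SUBNET_Z}, "default": None},
}
# Layer-2 fabric: the switch that carries each transit subnet as a VLAN. Assumption
# consistent with the question: the Outside subnet z is also a VLAN on the core.
FABRIC = {SUBNET_Y: "core", SUBNET_Z: "core"}


def trace(dst, inline_bridges=()):
    """Return the hop list from a client on subnet x towards dst.

    inline_bridges: (subnet, name) pairs for transparent devices (no IP address)
    inserted on a link; they are crossed at layer 2 but never route.
    """
    dst = ipaddress.ip_address(dst)
    hops, device = ["client", "core"], "core"
    while True:
        if any(dst in net for net in ROUTERS[device]["connected"]):
            break                      # dst is on a directly connected subnet
        route = ROUTERS[device]["default"]
        if route is None:
            break                      # no further route known: provider's job
        nxt, link = route
        hops += [f"{name} (transparent)" for net, name in inline_bridges if net == link]
        # When the VLAN is carried by a switch that is neither end of this hop,
        # the frame crosses that switch at layer 2: this is the "second transit".
        carrier = FABRIC.get(link)
        if carrier and carrier not in (device, nxt):
            hops.append(f"{carrier} (L2 transit)")
        hops.append(nxt)
        device = nxt
    return hops


if __name__ == "__main__":
    print(trace("198.51.100.10"))
    print(trace("198.51.100.10", inline_bridges=[(SUBNET_Y, "smoothwall")]))
```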

Author Comment by: Barnet_tech (ID: 39990937)
eeRoot,

Yes, I'm fairly sure it does need to sit inline as you've described. I think each of the interfaces will need to be on a separate subnet. I think I'm going to need to tell it about all of my VLANs, too.

I'm just trying to get clear in my mind just how I need to set up the addresses for the interfaces etc.

Accepted Solution by: eeRoot (earned 500 total points, ID: 39993085)

If the interface on the ASA that leads to the Procurve shows sub-interfaces, and the Procurve interface shows tagging, then there is likely VLAN tagged traffic going to the ASA. If the ASA shows a single interface with one IP address, and the Procurve shows no tagging, or only one tag, then it is likely that the Procurve is the spanning tree (VLAN) root and using IP addresses only to route traffic to the ASA.

Author Comment by: Barnet_tech (ID: 40026666)
Sorry for the slow update - other priorities have a habit of intervening.

Your last comment is correct. The core switch is set up as the gateway for each of the VLANs. It has IP routing enabled and a static route towards the outside world via our Cisco firewall. The IP routing enables all VLANs to use a proxy server on an untagged port.

I still don't really have a solution but I do have a better understanding of how we're set up.

Author Closing Comment by: Barnet_tech (ID: 40026668)
A partial solution but the responder was not aware of the details of our setup.