  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 286

Two network security devices and their addressing

I am trying to replace an old web filter with a new one. The old one was non-transparent and was simply hanging off of a port on the core switch. I now have a Smoothwall (for web filtering only) that has been temporarily installed as a direct, non-transparent replacement for the old device. I want the Smoothwall to be reconfigured as a transparent web filter. I understand that we need to bring at least one other of its interfaces into use and then route our external traffic through the Smoothwall.

The problem is that for a school we have quite a complex network, and we're expected to be jacks of all trades. I'm struggling to design how this should fit in with our existing network. I THINK our network currently operates as described below.

Our core switch is a ProCurve 8212ZL with IP routing enabled. We have many subnets, each on its VLAN. The client devices on the subnets use gateway addresses within the core switch. We also have a Cisco ASA 5510 that is the gateway the core switch uses. This is on a distinct subnet from anything described so far.

The ASA has NAT and static routes implemented. Traffic enters the ASA on an interface called ASA2Core and leaves it via its Outside interface on yet another subnet. It then passes back through the core switch and out to our service provider's ASA 5510.

So a typical outbound message, ignoring the web filter for now, arrives on subnet x, is routed to the ASA on subnet y, then escapes the building on subnet z having passed through the core switch a second time.

My question(s): How would I integrate the Smoothwall into this? And the second transit of the core switch looks odd to me - am I right?
Asked by: Barnet_tech
1 Solution
 
eeRoot commented:
Based on your description, it sounds like the Smoothwall needs to sit inline between the ASA and Procurve, on the ASA2Core connection.  Like this:

ASA
  |
Smoothwall
  |
Procurve

The Smoothwall would likely then also need a management interface connected to the Procurve so you can access it.
Barnet_tech (Author) commented:
eeRoot,

Yes, I'm fairly sure it does need to sit inline as you've described. I think each of the interfaces will need to be on a separate subnet. I think I'm going to need to tell it about all of my VLANs, too.

I'm just trying to get clear in my mind just how I need to set up the addresses for the interfaces etc.
eeRoot commented:
If the interface on the ASA that leads to the Procurve shows sub-interfaces, and the Procurve interface shows tagging, then there is likely VLAN tagged traffic going to the ASA.  If the ASA shows a single interface with one IP address, and the Procurve shows no tagging, or only one tag, then it is likely that the Procurve is the spanning tree (VLAN) root and using IP addresses only to route traffic to the ASA.
Barnet_tech (Author) commented:
Sorry for the slow update - other priorities have a habit of intervening.

Your last comment is correct. The core switch is set up as the gateway for each of the VLANs. It has IP routing enabled and a static route towards the outside world via our Cisco firewall. The IP routing enables all VLANs to use a proxy server on an untagged port.

I still don't really have a solution but I do have a better understanding of how we're set up.
Barnet_tech (Author) commented:
A partial solution but the responder was not aware of the details of our setup.