Solved

Two network security devices and their addressing

Posted on 2014-04-09
280 Views
Last Modified: 2014-04-28
I am trying to replace an old web filter with a new one. The old one was non-transparent and was simply hanging off of a port on the core switch. I now have a SmoothWall (for web filtering only) that has been temporarily installed as a direct, non-transparent replacement for the old device. I want the Smoothwall to be reconfigured as a transparent web filter. I understand that we need to bring at least one other of its interfaces into use and then route our external traffic through the Smoothwall.

The problem is that for a school we have quite a complex network, and we're expected to be jack of all trades. I'm struggling to design how this should fit in with our existing network. I THINK our network currently operates as described below.

Our core switch is a ProCurve 8212ZL with IP routing enabled. We have many subnets, each on its VLAN. The client devices on the subnets use gateway addresses within the core switch. We also have a Cisco ASA 5510 that is the gateway the core switch uses. This is on a distinct subnet from anything described so far.

The ASA has NATting and static routes implemented. Traffic enters the ASA on an interface called ASA2Core and leaves it via its Outside interface on yet another subnet. It then passes back through the core switch and out to our service provider's ASA 5510.

So a typical outbound message, ignoring the web filter for now, arrives on subnet x, is routed to the ASA on subnet y, then escapes the building on subnet z having passed through the core switch a second time.

My question(s): How would I integrate the Smoothwall into this? And the second transit of the core switch looks odd to me - am I right?
Question by: Barnet_tech

5 Comments
LVL 22

Expert Comment

by:eeRoot
ID: 39990206
Based on your description, it sounds like the Smoothwall needs to sit inline between the ASA and ProCurve, on the ASA2Core connection.  Like this:

ASA
  |
Smoothwall
  |
ProCurve

The Smoothwall would likely then also need a management interface connected to the ProCurve so you can access it.

Author Comment

by:Barnet_tech
ID: 39990937
eeRoot,

Yes, I'm fairly sure it does need to sit inline as you've described. I think each of the interfaces will need to be on a separate subnet. I think I'm going to need to tell it about all of my VLANs, too.

I'm just trying to get clear in my mind just how I need to set up the addresses for the interfaces etc.
LVL 22

Accepted Solution

by:
eeRoot earned 2000 total points
ID: 39993085
If the interface on the ASA that leads to the ProCurve shows sub-interfaces, and the ProCurve interface shows tagging, then there is likely VLAN-tagged traffic going to the ASA.  If the ASA shows a single interface with one IP address, and the ProCurve shows no tagging, or only one tag, then it is likely that the ProCurve is the spanning tree (VLAN) root and using IP addresses only to route traffic to the ASA.
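As an added illustration of the check described in the accepted answer (this is not code from the thread or from either vendor), the following Python script parses two constructed configuration snippets written in Cisco ASA and HP ProCurve running-config syntax and reports whether the ASA uplink carries 802.1Q-tagged VLANs on sub-interfaces or a single routed subnet. The interface names, port names, VLAN ids and IP addresses are assumptions invented for the example.

```python
import re

# Constructed sample configs (invented values; only the syntax follows
# Cisco ASA and HP ProCurve running-config conventions).
ASA_CONFIG_TAGGED = """
interface Ethernet0/1
 no nameif
!
interface Ethernet0/1.10
 vlan 10
 nameif ASA2Core
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Staff
 ip address 10.0.20.1 255.255.255.0
"""

ASA_CONFIG_ROUTED = """
interface Ethernet0/1
 nameif ASA2Core
 ip address 10.0.10.1 255.255.255.0
"""

PROCURVE_CONFIG_TAGGED = """
vlan 10
   name "ASA2Core"
   tagged A1
   ip address 10.0.10.2 255.255.255.0
vlan 20
   name "Staff"
   tagged A1
   untagged A2-A24
"""

PROCURVE_CONFIG_ROUTED = """
vlan 10
   name "ASA2Core"
   untagged A1
   ip address 10.0.10.2 255.255.255.0
vlan 20
   name "Staff"
   untagged A2-A24
   ip address 10.0.20.1 255.255.255.0
"""


def asa_vlans_on(config, phys):
    """Return the set of VLAN ids configured on sub-interfaces of `phys`."""
    vlans, current = set(), None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+vlan (\d+)$", line)
        if m and current and current.startswith(phys + "."):
            vlans.add(int(m.group(1)))
    return vlans


def port_in_list(port, spec):
    """True if `port` (e.g. 'A12') is covered by a ProCurve port list like 'A1,A3-A24'."""
    pm = re.match(r"^([A-Za-z]*)(\d+)$", port)
    mod, num = pm.group(1), int(pm.group(2))
    for item in spec.replace(" ", "").split(","):
        m = re.match(r"^([A-Za-z]*)(\d+)(?:-([A-Za-z]*)(\d+))?$", item)
        if not m:
            continue
        lo_mod, lo, hi = m.group(1), int(m.group(2)), m.group(4)
        hi = int(hi) if hi else lo
        if lo_mod == mod and lo <= num <= hi:
            return True
    return False


def procurve_port_vlans(config, port):
    """Return (tagged, untagged) VLAN id sets for one switch port."""
    tagged, untagged, current = set(), set(), None
    for line in config.splitlines():
        m = re.match(r"^vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"^\s+(tagged|untagged) (.+)$", line)
        if m and current is not None and port_in_list(port, m.group(2)):
            (tagged if m.group(1) == "tagged" else untagged).add(current)
    return tagged, untagged


def classify_uplink(asa_cfg, asa_phys, procurve_cfg, procurve_port):
    """Apply the accepted answer's test: sub-interfaces + tagging => VLANs cross the link;
    one interface + untagged port => the switch routes and only one subnet crosses."""
    asa_vlans = asa_vlans_on(asa_cfg, asa_phys)
    tagged, untagged = procurve_port_vlans(procurve_cfg, procurve_port)
    if asa_vlans and tagged:
        return {"mode": "tagged", "vlans": sorted(asa_vlans & tagged),
                "mismatch": sorted(asa_vlans ^ tagged)}
    if not asa_vlans and not tagged:
        return {"mode": "routed", "vlans": sorted(untagged), "mismatch": []}
    # One side tags and the other does not: the link is misconfigured.
    return {"mode": "inconsistent", "vlans": sorted(asa_vlans | tagged),
            "mismatch": sorted(asa_vlans ^ tagged)}


if __name__ == "__main__":
    print(classify_uplink(ASA_CONFIG_TAGGED, "Ethernet0/1", PROCURVE_CONFIG_TAGGED, "A1"))
    print(classify_uplink(ASA_CONFIG_ROUTED, "Ethernet0/1", PROCURVE_CONFIG_ROUTED, "A1"))
```

The result matters for where an inline transparent filter can go: in the "routed" case only the ASA2Core subnet crosses the link, so a device bridged into it needs addressing on that one subnet and no knowledge of the internal VLANs; in the "tagged" case every VLAN on the trunk passes through the filter and it must preserve those tags. The "mismatch" list flags VLANs present on one side only, which is worth checking before inserting anything into the path.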

Author Comment

by:Barnet_tech
ID: 40026666
Sorry for the slow update - other priorities have a habit of intervening.

Your last comment is correct. The core switch is set up as the gateway for each of the VLANs. It has IP routing enabled and a static route towards the outside world via our Cisco firewall. The IP routing enables all VLANs to use a proxy server on an untagged port.

I still don't really have a solution but I do have a better understanding of how we're set up.

Author Closing Comment

by:Barnet_tech
ID: 40026668
A partial solution but the responder was not aware of the details of our setup.