Solved

Two network security devices and their addressing

Posted on 2014-04-09
5
275 Views
Last Modified: 2014-04-28
I am trying to replace an old web filter with a new one. The old one was non-transparent and was simply hanging off of a port on the core switch. I now have a SmoothWall (for web filtering only) that has been temporarily installed as a direct, non-transparent replacement for the old device. I want the smoothwall to be reconfigured as a transparent web filter. I understand that we need to bring at least one other of its interfaces into use and then route our external traffic through the Smoothwall.

The problem is that for a school we have quite a complex network, and we're expected to be jack of all trades. I'm struggling to design how this should fit in with our existing network. I THINK our network currently operates as described below.

Our core switch is a ProCurve 8212ZL with IP routing enabled. We have many subnets, each on its VLAN. The client devices on the subnets use gateway addresses within the core switch. We also have a Cisco ASA 5510 that is the gateway the core switch uses. This is on a distinct subnet from anything described so far.

The ASA has natting and static routes implemented. Traffic enters the ASA on an interface called ASA2Core and leaves it via its Outside interface on yet another subnet. It then passes back through the core switch and out to our service provider's ASA 5510.

So a typical outbound messaging, ignoring the web filter for now, arrives on subnet x, is routed to the ASA on subnet y, then escapes the building on subnet z having passed through the core switch a second time.

My question(s): How would I integrate the Smoothwall into this? And the second transit of the core switch looks odd to me - am I right?
0
Question by:Barnet_tech
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39990206
Based on your description, it sounds like the Smoothwall needs to sit inline between the ASA and Procurve, on the ASA2Core connection.  Like this:

ASA
  |
Smoothwall
  |
Procurve

The smoothwall would likely then also need a management interface connected to the Procurve so you can access it.
0
 

Author Comment

by:Barnet_tech
ID: 39990937
eeRoot,

Yes, I'm fairly sure it does need to sit inline as you've described. I think each of the interfaces will need to be on a separate subnet. I think I'm going to need to tell it about all of my VLANs, too.

I'm just trying to get clear in my mind just how I need to set up the addresses for the interfaces etc.
0
 
LVL 22

Accepted Solution

by:eeRoot (earned 500 total points)
ID: 39993085
If the interface on the ASA that leads to the Procurve shows sub-interfaces, and the Procurve interface shows tagging, then there is likely VLAN tagged traffic going to the ASA.  If the ASA shows a single interface with one IP address, and the Procurve shows no tagging, or only one tag, then it is likely that the Procurve is the spanning tree (VLAN) root and using IP addresses only to route traffic to the ASA.
0
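One way to make eeRoot's check repeatable, as an added example that is not part of the original thread: a small Python script that reads an ASA interface configuration excerpt and a ProCurve per-port VLAN listing and reports which of the two situations in the answer applies. The config and CLI excerpts embedded below are constructed samples written in the style of the respective `show` output, with placeholder addresses and names; the ASA interface name `Ethernet0/1` and the port facing the ASA are assumptions. It tests exactly the two signals named above: sub-interfaces carrying `vlan` statements on the ASA side, and tagged VLAN membership on the ProCurve port. The distinction matters for a transparent Smoothwall because a bridge inserted into a tagged trunk has to pass 802.1Q frames for every VLAN, whereas a single routed link needs only one bridge pair on one subnet.

```python
import re

# Constructed sample in the style of ASA "show running-config interface":
# one routed interface with a single address (addresses are placeholders).
ASA_ROUTED = """\
interface Ethernet0/1
 nameif ASA2Core
 security-level 100
 ip address 192.0.2.2 255.255.255.0
"""

# Constructed sample: the same physical port carrying dot1Q sub-interfaces.
ASA_TRUNKED = """\
interface Ethernet0/1
 no nameif
 no ip address
interface Ethernet0/1.10
 vlan 10
 nameif staff
 ip address 192.0.2.1 255.255.255.0
interface Ethernet0/1.20
 vlan 20
 nameif students
 ip address 198.51.100.1 255.255.255.0
"""

# Constructed samples in the style of ProCurve "show vlans ports <port> detail",
# listing the VLANs present on the port that faces the ASA.
PROCURVE_UNTAGGED = """\
  VLAN ID Name         | Status     Voice Jumbo Mode
  ------- ------------ + ---------- ----- ----- --------
  100     ASA2Core     | Port-based No    No    Untagged
"""

PROCURVE_TAGGED = """\
  VLAN ID Name         | Status     Voice Jumbo Mode
  ------- ------------ + ---------- ----- ----- --------
  1       DEFAULT_VLAN | Port-based No    No    Untagged
  10      Staff        | Port-based No    No    Tagged
  20      Students     | Port-based No    No    Tagged
"""


def asa_link_profile(config: str, phys: str = "Ethernet0/1") -> dict:
    """Count dot1Q sub-interfaces and 'ip address' lines under one physical port."""
    subifs = set()
    ip_lines = 0
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            if current.startswith(phys + "."):
                subifs.add(current)
            continue
        on_port = current is not None and (current == phys or current.startswith(phys + "."))
        # "no ip address" does not start with "ip address", so it is not counted.
        if on_port and line.strip().startswith("ip address "):
            ip_lines += 1
    return {"subinterfaces": len(subifs), "ip_addresses": ip_lines}


def procurve_port_tags(output: str) -> dict:
    """Split the VLANs on a ProCurve port into tagged and untagged membership."""
    tagged, untagged = [], []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\|.*\b(Tagged|Untagged)\s*$", line)
        if not m:
            continue  # header and separator lines
        vlan_id = int(m.group(1))
        (tagged if m.group(3) == "Tagged" else untagged).append(vlan_id)
    return {"tagged": tagged, "untagged": untagged}


def classify_link(asa: dict, port: dict) -> str:
    """Apply the two-signal rule from the accepted answer."""
    if asa["subinterfaces"] > 0 and port["tagged"]:
        return "vlan-trunk"      # VLANs are carried tagged to the ASA
    if asa["subinterfaces"] == 0 and asa["ip_addresses"] == 1 and len(port["tagged"]) <= 1:
        return "routed-link"     # ProCurve routes between VLANs; one L3 hop to the ASA
    return "inconsistent"        # the two devices disagree; check the cabling/config


if __name__ == "__main__":
    for label, cfg, vl in (("routed", ASA_ROUTED, PROCURVE_UNTAGGED),
                           ("trunked", ASA_TRUNKED, PROCURVE_TAGGED)):
        print(label, "->", classify_link(asa_link_profile(cfg), procurve_port_tags(vl)))
```

On a "routed-link" result the Smoothwall's bridge pair sits on the ASA2Core subnet between the two devices, as in the diagram earlier in the thread; on "vlan-trunk" every tagged VLAN has to be carried through the bridge, and an "inconsistent" result means the two devices' views of the link do not match and should be reconciled before anything is inserted inline.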
 

Author Comment

by:Barnet_tech
ID: 40026666
Sorry for the slow update - other priorities have a habit of intervening.

Your last comment is correct. The core switch is set up as the gateway for each of the VLANs. It has IP routing enabled and a static route towards the outside world via our Cisco firewall. The IP routing enables all VLANs to use a proxy server on an untagged port.

I still don't really have a solution but I do have a better understanding of how we're set up.
0
 

Author Closing Comment

by:Barnet_tech
ID: 40026668
A partial solution but the responder was not aware of the details of our setup.
0
