Hi!

We are using SuSE 8.1 Professional as a firewall. Now we have to add a VPN ... this VPN "black box" should be in a DMZ so that I can control the traffic and what's going on on that VPN gateway. The VPN gateway only needs FTP to my firewall.

InternetGateway (CISCO-Router) 212.125.104.73 (mask 255.255.255.248)
              |
              |
eth1 212.125.104.75 (mask 255.255.255.248)
+++++Firewall (SuSE 8.1)+++++ eth2 ----- VPN
eth0 10.10.0.102 (mask 255.255.0.0)
              |
              |
             LAN

The VPN needs one of our official IP addresses ... .77 and .78 are still free, and the VPN needs FTP to the firewall ... how do I configure the DMZ on eth2? I haven't found any useful documents on the net :-(
Hi List.

Your setup leads to a problem because all your IPs are "used" in the net between the Cisco and your firewall.

There are two solutions:

1.) Install a host route on the Cisco and the firewall that leads to that one host in your DMZ.

2.) That's what our net looks like:

Cisco 192.168.100.1/255.255.255.254
              |
              |
              |
eth1:192.168.100.2/255.255.255.254
Firewall1---------------------eth0:<external IP><external Netmask>
eth2:192.168.200.1/255.255.255.254
              |
              |
              |
eth0:192.168.200.2/255.255.255.254
Firewall2
    |
    |
   LAN

You have to set up a transfer net between the Cisco and the firewall, so you can use all your IPs in the DMZ and set up all your servers there. I guess all your external servers, including the firewall, are on one switch with the Cisco. So just move that switch to the DMZ interface of the firewall and set up that transfer net ...

The thing is, you can now control all traffic that wants to reach your DMZ hosts on the firewall, including your VPN server ...

Hope someone does understand that ;)

Greetings,
Michael

On Wed, 25 Jun 2003, Philipp Flesch wrote:
> Hi!
>
> We are using SuSE 8.1 Professional as a firewall. Now we have to add a VPN ... this VPN "black box" should be in a DMZ so that I can control the traffic and what's going on on that VPN gateway. The VPN gateway only needs FTP to my firewall.
>
> InternetGateway (CISCO-Router) 212.125.104.73 (mask 255.255.255.248)
>               |
>               |
> eth1 212.125.104.75 (mask 255.255.255.248)
> +++++Firewall (SuSE 8.1)+++++ eth2 ----- VPN
> eth0 10.10.0.102 (mask 255.255.0.0)
>               |
>               |
>              LAN
>
> The VPN needs one of our official IP addresses ... .77 and .78 are still free, and the VPN needs FTP to the firewall ... how do I configure the DMZ on eth2? I haven't found any useful documents on the net :-(
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
--
GiS - Gesellschaft fuer integrierte Systemplanung mbH
+==================================================================+
Michael Scherer      mscherer@gis-systemhaus.de      Tel: 06201-503-74
Junkersstr.2         69469 Weinheim                  Fax: 06201-503-66
+==================================================================+
It's a book about a Spanish guy called Manual, you should read it. -- Dilbert
Hello folks,

there are some points with which I have to disagree. Yes, there must be a route to the DMZ, but it has to be set in the firewall; that's enough. Modification of routes in the Cisco is often not possible because the provider controls its config.

todo:
1. The firewall has to have FORWARDING enabled.
2. Configure the dmz-interface in SuSEfirewall2.
3. Add rules for IP_FORWARD_* in SuSEfirewall2, so that the hosts in the DMZ can be accessed from outside.
4. Add a static route to each host in the DMZ.

That's it.

Here is info for Michael, from "man arp":

    ...
    NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry for an
    entire subnet. Linux instead does automagic proxy arp when a route exists and
    it is forwarding. See arp(7) for details.
    ...

kind regards,
Reinhard

On Wednesday, 25 June 2003 11:28, Michael 'bukhem' Scherer wrote:
> Hi List.
>
> Your setup leads to a problem because all your IPs are "used" in the net between the Cisco and your firewall.
>
> There are two solutions:
>
> 1.) Install a host route on the Cisco and the firewall that leads to that one host in your DMZ.
>
> 2.) That's what our net looks like:
>
> Cisco 192.168.100.1/255.255.255.254
>               |
>               |
>               |
> eth1:192.168.100.2/255.255.255.254
> Firewall1---------------------eth0:<external IP><external Netmask>
> eth2:192.168.200.1/255.255.255.254
>               |
>               |
>               |
> eth0:192.168.200.2/255.255.255.254
> Firewall2
>     |
>     |
>    LAN
>
> You have to set up a transfer net between the Cisco and the firewall, so you can use all your IPs in the DMZ and set up all your servers there. I guess all your external servers, including the firewall, are on one switch with the Cisco. So just move that switch to the DMZ interface of the firewall and set up that transfer net ...
>
> The thing is, you can now control all traffic that wants to reach your DMZ hosts on the firewall, including your VPN server ...
>
> Hope someone does understand that ;)
>
> Greetings,
> Michael
--
Reinhard Moosauer IT Beratung
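The host-route and proxy-ARP setup behind Reinhard's four steps, spelled out as the Linux commands that SuSEfirewall2 would otherwise generate for you. This is an added example, not something posted in the thread. It uses the addresses from Philipp's mail and gives the VPN box .77 (one of the two free addresses); the use of plain ip/sysctl/iptables instead of SuSEfirewall2 variables, re-using .75 as the gateway address on the eth2 side, and the IPsec ports (IKE on udp/500 plus ESP) are assumptions to be replaced by whatever the black box really speaks. One thing the arp(8) note Reinhard quotes leaves implicit: the kernel only answers ARP on behalf of a routed host when proxy_arp is switched on for that interface, hence the two sysctl lines. Michael's transfer-net variant needs none of the proxy-ARP parts (only a route for the /29 on the Cisco pointing at the firewall), but the filter rules are the same in both designs.

```shell
#!/bin/sh
# Added example (not from the thread): DMZ on eth2 with a public address taken
# from the same /29 that sits between the Cisco and eth1, via host route + proxy ARP.
set -eu

EXT_IF=eth1 ; DMZ_IF=eth2 ; LAN_IF=eth0
ROUTER=212.125.104.73          # Cisco (from the thread)
FW_EXT=212.125.104.75          # firewall eth1 (from the thread)
PUBLIC_NET=212.125.104.72/29   # the /29 behind mask 255.255.255.248
VPN_DMZ=212.125.104.77         # free address given to the VPN box (.77/.78 are free)
DRY_RUN=${DRY_RUN:-1}          # safe default: print the plan; DRY_RUN=0 as root applies it

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted quad -> integer, for the range check below.
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 0 when ADDR is a usable host address inside PUBLIC_NET and is neither the Cisco
# nor the firewall. Anything else must be refused: a host route plus proxy ARP
# for the router's or the firewall's own address would hijack that address.
check_dmz_address() {
  ck_n=$(ip2int "$1")
  ck_net=$(ip2int "${PUBLIC_NET%/*}")
  ck_size=$(( 1 << (32 - ${PUBLIC_NET#*/}) ))
  [ "$ck_n" -gt "$ck_net" ] || return 1                     # network address
  [ "$ck_n" -lt $(( ck_net + ck_size - 1 )) ] || return 1   # broadcast or outside
  [ "$1" != "$ROUTER" ] && [ "$1" != "$FW_EXT" ]
}

# Step 1, plus what arp(8) leaves implicit: proxy ARP on both interfaces, so the
# kernel answers ARP for .77 towards the Cisco and for .73/.75 towards the VPN box.
# eth2 re-uses .75 so the VPN box keeps a /29 and points its default route at the
# firewall (assumption: nothing else on eth2 carries .75).
enable_forwarding_and_proxy_arp() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
  run ip addr add "$FW_EXT/32" dev "$DMZ_IF"
}

# Step 4: one /32 route per DMZ host. This route is what makes eth1 proxy-ARP for
# the host and what steers the host's traffic out of eth2.
add_dmz_host_route() {
  run ip route add "$1/32" dev "$DMZ_IF"
}

# Steps 2/3 as raw netfilter: default deny, replies allowed, DMZ never reaches the LAN.
base_policy() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

# One protocol (and port, if it has one) between Internet and DMZ host.
# DIR is "in" (Internet -> DMZ) or "out" (DMZ -> Internet). Unquoted expansions
# below are intentional word splitting.
allow_dmz_flow() { # DIR HOST PROTO [PORT]
  if [ "$1" = in ]; then af_ifs="-i $EXT_IF -o $DMZ_IF -d $2"; else af_ifs="-i $DMZ_IF -o $EXT_IF -s $2"; fi
  af_port=""; if [ $# -ge 4 ]; then af_port="--dport $4"; fi
  run iptables -A FORWARD $af_ifs -p "$3" $af_port -m state --state NEW -j ACCEPT
}

# "The VPN only needs FTP to my firewall": that is INPUT, not FORWARD. The conntrack
# FTP helper (ip_conntrack_ftp on SuSE 8.1's 2.4 kernel, nf_conntrack_ftp today)
# classifies the data connection as RELATED.
allow_ftp_to_firewall() { # HOST
  run modprobe ip_conntrack_ftp
  run iptables -A INPUT -i "$DMZ_IF" -s "$1" -d "$FW_EXT" -p tcp --dport 21 -m state --state NEW -j ACCEPT
  run iptables -A INPUT -i "$DMZ_IF" -s "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
  if ! check_dmz_address "$VPN_DMZ"; then
    echo "refusing: $VPN_DMZ is not a free host address in $PUBLIC_NET" >&2
    return 1
  fi
  enable_forwarding_and_proxy_arp
  add_dmz_host_route "$VPN_DMZ"
  base_policy
  allow_ftp_to_firewall "$VPN_DMZ"
  # Assumption: the black box is an IPsec gateway (IKE on udp/500 plus ESP).
  for proto_port in "udp 500" esp; do
    allow_dmz_flow in "$VPN_DMZ" $proto_port
    allow_dmz_flow out "$VPN_DMZ" $proto_port
  done
}

apply_all
```

Run it once without arguments to review the printed plan, then as root with DRY_RUN=0 to apply. check_dmz_address is the guard that Michael's "all your IPs are used" remark calls for: with proxy ARP, a typo that points the host route at .73 or .75 would make the firewall claim the Cisco's or its own address on the wire. On current kernels the FTP helper is no longer attached automatically (nf_conntrack_helper defaults to 0); there the control connection has to be marked with a CT --helper ftp rule in the raw table for the RELATED match to work.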