Add another network to DMZ

  • Hi.
    I have a NS25 with Trusted, DMZ and Untrusted zones, each holding a class C network.
    Now I need to add another network to the DMZ (this time a private IP range) to hold a different kind of services. Is it possible to add a new network to the DMZ zone? How?

    thanks in advance.

  • thanks a lot Oldo. You’re the man!
    I have everything working.  😄
    4 vlans, 4 dmz zones.
    Now it’s down to “policy time”……

  • The way you switch from a regular interface > sub-interface is to:

    1. Unset the current IP on your ethernet2 interface with the xx.62/27 address. You end up with a regular physical interface with no IP; you may bind it to the null zone.
    2. Create a new sub-interface with the VID (VLAN ID) you need and bind it to the DMZ.
    3. Set the xx.62 IP on the sub interface and add any management services you may have had set.

    Done. Now you only use sub-interfaces (tagged interfaces). Now switch to a trunk port in your switch.
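    The three steps above, turned into a small generator for the ScreenOS CLI sequence and the matching switch-side trunk list. This is an added example, not code from the original thread or from Juniper; the command forms (`unset interface ... ip`, `set interface ... zone null`, `set interface ethernetN.M tag <vid> zone <zone>`, `set interface ... ip`, `set interface ... manage <svc>`) are written from memory of ScreenOS syntax and should be checked against the CLI reference for your release. The interface names, VLAN IDs and 192.0.2.0/24 addresses are constructed sample values standing in for the masked ones in the thread.

    ```python
    from dataclasses import dataclass
    from typing import List, Optional, Tuple

    @dataclass
    class SubInterface:
        vid: int                       # 802.1Q VLAN ID carried in the tag (not the sub-interface number)
        zone: str                      # security zone the sub-interface is bound to
        ip: Optional[str] = None       # "addr/prefix" to move onto this sub-interface, or None
        manage: Tuple[str, ...] = ()   # management services to re-enable, e.g. ("ping", "ssh")

    def migrate_to_subinterfaces(phys: str, subifs: List[SubInterface],
                                 manage_on_phys: Tuple[str, ...] = ()) -> List[str]:
        """Emit the ScreenOS commands for: (1) strip the IP and management services from the
        physical port and park it in the null zone, (2) create one tagged sub-interface per
        VLAN bound to its zone, (3) put the IP and management services back on the sub-interface.
        Sub-interface numbers are assigned 1..N in list order; they need not equal the VLAN ID."""
        vids = [s.vid for s in subifs]
        if len(set(vids)) != len(vids):
            raise ValueError("each sub-interface on %s needs a distinct VLAN ID" % phys)
        for v in vids:
            if not 1 <= v <= 4094:
                raise ValueError("VLAN ID %d is outside 1-4094" % v)

        cmds = ["unset interface %s ip" % phys]                        # step 1
        cmds += ["unset interface %s manage %s" % (phys, svc) for svc in manage_on_phys]
        cmds.append("set interface %s zone null" % phys)
        for idx, s in enumerate(subifs, start=1):                       # steps 2 and 3
            name = "%s.%d" % (phys, idx)
            cmds.append("set interface %s tag %d zone %s" % (name, s.vid, s.zone))
            if s.ip:
                cmds.append("set interface %s ip %s" % (name, s.ip))
            cmds += ["set interface %s manage %s" % (name, svc) for svc in s.manage]
        return cmds

    def trunk_allowed_vlans(subifs: List[SubInterface]) -> str:
        """VLAN list for the switch trunk facing the firewall port; untagged frames are no
        longer expected once every IP lives on a tagged sub-interface."""
        return ",".join(str(v) for v in sorted(s.vid for s in subifs))

    # Constructed sample: the public /27 that sat on ethernet2 moves to ethernet2.1 (VLAN 91),
    # a second public /27 goes on ethernet2.2 (VLAN 92) in its own zone.
    SAMPLE = [
        SubInterface(91, "DMZ", "192.0.2.62/27", ("ping", "ssh")),
        SubInterface(92, "DMZ-WEB", "192.0.2.126/27"),
    ]

    if __name__ == "__main__":
        for line in migrate_to_subinterfaces("ethernet2", SAMPLE, ("ping", "ssh")):
            print(line)
        print("switch trunk allowed vlans:", trunk_allowed_vlans(SAMPLE))
    ```

    Running it prints the ten ScreenOS lines in the order the steps describe, followed by `91,92` for the switch's allowed-VLAN list. The duplicate-VID check is there because two sub-interfaces with the same tag on one physical port is the kind of mistake the CLI will reject anyway, so it is better caught before the change window.
    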


  • how can I do that? I haven’t found an option either in web management or telnet session….  :?

    Then I need to enable routing between the interfaces, correct? What option should I use?


  • The physical interface that has the xxx.62 IP-address also has a VLAN ID, but you have it set up as a regular non-tagged interface.

    Why not tag that interface as well? Then you should have no problem switching to a trunk-port.


  • Well, Oldo. I’ve begun the config of our NS25. I’ve been asked to create 4 DMZs. I’ve created the following:

    INT          VLAN   IP address           ZONE           Layer    State
    ethernet2    -      193.XXX.YY.62/27     DMZ            Layer3   Up
    ethernet2.1  91                          DMZ-Priv       Layer3   Up
    ethernet2.2  92     193.XXX.YY.126/27    DMZ-WEB        Layer3   Up
    ethernet2.3  93                          DMZ-WEB-Priv   Layer3   Up

    This interface is connected to a FE interface on a cisco 3500XL.
    I have been using only the DMZ on eth2 without problems. But when I created the other 3 subinterfaces and changed the FE int port mode from Static to Trunk I’ve lost connection to the IP on eth2.

    I’ve announced eth2.2 via OSPF and now I can ping IP 193.XXX.YY.126. But if I change ethernet2 port mode from Static to Trunk I cannot access any network. Well, I need VLANs to separate the DMZs and allocate FE interfaces to each one in the 3500XL switch. How can I solve this problem?

    Thanks in advance.

  • sorry, I meant “I can use different policies” 😄
    I’ll disable intra-zone block.

    our NS25 is advanced: supports unlimited number of users, 3 virtual routers, 11 zones and 16 vlans.

    Next week I will start configuring the NS and I will give feedback.

    thanks a lot Oldo.

  • Sure you could create what you showed in your config with DMZ1 and DMZ2 (DMZ1 and DMZ2 being your new security zones). Only keep basic IP routing in mind and this should be no problem… What I mean with basic IP routing is, don’t try having the same IP range on, let’s say, ethernet2.1 and ethernet2.3.

    In your example you have two interfaces in each zone. There is a zone setting called “intra-zone block” that can be enabled/disabled. If it is enabled you will need policies for traffic traversing interfaces even though both interfaces are in the same zone. If disabled, traffic will flow even though you don’t have any policies.

    You said “This way I can’t use different policies on each DMZ”… I’m not sure what you mean, could you please clarify?

    P.S. Hope your NS25 isn’t a baseline? The baseline license doesn’t support VLANs
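    Two checks a practitioner would run against the DMZ1/DMZ2 layout before cutting over, covering the two points made above: that no two sub-interfaces carry overlapping IP ranges, and whether a given interface-to-interface flow needs an explicit policy given each zone's intra-zone block setting. This is an added example written for this thread, not code from the original posts or from Juniper; the interface names, zones, block settings and RFC 5737/1918 addresses are constructed sample values, and the policy rule only reflects the behaviour the post describes (inter-zone traffic always needs a policy, intra-zone traffic only when blocking is enabled).

    ```python
    import ipaddress
    from itertools import combinations
    from typing import Dict, List, Tuple

    def find_overlaps(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
        """subnets maps interface name -> "addr/prefix". Returns every pair of interfaces whose
        networks overlap, which is the 'same IP range on ethernet2.1 and ethernet2.3' mistake."""
        nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in subnets.items()}
        return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

    def policy_required(zone_of: Dict[str, str], block_intra_zone: Dict[str, bool],
                        src_if: str, dst_if: str) -> bool:
        """True if traffic from src_if to dst_if needs a policy: always when the zones differ,
        and within one zone only when that zone has intra-zone block enabled."""
        zs, zd = zone_of[src_if], zone_of[dst_if]
        if zs != zd:
            return True
        return block_intra_zone.get(zs, False)

    # Constructed sample matching the DMZ1/DMZ2 layout: a public and a private range in each zone.
    ZONE_OF = {
        "ethernet2":   "DMZ1",
        "ethernet2.1": "DMZ1",
        "ethernet2.2": "DMZ2",
        "ethernet2.3": "DMZ2",
    }
    BLOCK_INTRA_ZONE = {"DMZ1": False, "DMZ2": True}   # sample settings, not defaults
    SUBNETS = {
        "ethernet2":   "192.0.2.62/27",     # public, DMZ1
        "ethernet2.1": "10.10.1.1/24",      # private, DMZ1
        "ethernet2.2": "192.0.2.126/27",    # public, DMZ2
        "ethernet2.3": "10.10.1.129/25",    # private, DMZ2 -- deliberately inside 10.10.1.0/24
    }

    if __name__ == "__main__":
        for a, b in find_overlaps(SUBNETS):
            print("overlap: %s and %s share address space" % (a, b))
        for src, dst in [("ethernet2", "ethernet2.1"), ("ethernet2.2", "ethernet2.3"),
                         ("ethernet2", "ethernet2.2")]:
            need = policy_required(ZONE_OF, BLOCK_INTRA_ZONE, src, dst)
            print("%s -> %s: %s" % (src, dst, "policy needed" if need else "flows without policy"))
    ```

    With the sample data the overlap check flags ethernet2.1 against ethernet2.3, and the policy check shows that DMZ1 (block off) passes traffic between its two interfaces with no policy while DMZ2 (block on) and any cross-zone pair do not.
    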

  • Well, Oldo… I was told 1 hour ago that 2 DMZs are needed (both with Private and Public IP address ranges). I have to do it anyhow.

    So I’m thinking of creating another DMZ zone. Then create 2 subinterfaces, one on each DMZ. Can I create something like:

    DMZ1 - Public IP subnet - Interface ethernet2
              Private IP range - SubInt ethernet2.1

    DMZ2 - Public IP subnet - SubInt ethernet2.2
              Private IP range - SubInt ethernet2.3

    This way I can’t use different policies on each DMZ. Am I thinking correctly?

    tx in advance.

  • As you said yourself, it’s a subinterface ID, not the VLAN ID, so yes they can be different.
    Sure, why not create a sub-interface. If you want you can place the new subinterface in its own zone. This way you don’t even need to have it in the same security zone as your “public” DMZ.

  • I have a DMZ on ethernet2 with a public address range. Now I need a new DMZ with a private address range (just for some license servers).
    I’ve read the ScreenOS guide and I’m thinking of using subinterfaces, say, ethernet2.1 with a private range. Does the subinterface number have to match the VLAN tag? Or can I use subinterface ID 1 and VLAN 200?
    If that’s possible I’m thinking of creating a new zone and put the subinterface on it. What do you think?

    thanks in advance

  • Or sub-interfaces. Loopbacks too.

  • Probably need to do this from the CLI…

    set interface ethernet2 ip secondary