Multiple DMZ on WRT54GL?

Can I have multiple DMZs to open all ports to my servers?
My LAN configuration:
Broadband Modem > Router > TWO workgroup switches > all computers
I've been using port range forwarding (only gives you 10 spaces), and I'm using up 7 of them now. Xbox 360 alone takes 3 spaces to open its required ports.
I have many servers, and currently all ports are open, but if I expand again, I'll be hammered with no room to open the ports.
My servers have manually configured IP addresses: xxx.xxx.x.146-148.
If there was an option to open a range for DMZ or to forward all ports to a range, that would be splendid. Not sure if it's possible, but if there's no multiple DMZ option, could I use the port range forwarding and open all ports using that? As in typing the beginning port to end port on both TCP and UDP? EX: Port 20 - 80000 BOTH IP 146 Enable  < not sure what the lowest port and highest ports are lol.
If it's not clear enough, let me know and I'll try to clarify the best I can.
Thanks in advance,
DevilzEye
www.tennisonet.com < TNt Server Website (so everyone can see what servers im running as proof i need these open lol)
Admin of TennisoNet.com and community
My Network: TennisoNet
Linksys WRT54G v3 w/ 2 workgroup switches (gigabit linksys)
3 Servers (wired), 3 desktops (wired), 2 Laptops (wireless)
Xbox360 (wired), 2 PS3's (both wired)
PC's and Servers built by ME! (excluding laptops)

Actually, the Tomato firmware upgrade did solve my issue. The port settings on that particular firmware are so much more advanced and it is much easier to open ports, since I can open a range of ports, plus an additional port, with just one entry, rather than using multiple lines to open a set of ports.
For example: my Xbox requires ports 80-88, 53, and 5093 open on the Xbox's IP address. So all I did was type in "80-88,53,5093" and type the IP for the Xbox on that one line, and it opened all the specified ports. So now instead of using 3 entries for my Xbox, I only use one. As for the servers, many programs that required 2 or 3 entries now only need 1 entry to open all the same ports.
That firmware solved all of my headaches. It is much more advanced, so it requires a higher knowledge of networking, but that isn't a problem for me.
After posting this, I checked "Solved" on his post. I appreciate the response, but I don't understand port forwarding, since why would I want to forward a port? Incoming traffic to port 8767 (Teamspeak2 server) forwarded to a different port wouldn't work, since Teamspeak uses port 8767, and incoming traffic is the same. What would I do? Have incoming traffic use port 8458 and my server running on port 8767 so it gets forwarded to the same port? I don't know how that works; if you could explain, that would be super for future reference.
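As an added example (not part of the original posts and not Tomato's own code), the sketch below parses port lists written in the "80-88,53,5093" style quoted above, rejects ranges outside 1-65535 such as the "20 - 80000" asked about in the first post, and flags entries that expose so many ports that the host is effectively a DMZ host or that claim an external port already forwarded to another host. The rule names, LAN addresses, protocols and the 1024-port threshold are assumptions made for the example.

```python
"""Audit port-forward entries written in the "80-88,53,5093" style."""
from dataclasses import dataclass

MIN_PORT, MAX_PORT = 1, 65535  # TCP/UDP port numbers are 16-bit; 0 is reserved
WIDE_OPEN = 1024               # assumed threshold: this many ports is close to a DMZ host


def _port(text: str, item: str) -> int:
    """Convert one port token to int, rejecting anything that is not plain digits."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not a port number: {item!r}")
    return int(text)


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Parse "80-88,53,5093" into sorted, merged (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        low_s, sep, high_s = item.partition("-")
        low = _port(low_s, item)
        high = _port(high_s, item) if sep else low
        if not (MIN_PORT <= low <= high <= MAX_PORT):
            raise ValueError(f"port range out of bounds: {item.strip()!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:  # overlapping or adjacent: fold into previous range
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


@dataclass
class Forward:
    name: str
    proto: str   # "tcp", "udp" or "both"
    ports: str   # port list as typed into the router
    lan_ip: str  # internal host that receives the traffic


def _fmt(low: int, high: int) -> str:
    return str(low) if low == high else f"{low}-{high}"


def audit(rules: list[Forward]) -> list[str]:
    """Return human-readable findings for invalid, over-broad or conflicting entries."""
    findings, seen = [], []  # seen holds (proto, low, high, rule) for accepted ranges
    for rule in rules:
        try:
            ranges = parse_port_spec(rule.ports)
        except ValueError as exc:
            findings.append(f"{rule.name}: invalid ({exc})")
            continue
        exposed = sum(high - low + 1 for low, high in ranges)
        if exposed >= WIDE_OPEN:
            findings.append(f"{rule.name}: {exposed} ports forwarded to "
                            f"{rule.lan_ip}, effectively a DMZ host")
        protos = ("tcp", "udp") if rule.proto == "both" else (rule.proto,)
        for proto in protos:
            for low, high in ranges:
                # One external port per protocol can only reach one internal host.
                for o_proto, o_low, o_high, other in seen:
                    if (proto == o_proto and low <= o_high and o_low <= high
                            and other.lan_ip != rule.lan_ip):
                        clash = _fmt(max(low, o_low), min(high, o_high))
                        findings.append(f"{rule.name}: {proto} {clash} already "
                                        f"forwarded to {other.lan_ip} by {other.name}")
                seen.append((proto, low, high, rule))
    return findings


# Constructed sample rules; addresses and protocols are illustrative only.
RULES = [
    Forward("xbox360", "both", "80-88,53,5093", "192.168.1.50"),
    Forward("teamspeak2", "udp", "8767", "192.168.1.146"),
    Forward("webserver", "tcp", "80,443", "192.168.1.147"),
    Forward("everything", "both", "20-80000", "192.168.1.146"),
]

if __name__ == "__main__":
    for line in audit(RULES):
        print(line)
```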

Similar Messages

  • Multiple dmz hosts? ps3+xbox360

    Hi!
    I'm having difficulties in setting multiple DMZ hosts. Both my PS3 and my Xbox 360 require me to set them as the DMZ host. However, in the router's settings page, there's only one space for IP entry to enable DMZ. Thus far, my only solution has been to access the page every time I want to play on Xbox Live or PlayStation Network. Is there a better way? Am I missing something?
    Thank you!
    blgage

    got it all figured out, thanks for all your help!

  • Load balancing of PIX firewalls with multiple DMZs

    I need a suggestion about how to balance the traffic through two PIX firewalls, with 4 interfaces (IN,OUT,DMZ1,DMZ2)
    In all the documentation related to the subject, I see always the firewalls with only two interfaces:
    http://www.cisco.com/warp/customer/117/fw_load_balancing.html
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
    What if I need to balance on more than 2 interfaces?
    Do I have to add more content switches, one for each interface ?
    Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately ?
    Thank you in advance for any help.

    We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
    Then again, it depends on if physical security is essential to you, and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

  • Load Balancing across Multiple DMZ's

    Can you split one Css11503 across two separate DMZs securely? I have a group of servers that are currently being load balanced in one DMZ. I now have a requirement to load balance another set of servers in another DMZ. Is it possible to split the CSS across two DMZs and still maintain a high level of security?

    You need a separate CSS for each interface of the firewall.
    If you use the same CSS for 2 DMZ, traffic inter DMZ will be routed by CSS and will bypass the firewall.
    Gilles.

  • Multiple ip address - WRT54GL

    Hello,
    I am trying to set up the following configuration:
    WRT54GL:
    external :    ip:XXX.XXX.174.101 nm: 255.255.255.0  gw:XXX.XXX.174.5
    internal :  XXX.XXX.177.158
    My Network:
    ip:XXX.XXX.177.157 nm:255.255.255.0 gw: XXX.XXX.177.158
    ip:XXX.XXX.177.156 nm:255.255.255.0 gw: XXX.XXX.177.158
    ip:XXX.XXX.177.155 nm:255.255.255.0 gw: XXX.XXX.177.158
    ip:XXX.XXX.177.154 nm:255.255.255.0 gw: XXX.XXX.177.158
    The IP addresses in My Network are all public static (class B).
    How can I do this?
    ps. sorry for my english.

    Well, you configure exactly the IP information you have posted:
    internet connection settings: static IP
    IP ...174.101
    mask 255.255.255.0
    gateway ....174.5
    plus dns servers of your ISP
    LAN ip address ....177.158
    LAN subnet mask 255.255.255.0
    DHCP server settings as appropriate and required for your network.
    In addition, you have to switch off NAT. On the Advanced Routing page, change from gateway mode to router mode (or disable NAT if your firmware has that option instead).
    That's all. Now your WRT works like a normal router would do.
    Please remember, that the firewall of the WRT won't protect your LAN. You'll have to install a firewall for your network or on all your computers. In router mode all LAN traffic is simply routed into the LAN (verify this on your router. Maybe your firmware version is different...)

  • ASA 5515x Multiple DMZ ports

    I have to propose a solution where I have a 5515x firewall with 6 GE interfaces. I need to make 4 physically separated port DMZ on this firewall. Each DMZ will be completely isolated from the other DMZ.
    So this means out of the 6 ports available, 1 port will be for inside interface, 1 port for outside interface and 4 ports for DMZ.
    Is this solution possible ? What are the pros and cons for this solution

    Please post it in the security community.

  • Load balancing across DMZs - Revisited

    I know this question has been asked before and the answer is to have separate content switches per DMZ in order to maintain the security policy. There is an option to have the content switch in front of the firewall and then use only one content switch to load balance across multiple DMZs. Is this an acceptable design or the recommendation is to have a separate content switch behind the firewall for each DMZ of the firewall?
    Can a Cisco 6500 with CSM be configured for multiple layer 2 load balanced VLANs, thus achieving a multiple DMZ load balancing scenario with only one switch/CSM?

    How do you connect the router to the firewall ?
    Problem is the response from the server to a client on the internet.
    Traffic needs to get back to the CSS and if the firewall default gateway is the router, the response will not go to the CSS and the CSS will reset it.
    If you configure the default gateway of the firewall to be the CSS, then all traffic from your network to the outside will go through the CSS.
    This could be a concern as well.
    If you don't need to know the ip address of the client for your reporting, you can enable client nat on the CSS to guarantee that server response is sent to the css without having the firewall default gateway pointing at the CSS.
    Gilles.

  • 'Logical' DMZ?

    I have an ASA 5510 and I need to implement a DMZ.  I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch.  So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up.  Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)?  I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct?  If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)?  And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port like creating SVIs on a L3 switch, correct?  If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging.  I'll try to get a diagram together that addresses this more clearly.
    Regards,
    Scott

    @Jeff
    The problem isn't so much on the server side as much as it is on the ASA side.  If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:
    interface GigabitEthernet0/0
         description Outside
         ip address 192.168.1.1 255.255.255.0
         name Outside
         security-level 0
    interface GigabitEthernet0/1
         description Inside
         ip address 192.168.2.1 255.255.255.0
         name Inside
         security-level 100
    interface GigabitEthernet0/2.10
         description DMZ
         vlan 10
         name DMZ
         security-level 50
    interface GigabitEthernet0/2.??
         description Inside
         vlan ??
         name Inside-Too
         security-level ??
    Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with.  I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1.  I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside.  The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.

  • ISA-570 DMZ configuration?

    Our configuration is a little tricky, but certainly not uncommon.  Our ISP provides a single static WAN IP x.x.x.162/30 (gateway is x.x.x.161), then has provisioned 2 ranges of public IP's in different subnets.  One is y.y.y.112/29 and the other is z.z.z.32/28.   We use the "z" range for our DMZ and when we lease office space to a tenant they get the "y" range.
    We have been using an RV082 in "router mode" as the first inside device, some firewall rules here to protect our servers/device in the DMZ ranges.  Then a 2nd RV082 between that and our LAN running in "gateway mode" to provide traditional NAT & firewall for the private network.
    Recently, we increased the speed of our ISP fiber to 100M.  The RV082's don't really have the processing power to keep up with this, so we are trying to replace them with a more capable device.  The ISA-570 was recommended as it is rated to perform at or above 100M for VPN and Stateful firewall.
    The ISA-570 appears to have the capability to do advanced routing functions, so it would seem there should be a way to combine our two RV's into one ISA.  The ISA has a "routing mode" that you toggle on or off.  When routing mode is ON it disables all NAT functions, so that won't work.  I need to configure this with routing mode OFF, but figure out how to put in custom Routing or NAT rules since our Public IP ranges are in different subnets from our primary WAN IP.  We have tried many config options with no success.
    I'll see if I can diagram this as quickly as possible...
    WAN port - IP x.x.x.162/30   (gateway x.x.x.161 - Centurylink's device)
    DMZ1 - z.z.z.32/28  (port 9 configured with IP of z.z.z.33)
    DMZ2 - don't worry about this for now - if we get one working we can get both working
    No matter what I try, the DMZ range either gets NAT'ed through the WAN IP, or loses internet connection.
    Is there a way to do this with this device?  (My residential U-verse router can do this)  Is there another device that will allow me to function as a router and gateway at the same time?  I have tried static routing rules, RIP.... got desperate and tinkered with static/advanced NAT, Dynamic PAT, etc, but I don't really have any training in routing protocols and syntax, so I'm a little lost there.
    ** The only thing we haven't tried is setting the DMZ as a private range and configuring static NAT.  Reprogramming all the DMZ NIC's of the servers is something I'd like to avoid.  Furthermore, this really turns it into just another private LAN subnet which could be handled as a VLAN, so then what is the purpose of having so-called "DMZ" as a special classification in the ISA's config?   More confusing is the ISA-570 will program for multiple DMZ ranges, so there must be something we're missing...  If not, then it's like having a rack full of new servers and only one free port on the switch.

    Good morning
    Thanks for using our forum
    My name is Johnnatan and I am part of the Small Business Support community. I apologize for the problems you are having. As your Cisco partner contact said, you are looking for an enterprise device, like the ASA. If you use your ISA as “gateway” it disables the “router” mode features and vice versa. I hope you find this answer useful.
    *Please mark the question as Answered or rate it so other users can benefit from it*
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Wireless design guide/help

    Hi guys........just have a few questions about designing WLC 5508.
    The scenario is that currently one of the clients has a firewall tiering, T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected which has a router which connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking to deploy two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; what will the physical topology look like?
    4- How many VLANs do I have to make for wireless users, will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC. Are they just like a switch, e.g. one port can be assigned to different VLANs....just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

    1- Keeping in mind that there is only one WLC where should i physically put it?
    Well, since you will also be supporting Corporate and I'm guessing that is where the WLC sits, it should be in the inside network.  You would just need to allow udp 5246 & 5247.
    2- How guest users will work ? How the authentication will be done?
    Guest users can use webauth in which the credentials will be stored on the WLC.
    3-There are 8 SFP ports in WLC how physical topology will look like?
    This is the tricky part.  You can either lag or not lag.  You can't split up the lag (etherchannel).  So you can either use all 8 if you wish and create an etherchannel and then ACL the guest traffic out to the internet, or you can put the guest on a layer 2 VLAN in which you would connect that out to the DMZ.  Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port, and the same for guest.  So it would look like this:
    Management primary port 1 backup port 2
    SSID primary port 3 backup port 4
    Guest primary port 5 guest port 6
    OR
    Management & SSID's primary port 1 backup port 2
    Guest primary port 3 guest port 4
    4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
    If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site.  If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one.  Now you can use a large subnet or have a subnet for each site, its up to you.  You would use AP Groups for that.
    my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Wireless design help

    Hi guys........just have a few questions about designing WLC 5508.
    The scenario is that currently one of the clients has a firewall tiering, T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected which has a router which connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking to deploy two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; what will the physical topology look like?
    4- How many VLANs do I have to make for wireless users, will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC. Are they just like a switch, e.g. one port can be assigned to different VLANs....just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

           OSITAN N Many thanks  please comment
                                        Internet
                                                   FW 1
                                                       !                                                        <---------------------Traffic coming this way
                                                    FW2--------DMZ--------------SW---------- Router -----------------IP MPLS-----------------
                              ------Trusted-----  !                                                                                                        !
                                                       !                                                     ------Branch Router------->               RT 
                                    !           !               !                                                                                               SW
                                 DSN      AD            DHCP                                                                                          !
                                                                                                                                                                AP  
                                                                                                                                                              USER
    1. Where to place the WLC so that guest traffic doesn't go to the trusted area?
    2. It's going to be H-REAP, so DHCP would be local for the branch.
    3. Voice user QoS? Priority how? Example.
    4. Guest firewall rules to use only internet?

  • MP Rotation Untrusted Forest.

    Hi, 
    I realize you cannot force a client to use a particular MP, which is creating a design problem for us.
    We have multiple DMZs in an untrusted forest.
    I am not sure how to get around this problem.
    The clients cannot communicate with an MP outside of that DMZ.
    If I have 20 DMZs, and a MP in each, will this not create an MP rotation issue at some point?
    I came across this posting by Anoop; is this the only workaround?
    http://anoopcnair.com/2014/04/11/workaround-sccm-2012-clients-mp-selection-rotation-issue-untrusted-dmz-forests/
    Appreciate any suggestions.

    Is there a single, shared forest (or domain) for all DMZ or a separate forests (or domains) for each DMZ?
    The workaround describe in that blog post is for the perception of a bug, not for providing for MP selection.
    Yes, MP rotation could cause an issue -- 20 MPs aren't supported within a single primary site either so you are also running into a support limitation.
    Depending upon your answer to the forest question, LocationAware is probably the only answer today (without doing something crazy like using multiple primary sites).
    Reverse proxy is another possible solution. This would enable a single MP (or sets of central MPs) to be accessed in a protected manner.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCSI Transport Failed

    Hello guys, I'm trying to figure out if my hard drive is going bad in my system. I'm seeing a lot of SCSI transport error messages in the /var/adm/messages file. This only happens when our backups are running at night. We back up all our servers through the firewall using Veritas's NetBackup. Can someone help me sift through this information in the messages file and let me know what all this means? Thanks
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 Cmd (0x2d37890) dump for Target 0 Lun 0:
    Dec 6 18:53:22 cp-hqc2 Cmd (0x2d37890) dump for Target 0 Lun 0:
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 cdb=[ 0x2a 0x0 0x0 0x60 0xba 0x74 0x0 0x0 0x2 0x0 ]
    Dec 6 18:53:22 cp-hqc2 cdb=[ 0x2a 0x0 0x0 0x60 0xba 0x74 0x0 0x0 0x2 0x0 ]
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 pkt_flags=0x4000 pkt_statistics=0x60 pkt_state=0x7
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 pkt_scbp=0x0 cmd_flags=0x1860
    Dec 6 18:53:22 cp-hqc2 pkt_flags=0x4000 pkt_statistics=0x60 pkt_state=0x7
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 Disconnected tagged cmd(s) (1) timeout for Target 0.0
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 365881 kern.info] /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 408822 kern.info] NOTICE: glm0: fault detected in device; service still available
    Dec 6 18:53:22 cp-hqc2 pkt_scbp=0x0 cmd_flags=0x1860
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 611667 kern.info] NOTICE: glm0: Disconnected tagged cmd(s) (1) timeout for Target 0.0
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 Disconnected tagged cmd(s) (1) timeout for Target 0.0
    Dec 6 18:53:22 cp-hqc2 glm: [ID 401478 kern.warning] WARNING: ID[SUNWpd.glm.cmd_timeout.6018]
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 408822 kern.info] NOTICE: glm0: fault detected in device; service still available
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 611667 kern.info] NOTICE: glm0: Disconnected tagged cmd(s) (1) timeout for Target 0.0
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 glm: [ID 401478 kern.warning] WARNING: ID[SUNWpd.glm.cmd_timeout.6018]
    Dec 6 18:53:22 cp-hqc2 got SCSI bus reset
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3 (glm0):
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 408822 kern.info] NOTICE: glm0: fault detected in device; service still available
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 611667 kern.info] NOTICE: glm0: got SCSI bus reset
    Dec 6 18:53:22 cp-hqc2 got SCSI bus reset
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3/sd@0,0 (sd0):
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 408822 kern.info] NOTICE: glm0: fault detected in device; service still available
    Dec 6 18:53:22 cp-hqc2 genunix: [ID 611667 kern.info] NOTICE: glm0: got SCSI bus reset
    Dec 6 18:53:22 cp-hqc2 SCSI transport failed: reason 'reset': retrying command
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3/sd@0,0 (sd0):
    Dec 6 18:53:22 cp-hqc2 SCSI transport failed: reason 'reset': retrying command
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3/sd@0,0 (sd0):
    Dec 6 18:53:22 cp-hqc2 scsi: [ID 107833 kern.warning] WARNING: /pci@1f,4000/scsi@3/sd@0,0 (sd0):
    Dec 6 18:53:22 cp-hqc2 SCSI transport failed: reason 'timeout': retrying command
    Dec 6 18:53:22 cp-hqc2 SCSI transport failed: reason 'timeout': retrying command

    Hello, data is not being backed up locally. This server is our firewall. We have multiple DMZ zones on our firewall. One of our DMZs hosts the Veritas master server, which backs up other web servers in other DMZ zones. When the backups kick off at night, these messages appear in the /var/adm/messages file. Does this mean the firewall cannot handle the load of traffic??

  • Bridge mode and router mode

    hello,
    I want to understand the basic operation, difference and advantages of both Bridge Mode and Router mode?
    i also want to know in which case i should go for Bridge mode and Router mode?
    regards
    Devang

    It really depends on your requirements.
    Mainly bridge mode is used for multicast support, multiple DMZs + FWSM, server initiated connections or for seamless migration from a previously installed "bridged load balancing environment".
    Some of the differences are
    In bridge mode you do not need additional config for "Direct server access" / "Server Initiated connections"
    Broadcasts are dropped in routed mode whereas they are bridged in bridge mode.
    LB functionality is same in both modes.
    Syed Iftekhar Ahmed

  • Pix high memory usage

    The memory usage of my PIX 525 goes up and up. I need to free memory. How do I do this??
    TKS

    A few questions before I give the easy answer:
    Do you use the PIX for point-to-point VPN between sites?
    Do you use the PIX as a VPN concentrator for end users?
    Do you have a DMZ or multiple DMZs?
    Has anything recently changed in your network that would have increased traffic through your PIX?
    I mention these things because they all require CPU resources and memory.
    The easiest way to free up memory is to reboot the PIX. Of course, this is not always an option but the results are very predictable. If after the reboot the memory usage goes right back up to previous levels then it's time to do a traffic study of your network and determine if this PIX has the horsepower you require or if some other network re-design is in order.
    Hope this helps.
