PI setup in DMZ
All,
I am in the process of firming up our PI architecture. I am unsure of how the setup will work in the DMZ. The picture at the bottom of the link shows two Integration Servers, B2B and A2A, in different zones.
http://help.sap.com/saphelp_nw04/helpdata/en/d9/ef2940cbf2195de10000000a1550b0/content.htm
Based on the figure, my questions are:
1. Does this mean that we need to set up two different PI systems, one in each zone?
2. If not, then what is involved in setting up the connectivity between the two systems, and what exactly is being configured on the B2B server?
Thanks
naghman
Hi ,
Appreciate if someone could please reply to this.
Thanks in advance.
Mikey
Similar Messages
-
Every time I try to set up my DMZ I keep breaking the internet, can someone help
Hi,
I started this on Friday at about 5 pm and am about at the point of throwing my hands up in the air from frustration. I am trying to configure a DMZ for an IP camera to be viewed from the outside. I had tried to set this config to NAT 10.1.35.5 to 2.2.2.14. Immediately after setting up the NAT config all hosts on the network lose internet access. After 2 nights of no success, I tried to mimic the port forwarding setup and just forward traffic into the LAN rather than trying to get the DMZ working, as I could already see a few devices that were set up this way. I feel like I am missing a step while configuring NAT. It seems to me that touching any of the other public IPs tends to mess up the configuration. Is there something I need to do with the existing NATing to free up a public IP from the NAT pool? (Sanitized config below)
: Saved
ASA Version 7.0(7)
hostname ASA
domain-name aaa.com
enable password Iliketurtles encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.20.10 255.255.254.0
interface Ethernet0/2
description Test DMZ for web4
shutdown
nameif dmz
security-level 25
ip address 10.1.35.1 255.255.255.0
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group service camera tcp-udp
description https2000
port-object range 443 443
port-object range 2000 2005
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit esp host Virginia host 2.2.2.2
access-list outside_acl extended permit ah host Virginia host 2.2.2.2
access-list outside_acl extended permit udp host Virginia eq isakmp host 2.2.2.2 eq isakmp
access-list outside_acl extended permit udp host Virginia eq 4500 host 2.2.2.2 eq 4500
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.11
access-list inside_acl extended permit ip 10.1.20.0 255.255.254.0 any
access-list inside_acl extended permit ip 10.1.24.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 2.2.2.0 255.255.254.0 any
access-list ltl_irvine_to_va extended permit ip 10.1.24.0 255.255.254.0 any
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.20.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.11.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.250.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.4.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.5.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.6.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 10.1.7.0 255.255.255.0
access-list no_nat extended permit ip 10.1.24.0 255.255.254.0 172.16.31.0 255.255.255.0
access-list dmz_in extended permit icmp 10.1.35.0 255.255.255.0 any
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range netbios-ns 139
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 range 135 netbios-ssn
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0 eq domain
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq www
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any object-group camera
access-list dmz_in extended permit udp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 10.1.20.0 255.255.254.0
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq 990
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any range 53000 53010
access-list dmz_in extended permit tcp 10.1.35.0 255.255.255.0 any eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging asdm warnings
logging facility 22
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp permit any inside
asdm image disk0:/asdm-509.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.1.20.0 255.255.254.0
nat (inside) 1 10.1.24.0 255.255.254.0
nat (dmz) 0 access-list no_nat
nat (dmz) 1 10.1.35.0 255.255.255.0
static (inside,outside) 2.2.2.10 10.1.20.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.11 10.1.20.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.254.0
static (dmz,inside) 10.1.35.0 10.1.35.0 netmask 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.24.0 255.255.254.0 10.1.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password blahblahblah encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 outside
http 10.1.5.0 255.255.255.0 outside
http 172.16.31.0 255.255.255.0 outside
http 100.100.100.0 255.255.255.0 outside
http 10.1.24.0 255.255.254.0 inside
http 10.1.20.0 255.255.254.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 100 match address ltl_irvine_to_va
crypto map outside 100 set peer Virginia
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group Virginia type ipsec-l2l
tunnel-group Virginia ipsec-attributes
pre-shared-key *
telnet 10.1.24.93 255.255.255.255 inside
telnet timeout 5
ssh 100.100.100.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
Cryptochecksum:c6546262ff82a0b8748f0cbbb189194f
: end
Please add this ACL entry on the "outside_acl":
access-list outside_acl extended permit ip any host 2.2.2.14
Let me know if this helps.
Thanks -
Hi Team,
We have a Windows 2008 AD infrastructure with a single domain, single forest and 30 remote AD sites with RODCs in them.
We are planning an NTP server setup on a Windows 2008 server in the DMZ. Can someone help me with the steps for the setup?
What is the best practice for the NTP architecture so that all DCs sync time from the NTP server and the NTP server syncs time from an external source?
Please suggest.
Hi,
Would you please tell us whether the plan of your security team has worked out?
Because based on what I understand, domain members will synchronize time from Domain Controllers while DCs will synchronize time from PDC.
Here is a thread below about the best practices of time synchronization in a domain:
Time Sync best practices
http://social.technet.microsoft.com/Forums/windowsserver/en-US/043b1ebe-e7bc-40ca-91e0-174a6854808e/time-sync-best-practices?forum=winserverDS
Best Regards,
Amy -
Hi,
We are planning to set up a Standalone CA server (workgroup) in the DMZ. Is it possible and recommended?
What are the points that we should keep in mind while doing so?
We have an option to use Windows Server 2008 R2 Enterprise or Server 2012, please recommend.
Regards,
Tushar
Standalone CAs are best for DMZ implementations.
http://technet.microsoft.com/en-us/library/cc756989(v=WS.10).aspx
I recommend using Server 2012 as it has some newer templates.
Here are some links to helpful blogs/articles/repositories on PKI that may guide you on what you're trying to accomplish overall.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Like Meinolf said, for specific questions feel free to hit us back up in the security forum or there are some of us with PKI expertise in the Directory Services forum as well. -
Server setup in DMZ Environment
Hi,
I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
Proposed Setup
1) 2x ISP links (redundant) - IPSEC connections from customers terminating on our Internet-facing FWs.
2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
3) The APP server and Jump server are placed behind the server switches.
Requirement
1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
2) Internal (Corporate) users need to access the Jump server and App server.
3) Any user accessing the Jump server would need to be authenticated by a Domain controller. The Domain controller would be on the internal corporate segment.
Questions
1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
Appreciate your inputs.
Cheers
Mikey
Hi Mikey,
I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we keep the DMZ zone/DMZ firewall for the server/hosting environment where external parties require access, for example a web server / application server.
So your design requires some changes in order to have a better architecture:
internet
|
router
|
external SW
|
internet facing firewalls
|
DMZ SW and Jump Server / Application Server (DMZ interface of the firewall).
Internet facing Firewall
|
LAN Interface SW (Inside Interface of the firewall)
|
LAN FW (If you really want to keep it)
|
Corporate Network
Regards
Karthik -
Hello,
I am new to Cisco firewalls and am attempting to set up a DMZ on the firewall.
I have managed to create the interface and VLAN and IP address settings etc. But I'm a bit lost with the NAT settings and rules I need to create for it.
I need to be able to do the following:
- RDP access from inside network to the DMZ servers
- Internet access for the DMZ
I am also setting up Active Directory Federation and require HTTPS traffic from the following:
- DMZ HTTPS to outside (Office 365 Services)
- Outside HTTPS to DMZ (ADFS Servers on DMZ only)
- DMZ HTTPS to inside (ADFS Servers Only)
- Inside HTTPS to DMZ (ADFS Servers Only)
Running Config:
interface Vlan1
nameif inside
security-level 100
ip address ccl-sua-asa 255.255.255.0
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.1 255.255.255.0
interface Vlan100
nameif outside
security-level 0
ip address 77.107.90.202 255.255.255.248
ospf cost 10
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
interface Ethernet0/1
description Connected to CCL-SUA-SW1 port 16
interface Ethernet0/2
switchport access vlan 3
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
access-list inbound remark Inbound ACT for Ruth Edmonds Only
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq 5022 inactive
access-list inbound remark Inbound rules for OWA 30/06/09 MD
access-list inbound extended permit tcp any host 77.107.90.203 eq https log
access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
access-list inbound remark change request MET 56030 inbound POP3 for mimecast
access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq https
access-list inbound remark Inbound rule for survey 011012 ML
access-list inbound extended permit tcp any host 77.107.90.205 eq www
access-list inbound extended deny ip any any
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
access-list outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.41.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
Like I mentioned, I have already set up the DMZ itself, but it's just the NAT and rules I'm struggling to get working.
Many Thanks
James
Hi,
If you have only an ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
You can confirm the License level with "show version" command. It should read at the end of the output.
In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 interfaces. You have already done this with the command
no forward interface Vlan1
Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
OUTSIDE -> DMZ
INSIDE -> DMZ
Connection initiating should be possible.
So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
You already seem to have the Default PAT configuration for DMZ Internet traffic.
You dont have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even though your configurations were fine.
The correct NAT configuration to enable that traffic would be to use
static (inside,dmz) <inside-network> <inside-network> netmask <mask>
Repeat for all
EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet-bound traffic, since the "security-level" loses its meaning after an ACL is attached to the interface.
- Jouni -
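Both ASA threads above come down to the same two rules of the pre-8.3 access policy: an inbound ACL on the outside interface matches the mapped (public) address of a static, and once any ACL is bound to an interface the implicit security-level permit is gone and the ACL's implicit deny applies to everything leaving that interface. The following is an added example in Python that models those rules; it is not Cisco code and not from either poster, it handles only the subset of syntax used in these threads, and it ignores nat, static and crypto lines. The two sample configs are constructed, loosely modelled on the posted ones, and the client address 198.51.100.7 is a documentation-range placeholder. For the camera thread it shows that the suggested `permit ip any host 2.2.2.14` does let HTTPS through but also opens every other port and protocol to the camera, whereas a `tcp ... eq https` ACE opens only what the camera object-group describes; for the ADFS thread it shows DMZ-to-Internet HTTPS working with no DMZ ACL, breaking as soon as a DMZ-to-INSIDE-only ACL is bound, and working again once the ACL also permits Internet-bound HTTPS.

```python
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "ssh": 22, "smtp": 25}  # subset of the ASA name table

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _ports(tok):
    """Consume an optional 'eq P' or 'range P Q' operator; return ((lo, hi) or None, remaining tokens)."""
    if tok[:1] == ["eq"]:
        return (_port(tok[1]), _port(tok[1])), tok[2:]
    if tok[:1] == ["range"]:
        return (_port(tok[1]), _port(tok[2])), tok[3:]
    return None, tok

def parse(text):
    """Return (security levels, ACLs, access-groups) from interface / access-list / access-group lines.
    nat, static and crypto lines are ignored; ACEs using object-group, 'interface' or names-defined hosts are skipped."""
    levels, acls, groups, nameif = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif:
            levels[nameif] = int(tok[1])
        elif tok[0] == "access-list" and tok[2:3] == ["extended"]:
            try:
                src, rest = _addr(tok[5:])
                _, rest = _ports(rest)          # source-port operator: parsed, not evaluated
                dst, rest = _addr(rest)
                dports, _ = _ports(rest)
            except (ValueError, IndexError):
                continue
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, dports))  # action, proto, src, dst, ports
        elif tok[0] == "access-group" and tok[2] == "in":
            groups[tok[4]] = tok[1]
    return levels, acls, groups

def permitted(cfg, in_iface, out_iface, src, dst, proto, dport=0):
    """Decide a new connection the way a pre-8.3 ASA does: an ACL bound inbound on the ingress interface
    is evaluated first-match with an implicit deny at the end; with no ACL bound, only higher-to-lower
    security-level traffic passes. The ACL sees the mapped (public) address of an inbound static NAT."""
    levels, acls, groups = cfg
    sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = groups.get(in_iface)
    if acl is None:
        return levels[in_iface] > levels[out_iface]
    for action, aproto, asrc, adst, dports in acls.get(acl, []):
        if aproto not in ("ip", proto) or sip not in asrc or dip not in adst:
            continue
        if dports and not dports[0] <= dport <= dports[1]:
            continue
        return action == "permit"
    return False

# Constructed sample modelled on the camera thread (not the poster's config): static to the DMZ, no ACE for it yet.
CAMERA_CFG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/2
 nameif dmz
 security-level 25
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit tcp 100.100.100.0 255.255.255.0 host 2.2.2.10
static (dmz,outside) 2.2.2.14 10.1.35.5 netmask 255.255.255.255
access-group outside_acl in interface outside
"""
WIDE_ACE = "access-list outside_acl extended permit ip any host 2.2.2.14\n"           # the reply's suggestion
TIGHT_ACE = "access-list outside_acl extended permit tcp any host 2.2.2.14 eq https\n"  # only the camera's HTTPS

# Constructed sample modelled on the ASA 5505 ADFS thread, with the DMZ -> INSIDE ACE the reply calls for.
ADFS_CFG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan3
 nameif dmz
 security-level 50
interface Vlan100
 nameif outside
 security-level 0
access-list dmz_acl extended permit tcp 172.16.0.0 255.255.255.0 192.168.40.0 255.255.255.0 eq https
"""
BIND_DMZ_ACL = "access-group dmz_acl in interface dmz\n"
DMZ_TO_ANY_HTTPS = "access-list dmz_acl extended permit tcp 172.16.0.0 255.255.255.0 any eq https\n"
```

`permitted(parse(CAMERA_CFG + WIDE_ACE), "outside", "dmz", "198.51.100.7", "2.2.2.14", "tcp", 22)` returns True, which is the exposure the `permit ip any` fix brings with it; with `TIGHT_ACE` instead, the same call returns False while port 443 still passes. `permitted(parse(ADFS_CFG + BIND_DMZ_ACL), "dmz", "outside", "172.16.0.7", "198.51.100.7", "tcp", 443)` returns False, which is the failure mode the reply warns about; adding `DMZ_TO_ANY_HTTPS` to the config before binding the ACL turns it back to True. Order matters in a real config as well: the ACE has to be appended to the ACL before, or at least as well as, the `access-group` command that binds it.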
How to set up DMZ on WatchGuard XTM 330
Hi PCITech,
there is nothing that could be directly called a 'DMZ' as you find it on some low-end routers. Instead you have network interfaces, each of which may represent its own full-blown network (if you set them up for that). By default WatchGuard allows you to select between 'trusted' and 'optional' for a new network that you configure, but you can also select 'custom'. Later, when you write firewall rules, you can then reference 'Any-Trusted' and 'Any-Optional' in your rules. But sometimes you don't want a network to follow the rules that you have in place for 'Any-Optional' and then you need to set that network as a 'Custom' network. If you want to make a server in one of these additional networks accessible by the outside world, you have to set up SNAT rules that connect between an external interface IP/port and your internal...
Hello,
I'm either blind or over-worked (probably both) but I can't seem to find how to setup a DMZ on the XTM 330. I need to add an Avaya IP phone system and don't want to try using SIP because the vendor said they need no NAT.
Can someone please either direct me to the correct spot in the documentation or tell me how to do it?
Thanks in advance
This topic first appeared in the Spiceworks Community -
Accessing E-business suite in another network without configuring DMZ
Hi
How can I enable access to E-Business Suite externally or from a different location? I don't want to set up the DMZ configuration and reverse proxy. Our company has another remote branch and they are not on the same network. How can they access the E-Business Suite without enabling the DMZ and reverse proxy? Is there anything like making the IP of the Apps server public that will solve the issue?
rgds
rosh
To make it public, you just need to change the IP address of the application and the database servers to the real one and follow the steps in the following notes. Once you are done, the system will be accessible to the users.
Note: 338003.1 - How to change the hostname and/or port of the Database Tier using AutoConfig
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=338003.1
Note: 341322.1 - How to change the hostname of an Applications Tier using AutoConfig
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=341322.1 -
Needing to create a DMZ zone/vlan on a small ASA.
Hopefully an easy question as this is not my forte.
I have an a small ASA-5505 running 8.2(2).
I have 2 vlans
inside 192.168.58.0/24 – security level 25
outside 25.65.25.134/30 – security level 0
I want to create a small DMZ with the public range I was given, a /29 block that is being forwarded to me.
How do I set up a DMZ zone to account for this block when I am connecting over a /30 network?
Your ISP should have a route for that new subnet pointing to the outside interface of your ASA.
So you can then either allocate the public IPs to the actual machines in which case you need one IP for the DMZ interface on the ASA or you can give your DMZ machines private IPs and just use the new IPs in your NAT statements on the ASA.
Up to you, but you don't need to assign any IP from the new block to an actual interface if you don't want to.
Jon -
- How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
- If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
(We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
thanks,
oleg
When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (Ethernet) and an inside interface (available as a 4-port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.
-
How to setup a Default Playlist to Airport but allows BYOD playlist override?
Sorry for the unclear description.
Here is what I am trying to accomplish. I have my laptop or ipod playing a default playlist to my Airport express attached to my Stereo system. The music plays fine with no issues. I come into the house and want to play music from my iphone or ipad, I cannot connect or play to airport express since it is already sync'd or acquired by my laptop.
My goal is to have a default playlist playing all the time. When myself, my kids, or anyone comes in to house they can have priority over my laptop to play their music. Then when they disconnect, stop playing music, or leave the house; the default playlist kicks back on and continues to play out the speakers via the airport. I am trying to do this without human manual interaction.
I can do all of this manually like disconnect laptop, new device syncs to airport, then when they leave manually start playlist. But I am trying to figure out how to do this dynamically without human interaction.
Any ideas or solutions on how to get this to work?
Thanks!
T. -
DMZ and DHCP ????
Hi all: We have set up a DMZ off of our BM39 server. The only purpose of the DMZ is to allow a few clients relatively unencumbered internet access. We have had lots of problems with our BM proxy interfering with secure Citrix implemented by some partners we work with (Hospitals).
We also have visiting review staff from drug companies as we do many drug studies. These visitors often need internet access and up to this point I have been placing them on our internal subnet. But I am rethinking this and am considering moving our visitors to the DMZ instead.
To do this I want to set up a DHCP server on our BM server (done) to serve up addresses for the DMZ. However during testing the clients are not seeing the DHCP server. I suspect this is a filtering issue. I currently only have one set of filters for the DMZ which allows all traffic from the public interface to the DMZ and back.
I am assuming the DHCP server needs a filter to allow traffic but I have no idea what that would look like. Can you help me out? Thanks, Chris.
OK, got this working using Craig's filter book - glad to have purchased it.
have purchased it.
>>> On 9/21/2009 at 11:05 AM, in message
<4AB75DE5.CE15.0032.0@N0_$pam.vrapc.com>,
Chris<cmosentine@N0_$pam.vrapc.com> wrote:
-
SA 540 and DMZ Issue for Wireless Guest Access
I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness. I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?
Hi,
I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
I have my Web and Mail server set up on the DMZ port. I can ping and resolve domain names to the outside world, but trying to reach anything with a browser takes forever. On, e.g., www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
To summarize, I have about 16 Mb connection on my LAN and on my DMZ i can't even load a full web page.
Firmware 1.0.39
BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset. -
hi,
I am trying to setup a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
Local Controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest" - assigned it to the management interface.
Have tried the following with regards to DHCP on this WLAN.
Set it to "override" and specified the DMZ controller's management interface
Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
Left DHCP server blank on the local controller's management interface
Setup the DMZ controller as the mobility anchor for the "guest" WLAN
DMZ controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest"
Created a dynamic interface called "guest" associated to the "guest" WLAN
Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
Created an internal DHCP server scope and enabled it
Have tried the following with regards to DHCP on the "guest" WLAN
Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "assignment required" and specified the IP address of the controllers "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "override" and specified the DMZ controller's management interface IP
Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
Any help would be appreciated.
Thanks
Lee
On the DMZ controller, what is the output of a debug client <mac address of the client>? You may also want to capture debug mobility handoff enable from both WLCs.
For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and internal must match exactly, with the exception of the linked interface, otherwise you will not anchor.
While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled.