Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-21-2019 05:05 PM
We need to have a 1 server behind the firewall with public ip address.
We do not want private ip on the server.
Firewall - outside zone
Server is behind the DMZ_Zone.
Currently DMZ has sub interface with private ip address
so when traffic comes from internet it will hit he firewall and hit should redirect that to DMZ zone where server has public ip address.
For NAT rule i can do source and destination zone as outside
Source address any and Dest has server public ip address and no natting.
For security rule same ips but dest will be dmz zone.
Will this setup work?
03-22-2019 02:54 AM
No
You first need to consider the firewall as a router
It knows that x.x.x.x/x is on the untrust interface and it knows that a.a.a.a/a is on the DMZ interface
If you add a server with ip x.x.x.z to the a.a.a.a/24 network, the firewall will not be able to route to it as it's routing table will demand the packets be sent to the x.x.x.x/x interface
Your server will also not be able to communicate with any of the other servers in the DMZ, because they too know to send x.x.x.x/x to the firewall instead of an adjacent device (default route and broadcast domain)
There are 2 solutions that I can think of (well, 3, but NAT is not an option)
1. put the server behind a vwire that is connected to the outside router. That way your server is 'on the outside' but still protected by the vwire
2. create layer2 interfaces and add the server to the same vlan as the untrust interface, make sure to enable intrazone security profiles
3. NAT 😛
03-22-2019 02:54 AM
No
You first need to consider the firewall as a router
It knows that x.x.x.x/x is on the untrust interface and it knows that a.a.a.a/a is on the DMZ interface
If you add a server with ip x.x.x.z to the a.a.a.a/24 network, the firewall will not be able to route to it as it's routing table will demand the packets be sent to the x.x.x.x/x interface
Your server will also not be able to communicate with any of the other servers in the DMZ, because they too know to send x.x.x.x/x to the firewall instead of an adjacent device (default route and broadcast domain)
There are 2 solutions that I can think of (well, 3, but NAT is not an option)
1. put the server behind a vwire that is connected to the outside router. That way your server is 'on the outside' but still protected by the vwire
2. create layer2 interfaces and add the server to the same vlan as the untrust interface, make sure to enable intrazone security profiles
3. NAT 😛
03-22-2019 08:11 AM
4. Put this server in it's own vlan/subnet. Either use a separate physical interface for it or add a subinterface on the same port as your current DMZ zone. Attach this interface to the applicable vRouter and add static or dynamic routing.
03-24-2019 03:44 PM
MAny Thanks Reaper for answering the Question.
Best Regards
Mike
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
