I’m evaluating ASL with the intent of buying either ASL or an appliance. I have an evaluation copy of ASL 5.1.
I’m running on an old machine with a 266Mz PII, 256MB of Memory, a 40GB Hard Disk and 3 x 10/100 NICs.
I’m trying to get a DMZ working the way I want it to. The intent is to be able to implement (or remove) the ASL firewall with the change of two network plugs, essentially placing (or removing) the ASL firewall between my provider’s router and my DMZ switch with no changes to either the provider’s router or my servers.
We currently run servers directly on the net with firewall capabilities in each server, including packet filtering. We’d like to offload the firewall functions to a boundary firewall, in particular all the SYN Flood activity we see. We’d also like to implement intrusion protection on the boundary device. The reason that I want to keep my server IP addresses the same is that I don’t want to implement something new that is yet another single point of failure on my network without an easy implementation/backout.
Here’s my test setup (production will be a similar concept but on a larger scale with different addresses).
Provider Information:
Gateway: 2x9.8x2.1x8.57
Subnet Mask: 255.255.255.248
ASL Information:
Internal Adapter: eth0
Internal Address: 192.168.2.xxx
Subnet Mask: 255.255.255.0
ASL Internal Address: 192.168.2.100
DHCP Address Range: 192.168.2.101 to 199
External Type: static
External Adapter: eth1
External Address 2x9.8x2.1x8.60
Subnet Mask: 255.255.255.248
External Gateway: 2x9.8x2.1x8.57
Masquerading Set Up: Internal (Network) -> All / All MASQ__External None
Packet Filter Rule Set Up: Internal (Network) > Any Service > Allow -> Any
At this point everything is working fine. I can work normally from behind the firewall on the internal network.
I haven’t been able to find much in the ASL manual about DMZ’s other than the diagrams, which show the DMZ and text saying that you should have one if you provide services externally. I did find a DNAT Guidebook, which describes a couple of methods for setting up servers in a DMZ using DNAT. I’ve been trying to follow method b – Using additional addresses on the public interface. The document uses addresses different than the public addresses for the DMZ. (It also doesn’t follow other ASL documentation for examples and doesn’t even agree with the diagrams in the document i.e. the examples show eth0 as external even though the diagrams show eth0 as internal plus a few other anomalies.)
I’ve managed to get the aliases on the external network set up and externally pingable with the following definitions.
Additional Name 1 on eth1: itest_external
Additional Type 1 on eth1: Static
Additional Address 1 on eth1: 2x9.8x2.1x8.61
Subnet Mask: 255.255.255.255
Additional Name 1 Gateway: None
Additional Name 2 on eth1:Itesttoo_external
Additional Type 2 on eth1: Static
Additional Address 2 on eth1: 2x9.8x2.1x8.62
Subnet Mask: 255.255.255.255
Additional Name 2 Gateway: None
I’ve also setup the server entries:
Server Name: itest
Type: Host
Address: 2x9.8x2.1x8.61
Server Name: itesttoo
Type: Host
Address: 2x9.8x2.1x8.62
The servers themselves are setup the way they would be if they were directly on the network:
Hostname: itest.xxxx.com
IP Address: 2x9.8x2.1x8.61
Netmask: 255.255.255.248
Gateway: 2x9.8x2.1x8.57
Hostname: itesttoo.xxxx.com
IP Address: 2x9.8x2.1x8.62
Netmask: 255.255.255.248
Gateway: 2x9.8x2.1x8.57
The problems seem to come with the definition of the DMZ network and the DNAT/SNAT rules. I’ve tried defining the DMZ a couple of ways:
1.
DMZ Type: static
DMZ Adapter: eth2
DMZ Address: 2x9.8x2.1x8.61
Subnet Mask: 255.255.255.254
When I activated this with DNAT to the external alias, I got messages of a duplicate IP on my server.
2.
DMZ Type: static
DMZ Adapter: eth2
DMZ Address: 2x9.8x2.1x8.56
Subnet Mask: 255.255.255.248
I don’t even get as far as activating a DNAT rule for this. As soon as I enable the DMZ network, the Internal -> External interface stops working.
I can think of a number of ways of trying this with different addresses and masks but I’ve already spent a lot of time on this.
My suspicion is that I can’t do this based on some of the posts I’ve seen. But before I ditch the product and the time I’ve spent on it, I thought I’d ask the question.
Does anyone run a DMZ with the same addresses as their external addresses? If so, can you point me to documentation on how its done or provide some information on how to setup ASL to do this?
Thanks.
This thread was automatically locked due to age.