This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

dmz with sonicwall and astaro

I had to design a dmz for a client that wanted a 2 firewall setup. This is my first 2 firewall setup. I have the sonicwall on the border and I have the astaro box as the internal firewall. The problem is I can't get internet access to my dmz clients. Can someone here please tell me what I'm doing wrong?

I'm going to list how I have the equipment set up.
Internet -> Modem
Modem -> Router
Router -> DMZ Switch
DMZ Switch -> to public servers
DMZ Switch -> Firewall External NIC
Firewall Internal NIC -> LAN Switch
LAN Switch -> LAN Systems

This thread was automatically locked due to age.

0 cyclops over 20 years ago

amp10000,

Your setup description is confusing somehow.

You might have a routing problem - in a two stage firewall setup the edge firewall needs a static route to the internal network via the external intreface of the inner firewall. I do not really know where your DMZ is but I guess it is between both firewalls and the default gateway of the servers located in this DMZ points to the internal interface of the external firewall, right?

Please review your setup carefully. From your description one could get the impression that your DMZ isn't firewalled at all since your DMZ switch is located beside or in front of the firewall system? As said it is confusing [:S]

Greetings
cyclops
Cancel
Vote Up 0 Vote Down

Cancel
0 amp10000 over 20 years ago in reply to cyclops

cyclops I figured the problem out it was dns. I had to configure the servers in the dmz with the dns servers I got from my isp after I did that all was well basically I could resolve external sites by ip but not by name. Ok now let me tell you in detail about my setup I have a sonicwall that has 2 interfaces. The first is the wan interface which has our dsl modem connected to it the second is the lan interface at 192.230.15.2 that connects into a dmz switch. I than have the external interface of the astaro box with an ip of 192.230.15.3 that is also connected to the dmz switch. So the external interface of the astaro box takes the internal ip of the sonicwall as its gateway which is 192.230.15.2. Now I have an internal interface on astaro that connects back to a lan switch at 192.168.85. network. Also all systems in the dmz take the internal ip of the sonicwall for there gateway. If theres any problems with this setup please point them out because like it said this is my first venture into a 2 firewall setup. I pulled most of my research by reading this article http://www.security-forums.com/forum/viewtopic.php?t=5653 and also by looking at a few firewall books.
Cancel
Vote Up 0 Vote Down

Cancel
0 nat_01_01 over 20 years ago in reply to amp10000

Hi amp10000,

I have a question about how you setup your 2 firewall configuration. My question could be better explained by this scenario.

Lets say I have a web server in the DMZ. To give access to an interet user I'd allow port 80 to the web server in my extranal firewall. If the website application has to request some data from the database server (located in my LAN), then I'd have to allow a port in my internal firewall to access the db server.

The web server has a different subnet from my LAN. The web server's NIC has a unique IP in the DMZ zone and a default gateway of the ip address of outer firewall's internal NIC. Also the DNS server ip address would be configured in the web server to have the ISP's DNS server.

If the web server has to resolve an IP or a name (ip/name of my db server which is in a diff subnet), won't the web server ask the default gateway(outer firewall's internal NIC) to resolve this - which would have no idea of what this address would be and would forward this request to the ISP's DNS server ?

How do I configure the webserver's NIC so that it could resolve a server name which is located in my internal lan??

Thank you in advance
Cancel
Vote Up 0 Vote Down

Cancel