CWMS 2.5 with IRP

poomiko00
Level 1

Hi all,

I am currently deploying CWMS 2.5 in our system.

But I have trouble connecting the Admin VM with the IRP VM.

Our IRP is installed in the DMZ zone. I need to set up the IRP route as x.x.x.1 for internal and x.x.x.254 for external.

I currently set the IRP gateway to x.x.x.254 but cannot set a static route to send private IP addresses to the correct gateway (x.x.x.1).

I want to know how to configure a static route on the IRP, or is this design not valid?

Thanks all!

4 Replies

dpetrovi
Cisco Employee

Hi,

I am not sure I understand what exactly you are trying to do. If you can provide more details on what exactly you are trying to achieve, I may be able to provide you with better guidance.

In the meantime, please reference the planning guide that explains all the available/supported topologies as well as network/port requirements: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide.html

Kind regards,

-Dejan


Hi Dejan,

Please see the diagram in the 1st post attachment. I want to implement IRP in a DMZ zone which has 2 firewalls (internet, intranet). The problem is the Admin VM cannot connect to the IRP VM.

Currently, I configured the IRP VM gateway as 10.10.10.254, but for the private network it should route to 10.10.10.1. However, I cannot find any way to configure a static route for my private network on the IRP VM.

The traffic from the Admin VM flows to the IRP VM this way:

[admin VM] => [intranet FW] => [IRP VM]

But when the IRP VM replies to the Admin VM, the traffic goes to the internet firewall due to the default gateway:

[IRP VM] => [internet FW] => [intranet FW] => [admin VM]

What happens is the internet firewall blocks that traffic due to the asymmetric route.

So, I'm not sure whether the design in the attachment is valid.

Can the IRP VM be configured with a static route, or do I need another L3 device to route the network between the internet and intranet firewalls?

Best regards.

Hi,

When you deploy the IRP VM, you are supposed to configure an IP address that belongs to the DMZ subnet and assign it the corresponding default GW that can route the traffic depending on who the IRP VM is communicating with.

That default GW should know whether it is supposed to route the traffic outside the network or inside.

You can't configure static routes on the IRP VM (you can in the CLI, which you don't have access to, as it is basically a Linux box, but it is not supported).

Additionally, for all the communication between internal VMs and the IRP VM, you need to ensure specific ports are open in your DMZ firewall, while for communication between the IRP VM (Public VIP interface) and the internet, you need to open specific ports on the Internet firewall. These are documented here:

http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html#reference_CB65D7FE4B3746DDAF1649884AD777CE


I hope this helps.

-Dejan
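
The asymmetric path described in this thread, worked through as an added example that is not part of the original posts or of Cisco's CWMS/IRP software. It models each node's route table as plain data, traces the Admin VM -> IRP VM request and the IRP VM -> Admin VM reply by longest-prefix match, and reports whether a stateful firewall sees the reply without having seen the request. The DMZ gateways 10.10.10.1 (intranet FW) and 10.10.10.254 (internet FW) come from the thread; the internal network 10.20.0.0/16, all host addresses, the upstream address and the DMZ router at 10.10.10.2 are assumptions. It also goes one step beyond the thread by tracing the two alternative designs (a static route on the IRP VM, which the answer above says is unsupported, and a single DMZ default gateway that knows both inside and outside) so the difference is visible.

```python
"""Route lookup and asymmetric-path check for a two-firewall DMZ.

Added example, not code from the original post or from Cisco CWMS/IRP.
"""
import ipaddress

FIREWALLS = {"intranet-fw", "internet-fw"}   # stateful nodes; routers are not

# Interface address -> node name (constructed; only .1 and .254 are from the thread).
ADDR_TO_NODE = {
    "10.20.0.5":    "admin",        # assumed Admin VM address
    "10.20.0.1":    "intranet-fw",  # assumed inside interface of the intranet FW
    "10.10.10.1":   "intranet-fw",
    "10.10.10.254": "internet-fw",
    "10.10.10.2":   "dmz-router",   # assumed L3 device for the fixed design
    "10.10.10.10":  "irp",          # assumed IRP VM private address
    "203.0.113.1":  "internet",     # assumed upstream of the internet FW
}


def lookup(routes, dst):
    """Longest-prefix match. routes = [(prefix, next_hop)], next_hop None = on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(tables, src_node, dst_ip, max_hops=8):
    """Return the list of nodes a packet from src_node to dst_ip passes through."""
    path = [src_node]
    node = src_node
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst_ip)
        node = ADDR_TO_NODE[str(dst_ip) if next_hop is None else next_hop]
        path.append(node)
        if next_hop is None or node not in tables:
            return path   # delivered on-link, or left the modeled network
    raise RuntimeError("routing loop: " + " -> ".join(path))


def dropped_at(forward, reply):
    """Return the stateful firewall that sees the reply but not the request, or None."""
    for node in reply:
        if node in FIREWALLS and node not in forward:
            return node
    return None


def tables_for(irp_routes):
    """Full topology; only the IRP VM's route table varies between designs."""
    return {
        "admin":       [("10.20.0.0/16", None), ("0.0.0.0/0", "10.20.0.1")],
        "intranet-fw": [("10.20.0.0/16", None), ("10.10.10.0/24", None),
                        ("0.0.0.0/0", "10.10.10.254")],
        "internet-fw": [("10.10.10.0/24", None), ("10.20.0.0/16", "10.10.10.1"),
                        ("0.0.0.0/0", "203.0.113.1")],
        "dmz-router":  [("10.10.10.0/24", None), ("10.20.0.0/16", "10.10.10.1"),
                        ("0.0.0.0/0", "10.10.10.254")],
        "irp":         irp_routes,
    }


DESIGNS = {
    # The thread's setup: default GW is the internet FW, no route for inside.
    "default-gw-internet-fw": [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.254")],
    # What the poster asked for: a static route on the IRP VM (unsupported per the answer).
    "static-route-on-irp":    [("10.10.10.0/24", None), ("10.20.0.0/16", "10.10.10.1"),
                               ("0.0.0.0/0", "10.10.10.254")],
    # The supported shape: one DMZ default GW that knows inside and outside.
    "default-gw-dmz-router":  [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.2")],
}


def check_design(name):
    """Trace request and reply for a design; return (forward, reply, dropping_firewall)."""
    tables = tables_for(DESIGNS[name])
    forward = trace(tables, "admin", "10.10.10.10")
    reply = trace(tables, "irp", "10.20.0.5")
    return forward, reply, dropped_at(forward, reply)


if __name__ == "__main__":
    for name in DESIGNS:
        fwd, rep, drop = check_design(name)
        print(f"{name}:\n  request {' -> '.join(fwd)}\n  reply   {' -> '.join(rep)}")
        print(f"  result  {'dropped at ' + drop if drop else 'symmetric, passes'}")
```

The first design reproduces the thread's failure: the request enters the DMZ through the intranet FW, but the reply follows the IRP VM's default route to the internet FW, which has no state for that flow and drops it. The other two designs put the reply on the same firewall the request used; the DMZ router in the third one is not stateful, so its presence on only one direction is harmless.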

Hi Dejan,

All ports are allowed correctly on both firewalls, but it didn't work.

So I think I should have an L3 device to route between the internet and intranet zones.

Many thanks!