04-16-2001 08:49 AM - edited 03-08-2019 08:09 PM
Hi,
As a consultant, I have to provide a solution to one of my customers to interconnect DMZs located in different sites.
The context: My customer presently has 3 sites, and in the near future 4, with Internet access protected by a Cisco PIX in each case. In the DMZ of each site there are some servers, some with a High Availability configuration for production activities 24/7. Firewalls provide NAT.
The need: My customer doesn't want to move all servers to a centralized site or have them hosted by someone else. He "just" wants to provide an alternate path to those servers from the Internet if the directly connected firewall or associated Internet access fails. To do so, he wants to use one or many of the other Internet accesses instead of duplicating each Internet access and associated equipment.
The solution:
a) Layer 1&2: Link the DMZs together. Have a direct connection between sites, from the DMZ of each site to a centralized router. The customer will use a LAN extension service to do that. Only an installation cost to add a VC needs to be considered, because he already has high speed access (100 Mbps LAN extension) between those sites for the corporate network.
b) Layer 3: NT servers generally use a "default gateway" to reach their next hop, the IP address of the DMZ interface on the PIX. Now this must be abandoned and replaced by dynamic routing, in this case probably RIP because it's the default for NT servers. Now an NT server may have 2 different paths to send out packets: through the firewall, and through the centralized router connecting each DMZ.
c) The route advertisements come from the router in front of each firewall, the ones directly connected to the Internet, through the firewall up to the DMZ. I know it's possible to advertise from the external to the internal network and vice versa, but I'm not sure if it's possible from external to DMZ.
d) Servers will use dynamic DNS to update the reference to the IP address they use, as seen from the Internet. A service like DNS-WIZ.
e) Each firewall must have a public IP address corresponding to the NT servers, independently of where the servers are, in the directly connected DMZ or in a remote DMZ.
The questions:
Is it possible to advertise routes between the external router, connected directly to the Internet, and the DMZ? Will the firewall forward the advertisement (broadcast or multicast packets) between external and DMZ?
Must the DMZ be directly connected to the firewall and have only one subnet? Remember, in our case, the firewall sees 4 subnets on the DMZ side.
Do you see any problems not identified here?
I know it's tricky... we are open to any suggestions.
04-19-2001 01:00 PM
The PIX will not actively participate in routing, nor will it pass broadcast packets or routing protocols. The PIX will learn routing information passively through RIP, but that won't accomplish what you are looking to do. I think you'll have to set up a GRE or even IPSEC tunnel through the PIX to the DMZ routers to pass these routing protocols. I've never tried it but I understand it's doable. Anybody ever done this before?
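To make the GRE suggestion in the reply above concrete, here is an added configuration sketch for one site; it is not from this thread and not from Cisco documentation. It shows the three pieces involved: the Internet-facing router (R-EXT) and the central DMZ router (R-DMZ) building a GRE tunnel through the PIX, RIPv2 with MD5 authentication running only inside that tunnel, and the PIX permitting nothing more than GRE (IP protocol 47) between the two tunnel endpoints. All addresses (203.0.113.x, 10.10.10.x, 172.16.255.x), the PIX interface name `dmz`, the access-list name `outside_in`, the router names and the key-chain name are assumptions, and the key string is a placeholder.

```cisco
! ---- R-EXT: Internet-facing router, on the outside of the PIX ----
! The tunnel destination is the PIX static translation of R-DMZ.
key chain RIP-KEYS
 key 1
  key-string <shared-secret-placeholder>
!
interface Tunnel0
 description GRE to central DMZ router, through the PIX
 ip address 172.16.255.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.20
!
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface Tunnel0
 network 172.16.0.0
!
! ---- PIX: permit only GRE between the two tunnel endpoints ----
! Assumes the DMZ interface is named "dmz" and 10.10.10.0/24 is the
! PIX-facing DMZ subnet, with 10.10.10.1 on the PIX itself.
static (dmz,outside) 203.0.113.20 10.10.10.2 netmask 255.255.255.255
access-list outside_in permit gre host 203.0.113.1 host 203.0.113.20
access-group outside_in in interface outside
!
! ---- R-DMZ: central DMZ router, on the dmz side of the PIX ----
key chain RIP-KEYS
 key 1
  key-string <shared-secret-placeholder>
!
interface Tunnel0
 description GRE to R-EXT, through the PIX
 ip address 172.16.255.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
 tunnel source 10.10.10.2
 tunnel destination 203.0.113.1
!
! Host route so the tunnel destination is always reached via the PIX,
! never via the tunnel itself (avoids recursive routing once RIP
! delivers a default route over the tunnel).
ip route 203.0.113.1 255.255.255.255 10.10.10.1
!
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface Tunnel0
 network 172.16.0.0
 network 10.0.0.0
```

Two points worth keeping in mind with this layout. First, GRE carries no ports and no encryption: the MD5 key chain authenticates the RIP updates, but anything else sent into the tunnel is readable on the wire, which is why the reply mentions IPsec as the alternative. Second, a tunnel through the PIX is a hole in the PIX: the firewall only sees the GRE envelope, so the access-list is deliberately scoped to the two endpoint hosts, and any route learned over the tunnel has the tunnel as its next hop. Data that follows such a route bypasses the PIX's NAT and inspection, so the routes accepted over the tunnel should be filtered (for example with a `distribute-list` under `router rip`) to the reachability information the design actually needs, with server traffic still leaving through the PIX's DMZ interface.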
04-20-2001 07:06 AM
I know it's easy to pass routing protocols through the PIX between the external and internal sides. But I'm not sure if it's possible to do the same thing between external and DMZ. I think also the GRE or IPSEC solution is a good one, perhaps the only one.