Cannot connect to internet from DMZ

rweir0001
Level 1

We have set up a new DMZ at a COLO but are unable to reach the internet from the DMZ servers. The COLO manages its own firewall and has opened up all the necessary ports for us. Our DMZ is on the 192.168.15.0/24 subnet. We also have servers on the 10.128.1.0/24 subnet that can connect to the internet without issue. All traffic from both subnets passes through the same switch. From the switch I can ping all servers in both subnets, and all servers can ping the VLAN interfaces on the switch. The COLO can't figure out why the 192.168.15.0/24 servers cannot reach the internet; the traffic only makes it as far as the interface VLAN on the switch, which is 192.168.15.82.

 

This is our configuration on the switch:

 

Gateway of last resort is 10.128.1.254 to network 0.0.0.0

C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.10.0/24 is directly connected, Vlan192
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C       10.128.212.0/25 is directly connected, Vlan30
C       10.128.1.0/24 is directly connected, Vlan10
C       10.55.254.0/26 is directly connected, Vlan40
     192.168.1.0/28 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Vlan50
S*   0.0.0.0/0 [1/0] via 10.128.1.254

 

interface Vlan15
 ip address 192.168.15.82 255.255.255.0

 

I believe that the traffic from 192.168.15.0/24 is being lost as soon as it leaves the switch heading towards the next hop on the firewall which is 10.128.1.254, but can anyone notice if I'm missing something critical by looking at my switch configuration?

 

 

8 Replies

Jon Marshall
Hall of Fame

You haven't included your switch configuration, but the more important question is how the firewall is connected to your switch.

If this is meant to be a DMZ then it should have a separate interface on the firewall, and the default gateway for the servers should be the interface IP address on the firewall, i.e. you would not have an SVI on the switch for this vlan.

If you are trying to connect via another interface on the firewall, i.e. 10.128.1.254, then it isn't really a DMZ as such.

Can you confirm the connectivity between the devices?

Jon

 

Hi Jon,

This is our switch configuration as it applies to the IP routing table and the Interface VLAN. I realize that I did not paste my entire configuration:

Gateway of last resort is 10.128.1.254 to network 0.0.0.0

C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.10.0/24 is directly connected, Vlan192
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C       10.128.212.0/25 is directly connected, Vlan30
C       10.128.1.0/24 is directly connected, Vlan10
C       10.55.254.0/26 is directly connected, Vlan40
     192.168.1.0/28 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Vlan50
S*   0.0.0.0/0 [1/0] via 10.128.1.254

 

interface Vlan15
 ip address 192.168.15.82 255.255.255.0

 

We do have a DMZ interface on the firewall which is supposed to be 192.168.15.254, but our default gateway to the internet is 10.128.1.254. As far as I know I can't create a second default route, correct? We only have the one route to the internet. 

I did try to create a PBR routing policy that pointed to 192.168.15.254, but it still wouldn't work:

 

access-list 10 permit 192.168.15.0 0.0.0.255
!
route-map toTierpointFirewallVlan15Interface permit 10
 match ip address 10
 set ip next-hop 192.168.15.254
!
interface Vlan15
 ip address 192.168.15.82 255.255.255.0
 ip policy route-map toTierpointFirewallVlan15Interface


I believe that the COLO firewall should be able to send the traffic where it needs to be once we send it to our next hop, which is 10.128.1.254, correct? I realize that this isn't a true DMZ but the COLO isn't giving us many options. What would be your suggestion? They should have a second cable going from the switch to the firewall and connecting to the 192.168.15.254 interface, right? I have told them that but they are telling me that sending it to the default gateway of last resort should work.

Any suggestions would be appreciated.

Thanks,

Rick

Rick 

I'm a little confused, i.e. you say you do have a DMZ interface on the firewall, but then you say you haven't run a second cable from the firewall to the switch.

Unless the existing connection is a trunk link and the DMZ interface is a subinterface, then I don't understand the above.

If it is a separate interface on the firewall then you have to also run a cable to the switch. You would then have the new vlan in the vlan database but no SVI for it on the switch, i.e. the default gateway of clients would be the interface IP on the firewall.

If you can't run a second cable then there is no point in having a separate interface on the firewall.

If you can only use the existing connection then it may well not be working because the firewall needs a route back for the new subnet, i.e. they need to add a route for the new IP subnet pointing to the 10.128.1.x IP address at your end.

Just to make the point again though, this would not be a proper DMZ, because if you route the new subnet on your switch then that means your servers in the new vlan can route to other vlans on the switch without going via the firewall.

If I have misunderstood please clarify.

Jon

I'm trying to communicate with the COLO remotely, but they are telling me that there is a second cable going from the switch to the firewall and connecting to the DMZ interface of 192.168.15.254. If our default gateway from the switch to the firewall is 10.128.1.254, how do I configure the 192.168.15.0/24 traffic to go to the 192.168.15.254 interface on the firewall? 

You need to remove the SVI on the switch for the vlan, i.e. "no interface vlan 15", and set the default gateway of the servers to be the 192.168.15.254 IP address.

And make sure the port on the switch that is connected to the firewall for this connection (i.e. the second cable) is in vlan 15.

Basically you don't route the new vlan on your switch, so it doesn't matter what the default route is on your switch.

Jon

Thanks for your help, Jon. It turns out that the COLO was having some cabling and policy issues on their side. It is resolved now.

 

However, I did take your advice to configure the setup as a true DMZ by removing the "interface Vlan15" command from the switch, assigning the two ports that are connected to the 192.168.15.254 interface on the firewall to VLAN 15, and changing the default gateway on the servers to 192.168.15.254.

The DMZ is now able to ping the firewall at 192.168.15.254, and route to the internet.

The switch is no longer able to ping the servers in the DMZ or the 192.168.15.254 interface on the firewall. I'm assuming that this is the way it is supposed to be, right, because the DMZ VLAN is now isolated on the switch? I mean the DMZ is passing traffic through the switch to the firewall without issue, so I know it is working.

The switch is no longer able to ping the servers in the DMZ or the 192.168.15.254 interface on the firewall. I'm assuming that this is the way it is supposed to be, right,

Yes, the switch itself or any other devices in other vlans should not be able to ping the servers in the DMZ.

If you did need communication between an internal vlan or vlans and the DMZ vlan you would need to allow it via the firewall which is the way it should be for a DMZ setup.

Glad to hear you got it working.

Jon
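The fix Jon describes and Rick applied (no SVI for the DMZ VLAN on the switch, the server ports and the firewall-facing ports as access ports in VLAN 15, servers pointed at the firewall's 192.168.15.254 interface) can be checked mechanically from a running-config. The script below is an added example, not code from this thread or from Cisco: it parses the interface stanzas of "show running-config", reports whether the DMZ VLAN is routed on the switch, lists the other SVI subnets the DMZ could reach without the firewall seeing the traffic, and lists the access ports carrying the DMZ VLAN. The two sample configs are constructed; only "interface Vlan15" with 192.168.15.82/24 and the 10.128.1.254 and 192.168.15.254 firewall addresses come from the thread, while the port names (GigabitEthernet1/0/1 to 1/0/3), the Vlan10 SVI address 10.128.1.1 and the descriptions are assumptions for illustration.

```python
"""Audit a Cisco IOS running-config for a DMZ VLAN that is routed on the switch.

Added example (not from the thread or from Cisco). An SVI for the DMZ VLAN
lets the L3 switch forward between the DMZ and every other connected VLAN
without the firewall ever seeing that traffic, so the DMZ VLAN must be
layer-2 only on the switch.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^interface (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ACCESS_RE = re.compile(r"^\s+switchport access vlan (\d+)")

# Constructed sample configs. Port names, the Vlan10 SVI address 10.128.1.1
# and the descriptions are assumptions; Vlan15/192.168.15.82 is from the thread.
BEFORE = """\
interface Vlan10
 ip address 10.128.1.1 255.255.255.0
!
interface Vlan15
 ip address 192.168.15.82 255.255.255.0
!
interface GigabitEthernet1/0/1
 description to COLO firewall inside interface 10.128.1.254
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 description DMZ server
 switchport access vlan 15
 switchport mode access
!
ip route 0.0.0.0 0.0.0.0 10.128.1.254
"""

AFTER = """\
vlan 15
 name DMZ
!
interface Vlan10
 ip address 10.128.1.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description to COLO firewall inside interface 10.128.1.254
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 description DMZ server, default gateway 192.168.15.254
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet1/0/3
 description to COLO firewall DMZ interface 192.168.15.254
 switchport access vlan 15
 switchport mode access
!
ip route 0.0.0.0 0.0.0.0 10.128.1.254
"""


def parse_interfaces(config):
    """Map each interface to its IPv4 network (if it has an address) and access VLAN."""
    ifaces = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"network": None, "access_vlan": None}
            continue
        if current is None:  # global config before the first interface stanza
            continue
        m = IPADDR_RE.match(line)
        if m:
            ifaces[current]["network"] = ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}").network
            continue
        m = ACCESS_RE.match(line)
        if m:
            ifaces[current]["access_vlan"] = int(m.group(1))
    return ifaces


def audit_dmz(config, dmz_vlan):
    """Return findings for dmz_vlan; 'ok' means the switch is layer-2 only for it."""
    ifaces = parse_interfaces(config)
    svi_name = f"Vlan{dmz_vlan}"
    svi = ifaces.get(svi_name)
    routed = svi is not None and svi["network"] is not None
    # With an SVI present, every other SVI subnet is one hop away on the
    # switch, so DMZ-to-internal traffic never traverses the firewall.
    bypass = sorted(
        str(d["network"]) for name, d in ifaces.items()
        if routed and name.startswith("Vlan") and name != svi_name
        and d["network"] is not None
    )
    access_ports = sorted(n for n, d in ifaces.items() if d["access_vlan"] == dmz_vlan)
    return {
        "routed_on_switch": routed,
        "firewall_bypass_to": bypass,
        "access_ports": access_ports,
        "ok": not routed and bool(access_ports),
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_dmz(cfg, 15))
```

On the "before" config the audit flags Vlan15 as routed on the switch with 10.128.1.0/24 reachable without the firewall; on the "after" config the DMZ VLAN has no SVI and is carried only on access ports, which is what makes the switch unable to ping the DMZ, as Jon says it should be.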

Thanks, Jon!
