DMZ-SONICWALL

By aben16
Hi everybody and happy new year,
I have a question about DMZ in NAT mode. SONICWALL (PRO-VX 6.3.1.4).
We would like to put the web server and the FTP server in the DMZ for security reasons using NAT mode.
The questions are: How to do that?
Is it possible to redirect public addresses to the DMZ? Maybe with routes or one-to-one NAT?
If so, how to configure it?
The reason for my question is that we would like to be able to have access to the LAN from the DMZ to get to the database servers. For example, in the DMZ, we would have an IIS server in which there would be an ASP page that acts as a middle tier between the client and the database.
This page would be configured to join an address in the LAN with a specific port such as 5000.
If we don't use NAT mode in the DMZ, would it be possible to simply create a rule DMZ-LAN between the IIS public address and the LAN address of the database?
Thanks a lot

All Comments

DMZ-SONICWALL

by sgt_shultz In reply to DMZ-SONICWALL

Well, nobody is answering this so I'll take a swing at it. I have not set up a DMZ myself. I think if I were you I'd get a book. In the meantime, here are my thoughts. I am sure they are not worth your points, so don't worry. This is mostly stuff I picked up browsing through www.cert.org....
As you probably know, DMZs take (at least) two routers, a public one and a private one. Between the two, you place the resources that you want available to the public. This buffers your internal network from the public. It goes like this: router (with public IP address, your web site's address?), then database server, then router with private (LAN) IP address. On the public router, you set it up so that web page incoming and outgoing traffic (always port 80) gets sent to your database server. So let's say your web site is at 65.128.32.4 and your database server in the DMZ is at 192.168.1.11. You configure the 'public' router with an IP address of 65.128.32.4 and its NAT to send everything coming in and going out on port 80 to 192.168.1.11, see? On the private router side, you'd configure the router with an appropriate IP address for your LAN, like 192.168.1.1, and fix its NAT so any traffic on port 5000 gets routed to 192.168.1.11 (the database server).
Important point: all other ports should be 'closed'. The only traffic allowed is the specific ports you need, 80 on the public side and 5000 on the private side, if I understand you correctly... hope this helps

DMZ-SONICWALL

by aben16 In reply to DMZ-SONICWALL

Thanks for the try but it didn't help me much.

DMZ-SONICWALL

by aben16 In reply to DMZ-SONICWALL

It looks like nobody understood my question, or may I say my questions, because there is more than one.
I'm going to try to be clearer and will ask one question at a time.
Like I said before, I have a SonicWall Pro-VX and I would like to put the web server and the FTP server in the DMZ (two servers running Win2k). I have done this for one server and it works:
"DMZ in NAT Mode" is enabled, with the following settings:
DMZ Private Address: 192.168.22.1
DMZ Subnet Mask: 255.255.255.0
DMZ NAT Many to One Public Address (Optional): 209.9.9.140

You have a web server with these settings: IP address 192.168.22.2 / 255.255.255.0; default gateway = 192.168.22.1. Go to the Access - Rules screen and write this rule:

Allow web (HTTP)
source: WAN *
destination: DMZ 192.168.22.2

What do I have to add for the other server ( FTP )?

DMZ-SONICWALL

by aben16 In reply to DMZ-SONICWALL

I found the answer to the first question.
With one-to-one NAT and by adding a rule
allow source WAN *

DMZ-SONICWALL

by aben16 In reply to DMZ-SONICWALL

I did not finish the first answer concerning the rule. It's
allow web (http) Source WAN *
Destination DMZ 192.168.22.3

The second question, and the most important one, is: How can I authenticate users in the LAN from DMZ servers? For example, I would like to restrict some users from using the FTP server. How can I do that?
By adding this rule
allow default source DMZ *
destination LAN *
I was able to do that, but it's not a safe thing to do because I open all the ports from the public network to the private one.
Maybe there is a configuration to do in the server and the domain controller and not in the firewall. If so, how?
Thanks a lot

DMZ-SONICWALL

by aben16 In reply to DMZ-SONICWALL

It seems like I have to open some ports from the DMZ to the LAN.
The ports are: 445/tcp and udp, 88/tcp and udp, 389/udp and 53/tcp and udp.
I've tried that, even though I was not convinced because I don't want to open any ports if that is risky enough, and yet it didn't work.
I still cannot manage users in the LAN from the DMZ server.
Any help would be very much appreciated.
Thank you
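As an added example, not code from the thread or from SonicWall: a small Python model of the access rules discussed in the two posts above (the WAN to DMZ rules for the web and FTP servers, and the DMZ to LAN port list for domain authentication). It checks whether a given connection would be permitted under first-match, default-deny evaluation and flags rules like "allow DMZ * -> LAN *" that open every host and every port between two zones. The domain controller address 192.168.1.10 is an assumption, since the thread never gives one.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"  # SonicWall-style wildcard for "any address"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str              # ANY, a single host address or a CIDR
    dst_zone: str
    dst: str
    services: frozenset   # {(proto, port), ...}; empty means any service
    action: str = "allow"

# A connection to test: which zone/host it comes from, where it goes, and the service.
Flow = namedtuple("Flow", "src_zone src_ip dst_zone dst_ip proto port")

def _addr_match(pattern, ip):
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)

def matches(rule, flow):
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and _addr_match(rule.src, flow.src_ip) and _addr_match(rule.dst, flow.dst_ip)
            and (not rule.services or (flow.proto, flow.port) in rule.services))

def permitted(rules, flow):
    """Top-down, first match wins, implicit deny: does this rule set allow the flow?"""
    for rule in rules:
        if matches(rule, flow):
            return rule.action == "allow"
    return False

def overly_broad(rules):
    """Allow rules that open every host and every service between two zones."""
    return [r for r in rules
            if r.action == "allow" and r.src == ANY and r.dst == ANY and not r.services]

# Constructed rule sets. The WAN->DMZ rules and the DMZ->LAN port list come from
# the thread; the domain controller address 192.168.1.10 is a placeholder.
AD_SERVICES = frozenset({("tcp", 445), ("udp", 445), ("tcp", 88), ("udp", 88),
                         ("udp", 389), ("tcp", 53), ("udp", 53)})
NARROW = [
    Rule("WAN", ANY, "DMZ", "192.168.22.2", frozenset({("tcp", 80)})),   # web server
    Rule("WAN", ANY, "DMZ", "192.168.22.3", frozenset({("tcp", 21)})),   # FTP server
    Rule("DMZ", "192.168.22.0/24", "LAN", "192.168.1.10", AD_SERVICES),  # DMZ -> DC only
]
BROAD = [Rule("DMZ", ANY, "LAN", ANY, frozenset())]  # "allow default DMZ * -> LAN *"
```

Running `overly_broad(BROAD)` returns the catch-all rule while `overly_broad(NARROW)` returns nothing, and `permitted(NARROW, ...)` rejects anything from the DMZ to the LAN that is not one of the listed services to the domain controller.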

DMZ-SONICWALL

by isys In reply to DMZ-SONICWALL

If you set up the DMZ with the many-to-one option you will have to redirect ports 21 and 80 to the FTP and web servers, which will make them inaccessible to people inside. One of the reasons I bought a Pro-VX is because of the VPN option. It might be easier to do that than what you are trying to do.
