
External IP on DMZ? TDC Denmark. Picture included.

Hi, I have several UTM 9 at different customers. I am not a network specialist though.

I now have a customer in Denmark that needs a different configuration.

This is the paper TDC in Denmark has sent. I have changed the IP addresses a little though. The thing is that I do not have the router/switch from TDC. Instead there is a UTM9 there with the WAN IP 7.7.7.94 and default gateway 7.7.7.93.

I now have a second firewall that is preconfigured, and I cannot make any changes to it. It has the address 8.8.8.19 and the default gateway 8.8.8.18. This is the correct default GW according to TDC.

TDC in Denmark says that it is pretty easy to configure most gateways so that I could use the new firewall with address 8.8.8.19 on one of the Ethernet ports. They said that I could create a DMZ for this.

Is this the right way? Or how would you have configured it? If possible I would like step-by-step instructions, since I do not really know how to proceed. :)

Best Regards

Andreas

  • Hi again,

    Now I have tried a little.

    One thing that may be important is that I have been using the UTM9 with the address 7.7.7.94 on the WAN interface with GW 7.7.7.93 with Masquerading to an Internal Network, and that works. But now that I am starting to use these new addresses I have disabled Masquerading, as I guess that it is not possible to use all three IP addresses 7.7.7.94, 9.9.9.7 and 8.8.8.19 for reaching the Internet at the same time(?)

    I have now tested the following settings (among others):

    Interface - Configured eth2 with the static address 8.8.8.18/30, no Default Gateway
    Static Routing - Interface Route, Network: External WAN, Interface: eth2
    Static Routing - Interface Route, Network: eth2, Interface: External WAN
    Firewall rule: Eth2 - Any - External WAN, Allow
    Firewall rule: External WAN - Any - Eth2, Allow

    I set up a test PC with the address 8.8.8.19 and Default Gateway 8.8.8.18, DNS: 8.8.8.8

    I am now able to ping IP addresses on the Internet from this PC. I am also able to run a tracert to any external IP.
    But DNS does not work at all.
    I am also NOT able to ping 8.8.8.18, even though I see it when doing a tracert.
    I am NOT able to ping 7.7.7.94 but I am able to ping 7.7.7.93

    Am I doing something wrong, or maybe it is TDC that needs to do something different in their configuration?

    Best Regards

    Andreas

  • After a lot of reading I realize that what TDC is delivering is something called a "Transfer Network"(?)

    And according to this thread:

    https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/41614/multiple-wan-ips-for-hosts

    As BAlfson explains it:

    "...The DMZ interface will use one of the public IPs for "DMZ (Address)" and your servers will use that IP as their default gateway.  Your ISP will simply route the DMZ subnet via the IP of "External (Address)."  Add firewall rules and you're done!..."

    So now I have removed the static routing, and only thing I have configured is:

    Interface - Configured eth2 with the static address 8.8.8.18/30, no Default Gateway
    Firewall rule: Eth2(network) - Any - External WAN(network), Allow
    Firewall rule: External WAN(network) - Any - Eth2(network), Allow

    But I still have the same problem as above. No domain names work, but plain IP addresses do. And I have tested both Google's DNSes and TDC's.

    Probably I have still misunderstood something. Does anyone have any idea what could be wrong?

  • Hi and welcome to the UTM Community!

    If DNS best practice doesn't solve your problem, start with #1 in Rulz.  Any luck with either of those?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you Bob for this and for a lot of other good information on this forum! You have saved me several times.

    I realized that the problem was pretty simple actually. The only thing that I did wrong in the last post seems to be the rules. I changed them to

    Firewall rule: Eth2 - Any - Internal Network, Block
    Firewall rule: Eth2 - Any - Any, Allow
    Firewall rule: Any - Any - Eth2, Allow

    Why I realized this was that I disabled the rules, but was still able to ping. Before I thought that because I was able to ping, the rules worked. But it seems that ping and tracert actually work without any rules at all(?) I thought that without rules all the communication between the interfaces would be blocked.

    I do not know if this is the best way of doing it, but it seems to work.

  • Two tricks.  Tracert and Ping are regulated on the 'ICMP' tab of 'Firewall'.  The "All" service only includes TCP and UDP - none of the other IP protocols.

    If your second firewall rule were to "Internet v4" instead of "Any," your first rule would be unnecessary.

    Cheers - Bob

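To make the difference between the three rule sets in this thread concrete, here is an added example (not from the thread, Sophos, or MediaSoft) that models UTM's top-down first-match rule evaluation and the ICMP-tab behaviour Bob describes, applied to the rules from Andreas's second and third posts and to Bob's "Internet v4" variant. The Internal Network range, the treatment of "Internet v4" as "any IPv4 address not on a local interface network", and the rule-matching model itself are assumptions made for the illustration.

```python
import ipaddress

# Constructed network definitions built from the thread's (altered) addresses.
# "Internal Network" is an assumed RFC 1918 range; the thread never names it.
NETS = {
    "Eth2 (network)": ipaddress.ip_network("8.8.8.18/30", strict=False),
    "External WAN (network)": ipaddress.ip_network("7.7.7.94/30", strict=False),
    "Internal Network": ipaddress.ip_network("192.168.1.0/24"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}
LOCAL_NETS = [n for k, n in NETS.items() if k != "Any"]

def matches(name, ip):
    """Match an address against a UTM-style network definition by name."""
    if name == "Internet v4":
        # Assumption/simplification: 'Internet v4' = any IPv4 not on a local interface net.
        return not any(ip in n for n in LOCAL_NETS)
    return ip in NETS[name]

def evaluate(rules, src, dst, proto, icmp_forwarding=True):
    """First matching rule wins (top-down, as in the UTM rule table).
    ICMP is not covered by the 'Any'/'All' service; the ICMP tab decides it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "icmp":
        return "Allow (ICMP tab)" if icmp_forwarding else "Drop (ICMP tab)"
    for rule_src, rule_dst, action in rules:  # service column is 'Any' (TCP/UDP) in every rule
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "Drop (default)"  # nothing matched: the implicit final drop applies

# Rule sets as posted in the thread (source, destination, action).
POST2_RULES = [("Eth2 (network)", "External WAN (network)", "Allow"),
               ("External WAN (network)", "Eth2 (network)", "Allow")]
POST3_RULES = [("Eth2 (network)", "Internal Network", "Block"),
               ("Eth2 (network)", "Any", "Allow"),
               ("Any", "Eth2 (network)", "Allow")]
# Bob's variant: 'Internet v4' as destination makes the explicit Block rule unnecessary.
BOB_RULES = [("Eth2 (network)", "Internet v4", "Allow"),
             ("Any", "Eth2 (network)", "Allow")]

if __name__ == "__main__":
    for label, rules in (("post 2", POST2_RULES), ("post 3", POST3_RULES), ("Bob", BOB_RULES)):
        print(label, "DNS  8.8.8.19 -> 8.8.8.8     :", evaluate(rules, "8.8.8.19", "8.8.8.8", "udp"))
        print(label, "ping 8.8.8.19 -> 8.8.8.8     :", evaluate(rules, "8.8.8.19", "8.8.8.8", "icmp"))
        print(label, "TCP  8.8.8.19 -> 192.168.1.5 :", evaluate(rules, "8.8.8.19", "192.168.1.5", "tcp"))
```

Running it shows why the second post's rules let ping and tracert through (ICMP tab) while DNS to 8.8.8.8 hit the default drop: 8.8.8.8 is not inside the External WAN /30, so no rule matched.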