Cisco Firewall :: 6509 / Setup Multiple DMZs For Hosting Servers?

Aug 19, 2011

I would like to set up multiple DMZs for our hosting servers. Currently there is a single DMZ in which our reverse proxy servers are connected using a public IP address. The idea is to have the reverse proxy forward the request from the Internet to the hosting servers in another DMZ. The purpose of the hosting DMZ is to protect it from the outside as well as from the inside. There will also be a development DMZ where we can test content prior to going live with the website.

Network: We currently have two Cisco 6509s (Core) with an FWSM in each running an active/standby configuration. There is a 10Gb fiber connection between each Cisco switch to two Cisco 4948s (Top of Rack Switches). I can either set up OSPF or trunking between the core and top of rack switches. The Cisco 4948s will support VLAN 7 (hosting DMZ 10.0.7.0/24) and VLAN 8 (development DMZ 10.0.8.0/24). Each webserver is connected to both Cisco 4948s for redundancy.

Question: If I have a single interface connecting both VLANs 7 and 8, either through Layer 2 or 3, then how can I pass both DMZs' traffic to the appropriate servers? The reason why the servers are in the same rack connected to the same two switches is that we are using blade servers and VMware.


Cisco Firewall :: Multiple DMZs On ASA5520

May 14, 2013

Can we have multiple DMZs on an ASA 5520 or any other Cisco firewall? If so, how can we configure them, what would the security levels be for those, and how do we decide which one has the highest and lowest? Another question: what is the purpose of security levels? I mean security-level 100 for LAN and 0 for WAN, and others between 100 and 0. What is the importance of the numbers from 0 to 100, and what do these numbers tell the firewall? I want to try IDS in GNS3 but I don't have the IOS image; where can I get it?


Cisco Firewall :: ASA 5585 - Advantage / Disadvantage For Using Multiple DMZs

Oct 16, 2011

We are planning to use multiple DMZs in our organization; we are using a Cisco ASA 5585. What are the advantages and disadvantages of using multiple DMZs? And which is better: to use one or two DMZs, or to split every service into a different DMZ?


Internet Speed For Hosting Servers?

Aug 23, 2011

So 3 days from now I'm getting Comcast cable... 12 mbps download and 3 mbps upload (something like that). I want to know if I can host servers in online games such as Modern Warfare 2 and Black Ops... pretty much any popular first-person shooter. I noticed that in every game I play I am not host and I am lagging. My current connection is 2.5 MBPS download and 0.4 MBPS upload.


Windows 7 - Hosting Multiple Domains?

Feb 21, 2011

Is it possible for Windows 7 to host multiple domains? I have seen that it is available for plenty of other OSs and I am sure that it is. I just wanted to make sure.


Home Network :: Hosting Multiple Websites On Server?

Jan 8, 2012

I had set up 2 servers at home. I'm now in need of hosting 4 websites. I have 4 static public IPs. I'm currently using a router with DD-WRT firmware installed. I have it set up as static NAT: X.X.X.27 to 192.168.0.100, X.X.X.28 to 192.168.0.101. This is my current setup for the existing 2 webservers, which host a website each. I notice Apache allows for multiple websites per server. One of the servers is a Dell 2500 with 2 NICs and will not be a problem assigning two IPs. The second server only has 1 NIC. Should I buy another NIC for the second server or could I get by using a virtual NIC? The load on the servers isn't heavy. Only about 20 clients connect to them daily.


Cisco Firewall :: Cannot Connect Between Two DMZs On ASA 5505

Feb 29, 2012

I'm trying to connect to something through an ASA. My traffic is coming in on a DMZ interface (security level 0) and going to something on a DMZ3 interface (security level 50).

From the GUI I configured NAT exemption from the source network (on DMZ) to the destination network (on DMZ3), therefore following the guidelines that the translation is set up from most secure to the least secure interface.

I have no network connectivity to the host I need to get to. From the GUI I removed the NAT exemption rule and configured a static NAT translation instead, translating the source (on DMZ) to itself (on DMZ3) - still no joy. The ACLs in place are fine; if I use the packet tracer tool, it fails at the NAT stage: [code]

I can't see what's wrong here. I've configured static NAT or NAT exemption between inside and outside or inside and DMZ many times over the last 10 years but can't work this out. The only thing I can think of is that there might be a bug that affects DMZ to DMZ NATing, as everything between inside to DMZ and DMZ to outside works fine.


Cisco Firewall :: 2121 / How To Nat Multiple FTP Local Servers From One Single IP

Apr 24, 2013

I have an FTP server on my local network and I have NATed the private IP with my public IP using the default FTP port (21). Now I have created a different FTP account on my server using port 2121, and I am able to log in using the private IP with port 2121. Now I want to NAT with my public IP with port 2121, and I failed:

1) 125.x.x.x --------- 10.10.1.x : 21 ( Able to access from external network)
 
2) 125.x.x.x ---------- 10.10.1.x : 2121 ( not able to login from external network and able to login internally )


Cisco Firewall :: 6509 / Configure VPN In FWSM (4.0.4) Multiple Context?

Jan 8, 2012

I have a 6509 + FWSM (4.0.4). Now I want to use site-to-site and EZ VPN in the FWSM (multiple context). Does multiple context mode in the FWSM support IPsec VPN?


Cisco Firewall :: 6509 - Is It Better To Setup Firewall As Transparent Or Routed

May 9, 2011

I am familiar with the PIX and ASAs. We have two Cisco 6509s with an FWSM installed in both. Our network is shown in the diagram. We use Blue Coat Packetshapers and Barracuda Proxy appliances. I plan on setting up HSRP on both 6509s for traffic coming from our ISP Cisco 2811s, as well as using HSRP for our DMZ and internal network. I would like to set up the firewalls for stateful failover. We will be using PAT for our internal users and one-to-one static NAT for our DMZ.

Is it better to set up the firewalls as transparent or routed?
 
Since the firewall is built into the switch, how do I insert the Barracuda proxies?  I can configure them as transparent or routed proxies.


Servers :: Does Internet Speed Affect Hosting Speed

Apr 2, 2011

Do the users' download speeds depend on the hosting company owner's internet speed? Let's say I was running my own server with my internet speed 1mb and LAN 100mbps; are my clients' download speeds restricted to a maximum of 1mb for any content from my server?


Cisco Switching/Routing :: 6509 - Configure Multiple Dhcp Pools On Switch For Multiple VLANs

Mar 9, 2010

Is it possible to have multiple DHCP pools for multiple VLANs? The switch is a 6509 and/or 4506 Catalyst. I don't want to use server-based products.


Cisco Firewall :: Mask DMZ Servers From Private Servers And LAN ASA 5520

Jun 11, 2013

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
 
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
 
Both Private Servers and DMZ Servers are in a colocation, as well as the ASA5520. There are multiple branch offices that use subnets within the 172.17.0.0/16 network and they are connected to the ASA5520 via Metro-E.
 
I do not know if this is possible but what I want to do is this:
 
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
 
The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server, it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), and the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.

Also, if the Private Servers want to reach the same FTP server, the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.


Cisco Switching/Routing :: 6509 / Multicast Heartbeat On Servers

Feb 25, 2013

The two servers (Red Hat) use multicast for their heartbeat. Unrouted VLAN 99 (only layer 2) is configured on the VTP servers (6509). I have read this document [URL]
 
Switches 1 and 2 have IOS: c2960s-universalk9-mz.122-55.SE3.bin
and the 6509: s72033-advipservicesk9_wan-mz.122-18.SXF17a.bin
 
IGMP snooping is enabled on the 2960 switches. In order for the heartbeat of the servers to work, I have tried these solutions:

- Disable IGMP snooping for VLAN 99 on switch-1 & switch-2. (No additional action was taken on the 6509.) This didn't work. I expected that the multicast traffic would be sent as broadcast throughout the network, but for some reason it didn't work.

- On switch-1 & switch-2, configured "ip igmp snooping vlan 99 querier" (no additional actions on 6509). Didn't work either.

- On switch-1 & switch-2, configured "ip igmp snooping vlan 99 mrouter interface gigabitEthernet 1/0/25" & "ip igmp snooping vlan 99 mrouter interface gigabitEthernet 1/0/26" for the two connections to the 6509. Again no actions taken on 6509. Didn't work.

I want static MAC entries on the switches to be my last resort, since the number of Red Hat servers on the network is going to increase and I want to give a more generic solution to the issue.


Cisco :: 871 - Configuring Static Nat For Multiple Web Servers

Mar 13, 2012

I am trying to configure a Cisco 871 router. There are 3 servers on my network that need static public IPs but also still need to communicate on the local network. I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP, which is working fine. Next I set up static NAT rules for the servers, translating 3 of the remaining public IPs to the internal addresses of the servers. I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP. I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]


Cisco Switching/Routing :: 6509 - Block All FTP Traffic On Port 21 From Servers In Network

Oct 3, 2012

I am attempting to block all FTP traffic on port 21 from the servers in my network, and only allow FTP from one server to go out.
 
I have created the following ACL
  
access-list 101 Permit ip any any
access-list 101 Permit 21 1.1.1.1 0.0.0.0 any
access-list 101 Deny 21 any any
 
and have applied it to my truck VPN that goes up to my firewall
 
int Vlanxxx
ip access-group 101 out
 
But when I test, FTP is still allowed by all servers.


Cisco 6509 Use Multiple 48 Port Switches?

Jul 19, 2011

Our 6509 has seen better days and we know it's past time to replace it... Question is - go with similar or just use multiple 48 port switches? Then we have old Cisco 2800s in our 9 IDFs that would need updated as well.

We have a mixed environment with about 300 active clients along with about 15 servers and an EMC AX4 over 4GB fibre brocades for backup.


Cisco :: 3550 Implementing Multiple DHCP Servers

May 2, 2011

I have the following scenario that I'm requesting you guys verify if it will work. I have a 3550 Catalyst switch running EMI and an autonomous 1131AG Aironet AP. I have two DHCP pools already set up on the switch, one for the LAN and the other for the wireless clients. There are two VLANs on both the switch and AP for LAN and wireless clients. I have already set up multiple SSIDs to be broadcast from the AP. Is there a way I can bind one SSID to the LAN DHCP pool and the other to the wireless clients' DHCP pool?


Cisco WAN :: 887VA NAT Port Range And Multiple Servers

May 22, 2013

I am struggling to get our 887VA setup for our config.
 
We have a public IP range from our ISP and we have multiple servers behind our router. One of the servers needs large ranges of ports open, so I have ended up trying to use a ‘rotary’ NAT pool, which works fine, but I cannot get the other servers to NAT correctly on their ports. It seems the rotary takes over.
 
Here is a snip of my config.
 
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description Private LAN
 no ip

[Code].....


Cisco :: 6509 - LMS 3.2 CM Device Discovery Multiple Interfaces

Apr 2, 2012

We use LMS 3.2 in our network. We have a couple of 6509-V-E switches with multiple interfaces (VLAN interfaces and Layer 3 interfaces). The problem is, Campus Manager discovers the switch by an interface randomly... one time it's a Layer 3 interface and another time it's a VLAN interface, none of which are in DNS, hence no name resolution can be made.

Is there a way to "tell" CM to use, for instance, the VLAN management IP of the switch?


Cisco :: 6509 / Multiple Sites Using Same SSID But Different WLANS?

Sep 25, 2012

When I try to enable a WLAN that is using the same SSID as another WLAN, I get this message:
 
The following errors occurred while updating the WLAN:

WLAN with duplicate SSID and L2 security policy found.
  
Each location has its own interface because each site is set up on our 6509 with a different VLAN. What is the best way to work around this?


Servers :: Changing Network Information Of Multiple Machines?

Sep 25, 2012

I have a list of servers that will be migrated from one subnet to another. Is there a script that can take my file that has the server name and the new IP address and modify the existing servers' network from the list? I want to place the script on the servers before I am ready to change subnets for preparation.


Servers :: Mail Server Showing Multiple IP's When Pinged?

Mar 14, 2012

When I'm pinging my mail server, it gives me different IPs at different times. As the mail server is actually owned by us, I would like to know if that is possible without the IP actually being changed by someone.


Servers :: Redirect Multiple Domain Names To Same IP / Different Port?

Aug 19, 2012

Redirecting a domain to an IP:Port. I host game servers for friends and strangers alike, but I'd like to make it easier for them all and give them dedicated IPs. Right now I include domain redirecting, but to connect to their server, they have to put in "example.com:xxxxx", x meaning their server's dedicated port. Is there any way that I can redirect a domain directly to "IP:Port"?


Cisco WAN :: 6509 Fwsm Multiple Subnets Routed On One Port From 3750

Dec 20, 2010

We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN).  We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall.  The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.
 
I.E.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0

[Code]....

because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work?  Do I have to reconfigure my network and access-list?  Do I need to add more ports between the 6509 and 3750?  I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
 
I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access.


Cisco Switching/Routing :: 6509 - Multiple Line Cards Down After Config

May 28, 2013

I recently changed the entire configuration on two 6509 switches, and the fibre modules in slots 7 and 8 have gone down on BOTH switches. It would be easy to say that it's a hardware fault, but I cannot understand how modules 7 and 8 can go down on both switches. Initially I thought it may be due to IOS bug 22-33.SXI2a.bin, so I upgraded it to s72033-advipservicesk9_wan-mz.122-18.SXF12a.bin, but it is still down. These are the actions I have carried out to try to resolve the issue:

- Reverted back to original configs but no luck

- Tried to use the "power enable" command, but the status light on both modules seems to turn red and then go off again.

- I have also tried to put one of the fibre modules into a different slot but no joy

- Upgraded the IOS from 22-33.SXI2a. to 122-18.SXF12a

I am sure that a hardware fault cannot occur on BOTH modules 7 & 8 on BOTH switches after a config change. The error in the log shows that the modules "failed to bring online because of registration timer event". I understand this means that it is unable to download the image within the allocated time. [code]


Cisco Application :: ACE 4710 Multiple Services Running On Load Balanced Servers

Jan 30, 2012

Our Exchange 2010 hub servers run multiple services/ports: smtp, www, pop3, 135, 143, https, 993, 995, 6001, 6002, 6003, 60200, 60201, 8400, and 8402. What is the best way of balancing these servers so that if only one of the services failed on a server, it would switch only the failed service to the remaining servers? At present I only use an SMTP probe, so as long as that service is running the server is marked good.


Cisco :: PEAP MSCHAPv2 With Multiple ACS4.2 Authentication Servers Clients Get Dropped?

Feb 10, 2011

I have a WPA2/AES network with PEAP MSCHAPv2 authentication. I have 2 ACS servers for authentication. The problem I have is dropped clients. Both ACS servers are set up identically. The database replication has been performed. A series of 10 clients connects wirelessly and they are all successful. ACS server 1 is the primary and ACS server 2 is the backup. We verified that the 10 users authenticated to the primary ACS. My timeout to reauth is 30 minutes on the WiSM. 10 minutes into the test we took down the primary server. This should have had no impact on the clients. 5 minutes later the clients lost their authentication and were dropped from the network. They were able to reconnect by shutting down their wireless client and reconnecting. The authentications were seen on the backup ACS server. On a test of falling back to the primary, the same thing happened again to the clients.


Home Network :: Belkin F5D8635-4v1 - Access Multiple Servers From One Dynamic IP Address

Jan 23, 2012

I am working with MS Windows 2008 R2 and a Belkin F5D8635-4v1 router.

I have already set up a dynamic IP address which points to my router at home. In my home network I have multiple PCs that I would like to access from the internet. I would like to achieve this without needing to change my port forwarding rules on my router each time...

My thoughts are that I use a single dynamic IP address pointed to my router. My router then forwards to a server with some sort of software that can then forward to the correct PC based on the host name.

So I have 3 domains set up all pointing to the router's IP address:

dest1.domain.com -> 41.xxx.xxx.45
dest2.domain.com -> 41.xxx.xxx.45
dest3.domain.com -> 41.xxx.xxx.45

The router is not smart enough to redirect by host name, so it will just forward everything to 10.0.0.20. The server based at 10.0.0.20 must then have software to redetermine the target based on the host name. The rules would be set up as follows:

dest1.domain.com -> 10.0.0.22
dest2.domain.com -> 10.0.0.24
dest3.domain.com -> 10.0.0.26


Setup QoS Between Phone Servers Over P2P

Jul 30, 2012

I've got a digital phone system but it goes VoIP across our P2P T1s. I am having quality issues between our 2 sites only and have decided to set up QoS on the Cisco 1841 P2P routers. Each side that does the voice traffic, I would like to do QoS by IP address, instead of by protocol. I will need an access-list, a class-map and a policy-map, and need to point the interface to the policy-map.


Servers :: How To Setup Trusts Between Two Domains

May 19, 2011

Need step by step instructions for setting up trust between two domains


Servers :: How To Setup A Microsoft Mail In A LAN

Jun 24, 2011

I have a LAN running Windows Server 2000 as domain controller and having 40 client PCs. I want to configure my server as a mail server, which is for the time being only a file server. I don't want to use POPS, IMAP or Exchange Server. Instead I want to use Microsoft Mail to configure my client computers. I have only heard about "Microsoft Mail" mail so far.


Servers :: How To Setup Network Printer

Apr 27, 2012

How do I set up a network printer on Server 2003?








Copyrights 2005-15 www.BigResource.com, All rights reserved