DMZ-issue
(OP)
Hello all,

I've got a weird situation going on with a Netgear Dual-WAN/VPN router.

As I said, it has 2 WAN ports.
On WAN 1 I've got a static IP (192.168.4.2), Default GW (192.168.4.1 = Cisco ISDN router from ISP).
The LAN interface has the IP 192.168.1.1 (that is the scope of our LAN).
Between the Cisco and our netgear device I've put a switch with some webservers on them.

I can get from our LAN to our webservers, and from the internet it also works fine. The problem is that I cannot get from the webserver to the LAN.
I need to get to the A.D. from our LAN, as I need it for authentication.
I tried to put in some static routes but nothing happened.

Any ideas?

Kindest regards,

Stijn

RE: DMZ-issue

You need to punch a hole in your Netgear Dual WAN/VPN router to allow traffic originating on its WAN side to the LAN side of the appliance. It's a basic stateful firewall and probably has its security set to allow all traffic originating from the LAN to WAN as open (that's why you can access the web server from the LAN), but blocks all traffic originating from the WAN to LAN side. You can access the web server from the Internet because the web server is plugged into your switch off of the Cisco's LAN subnet, does not go through the Netgear, and it either has that port on the Cisco open or is wide open to all ports (when I say ports, I mean TCP/UDP ports).
Like I said, your quick fix is to open up whatever ports you need; however, you really need to take a better look at your design. Having a DMZ zone for web servers is great, but having them tied to your A.D. inside your LAN is not, due to the ports that have to be opened to allow Kerberos. If someone gains access to the web server, then game over, since they now have access to your Active Directory. Also, you are having to double NAT (once through the Cisco and again through your Netgear). There's nothing per se wrong with that, but it's twice the work for you to create static NAT(s).
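The zone-based stateful behaviour described in this reply, and the "ports galore" point made further down the thread, are easier to reason about with a small model. The following is an added example, not code from the original thread or from Netgear: a toy stateful firewall that permits a new flow only if a rule exists for its (source zone, destination zone) pair and then lets replies through on the basis of the connection table. The address ranges are constructed from the thread (LAN 192.168.1.0/24 behind the Netgear; the web servers on the 192.168.4.0/24 segment between the Cisco and the Netgear, which the Netgear sees as its WAN 1 side and which is labelled "DMZ" here). The port list for AD authentication is an illustrative, not exhaustive, set of well-known ports.

```python
"""Toy model of a zone-based stateful firewall (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed to match the thread: LAN behind the Netgear, web servers on the
# segment between the Cisco and the Netgear (the Netgear's WAN 1 side).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.4.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to LAN / DMZ; anything else is treated as the Internet (WAN)."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulFirewall:
    # (from_zone, to_zone) -> set of permitted destination ports, {"*"} meaning any port
    rules: dict = field(default_factory=dict)
    # connection table: flows whose first packet was permitted
    state: set = field(default_factory=set)

    def allow(self, from_zone: str, to_zone: str, *ports: int) -> None:
        self.rules.setdefault((from_zone, to_zone), set()).update(ports or {"*"})

    def permit(self, flow: Flow, reply: bool = False) -> bool:
        """Return True if the packet is forwarded.

        reply=True means the packet travels dst -> src of an already seen flow;
        such packets are forwarded only if the forward flow is in the state table.
        """
        if reply:
            return flow in self.state
        allowed = self.rules.get((zone_of(flow.src), zone_of(flow.dst)), set())
        ok = "*" in allowed or flow.dport in allowed
        if ok:
            self.state.add(flow)
        return ok


def default_policy() -> StatefulFirewall:
    """Typical out-of-the-box stance: LAN may initiate anywhere, nothing may initiate into the LAN."""
    fw = StatefulFirewall()
    fw.allow("LAN", "DMZ")
    fw.allow("LAN", "WAN")
    return fw


# Illustrative (not exhaustive) well-known ports a domain member needs towards a DC:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog.
# A real deployment also needs the dynamic RPC port range, which is why the
# reply below calls this "ports galore".
AD_AUTH_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268}


def ad_hole_policy() -> StatefulFirewall:
    """The 'quick fix' from the reply: punch DMZ -> LAN holes for AD authentication."""
    fw = default_policy()
    fw.allow("DMZ", "LAN", *AD_AUTH_PORTS)
    return fw


def demo() -> dict:
    """Reproduce the symptom from the original post under the default policy."""
    fw = default_policy()
    lan_to_web = Flow("192.168.1.50", "192.168.4.10", 80)   # constructed addresses
    web_to_dc = Flow("192.168.4.10", "192.168.1.10", 88)    # Kerberos to a DC in the LAN
    return {
        "lan_to_web": fw.permit(lan_to_web),          # LAN initiates: allowed
        "web_reply": fw.permit(lan_to_web, reply=True),  # reply rides the state entry
        "web_to_dc": fw.permit(web_to_dc),            # DMZ initiates into LAN: dropped
        "holes_needed_for_ad": len(AD_AUTH_PORTS),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the reply describes: the LAN-initiated HTTP flow and its replies pass, while the web server's Kerberos attempt toward the LAN is dropped because no (DMZ, LAN) rule exists. `ad_hole_policy()` is the same firewall with the quick fix applied; the size of `AD_AUTH_PORTS` is the cost of that fix, and every one of those holes is reachable from a compromised web server.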


RE: DMZ-issue

(OP)
Thanx for the reply...
What I've changed now (and this works) is that I've made a different LAN IP on a different subnet of my LAN on the Netgear box.

I still see the problem with the AD connection, however...
The thing I have to do is make a new AD (new forest, new domain) in the DMZ and make a kind of trust relationship between the LAN AD and the DMZ AD.

Hopefully I get my hands on some resources so I can tighten the security.

Thanx a lot for the clarification!

Kindest regards,

Stijn

RE: DMZ-issue

I wouldn't even do that. Just make your web servers simple non-AD-joined servers. Each server will have its own security with usernames and passwords. Unless you have some particular app you have to run on your web servers that has to have AD access (I'd be looking for another app, personally), then this is the best route. Creating another AD and then establishing a trust between the two, you would still have to open ports galore.
