workstation 7 - server 2003 dmz

Discussion in 'Virtual and Cloud Computing' started by kensaundm31, Nov 4, 2010.

  1. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    Hi,

    I had a setup working but have decided to now add a DMZ to host a member server that will be a non-DC, multihomed, because apparently a multihomed DC is very bad.

    I only have 1 physical router but I need another one to separate the local and perimeter network. How do I simulate this in VMware?

    This probably sounds ridiculous but here is my current thinking:

    VMware LAN seg 1 kensoft.local - private network, single-homed DC - subnet 192.168.2.x
    VMware LAN seg 2 kensoft.com - DMZ network, multi-homed non-DC - subnet 192.168.1.x (VMware bridged to host PC and router)

    DMZ.SRV2003
    NIC 1 : connected to LAN 1 (192.168.2.x)
    NIC 2 : VMware bridge to host and router (NAT), (192.168.1.x)

    I would need a DNS server on kensoft.local and one on the perimeter network kensoft.com (public)?

    Here is a pic of a medium sized business setup from nuggetlabs that I am basing this on:

    But I don't have the router between the private and perimeter net.

    Is this the imagining of a madman? Or is this OK?
     
  2. SimonD
    Honorary Member

    SimonD Terabyte Poster

    3,681
    440
    199
    What exactly is it you're trying to accomplish with this?
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  3. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    I want to implement a DMZ and remove multi-homing from my DC.

    This is how it is now set up.

    I can ping the DMZ server from my host PC (but not the DMZ NIC on the internal net).

    I can ping the DMZ server from my DC (but not the outbound NIC).

    Which is OK 'cos I haven't set anything else up yet. Just the static IP addressing.

    Is this the logical way to do it?
     
  4. SimonD
    Honorary Member

    SimonD Terabyte Poster

    3,681
    440
    199
    Why do you want to create a DMZ? In a test environment I see no issues with having a multi-homed server that acts as your internet gateway; going further than that can and will overcomplicate things for you (in my opinion).

    Other than that, yes, that is the way you would want to do it, although to be honest it's not a DMZ you're creating, just a multi-homed network.

    A true DMZ would entail having a network isolated from your corporate network (on its own network segment) with something like Microsoft TMG or UAG acting as a gateway into your corporate environment from the other side of the DMZ.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  5. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    Right thanks.

    I read at Microsoft to have 3 cards in the DMZ server.

    Network A = Internet
    Network B = DMZ
    Network C = Private intranet

    I was going to do this initially, but I homologised the Internet and DMZ zones.

    I might actually do this though and have 3 subnets when I have a bit more knowledge. I will get a proxy server software that can handle all the IP trafficking.

    I might seem like I'm pointlessly over-complicating things but that's the point, I will learn more doing it the hard way.

    It's a bit disappointing that there isn't a more elegant/simple way to emulate a router in Workstation 7. Why couldn't they just have a router as an add-in device like a NIC?
     
  6. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Ken

    I'm beginning to think you're on a wind-up here! We've told you how to set your test environment up, but you continue to put some ridiculous configurations in place. You're supposed to be using this for learning, but quite honestly you're attempting to run before you can walk. Go back to the basics, set your LAN up like you've been advised. Once you've got all that sorted, then you can move onto the harder stuff.

    BTW, this isn't meant to sound harsh - it's awesome that you want to learn things and bodes well for your future development. It's just that you need to concentrate on setting everything up properly before overcomplicating things.
     
    Certifications: A few
    WIP: None - f*** 'em
  7. Modey

    Modey Terabyte Poster

    2,397
    99
    154
    If you are determined to complicate things and want an extra router, just set up a new server with 2 NICs and configure RRAS on it. Then you have a router ....
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  8. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    Right, I got that sorted.

    Now I have (almost) set up the basic framework for a 3-subnet group with a DMZ.

    I do this now because I don't want to have to change names and configs later, which can cause problems, so I want to set up a framework that will allow me to look at any aspect of corporate IT if I need/want to.

    Like I have called the private net .local and later I will make the DMZ .com and have a web relay and webpage and stuff. But that's for if/when.

    So:

    ZONE A = INTERNET

    ISP to a cable modem, to a physical router 192.168.1.1. PC is 192.168.1.2

    Host PC running VMware Workstation 7


    ZONE B = DMZ

    Server 2003 (no roles defined) with 3 NICs.

    NIC 1 = 192.168.1.5 - VMware bridge to host PC network card.
    NIC 2 = 192.168.2.5 - VMware LAN seg 1
    NIC 3 = 192.168.3.6 - VMware LAN seg 2


    ZONE C = PRIVATE

    2003 server DC controller AD/DNS/DHCP

    1 NIC = 192.168.3.5 - VMware LAN seg 2

    ----------------------------------------------------------------------

    I will install a web proxy but for now I just want to get the different networks connected to each other.

    So I just made RRAS the LAN router on the DMZ 3-NIC server.

    I set the default gateway of NIC 1 (= 192.168.1.5 - VMware bridge to host PC network card) to my physical router (192.168.1.1).

    So from the DMZ server I have internet access, fine.

    I set the default gateway on the DC controller on subnet 3 to point to NIC 3 (= 192.168.3.6 - VMware LAN seg 2) on the DMZ server.

    So now from the DC on subnet 3 I can ping:

    (DMZ) NIC 1 = 192.168.1.5 - VMware bridge to host PC network card.
    (DMZ) NIC 2 = 192.168.2.5 - VMware LAN seg 1

    But the problem now is that I cannot ping the physical router 192.168.1.1 or get out to the internet from the DC on subnet 3.

    So all I've actually done is:

    * install RRAS LAN routing

    * enter 192.168.1.1 as the default gateway on NIC 1 of the DMZ server.

    * enter 192.168.3.6 as the default gateway on the private DC on subnet 3.

    I can ping the public card in the DMZ which has a default gateway of my physical router, so I don't understand why it stops at the public card in the DMZ!

    Can anyone shed some light on this please?

     
  9. SimonD
    Honorary Member

    SimonD Terabyte Poster

    3,681
    440
    199
    I am sorry but your design makes no sense. What exactly is the 192.168.2.x network doing, exactly??? All you have done is add a layer of complexity that doesn't need to be there. Your DMZ server is still actually only a multi-homed server utilising two networks; it's not a perimeter network so to speak. A perimeter network would require you to have a firewall on the segment that would block off that network segment, which would be on a different network segment, but it wouldn't be accessible directly from your DMZ server (not as such).

    Ideally you would have something like:

    ISP (public IP address) - (public IP address) Firewall (DMZ - private IP address) - (DMZ - private IP address) UAG\TMG servers (Internal - private IP address) - Internal servers.

    Your DMZ is just that, a zone that your internet-facing servers sit in, with firewalls at both edges to ensure that no unauthorised traffic can traverse the networks. In your diagram the 192.168.2.x network does absolutely nothing at the moment.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  10. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    I will install a firewall later on the DMZ server (firewall).

    I probably used the wrong terminology; by DMZ server I mean firewall.

    The .2 subnet will host the .com domain, web server and whatever else later if I want. It's just a work-in-progress framework at the moment.

    But all the diagrams I have seen have the three different networks connecting to the firewall, which has the internal net prescribed as PRIVATE.

    So I should've renamed DMZ server to firewall in the Visio.

    I just at this stage want to get the connectivity between networks because I won't install the firewall for a few weeks. But yes, there is nothing on the .2 subnet.

    So I still need to get subnet .3 talking to my router, because the firewall will come later.
     
    Last edited: Nov 7, 2010
  11. SimonD
    Honorary Member

    SimonD Terabyte Poster

    3,681
    440
    199
    You need to ensure that the routing tables on the DMZ server and DC1 know which route out all the traffic needs to take; also worth noting is that the DMZ server needs the 192.168.1.1 address as its ONLY gateway.

    Have a look at the Route Add command on the server, because you will need to do it on both servers (different gateways).

    You really are making things far more complicated for yourself, especially as this is all being done out of Workstation 7.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  12. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    *facepalm*
     
    Certifications: A few
    WIP: None - f*** 'em
  13. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2

    Thanks
     
  14. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    So on the RRAS router I added:

    Interface: NIC 3 PRIVATE 192.168.3.6 (VMware LAN 2)
    Destination: 192.168.1.0
    Mask: 255.255.255.0
    Gateway: 192.168.1.5

    Does that not say to the router that, if any IP request comes in from this (192.168.3.x) subnet for the 192.168.1.x subnet, 192.168.1.5 knows where to go?


    Still not working...

    NIC 1 is the only card with a gateway (192.168.1.1). Its DNS server is also 192.168.1.1.
     
  15. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    ...Kobem...?

    That you...?
     
    Certifications: A few
    WIP: None - f*** 'em
  16. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    Hmm...

    I removed all static routes I'd made on the RRAS.

    I then set up 2 static routes on my physical router.

    Now all connectivity is OK.

    Everything can ping each other and access the net.

    How can this be...?
     
  17. kensaundm31

    kensaundm31 Bit Poster

    35
    0
    2
    After thinking about it I reckon that before I added the .2 and .3 subnets to the physical router, the VM subnets could still actually ping the router, but because the router didn't know about them they could not get the reply.

    After I added them to the router (with 192.168.1.5 as gateway), they can receive the reply.

    All's well that ends well. Onto the next stumbling block. :D
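    The thread's conclusion (posts 14, 16 and 17) is a textbook asymmetric-routing case: the echo request from the DC reached 192.168.1.1 fine, but the physical router had no route back to 192.168.3.0/24 and sent the reply to its default gateway instead, while the static route added on RRAS in post 14 never touched the router's table at all. The following is an added example, not code from the thread or from any poster: a small Python model of the lab's routing tables, using the addresses the poster listed, that traces the request and the reply separately so the broken return path is visible. The node names (DC1, RRAS, ROUTER, HOST), the placeholder upstream address 203.0.113.1 and the `build_lab`/`forward`/`ping` helpers are all assumptions of the example; NAT and the internet beyond the physical router are not modelled.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination prefix, next-hop address); next hop None means directly connected.
Route = Tuple[str, Optional[str]]

# Constructed placeholder for the ISP-side hop of the physical router (not from the thread).
ISP_GW = "203.0.113.1"


class Node:
    """A host or router: the addresses it owns plus its routing table."""

    def __init__(self, name: str, addresses: List[str], routes: List[Route]):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = [
            (ipaddress.ip_network(prefix), ipaddress.ip_address(nh) if nh else None)
            for prefix, nh in routes
        ]

    def next_hop(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match. Returns (matched, next_hop); ties keep the first entry."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return (False, None) if best is None else (True, best[1])


def forward(nodes: Dict[str, Node], src_ip: str, dst_ip: str, max_hops: int = 8) -> Optional[List[str]]:
    """Walk one packet from the owner of src_ip towards dst_ip.

    Returns the list of nodes traversed (ending at the destination owner), or None
    when some hop has no route or the next hop is not on any link we model.
    """
    owner = {addr: node for node in nodes.values() for addr in node.addresses}
    dst = ipaddress.ip_address(dst_ip)
    current = owner[ipaddress.ip_address(src_ip)]
    path = [current.name]
    for _ in range(max_hops):
        if dst in current.addresses:
            return path
        matched, nh = current.next_hop(dst)
        if not matched:
            return None
        target = dst if nh is None else nh
        if target not in owner:
            return None  # e.g. handed to the ISP default gateway: an RFC 1918 reply dies there
        current = owner[target]
        path.append(current.name)
    return None


def ping(nodes: Dict[str, Node], a: str, b: str) -> bool:
    """A ping only succeeds if the echo request AND the echo reply each find a path."""
    return forward(nodes, a, b) is not None and forward(nodes, b, a) is not None


def build_lab(router_extra_routes: List[Route] = (), rras_extra_routes: List[Route] = ()) -> Dict[str, Node]:
    """The poster's three-zone lab as of post 8; extra routes model the fixes tried later."""
    dc1 = Node("DC1", ["192.168.3.5"],
               [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.6")])
    rras = Node("RRAS", ["192.168.1.5", "192.168.2.5", "192.168.3.6"],
                [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("192.168.3.0/24", None),
                 ("0.0.0.0/0", "192.168.1.1")] + list(rras_extra_routes))
    router = Node("ROUTER", ["192.168.1.1"],
                  [("192.168.1.0/24", None), ("0.0.0.0/0", ISP_GW)] + list(router_extra_routes))
    host = Node("HOST", ["192.168.1.2"],
                [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    return {n.name: n for n in (dc1, rras, router, host)}


# Post 14: the static route entered on RRAS. Its prefix is already directly connected there,
# and it changes nothing on the physical router, which is where the reply actually dies.
POST14_RRAS_ROUTE: List[Route] = [("192.168.1.0/24", "192.168.1.5")]

# Post 16: the two static routes added on the physical router, pointing back at RRAS's
# 192.168.1.5 interface, which is what gives replies a way home.
POST16_ROUTER_ROUTES: List[Route] = [("192.168.2.0/24", "192.168.1.5"),
                                     ("192.168.3.0/24", "192.168.1.5")]

if __name__ == "__main__":
    for label, lab in (("post 8 (no fix)", build_lab()),
                       ("post 14 (route on RRAS)", build_lab(rras_extra_routes=POST14_RRAS_ROUTE)),
                       ("post 16 (routes on router)", build_lab(router_extra_routes=POST16_ROUTER_ROUTES))):
        print(label)
        print("  request DC1 -> router :", forward(lab, "192.168.3.5", "192.168.1.1"))
        print("  reply   router -> DC1 :", forward(lab, "192.168.1.1", "192.168.3.5"))
        print("  ping DC1 <-> router   :", ping(lab, "192.168.3.5", "192.168.1.1"))
```

    Running the block prints the request path `['DC1', 'RRAS', 'ROUTER']` in all three cases; only in the post 16 configuration does the reply path become `['ROUTER', 'RRAS', 'DC1']` instead of `None`. The general lesson it illustrates is that every router between two hosts needs a route for both directions, and that adding routes on the box you are testing from cannot repair a table on a box further along the path. Had the firewall the poster planned to put on the RRAS box been in place, this is also the point where inbound traffic from 192.168.1.0/24 towards the private subnet should be filtered, since the router's new routes make the DC reachable from the host PC as well.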
     
