# DMZ Setup



## Polymorphism (Dec 28, 2015)

Hello everyone,

I'm relatively new to this site, but have a couple of years of networking experience. I am currently trying to understand how to deploy a DMZ for my company's network.

I am using a Cisco firewall and have enabled the DMZ setting within the firewall. I am just unsure how to understand the inner workings of a DMZ. I've researched numerous documents, but I still feel fuzzy about how it's supposed to work. I understand its purpose and the like, but physically/logically deploying it is what I am confused about.

Here's what I am trying to do, and I could be completely wrong about how I am going about it so feedback is greatly appreciated:

I have a DIR655 router connected to the WAN2/DMZ port on the Cisco Firewall. I figured I could use that router as a DHCP server, so that if I have guests they can use that router to connect to the internet. Along with that I plan to have dedicated FTP, SMTP, and DNS servers statically connected to that network as well. Currently the router shows it's fully operational with both WiFi and Ethernet, but I am not getting any internet connectivity, so I'm wondering if there is some setting within my Cisco FW that is obstructing communication. Also, since the Cisco FW is going to create the DMZ, my confusion is how do I implement a router within this DMZ along with other services.

I am not sure if this is the right way of going about this, or whether or not this is even how a DMZ is configured.

Therefore constructive advice for implementation is greatly appreciated!


----------



## MitchConner (May 8, 2015)

Hi mate.

A DMZ is an area where you allow connections to your network devices to be initiated from outside of your network (from the internet) and is separate from your LAN, whereas LAN traffic would only originate from inside your LAN. So you'll need to allow inbound connections to your applications using NAT on either the router or the firewall itself.

I wouldn't necessarily stick the router behind the firewall (if I understand you); I'd leave the router connected to the WAN and put the firewall behind it and terminate my VLANs on the firewall (or a switch behind it).


----------



## Polymorphism (Dec 28, 2015)

Yes, I understand HOW a DMZ works, but I guess my quandary lies with placement of it, and my apologies if my original post is hard to understand. I see your point about putting the router in front of the firewall instead of behind it, but when I wrote behind I meant specifically in the DMZ.

Here's my thought that my boss helped me understand. I should connect a switch to my FW via the WAN2/DMZ port, and anything from there should theoretically sit in the DMZ area (allocated within the FW GUI). I'd still like to put a router in the DMZ for guests to use if they decide to log in to the company network, but I'm wondering if this is possible?

I appreciate your feedback and will take it into consideration.


----------



## MitchConner (May 8, 2015)

I would have separate interfaces on the firewall for dmz, lan, and connection to the router. The dmz and lan ports should be connected to their own switches. Under no circumstances would I have the router in the dmz. If you want to provide dmz or internet access to guests, offer that service through the router and control access to services through the firewall.


----------



## Polymorphism (Dec 28, 2015)

Hello again Mitch,

Thank you for the suggestions, and I see what you mean about putting a router in the DMZ (not needed). I currently have my FW's DMZ port connected to a switch, and to the switch I've got a connected laptop. I'm having issues trying to create a DMZ network through my Cisco RV325. Unfortunately, after numerous hours of searching online for documentation (including the RV325 manual) I've found practically no explanation of such usage. I am not giving up, but I have tinkered with the configurations numerous times and am not understanding how this should be done. I comprehend the grand scheme of things, but implementation is where I am stuck.

Here's the technical stuff: My Cisco RV325 Firewall is set up to have a DMZ range of private IP addresses from 192.168.4.1 - 192.168.4.149. I have a switch connected to the DMZ/WAN2 port of the RV325. Connected to the switch is a laptop with a DHCP-assigned address (though not working). I've also tried a static configuration of 192.168.4.2 at the laptop with the gateway being both the private address of the firewall, and trying 192.168.4.1, but nothing seems to be working connectivity-wise. There is an option to create a DMZ host within the FW GUI, but it won't let me assign any LAN IPs, only IPs ending in X.X.X.0. Access rules on the FW are set to allow ports 53, 21, 80, 443, 143 and 110 from source 192.168.4.1 - 192.168.4.149 --> any destination, with the source interface set as my DMZ. Yet the laptop on the switch is only being assigned an APIPA address at the moment. Still unsure how to go about this.

Thanks for the feedback!
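
Added example (not from the thread, and not the RV325's own configuration format): a small Python model of the access rule described in the post above, used to check which connections DMZ hosts can initiate, and in particular whether "any destination" lets them open connections into the LAN. The LAN prefix 192.168.1.0/24 and the first-match, default-deny evaluation are assumptions for the model, not documented RV325 behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone table. The DMZ range comes from the thread; the LAN
# prefix is an assumption, the thread never states it.
ZONES = {
    "DMZ": ipaddress.ip_network("192.168.4.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),  # assumed
}

@dataclass
class Rule:
    action: str       # "allow" or "deny"
    src_iface: str    # zone the packet arrives on
    src_lo: str       # first address of the source range
    src_hi: str       # last address of the source range
    dst: str          # "any" or a CIDR prefix
    ports: frozenset  # destination TCP/UDP ports

def zone_of(ip):
    """Map an address to a zone; anything outside the known prefixes is WAN."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "WAN")

def rule_matches(rule, src, dst, dport):
    s = ipaddress.ip_address(src)
    in_range = ipaddress.ip_address(rule.src_lo) <= s <= ipaddress.ip_address(rule.src_hi)
    dst_ok = rule.dst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    return rule.src_iface == zone_of(src) and in_range and dst_ok and dport in rule.ports

def evaluate(rules, src, dst, dport):
    """First matching rule wins; with no match the packet is dropped (assumed default deny)."""
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule.action
    return "deny"

def audit_dmz_to_lan(rules):
    """Ports on which a DMZ host (the laptop's 192.168.4.2) may reach a LAN host."""
    lan_host = str(next(ZONES["LAN"].hosts()))
    return sorted({p for r in rules for p in r.ports
                   if evaluate(rules, "192.168.4.2", lan_host, p) == "allow"})

# The rule exactly as described in the post: DMZ range -> any, six ports.
THREAD_RULES = [Rule("allow", "DMZ", "192.168.4.1", "192.168.4.149", "any",
                     frozenset({53, 21, 80, 443, 143, 110}))]
# Same rule preceded by an explicit deny toward the LAN prefix, so DMZ hosts
# keep their internet access but cannot open connections into the LAN.
TIGHTENED_RULES = [Rule("deny", "DMZ", "192.168.4.1", "192.168.4.149",
                        "192.168.1.0/24", frozenset({53, 21, 80, 443, 143, 110}))] + THREAD_RULES
```

Running `audit_dmz_to_lan(THREAD_RULES)` lists all six ports, because "any destination" includes the LAN; the tightened list returns nothing while still allowing the same ports toward the internet.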


----------



## MitchConner (May 8, 2015)

Is the router or the firewall acting as the DHCP server? Can you whip up a quick diagram to show the connections?


----------



## Polymorphism (Dec 28, 2015)

Hello again, 

I apologize about the brief hiatus, but I believe I've got something of a DMZ model running now. Unfortunately, I still have not created a full diagrammed topology, but I plan to do so here in the next week, so that way you and readers alike can understand if they have a similar problem.

Therefore I will do my best to explain what I've created. I'm currently working with 2 Cisco RV325 Firewall/Routers along with a couple of switches. The point of this post was for me to understand how to create a working DMZ in between both of those firewalls. 

The specific method I chose was to establish a One-to-One NAT configuration, and assignment of VLANs. There is an option within the RV325 GUI to create a DMZ, but I was unsuccessful with this option, the user manual having a poor explanation of how to properly implement this design, and all the possible options I chose for enabling the DMZ failed. The next method I chose was to use the One-to-One NAT option (also within the firewall) in which I could specify ONE private IP address to ONE public IP address. Luckily I had approximately 4 publics to work with, so I could choose any private address to match them. I had two test machines to which I statically assigned X.X.10.11 and X.X.10.12 for their private settings. Following that I created a VLAN with the inter-VLAN routing function enabled and the proper tag/untag frame settings; the gateway on the VLAN was set to X.X.10.1 (once again all in the FW GUI). From this point I connected a third test machine into my second RV325 firewall, and connected that 2nd FW into a 5-port switch. On that same switch I connected my 2 other test machines, and my first firewall where the VLANs and the One-to-One NAT were configured.

This was my setup, and I wanted to then see if my test machine #3 plugged into firewall #2 could PING internally and externally to those test machines assigned to the VLAN from firewall #1, also sitting on the DMZ switch with DMZ-assigned public IPs and internal VLAN-assigned IPs. I haven't created any Access Control Rules, but will be doing so this week.

Once again I will provide a topology once this setup is complete, and so far I've had success in my testing phase!

I will also try to clarify my writing with my next post so that it's easily understood what has been done. I've reread this post several times, and there are some parts that remain a bit confusing, so if there are any questions I'll do my best to answer them!


----------



## Polymorphism (Dec 28, 2015)

I also realize there might be some inherent weaknesses in that design, which I am also working on.


----------

