Switches, Hubs, and Modems

DMZ setup through Procurve to catalyst to pix

Tibbys96Z
New Member


I'm researching how to set up a secure webserver. This is just something I've never done with secure data, so I want to make sure it is correct.
My goal is to set up a vlan_2 (172.16.1.1) on an HP ProCurve 2510G-24 with a single server running my website (webserver (172.16.1.2)). The HP also contains all other servers (dhcp, dns, ftp, backup) on the default vlan_1 (192.168.0.12). This switch is connected directly to a Cisco Catalyst 2960G-48 (192.168.0.10) running default setup. This connects to the PIX 506e. I've got the pix setup ready with an acl and static route to my desired 172.16.1.2 ip for the server. I just can't seem to get the switches to work for me.
I would like to be able to access the webserver from any internal server or workstation, but not from the webserver to the other servers or workstations. I just want better protection from outside by putting the webserver in a vlan on a different subnet.
Am I way off base with my goal?
This will be a webserver for a secure application I've been building. I've never set up the network side.

Pieter 't Hart
Honored Contributor

Re: DMZ setup through Procurve to catalyst to pix

>>> Cisco Catalyst 2960G-48 (192.168.0.10) running default setup <<<
So this switch only knows about vlan-1!

The HP and Cisco don't communicate what VLANs are used (like Cisco's VTP protocol).
So you must manually add vlan-2 on the Cisco and configure the connecting ports to pass both VLANs (vlan-trunk).

On Cisco (IOS):
! create the VLAN first, then trunk the uplink port toward the HP
vlan 2
 name DMZ
interface GigabitEthernet2/0/24
 ! a 2960 supports 802.1Q only and does not accept the encapsulation command; omit it there
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! or "switchport trunk allowed vlan all"
 switchport trunk allowed vlan 1,2
On HP (ProCurve) something like:
; VLAN 1 is sent untagged by the Cisco trunk (native VLAN 1), so the HP side must be untagged, not tagged, for VLAN 1
vlan 1
   untagged 24
vlan 2
   tagged 24

Another tip:
Connect the PIX to the Cisco as a vlan-trunk (switchport like above).
Create a subinterface on the inside interface for vlan-2 with a security level between inside and outside.

Then it will look like the PIX has a "third NIC" connected to the DMZ.
Tibbys96Z
New Member

Re: DMZ setup through Procurve to catalyst to pix

Excellent! Thank you!
So, to recap:
HP switch:
Ports 2-22, 24: Vlan_1 untagged, Vlan_2 tagged or no?? (for all stations on those ports).
Port 23: Vlan_2 untagged, Vlan_1 no (for webserver)
Port 1: Vlan_1 untagged, Vlan_2 tagged (going to trunked port on Catalyst)

Catalyst Switch:
Create Vlan_2, leave the default vlan_1 as is
Port GE47: trunked port allowing all vlans using dot1q. vlan_2 logical tagged, vlan_1 physical untagged (the port the HP switch goes to). Can I enable PDM here to take care of this for me??
Port GE48: trunked port to pix

Pix:
I'm not sure how to create a subinterface. Any help here is appreciated of course.
I was going to create a static entry from the outside to the DMZ. With an access list to all www.
And allow the inside to access the DMZ with another static command.

Do I understand everything correctly??
Thanks again for the help!!
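Putting Pieter's answer and the recap above together, here is an added example configuration for all three devices. It is not from either poster and not from HP or Cisco documentation; it uses the port plan in the recap (HP port 1 uplink, HP port 23 web server, Catalyst Gi0/47 to the HP, Gi0/48 to the PIX) and the 2960G-48 port naming (Gi0/1-48) rather than the stacked-switch name in the reply. Everything else is an assumption marked in the comments: the PIX runs 6.3 software (VLAN logical interfaces need it), its inside address is 192.168.0.1, its DMZ address is 172.16.1.254, an outside NAT pool with id 1 already exists, and 203.0.113.10 is a placeholder public address for the web server. Each section uses its own device's comment character (";" on ProCurve, "!" on IOS, ":" on PIX 6.x).

```cisco
; ---- HP ProCurve 2510G-24 (config context) ----
; port 1 = uplink to the Catalyst, port 23 = web server (port numbers from the recap)
; the web server port is untagged in VLAN 2 only, so its traffic can leave the switch
; only through the trunk and is never on the same VLAN as the internal servers
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-22,24
   no untagged 23
   exit
vlan 2
   name "DMZ"
   untagged 23
   tagged 1
   exit

! ---- Cisco Catalyst 2960G-48 (IOS, global config) ----
! the 2960 supports only 802.1Q, so there is no "switchport trunk encapsulation" command
vlan 2
 name DMZ
!
interface GigabitEthernet0/47
 description Trunk to ProCurve 2510G port 1 (VLAN 1 native/untagged, VLAN 2 tagged)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
interface GigabitEthernet0/48
 description Trunk to PIX 506E ethernet1 (inside untagged, dmz tagged as VLAN 2)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2

: ---- PIX 506E, PIX software 6.3 (assumed) ----
: ethernet1 stays the untagged inside interface; vlan2 becomes a logical (sub)interface on it,
: which is the "third NIC" from the reply
interface ethernet1 100full
interface ethernet1 vlan2 logical
nameif ethernet1 inside security100
nameif vlan2 dmz security50
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.1.254 255.255.255.0
: inside -> dmz without address translation (identity static), so 192.168.0.x hosts reach 172.16.1.2
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
: outside -> web server, port 80 only (203.0.113.10 is a placeholder public address)
static (dmz,outside) 203.0.113.10 172.16.1.2 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
: dmz -> outside is allowed (updates, DNS) through the existing outside pool, id 1 assumed
nat (dmz) 1 172.16.1.0 255.255.255.0
: dmz -> inside is denied and logged. The security levels would block it anyway, but the explicit
: deny survives a later static or nat change and gives a log line if the web server ever tries
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list dmz_in permit ip 172.16.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

The web server's default gateway becomes the PIX dmz address (172.16.1.254 in this example), not the HP switch, because the 2510G only bridges VLAN 2; the Catalyst and the PIX carry it as a tagged VLAN all the way to the firewall, where the interface-level rules above decide what the DMZ may talk to.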