Setting Up A DMZ - Issues (Kerio User Forums » Kerio Control)

SMKP
Hi,

After some assistance from those with greater knowledge than myself, please!

I'm trying to setup a DMZ to allow one of our staff members to work on behalf of our client but in our office, where he can VPN into their network for data files etc.

The VPN connection works but unfortunately, their German office uses the same 192.168.10.X configuration for their LAN as ours does, so data is going missing - it's obviously not an option to rename either our or their LAN addresses.

It has been suggested to create a DMZ on our LAN where their workstation can be configured to use our LAN for internet traffic, but not use our 192.168.10.X naming convention.

I currently have in Kerio Control :

NIC 1

IP - 192.168.10.7
Subnet - 255.255.255.0
No Default Gateway
DNS - 192.168.10.20 - Our SBS 2011 Server

Connected to our LAN switches.



NIC 2

IP - XX.XXX.XXX.XX - External IP to the outside world
Subnet - 255.255.255.252
G/W - XX.XXX.XXX.XX - As provided by ISP
DNS - 2 addresses as provided by ISP

NIC 3 - DMZ

IP - 192.2.2.1
Subnet - 255.255.255.128
G/W - NO DEFAULT GATEWAY
DNS - NO ENTRIES

This NIC is connected to our LAN switches so the laptop below can access it via a wired NIC - Simulating the workstation.


All appears happy and no errors anywhere.

I have configured these rules :

This link (I can't post a link as I've posted less than 5 times) - manuals.kerio.com/control/adminguide/en/sect-dmz.html

With the network mapping in the "Webserver in DMZ" rule set to 192.168.10.7

I have setup a laptop for internal testing :

NIC

IP 192.2.2.5
Subnet - 255.255.255.128
Gateway - 192.2.2.1

NO DNS ENTRIES

Currently I can PING the laptop on 192.2.2.5 from the Kerio Server BUT when trying to ping 192.2.2.1 (Kerio DMZ card) from the laptop all times out.

There is NO internet access from the laptop.

Can someone please give me some pointers as to what I'm doing wrong . . . .

Thanks in advance,

Simon
SMKP
Has anyone any ideas?

Simon
silars
If you have rules already allowing Trusted/Local interfaces access to Control as well as NATing, then you likely just need to make sure NIC 3 is identified as such under "Interface Group" in the Edit properties for that NIC.
SMKP
Do you mean move it from 'Other Interfaces' to 'Trusted / Local Interfaces'?

I've tried moving it as above and still no joy - the laptop doesn't see the internet.

Is the mapping to the Kerio Control address correct?
silars
Yes, that's what I meant.

However, I just noticed that you are trying to use 192.2.2.1. Do you own that subnet? That's not one of the reserved address spaces. Did you mean to use 192.168.2.0/25?
SMKP
192.2.2.1 was suggested by our client . . . .

How do I set the /25 part?

When I enter 192.168.2.0 I get a message telling me the combination of IP / Subnet is invalid.
silars
Based on the information you have provided, I can't see how 192.2.2.0/25 will work. /25 is the CIDR representation of 255.255.255.128. Just an easier way to write it. Anytime you see the usage of ".0" at the end of an IP, that generally corresponds to the network itself. IP stacks don't always allow the assignment of .0 IPs to a host (first and last IPs are considered reserved).

You should be entering 192.168.2.1/255.255.255.128 on the Control device, and 192.168.2.5/255.255.255.128 on the Laptop.
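An added check of the address plans discussed in this thread (example code written here, not from the forum or from Kerio): it uses Python's standard ipaddress module to flag an address outside the RFC 1918 private ranges, a host set to its own subnet's network address, and a DMZ range that overlaps a LAN already in use, which is the collision the VPN ran into. The LAN ranges come from the thread; the function names are my own.

```python
import ipaddress

# Ranges taken from the thread: the office LAN and the client's German office LAN,
# which uses the same range (the original cause of traffic going missing).
OFFICE_LAN = "192.168.10.0/24"
CLIENT_LAN = "192.168.10.0/24"

# The three RFC 1918 private ranges, spelled out rather than relying on
# ipaddress.is_private (which also counts documentation and other special ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_problems(host_ip, mask, existing_nets):
    """Return a list of problems with assigning host_ip/mask to a new interface.

    existing_nets maps a label to a CIDR string for every network that is already
    reachable from the firewall (LAN, VPN peers). A sound plan returns [].
    """
    problems = []
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")  # accepts a dotted mask
    net = iface.network
    if not any(iface.ip in n for n in RFC1918):
        problems.append(f"{iface.ip} is not in a private (RFC 1918) range")
    if iface.ip == net.network_address:
        problems.append(f"{iface.ip} is the network address of {net}")
    if iface.ip == net.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address of {net}")
    for label, other in existing_nets.items():
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{net} overlaps {label} {other}")
    return problems


def same_subnet(ip_a, ip_b, mask):
    """True when two hosts configured with the same mask land in one subnet."""
    a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return a == b


if __name__ == "__main__":
    known = {"office LAN": OFFICE_LAN, "client LAN": CLIENT_LAN}
    for candidate in ("192.2.2.1", "192.168.2.0", "192.168.10.7", "192.168.0.2"):
        mask = "255.255.255.0" if candidate == "192.168.10.7" else "255.255.255.128"
        print(candidate, mask, plan_problems(candidate, mask, known) or "OK")
    print("firewall and laptop share a subnet:",
          same_subnet("192.168.0.2", "192.168.0.3", "255.255.255.128"))
```

Run it and the first candidate (the client's suggestion) fails the private-range check, the second is the network address, and the office LAN address collides with the client's identical range.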
SMKP
I've changed NIC 3 to 192.168.0.2 / 255.255.255.128

Laptop to 192.168.0.3 / 255.255.255.128

I can ping the laptop from Firewall but not the reverse.

Please see attached my traffic rules. Do they look right?

192.168.10.7 is the firewall internal address.

[Updated on: Tue, 04 December 2012 17:17]

silars
NIC 3 = Trusted/Local Interface?
You have a rule allowing Trusted/Local Interfaces to access the Control device?

Keep in mind, you don't need to be able to ping the firewall for this to work.
SMKP
I've just uploaded our rules - please see my previous post.
silars
You'll need to add a rule that basically says: "Access to Firewall", Source: "Trusted/Local Interfaces", Destination: "Firewall", Service: "Any", Action: "Allow".

[Updated on: Tue, 04 December 2012 17:28]

SMKP
Still no joy - laptop won't connect to Internet
silars
Based on your current rules, you may not want the DMZ interface as a Trusted/Local Interface. This isn't a problem. It just means you'll need more rules to describe your network reachability.
silars
SMKP wrote on Tue, 04 December 2012 11:31
Still no joy - laptop won't connect to Internet


Can the laptop ping the firewall now? The rules I posted will only fix that problem.

Internet is a completely different problem. For one, you didn't list a DNS for the laptop. Are you testing Internet connectivity using DNS names, or are you using remote IPs? If you are using names, I don't believe you'll see much success.
SMKP
Would the laptop DNS setting be the same as the rest of our network - i.e. 192.168.10.20 - our SBS 2011 server?

I believe that if the laptop can see the internet, then their VPN setup will work.

I'll get the client's IT Manager to have a read of this thread - hopefully he can offer some assistance as to their requirements better than me - I'm not an IT person as such, just someone with a basic understanding of things.

Thanks for your assistance

Simon