Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Dual Firewall and VPN access?

Dual Firewall and VPN access?

post #1 of 5
Thread Starter 
So, I am a third year computing student, I am currently doing a module called internet security. For the final part of the module we have to implement a small network. This network uses 5 servers running Windows Server 2008; we have 3 switches, one for the local network, one for the demilitarized zone and one to simulate the internet. We also have two Windows 7 computers to simulate the internal and external employees of the company.
We are very close to completing,
we have a server located on the internal network which holds files with permissions and what not; it also has a DNS server and domain controller,
there is a firewall between the DMZ and the LAN which allows web traffic from internal to external and from VPN users to internal (btw we use Microsoft Threat Management firewall). Email is allowed and so is PPTP; this firewall also has the Windows VPN installed on it, which contacts the domain controller in order to verify the users.
The server located in the DMZ simply hosts the "company's" external website and email server.
The server which acts as a firewall and router (using NAT) between the DMZ and Internet (WAN) allows web traffic in both directions and email in both directions; it also allows PPTP from external to internal.
The external server hosts a website called Tinternet.com (we didn't get to choose the name...) and a DNS server which the local DNS server looks to. This server is meant to simulate the internet.
The external client has the Windows VPN client set up in order to connect to the external firewall's IP address, as it is configured to not be able to see anything else; it can still connect to the DMZ server's website and ping (however ping is disabled now). However, this is unable to connect. I asked our technician, however he has not set up a dual firewall network as he is only one of the PhD students. So my question to OCN is: is there anyone out there that has configured a VPN connection through two firewalls in order to access the files on the LAN server? If so, would they be able to give clear instructions on how to do this? I have attached a network map below.

Thank you
post #2 of 5
http://www.openbsd.org/faq/pf/carp.html
http://www.kernel-panic.it/openbsd/carp/
Edited by CaptainBlame - 4/7/14 at 10:25pm
post #3 of 5
Two firewalls give you nothing extra at all; you can just use one and have it multihomed, kind of like the below
Code:
  |                                      
 Internet                                   
     |                                      
     |                                      
     |                                      
+---------+            In=25,     In=80,    
|         | DMZ                             
|Firewall |----------------+----------+     
|         |            Out=25     443 |     
+---------+                |          |     
     |                +---------++---------+
 Intranet             |Email    ||Web      |
     |                |server   ||server   |
     |                |         ||         |
     |                +---------++---------+
     |     +---------+                      
     |     |Web proxy|                      
     +-----|server   |                      
     |     |         |                      
     |     +---------+


Also PPTP is bad, I'd suggest putting down to use OpenVPN instead!

Is this a theoretical exercise or a lab one? (so I know which hat to put on!)
Edited by Ulquiorra - 4/8/14 at 10:57am
post #4 of 5
Thread Starter 
Weird, the network map didn't upload...
The firewalls are not set for redundancy, which without the network map you would think they were, my bad.
With regards to PPTP sucking super bad, I know, but I tried OpenVPN, came into an issue and the tech told me to use the one the rest of the class are using because he knows how to help with that.
post #5 of 5
Something like this would be better, more secure (less likely to make mistakes in it), and easier to set up

If you want to keep two firewalls, the easiest way of getting it to work how you want is to pass through PPTP to the back end server and not terminate it on the internet facing one, just route it through; then the traffic will pop out on the back end and you can firewall and route it from there.

Failing even that, all you should need to do is add the route on the ext firewall to point 192.168.2.1/24 via ext 1 (assuming that's the DMZ facing one), then a firewall rule to SNAT the traffic on the internal firewall to the 192.168.2.1 address (to avoid martian sourcing); then this should bring it up.
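A small model of the two steps in the reply above (a LAN route on the external firewall, then SNAT on the internal firewall) and why each one changes where the external firewall sends the return traffic. This is an added example, not code from the thread; the LAN and DMZ addresses are constructed because the map never uploaded, with 192.168.2.1 taken as the internal firewall's DMZ-side address as the reply assumes.

```python
import ipaddress

# Constructed lab addressing (assumption: the thread's map never uploaded).
LAN = ipaddress.ip_network("10.0.1.0/24")             # behind the internal firewall
DMZ = ipaddress.ip_network("192.168.2.0/24")          # between the two firewalls
INT_FW_DMZ_ADDR = ipaddress.ip_address("192.168.2.1") # internal firewall, DMZ side

def lookup(routes, dst):
    """Longest-prefix match. routes: list of (network, next_hop_or_iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

# External firewall before the fix: its connected DMZ net plus a default route.
# A reply to a LAN/VPN address matches only the default route and leaves via WAN.
EXT_FW_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
    (DMZ, "dmz"),
]

def with_lan_route(routes):
    """Step 1 from the reply: point the LAN at the internal firewall's DMZ address."""
    return routes + [(LAN, f"via {INT_FW_DMZ_ADDR} on dmz")]

class Snat:
    """Step 2 from the reply: rewrite LAN sources to the internal firewall's DMZ
    address, so the external firewall only ever sees a source it has a route for."""
    def __init__(self, public_addr):
        self.public_addr = ipaddress.ip_address(public_addr)
        self.table = {}          # translated port -> (original src, original sport)
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        src = ipaddress.ip_address(src)
        if src not in LAN:       # not a LAN source: pass through untouched
            return (str(src), sport, dst, dport)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (str(src), sport)
        return (str(self.public_addr), port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reverse translation for replies; unknown state means the packet is dropped."""
        if ipaddress.ip_address(dst) != self.public_addr or dport not in self.table:
            return None
        osrc, osport = self.table[dport]
        return (src, sport, osrc, osport)
```

Without step 1 the external firewall sends replies for the LAN out of its WAN side; with step 2 the source the external firewall sees is on its connected DMZ net, so it needs no extra route at all.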