21.7 Legacy Series / Migration from Cisco ASA - DMZ challenges
« on: September 07, 2021, 12:58:08 pm »
Hi OpnSense-brains, sorry for the long post.
I am in the process of exchanging an old Cisco ASA for an OpnSense firewall. The most straightforward configuration and features are done and tested.
I do have one obstacle that I need to address before I can make the switch, let me try and explain:
On our WAN-interface we have a /24 IP address range, we have subnetted the WAN range into 4 /26 networks.
Let’s assume that our WAN range is 193.234.129.0/24 - it’s not. Our current network looks like this:
193.234.129.1 ISP’s router
193.234.129.2 (OUTSIDE-interface) our firewall
The first /26 address range is used for NAT’ing different services to some RFC1918 VLANs.
193.234.129.64/26 (VLAN-DMZ1), 193.234.129.128/26 (VLAN-DMZ2), 193.234.129.192/26 (VLAN-DMZ3)
Servers on the DMZ-networks have public IP addresses. Access rules to the internet are managed on the VLAN-DMZx interfaces, access to servers/services on the VLAN-DMZx networks from the internet is managed on the OUTSIDE-interface.
Some servers on the VLAN-DMZx networks must have access to servers on our RFC1918-networks, it may be an SQL-database, LDAP, Remote Desktop Host servers and what not.
Some servers on the VLAN-DMZx may for different reasons not be NAT’ed.
Is it possible to replicate the setup, with regards to the VLAN-DMZx-setup mentioned above, on OpnSense? If not, which way would you go about to solve the challenge?
Please advise
Best regards
Elfrom
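As an added example (not part of the post or of OPNsense), the following Python snippet models the address plan described above using the poster's placeholder range: it checks that the four /26s tile the /24 without overlap, classifies an address as NAT pool, routed DMZ VLAN, RFC1918 or internet, and reports which interface's rule set governs a flow under the poster's model (inbound to a DMZ host on OUTSIDE, anything leaving a DMZ VLAN on that VLAN-DMZx interface). The interface names and the assumption that the ISP router and OUTSIDE address sit inside the first /26 are assumptions.

```python
from ipaddress import collapse_addresses, ip_address, ip_network

# Constructed address plan mirroring the post. 193.234.129.0/24 is the
# placeholder range from the post, not a real allocation.
WAN = ip_network("193.234.129.0/24")
ISP_ROUTER = ip_address("193.234.129.1")
OUTSIDE = ip_address("193.234.129.2")
NAT_POOL = ip_network("193.234.129.0/26")   # public IPs NAT'd to RFC1918 VLANs (assumed first /26)
DMZ = {                                      # routed public subnets, no NAT
    "VLAN-DMZ1": ip_network("193.234.129.64/26"),
    "VLAN-DMZ2": ip_network("193.234.129.128/26"),
    "VLAN-DMZ3": ip_network("193.234.129.192/26"),
}


def plan_is_consistent():
    """The four /26s must tile the /24 exactly, must not overlap, and the
    infrastructure addresses must live in the NAT pool, not in a routed DMZ."""
    pieces = [NAT_POOL, *DMZ.values()]
    tiled = list(collapse_addresses(pieces)) == [WAN]
    no_overlap = all(not a.overlaps(b)
                     for i, a in enumerate(pieces) for b in pieces[i + 1:])
    infra_ok = all(ip in NAT_POOL for ip in (ISP_ROUTER, OUTSIDE))
    return tiled and no_overlap and infra_ok


def classify(addr):
    """Name the zone an address belongs to: a routed DMZ VLAN, the NAT pool,
    an RFC1918 (internal) network, or the internet."""
    ip = ip_address(addr)
    for name, net in DMZ.items():
        if ip in net:
            return name
    if ip in NAT_POOL:
        return "NAT-POOL"
    if ip.is_private:
        return "RFC1918"
    return "INTERNET"


def governing_interface(src, dst):
    """Which interface's ruleset decides a flow under the poster's model:
    internet -> DMZ host is filtered on OUTSIDE; anything leaving a DMZ VLAN
    (to the internet or to RFC1918 servers) is filtered on that VLAN-DMZx."""
    s, d = classify(src), classify(dst)
    if s == "INTERNET" and d.startswith("VLAN-DMZ"):
        return "OUTSIDE"
    if s.startswith("VLAN-DMZ"):
        return s
    return "UNHANDLED"   # e.g. RFC1918 -> DMZ, which the post does not describe
```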