Sonicwall DMZ/VPN between multiple locations.



I run a small I.T. shop and I have a client that I'm getting stumped on how to setup.

 

This client runs 4 pizza shops and opened a small central corp office a few months ago.  I setup a VPN between the corp office and all 4 stores with a Sonicwall TZ 205 at the corp site and TZ 105's at the remote stores.  The VPN and everything is working fine.

 

There is now a new online ordering system that needs to go into place.  The point of sale company is stating we have to have a server that accepts the online orders on a DMZ.  Then this server on the DMZ needs to talk to the PoS server at each store without breaking PCI compliance.

 

I'm not understanding how to do this if the PoS server at each store is on the private LAN which is also connected to the corporate VPN.  There is only one port open on the DMZ server for communication, but when I call the PoS company to remote in and set up their software, they log in to the DMZ server saying they can't see the store PCs on the VPN.  I thought the DMZ server is not supposed to be able to see the computers on the private LAN.  Wouldn't that break the protection and not pass PCI compliance?

 

I have attached a short PDF document from the PoS company that explains what needs to be done.  After trying and trying to get this working, I can't, and I'm asking the Neowin community for support.

 

Maybe I just don't understand, but how can I make this work if we have a site-to-site VPN already in place?  Do they mean we need 2 VPNs?  I have another PDF document I can post if you need more information, but it's just a dumbed down version of how to do a DMZ with two Linksys routers.

 

On another note with the alt setup, another way to do this is to have a DMZ server at each store location that handles the online orders.  Then we use two routers to create a DMZ if you want to call it that.  Of course that means the second router is the private LAN at each store and how do I VPN those together if the DMZ computer is the first router at the store with the WAN IP?

 

Focus on the first part for help.  The last paragraph is my last way out if I can figure it out, but I'm thinking I'm going to lose my VPN and then have to purchase more servers.  Thanks!

TRAINING-VPNSetupTrainingGuide-291013-0839-190.pdf


"if the PoS server at each store is on the private LAN which is also connected to the corporate VPN."

So?

So you have a firewall/router at HQ; it has 2 network segments, LAN and DMZ, and then the internet.

Stores have internet and a network segment. Let's say you have this:

192.168.1.0/24 hqlan

192.168.2.0/24 hqdmz

192.168.3.0/24 store1

192.168.4.0/24 store2

etc..

So you create a VPN connection via a transient network; let's call it 10.0.0.0/24.

It's quite simple in your firewall rules to say that hqdmz can talk to the store1 network, while the store network cannot talk to hqlan, all over the VPN connection.

Not understanding what you're confused about? Since when does a VPN connection give you an IP address directly in a LAN?


I appreciate the reply and effort in helping me.  I don't understand how to set the rules in the Sonicwall then, or maybe I'm not understanding properly.  A little more on their current setup then to help me understand.

 

192.168.0.0/24 hqlan

10.1.1.0/24 hqdmz

I have 2 static WAN IPs.

I have one static WAN on X1 for corporate internet (192.168.0.0).

I have another static WAN on X2 set up as DMZ with NAT (10.1.1.0).

I have the online ordering server on the DMZ on X2 at 10.1.1.10.

 

This is how you make a DMZ, right?  The DMZ network gets its own internal IP via NAT, or each host uses its own static WAN IP?  So these are set up like two different subnets that can't pass traffic to each other?  Then you have to use port forwarding to access those services, like if they were at a different location altogether?  This is how I'm understanding a DMZ.  Two subnets that can't talk to each other directly.

 

This is maybe why I'm wrong and confused as to how you get the server on the DMZ to securely talk to the ordering computer within the LAN at each store via the corporate VPN?

 

192.168.1.0/24 store1 -- vpn to 192.168.0.0

192.168.2.0/24 store2 -- vpn to 192.168.0.0

192.168.3.0/24 store3 -- vpn to 192.168.0.0

192.168.4.0/24 store4 -- vpn to 192.168.0.0


"Then you have to use port forwarding to access those services"

What? Why would you be NATting between RFC1918 addresses?

"Two subnets that can't talk to each other directly."

No, that is not what a DMZ is -- a DMZ is just a firewalled network segment.

Here is their drawing.. So what do you not understand about the rules and routing? I put up some networks so we can discuss.

post-14624-0-82948600-1384863964.png

So in the HQ firewall/router you have rules that the DMZ cannot create traffic into hqlan. But hqlan can create traffic into the DMZ.

Stores can create traffic into the DMZ, and depending, since you're not letting your stores create traffic into your hqlan, you could consider them in the DMZ. So your stuff in your hqdmz could create traffic into the stores.

Here is how Wikipedia defines DMZ:

DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

It comes down to: it's just a network segment that is firewalled off from your normal trusted LAN.. So for example you might have 20 different network segments on your LAN, but nothing can create traffic into them from the internet. Your webservers sit on a different segment 21, and there is a firewall between your LAN and your DMZ.. This is all a DMZ is.

You would not create port forwards between your local segments; there would be no NAT.. There is only NAT between your public IP space and your RFC1918 space.

As to routing -- again, lost as to where you don't understand such a basic setup?? Your HQ firewall/router would have the routes to these store networks, and if you're wanting to get there he would know what 10.0.0.x address to send it to.

Those store firewall/routers would say oh, you're coming from the DMZ, ok you can talk to X on port Y.. Oh wait, you're coming from the hqlan -- sure, ok you can do the same thing.

But the HQ firewall/router rules say oh, you're coming from the store to talk to hqlan -- sorry. Oh, you want to talk to hqdmz .x and port Y -- sure, that is allowed.

There is no NAT; you would only NAT when you go from RFC1918 to public space (internet).


This is great, I think I'm getting somewhere.

 

I saw you changed the subnet on the DMZ from the 10.0.0.0 I had in the previous post to 192.168.4.0.  Are you saying I need to create a VPN on 10.0.0.0, or was that just a representation of the Internet?

 

I think where I'm not understanding is how do I get the computers on the VPN to talk to the DMZ server?

If my understanding is correct (maybe I'm wrong and this is where I'm lost), the port forwarding is what gives you protection from connections from the internet.  Meaning that I would host a server on a LAN subnet with NAT and all ports closed.  Then I would port forward, let's say the FTP:21 port, for example, without a DMZ.  Then the outside only has access via that port to a service running on the inside.  Then you have to rely on the security of the FTP server application to not have security issues while that port is open.

If this is the correct understanding, when I call Speedline for support after I have set up a DMZ on the Sonicwall, they complain that they can't connect to the store computers from the DMZ server.  I'm figuring if I allow access from the DMZ server to a LAN/VPN computer, then I just broke that security, since now if the DMZ server gets hacked, that server has access to the LAN subnet or at least one of the store subnets since it's able to pass traffic around.  Am I getting this right?


"I think where I'm not understanding is how do I get the computers on the VPN to talk to the DMZ server?"

What? Through your VPN..

Sounds like you don't have any sort of VPN set up at all. No, you don't have to use 10; you can use whatever network you want for your VPN network.

Sounds more like you're just port forwarding over the public internet or something.

What network is your VPN?

What is this supposed to mean:

192.168.1.0/24 store1 -- vpn to 192.168.0.0

192.168.2.0/24 store2 -- vpn to 192.168.0.0

192.168.3.0/24 store3 -- vpn to 192.168.0.0

192.168.4.0/24 store4 -- vpn to 192.168.0.0

Are you saying you use a VPN network that is the same as the network you're on and going to? No wonder you're having a hard time understanding then.

No, the 10 network I put on the drawing is not the internet -- it's just a different network than your other network segments. It's a simple VPN transient network.

Can you post the route table from your location with the LAN and the DMZ??

See this updated drawing where your VPN connections are on the 10 -- so this is a net segment; this is just basic routing, dude..

post-14624-0-10012800-1384954957.png

So you have 3 site-to-site connections, one to each store.. You could use all on the 10 network, or you could use different network segments for each site-to-site VPN.

So at store 1, 192.168.1.0/24, I want to go to the DMZ -- what does store one's route table look like?

So he has route table entries like this:

192.168.0.0/24 - 10.0.0.1

192.168.4.0/24 - 10.0.0.1

Now if he wants to go to other stores, he still has to route through the HQ router, so:

192.168.3.0/24 - 10.0.0.1

Now your HQ router would have these routes:

192.168.1.0/24 - 10.0.0.2

192.168.2.0/24 - 10.0.0.3

192.168.3.0/24 - 10.0.0.4

Now stores might have routes to 192.168.0.0/24, but the firewall portion of your router/firewall would not allow that traffic. Or it might only allow specific pinholes.. like to a printer on 192.168.0.14 on port 9100, etc..

Keep in mind that the above is a simplistic version.. Your VPN connections with a site-to-site would normally be, say, a /30, so your 3 connections might be:

10.0.0.0/30

10.0.0.4/30

10.0.0.8/30

So you would have:

10.0.0.1 - 10.0.0.2

10.0.0.5 - 10.0.0.6

10.0.0.9 - 10.0.0.10

So each store's route to other networks would point to the HQ endpoint of their VPN connection.

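The routing and firewall model Budman lays out in the two posts above (HQ LAN, HQ DMZ, three stores, /30 transient tunnels, DMZ never initiating into the trusted LAN, stores limited to pinholes) as a small added Python simulation. This is example code written for this page, not the poster's Sonicwall configuration; the PoS port 5000 and the store zone names are assumed placeholders.

```python
import ipaddress

# Constructed topology following the thread's drawing (not the poster's real config):
# HQ LAN 192.168.0.0/24, HQ DMZ 192.168.4.0/24, stores 192.168.1-3.0/24,
# tunnels on /30s: HQ ends 10.0.0.1/.5/.9, store ends 10.0.0.2/.6/.10.
ZONES = {name: ipaddress.ip_network(net) for name, net in [
    ("hqlan", "192.168.0.0/24"), ("hqdmz", "192.168.4.0/24"),
    ("store1", "192.168.1.0/24"), ("store2", "192.168.2.0/24"), ("store3", "192.168.3.0/24")]}

# Route tables as (destination prefix, next hop). Each store points everything at the HQ end
# of its own tunnel; HQ points each store prefix at that store's tunnel endpoint.
ROUTES = {
    "hq": [("192.168.1.0/24", "10.0.0.2"), ("192.168.2.0/24", "10.0.0.6"), ("192.168.3.0/24", "10.0.0.10")],
    "store1": [("192.168.0.0/24", "10.0.0.1"), ("192.168.4.0/24", "10.0.0.1"), ("192.168.3.0/24", "10.0.0.1")],
}

def next_hop(router, dst):
    """Longest-prefix match over the router's table; None means no route (dropped)."""
    best = None
    for prefix, hop in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

POS_PORT = 5000  # assumed placeholder for the single port the ordering server uses

# HQ firewall policy: (src zone, dst zone, dst host, dst port, allow). First match wins,
# anything unmatched is denied. "store*" matches any store zone. No NAT anywhere: all RFC1918.
POLICY = [
    ("hqdmz", "hqlan", None, None, False),              # DMZ may never initiate into trusted LAN
    ("hqlan", "hqdmz", None, None, True),               # trusted LAN may reach the DMZ
    ("store*", "hqdmz", None, None, True),              # stores may reach the DMZ
    ("hqdmz", "store*", None, POS_PORT, True),          # ordering server -> store PoS, one port only
    ("store*", "hqlan", "192.168.0.14", 9100, True),    # pinhole: stores -> one printer on 9100
    ("store*", "hqlan", None, None, False),             # everything else from stores to hqlan: deny
]

def _match(pattern, zone):
    return pattern == zone or (pattern.endswith("*") and zone.startswith(pattern[:-1]))

def allowed(src_ip, dst_ip, dport):
    """Evaluate a new connection attempt against POLICY; returns True if permitted."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for s, d, host, port, verdict in POLICY:
        if _match(s, src) and _match(d, dst) and host in (None, dst_ip) and port in (None, dport):
            return verdict
    return False
```

A compromised DMZ host therefore reaches a store PoS only on POS_PORT and never reaches hqlan, which is the property the PCI question in the thread is really about.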

Budman,

 

I had to flush my brain on this project for a few days to complete another one.  Now that is done.

 

I have a site to site VPN at each location.  I have reverted everything to the basic setup without the DMZ, but with the corp office to store VPN.

 

I don't know why I'm having such a hard time understanding this.  I'm not new, but maybe this network part is more than I've done.  Just basic Point-2-Point and end-client VPNs.  That's why I like Sonicwall because it's easy (easier than Cisco or Watchguard) and very reliable.

 

Right now I have a site-to-site VPN between all locations connecting their LANs together.  Are you stating I need to have a VPN that does not link to any office/store LAN, but only to the routers creating that 10.0.0.0 network?  Then I need special privileges to allow the stores' internal networks and the DMZ network to talk to each other?  Right now I just have it straight up point to point.  If this is the case then I don't have a clue how to do that in Sonicwall.  lol


Dude, how do you have point to point without a transient network?

You have a network:

networkA IP (router) IP --- vpn ---- IP (router) IP networkB

What are the IPs in your setup? Keep in mind that yes, there are public IPs in use for the internet as well.

Ok, let's just say you don't use addresses on the tunnel itself, and just point traffic down the tunnel.. Still done the same way: firewall rules blocking or allowing traffic at the different firewall/routers.

All a DMZ is is a firewalled network segment, that is ALL. Whether the addresses are on the tunnel or not is not really the point; it's just easier to show the routing with IPs on the tunnel endpoints vs. just the tunnel as the route, but the tunnel can be the route, yes.

So your route table looks like:

192.168.1.0/24 - tunnel 1

192.168.2.0/24 - tunnel 2

192.168.3.0/24 - tunnel 3

Now each store's routes would be down their only tunnel to the HQ.


I got it figured out.  Went in today and re-evaluated everything, spoke with the PoS tech support and spent a few hours, and now good to go.  Thanks for the help.  It did help a lot.
