Wednesday, November 11, 2009

More Demilitarized Zones on VMware


You may have a requirement to maintain more than one DMZ zone in a high-security environment. This short example gives you a basic idea of how to deploy several DMZs (as many as your hardware supports). Since VMware vSphere came into the picture there are many ways of doing this, but here I used a Cisco ASA series firewall (an ASA 5505, or even the old PIX series, will do), an HP ProCurve managed switch and a VMware ESXi host.

Let's start from the firewall. You need a minimum of three interfaces for this setup; one of them will be your DMZ interface, and on that interface ("Ethernet0/2") I used the following trunking configuration:
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.1
vlan 10
nameif dmz1
security-level 50
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2.2
vlan 20
nameif dmz2
security-level 50
ip address 192.168.20.254 255.255.255.0
!

Now you need to tell your switch about this VLAN tagging so that it switches the tagged frames correctly. The configuration is easy; I did it as follows:

vlan 20
name "VLAN20"
tagged 13,15
no ip address
exit
vlan 10
name "VLAN10"
tagged 13,15
no ip address
exit

Now you need to create a vSwitch on the VMware host, bound to the physical uplink you plan to use for this deployment. See the example diagram below:
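As an added example (not part of the original post), here is a small Python checker that cross-reads the ASA subinterface and ProCurve VLAN definitions above together with the vSwitch port-group VLAN IDs and reports where the three layers disagree. Ports 13 and 15 are the tagged trunk ports from the switch config; the port-group names and the VLAN 4095 entry are assumed sample values.

```python
import re
# Constructed inputs modelled on the post's ASA and ProCurve snippets; the switch
# omits port 15 from VLAN 10 and a stray VLAN 4095 port group gives the checker work.
ASA_CONFIG = """
interface Ethernet0/2.1
 vlan 10
 nameif dmz1
interface Ethernet0/2.2
 vlan 20
 nameif dmz2
"""
PROCURVE_CONFIG = """
vlan 20
 tagged 13,15
vlan 10
 tagged 13
"""
PORTGROUPS = {"dmz1": 10, "dmz2": 20, "dmz-all": 4095}  # ESXi port group -> VLAN ID (assumed)
TRUNK_PORTS = {13, 15}  # switch ports facing the ASA and the ESXi host

def parse_asa(text):
    """Map each ASA subinterface nameif to its 802.1Q VLAN ID."""
    zones = {}
    for block in re.split(r"^interface ", text, flags=re.M)[1:]:
        vlan = re.search(r"^\s*vlan (\d+)", block, re.M)
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        if vlan and name:
            zones[name.group(1)] = int(vlan.group(1))
    return zones

def parse_procurve(text):
    """Map each switch VLAN ID to the set of ports carrying it tagged."""
    vlans = {}
    for block in re.split(r"^vlan ", text, flags=re.M)[1:]:
        tagged = re.search(r"^\s*tagged ([\d,]+)", block, re.M)
        ports = {int(p) for p in tagged.group(1).split(",")} if tagged else set()
        vlans[int(block.split()[0])] = ports
    return vlans

def check_dmz_isolation(zones, vlans, portgroups, trunk_ports):
    """Return findings where firewall, switch and vSwitch VLANs disagree."""
    findings = []
    for zone, vlan in zones.items():
        missing = trunk_ports - vlans.get(vlan, set())
        if missing:  # a trunk port not tagged for this VLAN silently drops the DMZ
            findings.append(f"{zone}: VLAN {vlan} not tagged on switch ports {sorted(missing)}")
        if portgroups.get(zone) != vlan:
            findings.append(f"{zone}: port group VLAN {portgroups.get(zone)} != ASA VLAN {vlan}")
    for pg, vid in portgroups.items():
        if vid in (0, 4095):  # untagged or all-VLAN (VGT) port group defeats the separation
            findings.append(f"{pg}: VLAN {vid} is not a single tagged DMZ VLAN")
    return findings
```

Feed it the running configs of the ASA and the switch plus the port-group list from the host and an empty result means every DMZ VLAN is carried consistently end to end.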


Now you are almost done; basically you can control the internal access (security) using a third-party firewall, as shown in the following diagram.


I have assigned an easy IP structure so you can understand this setup easily.
