ralzaga Apprentice 55 posts since Apr 13, 2012

Nov 15, 2012 9:49 PM
Route and Network objects

Hi,

     My client has 3 networks: a DMZ, Network A, and a Network B behind another firewall. I created three zones for the said networks. The MFE firewall and DMZ need to be accessed by Network A and B.

1.) Do I need to create a static route on the firewall, or just simply create a rule that allows Network A and B to access the firewall and DMZ?

2.) How do I add static routes? What should I put in:

a.) Destination

b.) Gateway

3.) How do I add a Host in network objects? What should be in:

Host:

DNS

and do I need to create an IP address for the Host?

  • PhilM Champion 528 posts since Jan 7, 2010
    1. Nov 16, 2012 2:34 AM (in response to ralzaga)
    Re: Route and Network objects

    Assuming that the hosts on DMZ and Network A are using the local MFE interface IP address as their default gateway, then the only static route you should need to create on MFE is one which allows traffic to be routed back to Network B via the "other" firewall.


    When creating the route, the destination would be 10.0.0.0/24 and the gateway would be the external IP address of the other firewall.


    Any traffic between Network A and the DMZ shouldn't require any additional routes, as both are connected directly to MFE (just as long as MFE is either the configured default gateway or the router being used as the default gateway sends all non-local traffic to MFE).


    As far as network objects are concerned, they are only really used in the access control rules. So if you want to create rules with restricted sources and/or destinations, then you will need to create appropriate network object entries.


    Whether you should create "Host" network objects is a different question. Host objects will obviously need access to DNS in order to forward- and reverse-resolve themselves to the correct IP addresses. So, success or failure is really down to how you have configured DNS and how reliable it is. Ultimately, when I was trained on this product back at version 5, I was advised to avoid using host (or domain) objects unless it was absolutely necessary to do so; use IP address objects instead.


    At the end of the day (as he always said), "If DNS breaks, then everything breaks!"


    -Phil.
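    The DNS dependency Phil describes, as an added illustration (not MFE code, and not from either poster): a toy first-match policy evaluator with two kinds of source object. An IP object matches by address alone; a host object must forward-resolve its name and then check that the PTR record for each returned address agrees with the forward record, and it matches nothing if either lookup fails, so the rule fails closed the moment DNS does. The zone data, hostnames, addresses and the `Resolver` / `BrokenResolver` classes are all constructed for the example.

```python
"""Why host (DNS) objects fail when DNS does, and IP objects do not.

Added illustration, not MFE code: a toy policy evaluator with two kinds of
network objects. All names and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

IPv4 = ipaddress.IPv4Address


class DNSError(Exception):
    """Raised when the resolver cannot answer (timeout, SERVFAIL, NXDOMAIN...)."""


class Resolver:
    """Tiny stand-in for the firewall's resolver, backed by constructed zone data."""

    def __init__(self, forward: Dict[str, List[str]], reverse: Dict[str, str]):
        self.forward_map = forward
        self.reverse_map = reverse

    def forward(self, name: str) -> List[str]:
        if name not in self.forward_map:
            raise DNSError(f"NXDOMAIN {name}")
        return self.forward_map[name]

    def reverse(self, addr: str) -> str:
        if addr not in self.reverse_map:
            raise DNSError(f"no PTR for {addr}")
        return self.reverse_map[addr]


class BrokenResolver(Resolver):
    """Simulates a DNS outage: every query fails."""

    def forward(self, name):
        raise DNSError("DNS unreachable")

    def reverse(self, addr):
        raise DNSError("DNS unreachable")


@dataclass
class IPObject:
    network: ipaddress.IPv4Network

    def matches(self, addr: IPv4, resolver: Resolver) -> bool:
        return addr in self.network           # no DNS involved at all


@dataclass
class HostObject:
    name: str

    def matches(self, addr: IPv4, resolver: Resolver) -> bool:
        try:
            forward = resolver.forward(self.name)
            # keep only addresses whose PTR record agrees with the A record
            consistent = [a for a in forward if resolver.reverse(a) == self.name]
        except DNSError:
            return False                      # fail closed: unresolved host matches nothing
        return str(addr) in consistent


@dataclass
class Rule:
    source: Union[IPObject, HostObject]
    destination: IPObject
    action: str


def evaluate(rules: List[Rule], src: str, dst: str, resolver: Resolver) -> str:
    """First-match evaluation with an implicit final deny."""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if rule.source.matches(s, resolver) and rule.destination.matches(d, resolver):
            return rule.action
    return "deny"


# Constructed zone data: app2's PTR points at a different name (inconsistent DNS).
WORKING = Resolver(
    forward={"app1.example.test": ["192.168.20.10"], "app2.example.test": ["192.168.20.11"]},
    reverse={"192.168.20.10": "app1.example.test", "192.168.20.11": "db.example.test"},
)
BROKEN = BrokenResolver({}, {})

DMZ = IPObject(ipaddress.IPv4Network("192.168.10.0/24"))
HOST_RULES = [Rule(HostObject("app1.example.test"), DMZ, "allow"),
              Rule(HostObject("app2.example.test"), DMZ, "allow")]
IP_RULES = [Rule(IPObject(ipaddress.IPv4Network("192.168.20.0/24")), DMZ, "allow")]

if __name__ == "__main__":
    for label, resolver in (("DNS up", WORKING), ("DNS down", BROKEN)):
        print(label, "| host rule:", evaluate(HOST_RULES, "192.168.20.10", "192.168.10.5", resolver),
              "| IP rule:", evaluate(IP_RULES, "192.168.20.10", "192.168.10.5", resolver))
```

    Note that app2 is denied even while DNS is up: its A and PTR records disagree, which is the "forward and reverse resolve" condition in the reply. Whether a real MFE host object fails closed or keeps a cached answer during an outage is product behaviour this thread does not state; the point of the toy is only that the rule's outcome now depends on a service outside the firewall.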

  • mtuma McAfee SME 314 posts since Nov 3, 2009
    3. Nov 19, 2012 11:35 AM (in response to ralzaga)
    Re: Route and Network objects

    Hello,


    1) Yes, an ACL should be all you need here.

    2) You do need a static route so that the McAfee Firewall knows how to get to Network B. The route should essentially say: to get to Network B, go to "Other Firewall".


    -Matt
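    The routing point made in both replies above (Phil's "destination 10.0.0.0/24, gateway = the other firewall's external IP" and Matt's "to get to Network B, go to Other Firewall"), as an added walk-through that is not MFE code and not from either poster. It builds the firewall's routing table with and without the static route and does a longest-prefix lookup: without the route, a packet for 10.0.0.5 falls to the default route and leaves the external interface; with it, the packet goes to the other firewall on Network A. It also performs the check a practitioner wants before committing a static route: the gateway must sit on a network the firewall is directly connected to, or the route is unusable. Only 10.0.0.0/24 comes from the thread; the interface names, the other addresses and the placement of the other firewall's external interface on Network A are constructed assumptions.

```python
"""Longest-prefix routing lookup for the topology in this thread.

Added illustration, not MFE code. Addresses other than Network B's 10.0.0.0/24
are constructed for the example.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4 = ipaddress.IPv4Address


class Route(NamedTuple):
    prefix: IPv4Net
    gateway: Optional[IPv4]   # None = directly connected
    interface: Optional[str]  # only known up front for connected routes


# Constructed topology (assumption): MFE has three interfaces, and the "other"
# firewall's external interface sits on Network A at 192.168.20.254.
CONNECTED = [
    Route(IPv4Net("192.168.10.0/24"), None, "em1"),   # DMZ
    Route(IPv4Net("192.168.20.0/24"), None, "em2"),   # Network A
    Route(IPv4Net("203.0.113.0/29"), None, "em0"),    # external
]
DEFAULT = Route(IPv4Net("0.0.0.0/0"), IPv4("203.0.113.1"), None)
TO_NETWORK_B = Route(IPv4Net("10.0.0.0/24"), IPv4("192.168.20.254"), None)


def build_table(with_static_route: bool) -> List[Route]:
    table = CONNECTED + [DEFAULT]
    if with_static_route:
        table.append(TO_NETWORK_B)
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Most specific matching prefix wins (the default route matches everything)."""
    addr = IPv4(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (next hop, egress interface) for dst.

    A static route's gateway must itself lie on a connected network; otherwise
    the firewall has no interface to send the packet out of and the route is
    unusable, which is reported here as a ValueError.
    """
    route = lookup(table, dst)
    if route.gateway is None:
        return ("connected", route.interface)
    via = [c for c in table if c.gateway is None and route.gateway in c.prefix]
    if not via:
        raise ValueError(f"gateway {route.gateway} is not on any connected network")
    return (str(route.gateway), via[0].interface)


if __name__ == "__main__":
    for flag in (False, True):
        table = build_table(flag)
        print("static route" if flag else "no static route", "->",
              "10.0.0.5 via", egress(table, "10.0.0.5"),
              "| 192.168.10.7 via", egress(table, "192.168.10.7"))
```

    The DMZ and Network A lookups return "connected" with or without the static route, which is Phil's point that traffic between them needs no extra routing; only Network B needs the explicit entry, and only the ACL (Matt's point 1) then decides whether the traffic is permitted.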
