Firefighting

This is data network day. We removed the SonicWall and replaced it with the Cisco router and ASA firewall. It's been an interesting morning. This doesn't directly have anything to do with phones; it's just the result of changing the network architecture.

The biggest difference is how the DMZ, or demilitarized zone, is handled. We have 3 public servers in the DMZ. The SonicWall and ASA handle DMZs very differently. Using the SonicWall, computers in the DMZ had public IP addresses. The ASA creates a private subnetwork for its DMZ, and you have to create NAT rules that map each public address to a DMZ address. In short, I need to change the IP address of every computer in the DMZ, and then update the internal DNS. No need to worry about external DNS servers since the external IP addresses remain the same.
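As an added illustration of the ASA model described above (not configuration from the original post or from CWPS), this is what a DMZ subnet with a static one-to-one NAT for one public server looks like in ASA 8.3+ syntax. The interface name, the 172.16.10.0/24 DMZ range, the 203.0.113.10 public address and the object name are all constructed placeholders.

```cisco
! DMZ interface: a private subnet behind the ASA, security-level between
! outside (0) and inside (100). Hosts here get 172.16.10.x addresses,
! which is why the internal DNS records have to change.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! One network object per DMZ server. The static NAT maps the server's
! new private address to the public address that external DNS already
! points at, so external DNS records stay as they are.
object network WEB-SERVER
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
!
! Outside -> DMZ is lower -> higher security, so it is denied by default.
! Permit only the services the server actually publishes. In 8.3+ the ACL
! is written against the real (private) address, here via the object.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq https
access-group OUTSIDE_IN in interface outside
!
! Note: DMZ (50) -> inside (100) is also denied by default. That is the
! point of the DMZ; any exception, such as the mail server reaching an
! internal LDAP host, needs its own explicit, narrowly scoped rule.
```

Repeat the object and NAT block for each of the three DMZ servers; one static mapping per host keeps the public-to-private relationship easy to audit.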

One temporary complication is that a computer may have the old DNS entry cached. On a Mac you can either restart it or type the following in the terminal:

dscacheutil -flushcache

In some cases dealing with these IP changes can be a pain. Our copier needed to have its LDAP and SMTP addresses updated since these servers are in the DNS. Our main mail server had to have a new range of IP addresses added for accepting mail. And our backup mail server had to have new entries for the domains it sends mail to (this is limited to our main mail server). When moving computers to new IP addresses there is an increased chance of something going wrong because you forget to fix something.

Another change is remote access. The ASA is able to authenticate logins against LDAP. The CWPS engineer is looking into a method so we can set who may and may not log in remotely. If we had Active Directory (AD) this would be no problem. LDAP is trickier. If we can't define who may and may not, we may just break the connection between the ASA and OD and enter authorized remote users separately, as we did with the SonicWall.

Which brings me to a gripe about Cisco and LDAP and Open Directory. They provide great support for AD, as they should. But LDAP is the stepchild. It should work, but if it breaks, don't count on Cisco for support. I am so happy CWPS is trying to figure all of this out for me.