Diverting the traffic through DMZ
Jan 29th, 2009

Hi,

I have two networks, 1 & 2. Both have separate internet connections.

ASA1 in network1 has three interfaces: inside (192.168.1.0/24), dmz (172.16.1./24) and outside (56.*.*.*/28). Its DMZ has connectivity to a layer 3 switch of the second network, network2. Network2 has some servers with public IP 210.*.*.23, DNS name mywebsite.com and corresponding private IP 10.10.128.121.

Right now, when a host in 192.168.1.0/24 requests mywebsite.com or the 210.*.*.23 server, the traffic routes through the internet, causing wastage of internet bandwidth.

Could anyone please help me to direct this traffic (i.e. all traffic from 192.168.1.0/24 to mywebsite.com or 210.*.*.23) through the DMZ of the ASA to the layer 3 switch?

This layer 3 switch in network2 is behind ASA2, so the traffic to 210.*.*.23 has to be NATed to 10.10.128.121 also.

Your help is highly appreciated.

Regards

Mo'ath Al Rawashdeh Fri, 01/30/2009 - 00:36

Hi,

First of all, you need static routes (on both of your ASAs and your layer 3 switches).

You will also need proper access rules to allow this.

One more thing, you will need NAT exclude for packets moving between the 2 networks.

If you need more details, please attach a diagram of your network.

Cheers,

Muath

Jithesh K Joy Fri, 01/30/2009 - 01:58

Hi Mauth,

Thanks for your response. I have added access-lists & routes, but my concern is how to NAT my destination public IP (210.*.*.23) to 10.10.128.121 in ASA1 and divert that traffic through its DMZ.

Regards

Jithesh

Mo'ath Al Rawashdeh Fri, 01/30/2009 - 02:48

Hi Jithesh,

Let me ask you a question: for the 210.*.*.* network, are the public IP addresses directly assigned to the servers, or do they have private IP addresses that are statically NATed to public IPs on ASA2?

Jithesh K Joy Fri, 01/30/2009 - 03:01

Hi Mauth,

They have private IP addresses and are statically NATed to public IPs on ASA2.

So can we NAT the destination IP (210.*.*.*) to 10.10.128.121 in ASA1?

Regards

Jithesh

Mo'ath Al Rawashdeh Fri, 01/30/2009 - 03:13

No need,

It is simple: do a NAT exclude on both firewalls so that traffic between 192.168.1.0/24 and 10.10.128.0/24 doesn't get NATed, and both networks will be able to connect using their private IP addresses.

Cheers,

Jithesh K Joy Fri, 01/30/2009 - 03:19

I am sorry. I could not express myself.

ASA1 is connected to a layer 3 switch which is behind ASA2. So this traffic will not pass through ASA2.

Thanks

Mo'ath Al Rawashdeh Fri, 01/30/2009 - 03:31

Since traffic will not be passing through ASA2, it's enough to do NAT exclude on ASA1.

NAT exclude shall look something like this:

access-list nat-exclude-acl line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0

nat (inside) 0 access-list nat-exclude-acl

On ASA1, you also need to add a static route that looks something like this:

route DMZ 10.10.128.0 255.255.255.0 X

where X is the IP address of the layer 3 switch (the next hop).

On the layer 3 switch, you will need a static route that looks like this:

ip route 192.168.1.0 255.255.255.0 Y

where Y is the IP address of the DMZ interface on ASA1 (the next hop).

Cheers
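The pieces from this thread assembled into one configuration, as an added example and not something any of the posters wrote. It uses the pre-8.3 ASA syntax (the nat 0 / static model current in 2009; 8.3 and later replace it with object NAT). Assumed values: ASA1's DMZ interface is 172.16.1.1, the network2 layer 3 switch is 172.16.1.2, and 210.X.Y.23 is a placeholder for the public IP the thread masks. It also addresses Jithesh's remaining concern, the destination NAT of the public IP, with a static on the (DMZ,inside) pair, and it keeps the inside access rule to the one server and its web ports, because this link bypasses ASA2 and ASA1's inside ACL becomes the only control on it.

```cisco
! ---- ASA1 (pre-8.3 syntax) ----
! 1. Route the server subnet out the DMZ instead of the default route.
route DMZ 10.10.128.0 255.255.255.0 172.16.1.2
!
! 2. NAT exemption: inside hosts keep their 192.168.1.x source address toward
!    10.10.128.0/24, so the server (and the switch) can route replies back.
access-list nat-exclude-acl extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0
nat (inside) 0 access-list nat-exclude-acl
!
! 3. Inside hosts resolve mywebsite.com to the public IP. This static rewrites
!    destination 210.X.Y.23 (placeholder) to the private 10.10.128.121 and
!    sends the flow out the DMZ, so no DNS change is needed.
static (DMZ,inside) 210.X.Y.23 10.10.128.121 netmask 255.255.255.255
!
! 4. Least privilege on the inside interface. Pre-8.3 ACLs match the address
!    as the inside host sends it (the public IP, before the static applies).
!    Allow only web traffic to the server, block the rest of network2's subnet,
!    then keep normal internet access for everything else.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 210.X.Y.23 eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 210.X.Y.23 eq https
access-list inside_access_in extended deny ip any 10.10.128.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! ---- Layer 3 switch in network2 (IOS) ----
! Return path: replies to 192.168.1.0/24 go back to ASA1's DMZ interface.
ip route 192.168.1.0 255.255.255.0 172.16.1.1
```

Two checks before trusting it: on ASA1, `packet-tracer input inside tcp 192.168.1.10 12345 210.X.Y.23 80` should show the static translating the destination to 10.10.128.121 and the egress interface as DMZ; and the server's own default gateway must be the layer 3 switch (or the switch must otherwise be on the return path), since a reply that leaves via ASA2 instead is asymmetric and will be dropped by ASA1's stateful inspection.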
