Diverting the traffic through DMZ

Jan 29th, 2009

Hi,

I have two networks, 1 and 2. Both have separate internet connections.

ASA1 in network1 has three interfaces: inside (192.168.1.0/24), dmz (172.16.1.0/24) and outside (56.*.*.*/28). Its DMZ has connectivity to a layer 3 switch of the second network (network2). Network2 has some servers with public IP 210.*.*.23, with DNS name mywebsite.com and corresponding private IP 10.10.128.121.


Right now, when a host in 192.168.1.0/24 requests mywebsite.com or the 210.*.*.23 server, the traffic routes through the internet, wasting internet bandwidth.

Could anyone please help me direct this traffic (i.e. all traffic from 192.168.1.0/24 to mywebsite.com or 210.*.*.23) through the DMZ of the ASA to the layer 3 switch?

This layer 3 switch in network2 is behind ASA2, so the traffic to 210.*.*.23 has to be NATed to 10.10.128.121 as well.


Your help is highly appreciated.

Regards


Mo'ath Al Rawashdeh Fri, 01/30/2009 - 00:36

Hi,


First of all, you need static routes (on both of your ASAs and your layer 3 switches).


You will also need proper access rules to allow this.


One more thing, you will need NAT exclude for packets moving between the 2 networks.


If you need more details, please attach a diagram of your network.


Cheers,


Muath

Jithesh K Joy Fri, 01/30/2009 - 01:58

Hi Muath,


Thanks for your response. I have added the access-list and routes, but my concern is how to NAT my destination public IP (210.*.*.23) to 10.10.128.121 in ASA1 and divert that traffic through its DMZ.


Regards

Jithesh


Mo'ath Al Rawashdeh Fri, 01/30/2009 - 02:48

Hi Jithesh,


Let me ask you a question: for the 210.*.*.* network, are the public IP addresses directly assigned to the servers, or do they have private IP addresses that are statically NATed to public IPs on ASA2?

Jithesh K Joy Fri, 01/30/2009 - 03:01

Hi Muath,

They have private IP addresses and are statically NATed to public IPs on ASA2.

So can we NAT the destination IP (210.*.*.*) to 10.10.128.121 in ASA1?

Regards

Jithesh



Mo'ath Al Rawashdeh Fri, 01/30/2009 - 03:13

No need,

It is simple: do a NAT exclude on both firewalls so that traffic between 192.168.1.0/24 and 10.10.128.0/24 doesn't get NATed, and both networks will be able to connect using their private IP addresses.


Cheers,

Jithesh K Joy Fri, 01/30/2009 - 03:19

I am sorry, I did not express myself well.

ASA1 is connected to a layer 3 switch which is behind ASA2, so this traffic will not pass through ASA2.


Thanks


Mo'ath Al Rawashdeh Fri, 01/30/2009 - 03:31

Since traffic will not be passing through ASA2, it's enough to do the NAT exclude on ASA1.


The NAT exclude should look something like this:


access-list nat-exclude-acl line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0


nat (inside) 0 access-list nat-exclude-acl


On ASA1, you also need to add a static route that looks something like this:


route DMZ 10.10.128.0 255.255.255.0 X


where X is the IP address of the layer 3 switch (the next hop).


On the layer 3 switch, you will need a static route that looks like this:


ip route 192.168.1.0 255.255.255.0 Y


where Y is the IP address of the DMZ interface on ASA1 (the next hop).


Cheers
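The whole ASA1 side as an added example in the pre-8.3 syntax this thread uses (not Muath's or Jithesh's own configuration): it combines the NAT exclude and static route above with a destination translation of the public address, because a client resolving mywebsite.com will send to the public IP, which the exemption alone does not redirect. Assumptions: interface nameifs inside and dmz, 210.0.0.23 as a placeholder for the masked 210.*.*.23, X = 172.16.1.2 and Y = 172.16.1.1 as placeholder addresses, and no existing access-group on inside.

```cisco
! ASA1, pre-8.3 NAT syntax. Added example; placeholder addresses:
!   dmz interface (Y) = 172.16.1.1/24, layer 3 switch (X) = 172.16.1.2
!   210.0.0.23 stands in for the masked public IP 210.*.*.23
!
! 1. Reach the second network's server subnet via the layer 3 switch on the DMZ.
route dmz 10.10.128.0 255.255.255.0 172.16.1.2
!
! 2. NAT exclude: traffic between inside and 10.10.128.0/24 is never translated.
!    Covers clients that address the server by its private IP 10.10.128.121 and
!    prevents a "global (dmz)" pool from PATing the flow if one exists.
access-list nat-exclude-acl extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0
nat (inside) 0 access-list nat-exclude-acl
!
! 3. Destination translation: real host 10.10.128.121 on dmz is presented to
!    inside as 210.0.0.23. An inside host sending to the public IP (what DNS
!    returns for mywebsite.com) is untranslated to 10.10.128.121 and the egress
!    interface becomes dmz instead of outside, so the flow never uses the internet.
static (dmz,inside) 210.0.0.23 10.10.128.121 netmask 255.255.255.255
!
! If an access-group is later applied inbound on inside, it must permit this flow;
! pre-8.3 ACLs match the address as it arrives, i.e. the destination 210.0.0.23.
! Return traffic from the server is allowed by stateful inspection.
!
! 4. On the layer 3 switch (IOS), route the inside subnet back to ASA1's DMZ:
!    ip route 192.168.1.0 255.255.255.0 172.16.1.1
!
! Verification on ASA1 (egress interface in the output should be dmz):
!    packet-tracer input inside tcp 192.168.1.10 1025 210.0.0.23 80
!    show xlate
```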


