Zone based firewall DMZ NAT problem

Unanswered Question

I have two WANs. WAN1 is the primary interface for my LAN. The WAN2 is the primary interface for my DMZ. I want WAN1 to be able to fail over to WAN2. I want traffic originating in DMZ to always go out WAN2.

Everything seems to be working as expected except for LAN to DMZ access. I can't seem to figure out the right voodoo. I suspect a NAT problem, but I've been unable to figure it out so far. Or it could be my DMZ out to WAN2 hack.

Any suggestions would be greatly appreciated.

Thanks,

     Greg


Hehe, I seem to do this to myself a lot. In the process of writing the post, I guessed that it could be the DMZ to WAN2 route that was causing the LAN to DMZ problem. Turns out when I disabled that route-map, the LAN worked.

So, my question has changed to how can I create a route-map for the DMZ such that all traffic goes out WAN2 except for the traffic which should be going back to the LAN?

Thanks,

     Greg

Okay, looks like I found my solution:

! don't want to route local traffic out WAN2
ip access-list extended dmz-to-wan
  ! deny = "no match" for the route-map, so DMZ-to-LAN traffic is routed normally
  deny   ip 192.168.2.0 0.0.0.255 172.25.36.0 0.0.0.255
  permit ip any any
route-map dmz-map permit 10
  match ip address dmz-to-wan
  set ip next-hop xxx.xxx.xxx.174

Too bad I can't mark my own question as answered ;-)
Thanks to those who took the time to read my question.
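As an added illustration (not Greg's configuration and not IOS itself), here is a small Python model of how a route-map evaluates its match ACL, comparing the original "permit any any" map with the fixed one that denies DMZ-to-LAN traffic; the next-hop address and the packet addresses are constructed placeholders:

```python
import ipaddress

# Constructed model of IOS policy-based routing evaluation, not real router code.
# Cisco wildcard masks: a 0 bit must match exactly, a 1 bit is "don't care".

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_result(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def pbr_next_hop(route_map, src, dst):
    """Return the next hop the route-map sets for this flow, or None when the
    packet falls through to the normal routing table.  A 'deny' in the match
    ACL does not drop the packet; it only means the sequence does not match."""
    for acl, next_hop in route_map:  # route-map sequences 10, 20, ... in order
        if acl_result(acl, src, dst) == "permit":
            return next_hop
    return None

ANY = ("0.0.0.0", "255.255.255.255")
DMZ = ("192.168.2.0", "0.0.0.255")
LAN = ("172.25.36.0", "0.0.0.255")
WAN2_GW = "203.0.113.174"  # placeholder for the xxx.xxx.xxx.174 next hop

# First attempt: everything from the DMZ is pushed to WAN2, including replies
# to the LAN, which is why LAN -> DMZ sessions broke.
BROKEN_MAP = [([("permit", *ANY, *ANY)], WAN2_GW)]

# The fix from the thread: deny DMZ -> LAN in the ACL so that traffic is routed
# normally, and permit everything else to the WAN2 next hop.
FIXED_MAP = [([("deny", *DMZ, *LAN), ("permit", *ANY, *ANY)], WAN2_GW)]

if __name__ == "__main__":
    for label, rm in (("broken", BROKEN_MAP), ("fixed", FIXED_MAP)):
        print(label, "DMZ->LAN:", pbr_next_hop(rm, "192.168.2.10", "172.25.36.5"))
        print(label, "DMZ->Internet:", pbr_next_hop(rm, "192.168.2.10", "198.51.100.7"))
```

With the fixed map, DMZ-to-LAN packets return None (normal routing) while DMZ-to-Internet packets still get the WAN2 next hop.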
