Zone based firewall DMZ NAT problem

Unanswered Question

I have two WANs. WAN1 is the primary interface for my LAN. The WAN2 is the primary interface for my DMZ. I want WAN1 to be able to fail over to WAN2. I want traffic originating in DMZ to always go out WAN2.

Everything seems to be working as expected except for LAN to DMZ access. I can't seem to figure out the right voodoo. I suspect a NAT problem, but I've been unable to figure it out so far. Or it could be my DMZ out to WAN2 hack.

Any suggestions would be greatly appreciated.




Hehe, I seem to do this to myself a lot. In the process of writing the post, I guessed that it could be the DMZ to WAN2 route that was causing the LAN to DMZ problem. Turns out when I disabled that route-map, the LAN worked.

So, my question has changed to how can I create a route-map for the DMZ such that all traffic goes out WAN2 except for the traffic which should be going back to the LAN?



Okay, looks like I found my solution:

! don't want to route local traffic out WAN2
ip access-list extended dmz-to-wan
  ! deny = "not policy routed": these packets fall through to the normal routing table
  deny   ip
  ! everything else from the DMZ is policy routed to the WAN2 next hop
  permit ip any any
route-map dmz-map permit 10
  match ip address dmz-to-wan
  set ip next-hop

Too bad I can't mark my own question as answered ;-)
Thanks to those who took the time to read my question.
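The subtle point in the fix above is that a deny entry in the ACL referenced by a route-map does not drop anything: in IOS policy-based routing, a packet that is denied by the match ACL (or hits the implicit deny) is simply not policy routed and falls back to the ordinary destination-based routing table. With only "permit ip any any", a DMZ host's reply to a LAN client is forced to the WAN2 next hop instead of the connected LAN route, so the LAN-to-DMZ session never completes. The following Python model, added here as an illustration and not code from the original post, reproduces that lookup order. The LAN and DMZ prefixes, the next-hop addresses, the host addresses, and the assumption that the lost deny entry was "deny ip <DMZ> <LAN>" are all constructed for the example.

```python
import ipaddress

# Constructed topology (assumed; the original post gives no addresses).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WAN1_NEXT_HOP = "198.51.100.1"  # assumed: default route for the LAN
WAN2_NEXT_HOP = "203.0.113.1"   # assumed: next hop set by the route-map


def acl_match(acl, src, dst):
    """Evaluate an extended ACL top-down.

    Each entry is (action, src_network, dst_network). Returns the action of
    the first matching entry, or 'deny' for the implicit deny that ends every
    IOS access list.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def routing_table_lookup(dst):
    """Ordinary destination-based routing: connected networks win, then the
    default route out WAN1. Returned value is a human-readable next hop."""
    d = ipaddress.ip_address(dst)
    if d in LAN:
        return "connected LAN"
    if d in DMZ:
        return "connected DMZ"
    return WAN1_NEXT_HOP


def policy_route(acl, next_hop, src, dst):
    """Model of: route-map X permit 10 / match ip address ACL / set ip next-hop.

    Only packets *permitted* by the ACL get the next hop overridden. A deny
    (explicit or implicit) means 'not policy routed' and the packet goes to
    the normal routing table; it is NOT discarded.
    """
    if acl_match(acl, src, dst) == "permit":
        return next_hop
    return routing_table_lookup(dst)


# The route-map as it behaved before the fix: every DMZ packet goes to WAN2.
ACL_BROKEN = [("permit", ANY, ANY)]

# The fix: exempt DMZ-to-LAN traffic first so it uses the connected route.
# (Assumed form of the deny entry whose arguments were lost from the post.)
ACL_FIXED = [("deny", DMZ, LAN), ("permit", ANY, ANY)]

# Same two entries in the wrong order: the permit shadows the deny.
ACL_WRONG_ORDER = [("permit", ANY, ANY), ("deny", DMZ, LAN)]


def dmz_reply_path(acl, dmz_host="192.168.100.10", lan_host="192.168.1.20"):
    """Where a DMZ host's reply to a LAN client is sent when the route-map is
    applied inbound on the DMZ interface (constructed host addresses)."""
    return policy_route(acl, WAN2_NEXT_HOP, src=dmz_host, dst=lan_host)


def dmz_internet_path(acl, dmz_host="192.168.100.10", remote="192.0.2.50"):
    """Where DMZ-originated internet traffic is sent (constructed addresses)."""
    return policy_route(acl, WAN2_NEXT_HOP, src=dmz_host, dst=remote)


if __name__ == "__main__":
    for name, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED),
                      ("wrong order", ACL_WRONG_ORDER)):
        print(f"{name:12s} DMZ->LAN reply: {dmz_reply_path(acl):15s} "
              f"DMZ->Internet: {dmz_internet_path(acl)}")
```

Running it shows the broken and wrong-order ACLs pushing the DMZ's reply to the LAN out the WAN2 next hop (an asymmetric path that breaks the session), while the fixed ACL sends it back over the connected LAN route and still sends internet-bound DMZ traffic out WAN2. The same ordering rule applies when you later add more exemptions (a management subnet, a VPN pool): every deny must precede the catch-all permit.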

