07-26-2010 11:00 PM - edited 03-04-2019 09:11 AM
I have two WANs. WAN1 is the primary interface for my LAN. The WAN2 is the primary interface for my DMZ. I want WAN1 to be able to fail over to WAN2. I want traffic originating in DMZ to always go out WAN2.
Everything seems to be working as expected except for LAN to DMZ access. I can't seem to figure out the right voodoo. I suspect a NAT problem, but I've been unable to figure it out so far. Or it could be my DMZ out to WAN2 hack.
Any suggestions would be greatly appreciated.
Thanks,
Greg
07-26-2010 11:09 PM
Hehe, I seem to do this to myself a lot. In the process of writing the post, I guessed that it could be the DMZ to WAN2 route that was causing the LAN to DMZ problem. Turns out when I disabled that route-map, the LAN worked.
So, my question has changed to how can I create a route-map for the DMZ such that all traffic goes out WAN2 except for the traffic which should be going back to the LAN?
Thanks,
Greg
07-27-2010 08:59 AM
Hmm, without that route map in GigabitEthernet2/0, the return traffic from the DMZ doesn't go back out WAN2. So my solution to the LAN access broke WAN2 access.
Greg
07-27-2010 08:23 PM
Okay, looks like I found my solution:
! don't want to route local traffic out WAN2
! (a "deny" in a PBR ACL does not drop the traffic; it only exempts it
!  from policy routing, so DMZ -> LAN packets use the normal routing table)
ip access-list extended dmz-to-wan
 deny   ip 192.168.2.0 0.0.0.255 172.25.36.0 0.0.0.255
 permit ip any any
!
route-map dmz-map permit 10
 match ip address dmz-to-wan
 set ip next-hop xxx.xxx.xxx.174
!
! applied to the DMZ-facing interface (GigabitEthernet2/0 in this thread)
interface GigabitEthernet2/0
 ip policy route-map dmz-map
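As an added worked example (not Greg's configuration and not part of the thread), here is a complete policy-based-routing setup that ties the pieces discussed above together. The two subnets (192.168.2.0/24 for the DMZ, 172.25.36.0/24 for the LAN) and the DMZ interface GigabitEthernet2/0 come from the thread; every other interface name, address and next hop is an assumed placeholder, and the IP SLA tracking used for the WAN1 to WAN2 failover is an assumption about the mechanism, since the thread never shows how that failover is implemented. The security-relevant point is that a deny entry in the ACL referenced by a PBR route-map does not drop traffic: it exempts it from policy routing, so DMZ replies to the LAN fall through to the routing table (a connected route), while everything else from the DMZ is forced to the WAN2 next hop regardless of the default route.

```cisco
! Assumed interface layout (placeholders, not from the thread):
!   GigabitEthernet0/0  WAN1  203.0.113.2/30,  next hop 203.0.113.1
!   GigabitEthernet0/1  WAN2  198.51.100.2/30, next hop 198.51.100.1
!   GigabitEthernet1/0  LAN   172.25.36.1/24
!   GigabitEthernet2/0  DMZ   192.168.2.1/24
!
! LAN default route goes out WAN1 while the probe to the WAN1 next hop
! succeeds; the floating static route (AD 10) takes over when track 1
! goes down. This tracking approach is an assumption, not the thread's.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! PBR ACL: "deny" means "do NOT policy-route this", never "drop".
! DMZ -> LAN packets are exempted and use the routing table, which holds
! 172.25.36.0/24 as a connected route on GigabitEthernet1/0.
! Everything else sourced from the DMZ matches and is sent to WAN2.
ip access-list extended dmz-to-wan
 deny   ip 192.168.2.0 0.0.0.255 172.25.36.0 0.0.0.255
 permit ip any any
!
route-map dmz-map permit 10
 match ip address dmz-to-wan
 set ip next-hop 198.51.100.1
!
! Policy routing only affects packets that arrive on the DMZ interface,
! so LAN -> DMZ traffic is never touched by this route-map; only the
! DMZ's replies are, which is why the deny entry above is needed.
interface GigabitEthernet2/0
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map dmz-map
```

To confirm the exemption is working, `show route-map dmz-map` reports how many packets were policy-routed by sequence 10; DMZ-to-LAN traffic should not increment that counter, and `show ip policy` lists which interfaces have the map applied. Note that a deny in this ACL is a narrower exemption than it may look: if additional internal subnets are ever added behind the router, each needs its own deny line, or their DMZ replies will be sent to the WAN2 next hop just as the LAN's were before the fix.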