Zone based firewall DMZ NAT problem

ggilley
Level 1

I have two WANs. WAN1 is the primary interface for my LAN. WAN2 is the primary interface for my DMZ. I want WAN1 to be able to fail over to WAN2. I want traffic originating in the DMZ to always go out WAN2.

Everything seems to be working as expected except for LAN to DMZ access. I can't seem to figure out the right voodoo. I suspect a NAT problem, but I've been unable to figure it out so far. Or it could be my DMZ out to WAN2 hack.

Any suggestions would be greatly appreciated.

Thanks,

     Greg

3 Replies

ggilley
Level 1

Hehe, I seem to do this to myself a lot. In the process of writing the post, I guessed that it could be the DMZ to WAN2 route that was causing the LAN to DMZ problem. Turns out when I disabled that route-map, the LAN worked.

So, my question has changed to how can I create a route-map for the DMZ such that all traffic goes out WAN2 except for the traffic which should be going back to the LAN?

Thanks,

     Greg

ggilley
Level 1

Hmm, without that route map in GigabitEthernet2/0, the return traffic from the DMZ doesn't go back out WAN2. So my solution to the LAN access broke WAN2 access.

      Greg

Okay, looks like I found my solution:

! don't want to route local traffic out WAN2
ip access-list extended dmz-to-wan
  deny   ip 192.168.2.0 0.0.0.255 172.25.36.0 0.0.0.255
  permit ip any any
route-map dmz-map permit 10
  match ip address dmz-to-wan
  set ip next-hop xxx.xxx.xxx.174

Too bad I can't mark my own question as answered ;-)
Thanks to those who took the time to read my question.
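To make the fix above concrete, here is an added example (not from the thread or Cisco) that models how IOS evaluates the PBR route-map: the ACL is walked top-down with wildcard masks, and only a "permit" result gets the set next-hop, while a deny (explicit or the implicit one at the end) means "fall back to the routing table", not "drop". It assumes the DMZ is 192.168.2.0/24 and the LAN is 172.25.36.0/24, as the ACL implies, and uses constructed host addresses.

```python
import ipaddress

# Label for the elided WAN2 next-hop on the page (xxx.xxx.xxx.174); a placeholder.
POLICY_NEXT_HOP = "WAN2 next-hop (xxx.xxx.xxx.174)"
ROUTING_TABLE = "routing-table"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


# Access control entries as (action, src, src_wildcard, dst, dst_wildcard).
# "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

# The original route-map: everything leaving the DMZ interface is policy-routed.
ACL_BEFORE = [("permit", *ANY, *ANY)]

# The fix from the thread: exempt DMZ -> LAN traffic, policy-route the rest.
ACL_AFTER = [
    ("deny", "192.168.2.0", "0.0.0.255", "172.25.36.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]


def acl_result(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def pbr_next_hop(acl, src: str, dst: str) -> str:
    """route-map dmz-map permit 10 / match ip address / set ip next-hop:
    a permitted packet gets the policy next-hop; a denied packet is NOT
    dropped, it is simply forwarded by the normal routing table."""
    return POLICY_NEXT_HOP if acl_result(acl, src, dst) == "permit" else ROUTING_TABLE
```

Constructed cases: a DMZ host replying to a LAN host is sent to WAN2 under ACL_BEFORE (the breakage described in the thread) but to the routing table under ACL_AFTER, while DMZ traffic to an Internet address still leaves via WAN2.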
