I have dual firewalls on either end of my DMZ and would like for my DMZ hosts to serve up content to both internal and public users. My issue is that I'm not sure how to simplify the routing.
I have my DMZ host with a default gateway of the public firewall (192.168.2.1, per the diagram), which allows it to serve up pages externally. I am currently using static routes defined on the DMZ host (i.e. route 192.168.1.0/24 has a gateway of 192.168.2.251), which works fine. I'd like to do away with static routes and have the public firewall reroute the traffic. Traffic from the DMZ host to the internal network should, in my mind, travel: DMZ Host (192.168.2.10) Default Gateway (192.168.2.1 / public firewall)
To be able to allow the ASA to reroute traffic back out the same interface on which it received it, you need this:
same-security-traffic permit intra-interface
If routing is correct, then when the internet-facing firewall receives, on the "inside" interface, traffic intended for the internal LAN, it will u-turn the traffic and reroute it back out the "inside" interface (the same interface on which it received the traffic).
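For readers following the answer above, here is the shape of the configuration it describes on the public (internet-facing) ASA, written as an added example rather than configuration taken from the thread. It assumes, as the answer does, that the DMZ-facing interface is named "inside", that the internal LAN is 192.168.1.0/24 behind the internal firewall at 192.168.2.251 (addresses from the question), and that the firewall runs 8.2-series syntax as the original poster does. The internal host 192.168.1.50 used in the packet-tracer check is a constructed placeholder.

```cisco
! Permit traffic to enter and leave the same interface (the u-turn / hairpin).
same-security-traffic permit intra-interface

! Route for the internal LAN, pointing back through the DMZ segment to the
! internal firewall's DMZ-side address. This is what lets the ASA send the
! traffic back out "inside" instead of toward the default route.
route inside 192.168.1.0 255.255.255.0 192.168.2.251 1

! 8.2-style NAT exemption so the DMZ-to-LAN flow is not translated on the
! way through the hairpin (assumed object/ACL name: NO_NAT_DMZ_TO_LAN).
access-list NO_NAT_DMZ_TO_LAN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_DMZ_TO_LAN

! Verify the path before relying on it: packet-tracer walks the flow through
! every phase (route lookup, NAT, rpf-check, ACL) and names the phase that
! drops it, which is the quickest way to see why a u-turn is failing.
packet-tracer input inside tcp 192.168.2.10 12345 192.168.1.50 80 detailed
```

Two points a practitioner should keep in mind with this design. First, once intra-interface traffic is permitted, the access list applied to the "inside" interface is the only policy standing between the DMZ host and the internal LAN on this firewall, so it should be scoped to the specific internal destinations and ports the DMZ host actually needs rather than permitting the whole 192.168.1.0/24 range. Second, the packet-tracer output is the evidence to capture when the flow is dropped: it reports the phase (for example rpf-check) and the rule that matched, which is what to compare against the NAT and route entries above.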
Thanks for your comment on the u-turning not working properly. No matter which NAT rule I write, the rpf-check drops me every time. I'm using 8.2.2 and I'll just leave in the static route entries for now.