Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Diverting the traffic through DMZ

Hi,

I have two networks 1&2. Both have separate internet connections .

ASA1 in network1 has three interfaces (inside/192.168.1.0/24) dmz (172.16.1./24) and outside (56.*.*.*/28). Its DMZ has connectivity to a layer 3 switch of second network network2. Network2 has some servers with public IP 210.*.*.23 .with dns name mywebsite.com and corresponding private IP 10.10.128.121

Right now when a host in 192.168.1.0/24 requests mywebsite.com or 210.*.*.23 server , the traffic routes through the internet causing the wastage of internet bandwidth .

Could anyone please help me to direct this traffic (i e all traffic from 192.168.1.0/24 to mywebsite.com or 210.*.*.23) through the DMZ of the ASA to the layer 3 switch

This layer3 switch in network2 is behind the ASA2 so the traffic to 210.*.*.23 has to be natted to 10.10.128.121 also.

Your help is highly appreciated.

Regards

7 REPLIES

Re: Diverting the traffic through DMZ

Hi,

First of all, you need static routes (on both of your ASAs and you layer 3 switches).

You will also need proper access rules to allow this.

One more thing, you will need NAT exclude for packets moving between the 2 networks.

If you need more details, please attach a diagram of your network.

Cheers,

Muath

New Member

Re: Diverting the traffic through DMZ

Hi Mauth,

Thanks for your response. I have added access-list & routes but my concern is how to nat my Destination PublicIP(210.*.*.23) to 10.10.128.121 in ASA1 and divert the that traffic through its DMZ.

Regards

Jithesh

Re: Diverting the traffic through DMZ

Hi Jithesh,

Let me ask u a question, ror the 210.*.*.* network, are the public IP addresses directly assigned to the servers? or they have private IP addresses and statically NATed to public IPs on ASA2?

New Member

Re: Diverting the traffic through DMZ

Hi mauth

They have private IP addresses and statically NATed to public IPs on ASA2.

So can we nat the DestinationIP( 210.*.*.* )to 10.10.128.121 in ASA1 ?

Regards

Jithesh

Re: Diverting the traffic through DMZ

No need,

is simple, do a NAT exclude on both firewalls so that traffic between the 192.168.1.0/24 and 10.10.128.0/24 doesn't get NATed and all traffic and both networks will be able to connect using their private IP addresses.

Cheers,

New Member

Re: Diverting the traffic through DMZ

I am sorry. I could not express myself.

ASA1 is connected to a layer3 switch which is behind the ASA2. So this traffic will not pass throgh ASA2.

Thanks

Re: Diverting the traffic through DMZ

Since traffic will not be passing thru ASA2, then its enough to do NAT exclude on ASA1.

NAT exclude shall look like something this:

access-list nat-exclude-acl line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.128.0 255.255.255.0

nat (inside) 0 access-list nat-exclude-acl

On ASA1, you also need to add a static route that looks something like this:

route DMZ 10.10.128.0 255.255.255.0 X

where X is the ip address of the layer 3 switch (the next hop).

On the layer 3 switch, you will need a static route that looks like this:

IP route 192.168.1.0 255.255.255.0 Y

where Y is the IP address of the DMZ interface on ASA1 (next hop)

Cheers

209
Views
9
Helpful
7
Replies