
Is a reverse route needed?

KSVY_KSVY_2
Level 1

User is going to place a "three leg" 5505 ASA on the site's existing LAN.

Two PCs, one each in the firewall's DMZ and PCN networks, will use a NAT'ed IP address that is on the site's LAN.

Question is: will the site's core layer-3 device require a "reverse" route pointing both PCs, 10.10.10.10 and 10.10.10.6, back to the 5505 ASA?

thank you,

Kevin

Accepted Solution

Ah ok,

So we are only talking about CORE to DMZ connectivity?

Well, if the CORE has an interface in the 10.10.10.0/27 subnet and that interface (probably a VLAN interface) is connected to the ASA, which has the NAT IP addresses and its interface IP address from the same 10.10.10.0/27 subnet, then the L3 switch will naturally see the network as directly connected. And since it's a directly connected network, it will use ARP to determine the MAC address on the ASA to which to send traffic destined to the NAT IP address of the DMZ server.

So the L3 switch will determine the route from its connected network/route and determine the destination MAC address with ARP.

- Jouni
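Worked example of the setup Jouni describes, added here as an illustration; it is not configuration from the original thread. The DMZ host 192.168.101.2 and its mapped address 10.10.10.6 are from the thread; the core SVI address 10.10.10.1, the ASA outside address 10.10.10.2, the VLAN numbers, the DMZ subnet 192.168.101.0/24, the RDP port and the test host 10.10.10.20 are assumptions. ASA syntax is 8.3+ object NAT; the core is an IOS L3 switch.

```cisco
! ===== Core L3 switch (IOS) =====
! Assumed SVI in the 10.10.10.0/27 LAN segment the ASA outside leg plugs into.
interface Vlan10
 description LAN segment carrying the ASA outside interface
 ip address 10.10.10.1 255.255.255.224
!
! No "reverse" route is needed for 10.10.10.6: it falls inside the connected
! 10.10.10.0/27, so the switch ARPs for it and the ASA answers on behalf of the
! static NAT mapping (proxy ARP). Verify on the switch:
!   show ip route 10.10.10.6     -> directly connected, Vlan10
!   show ip arp 10.10.10.6       -> MAC address of the ASA outside interface
!
! A host route is only required if a mapped address lies OUTSIDE the connected
! subnet. For an assumed mapped address 10.10.20.6 the switch would need:
!   ip route 10.10.20.6 255.255.255.255 10.10.10.2

! ===== ASA 5505 (8.3+ syntax), three legs: outside, dmz, pcn =====
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.224
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.101.1 255.255.255.0
!
! Real DMZ host from the thread, mapped to an address in the outside subnet.
! Do NOT add "no-proxy-arp" here: proxy ARP is what lets the core reach
! 10.10.10.6 without any route pointing at the ASA.
object network DMZ-PC
 host 192.168.101.2
 nat (dmz,outside) static 10.10.10.6
!
! Inbound ACL: in 8.3+ the ACL matches the REAL address, not the mapped one.
! Port 3389 is an assumption (remote user reaching the PC over RDP).
access-list OUTSIDE_IN extended permit tcp any host 192.168.101.2 eq 3389
access-group OUTSIDE_IN in interface outside
!
! Verify on the ASA (10.10.10.20 is an assumed core-side test host):
!   show nat detail
!   packet-tracer input outside tcp 10.10.10.20 12345 10.10.10.6 3389
```

The packet-tracer run should show the UN-NAT phase translating 10.10.10.6 to 192.168.101.2 and the ACCESS-LIST phase permitting it; a DROP in the NAT or ACL phase means the mapping or the ACL is wrong, not the core's routing. Upstream of the core nothing changes for the remote user: the WAN router must already carry 10.10.10.0/27 toward the core because it is an existing site LAN subnet, and the mapped address simply inherits that reachability.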


5 Replies


Hi,

I imagine you are attempting to have the DMZ and PCN hosts connect to each other using their NAT IP addresses from the 10.10.10.0/27 network?

I don't think this is possible unless you actually do the NAT between these DMZ and PCN interfaces also.

If you only configure the Static NAT from DMZ and PCN to the CORE, the ASA won't let you connect to those NAT IP addresses from behind PCN or DMZ, only from CORE.

So to my understanding PCN to DMZ needs a Static NAT configuration also.

- Jouni

hi Jouni,

I have the NAT policies between the DMZ and PCN hosts configured and tested. It's the remote user outside of the site who is attempting to reach the one DMZ host's IP address, 192.168.101.2, NAT'ed to 10.10.10.6, that I am concerned about.

Because the 5505 isn't separating the site's WAN connectivity, but is "hanging" off the site's internal LAN, with its DMZ PC host that needs to be accessed by remote users, how does the site's core layer-3 device know to route to the 5505's 10.10.10.6 host?

thanks, Kevin


Jouni,

Good deal, thanks for the quick replies.

Kevin
