Zone based firewall DMZ NAT problem

ggilley
Level 1

I have two WANs. WAN1 is the primary interface for my LAN. The WAN2 is the primary interface for my DMZ. I want WAN1 to be able to fail over to WAN2. I want traffic originating in DMZ to always go out WAN2.

Everything seems to be working as expected except for LAN to DMZ access. I can't seem to figure out the right voodoo. I suspect a NAT problem, but I've been unable to figure it out so far. Or it could be my DMZ out to WAN2 hack.

Any suggestions would be greatly appreciated.

Thanks,

     Greg

3 Replies

ggilley
Level 1

Hehe, I seem to do this to myself a lot. In the process of writing the post, I guessed that it could be the DMZ to WAN2 route that was causing the LAN to DMZ problem. Turns out when I disabled that route-map, the LAN worked.

So, my question has changed to how can I create a route-map for the DMZ such that all traffic goes out WAN2 except for the traffic which should be going back to the LAN?

Thanks,

     Greg

ggilley
Level 1

Hmm, without that route map in GigabitEthernet2/0, the return traffic from the DMZ doesn't go back out WAN2. So my solution to the LAN access broke WAN2 access.

      Greg

Okay, looks like I found my solution:

    ! don't want to route local traffic out WAN2
    ! deny = not policy-routed: DMZ (192.168.2.0/24) to LAN (172.25.36.0/24) stays on the normal routing table
    ip access-list extended dmz-to-wan
      deny   ip 192.168.2.0 0.0.0.255 172.25.36.0 0.0.0.255
      permit ip any any
    ! everything the ACL permits is sent to WAN2's next-hop
    route-map dmz-map permit 10
      match ip address dmz-to-wan
      set ip next-hop xxx.xxx.xxx.174
    ! applied as policy routing on the DMZ-facing interface (GigabitEthernet2/0, per the reply above)
    interface GigabitEthernet2/0
      ip policy route-map dmz-map

Too bad I can't mark my own question as answered ;-)
Thanks to those who took the time to read my question.
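The fix above hinges on one detail of IOS policy-based routing that is easy to misread: a `deny` entry inside the ACL referenced by `match ip address` does not drop the packet, it only excludes the packet from that route-map clause, so it falls through to ordinary destination-based routing. The following Python model is an added example, not configuration or code from this thread or from Cisco; it implements IOS wildcard-mask matching, first-match ACL lookup, and the permit-means-policy-route / deny-means-fall-through semantics, then runs the poster's `dmz-to-wan` ACL and `dmz-map` route-map over a DMZ-to-LAN packet and a DMZ-to-Internet packet. It assumes 192.168.2.0/24 is the DMZ and 172.25.36.0/24 the LAN (consistent with the ACL being applied to DMZ-sourced traffic), and uses the RFC 5737 documentation address 203.0.113.174 in place of the masked `xxx.xxx.xxx.174` next-hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values: the two /24s come from the post; 203.0.113.174 is an
# RFC 5737 documentation address standing in for the masked "xxx.xxx.xxx.174".
WAN2_NEXT_HOP = "203.0.113.174"


@dataclass
class Ace:
    """One entry of an IOS extended ACL, restricted to 'ip <src> <dst>' matches."""
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" or "any"
    dst: str


@dataclass
class RouteMapClause:
    """One 'route-map <name> permit|deny <seq>' clause with a 'match ip address' ACL."""
    action: str
    acl: List[Ace]
    next_hop: Optional[str]   # from 'set ip next-hop'; None if the clause sets nothing


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard masks are inverted: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


def policy_route(route_map: List[RouteMapClause], src: str, dst: str) -> Optional[str]:
    """Return the next-hop chosen by policy routing, or None when the packet is
    left to the normal routing table.

    A 'deny' inside the match ACL does NOT drop the packet; it only means the
    clause does not match, so the packet falls through to the next clause and,
    if none matches, to destination-based routing. That is why the deny line in
    dmz-to-wan keeps DMZ-to-LAN traffic off WAN2 without blocking it."""
    for clause in route_map:
        if acl_lookup(clause.acl, src, dst) == "permit":
            # A matching 'route-map ... deny' clause also means: no policy routing.
            return clause.next_hop if clause.action == "permit" else None
    return None


# The configuration from the post, expressed as data.
DMZ_TO_WAN = [
    Ace("deny", "192.168.2.0 0.0.0.255", "172.25.36.0 0.0.0.255"),  # DMZ -> LAN: normal routing
    Ace("permit", "any", "any"),                                      # everything else -> WAN2
]
DMZ_MAP = [RouteMapClause("permit", DMZ_TO_WAN, WAN2_NEXT_HOP)]

if __name__ == "__main__":
    for dst in ("172.25.36.5", "198.51.100.20"):
        hop = policy_route(DMZ_MAP, "192.168.2.10", dst)
        print(f"192.168.2.10 -> {dst}: {'next-hop ' + hop if hop else 'routing table'}")
```

Running it classifies the DMZ-to-LAN packet as "routing table" and the DMZ-to-Internet packet as "next-hop 203.0.113.174", which is exactly the split the poster wanted. The model deliberately leaves out two things a router does: it does not represent the interface binding (`ip policy route-map` acts on traffic arriving on that interface), and it does not check whether the `set ip next-hop` address is reachable, in which case IOS also falls back to the routing table.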
