Zone-Base-Firewall NAT issue

irvine_iain — Tue, 12 Mar 2019 01:00:57 GMT

Hi Everyone,

I'm having a big issue with Nat on my 3925 router.

Currently I have 4 interfaces (Internetl, LAN, DMZ & Wifi (which is isolated except for a vew exceptions) on my router which is setup using zone pairs:

Internet -> LAN, Internet -> DMZ, Internet -> Wi-Fi,

LAN -> Internet, LAN -> DMZ, LAN-> Wi-Fi

DMZ -> Internet, DMZ -> LAN, DMZ -> Wi-Fi

Wi-Fi -> Internet, Wi-Fi -> LAN, Wi-Fi -> DMZ

NAT is setup to translate some external IP address to internal IP address both in our LAN and DMZ, basically the image below

and all seem to work however when the issue arise when I use a laptop/device in the Wi-Fi network to access a server in the LAN or DMZ by accessing it external IP address, ie Wifi Laptop IP 172.16.10.10 trying to access 150.148.130.52. The device is unable to access but if an external user trys to access 150.148.130.52 they are able to.

I think the issue is maybe due to the NAT/ZBFW rules maybe trying to access across the Wi-Fi -> DMZ zone pair rules instead of going Wi-Fi -> Internet, then Internet -> DMZ and back. but it just seem to trop the traffic?

Has anyone come accross this issue before? Im sure you most be able to do this as people access there webmail fine on internal and external networks with out the need for DNS translations.

Can any one help?

Re: Zone-Base-Firewall NAT issue

irvine_iain — Mon, 18 Feb 2013 11:40:35 GMT

Anyone able to help with is?

Re: Zone-Base-Firewall NAT issue

malshbou — Mon, 18 Feb 2013 18:24:14 GMT

please post your config, or at least:

show run | sec zone

show run | sec policy-map

show run | sec ip nat

show ip nat translations

i suspect it is NAT issue.

Mashal

topic Re: Zone-Base-Firewall NAT issue in Network Security

Zone-Base-Firewall NAT issue

Re: Zone-Base-Firewall NAT issue

Re: Zone-Base-Firewall NAT issue