09-16-2009 01:50 AM - edited 03-11-2019 09:16 AM
Server 1 (IP add 10.24.112.5 & gateway is 10.24.112.1) in zone with security 50 needs to access servers (IP add 192.168.3.3 & gateway is 192.168.3.1) in zone with security 20.
Kindly suggest how to accomplish this.
I have tried putting a route in the router
ip route 192.168.3.0 255.255.255.0 10.24.112.1
and permit any any on the firewall but ping stops at the router. Kindly suggest???
Diagram is attached herewith.
09-16-2009 02:05 AM
Hi,
No route is required in the router for accessing the server from 10.24.112.0/24 to 192.168.3.0/24. Even if you want to add a route, the route which you added is wrong.
It should be: ip route 192.168.3.0 255.255.255.0 10.24.112.254
For accessing your servers with an ip any any statement, you need to apply the ip any any statement on both interfaces of the firewall.
Thanks
AP
09-16-2009 02:12 AM
I have put the same route:
ip route 192.168.3.0 255.255.255.0 10.24.112.254 (mistakenly I put the wrong route in the post).
I have applied the any any statement on both interfaces but am still not able to access servers in the 192.168.3.0 zone. Is it correct that we need NATting to access servers in a low security zone from a high security zone???
When I try to ping 192.168.3.3,
I get a reply from 10.24.112.254 but RTO onwards.......
Any help???
09-16-2009 02:30 AM
Hi,
NATting is not required between routed interfaces. Can you post your config so that we can have clarity on the configuration part?
Thanks
AP
09-16-2009 08:46 PM
Hi, the default rule permits the higher security level to the lower one, but you have to configure an access list for accessing the lower one to the higher.
09-16-2009 09:02 PM
You need to touch the router and the firewall. Below assumes everything is class C subnetted.
In the router you will need a route:
!
ip route 192.168.3.0 255.255.255.0 10.24.112.254
!
Traffic will then know how to get from the router to this network, which is behind the firewall. You seem to already have this covered, so if you look at the firewall logs you should see an entry that states there is no translation group available.
So in the firewall you will need to allow access, and you will need to create the proper statics.
!
!This permits the traffic via ACL
!
access-list dmzList permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
!
access-group dmzList in interface dmz
!
!
!This translates the traffic to itself
!
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
The above is typed by hand so please forgive any typos :-)
edit:
Obviously after I type the above I notice that I have the security on the interfaces backwards. :-/
What do your firewall logs say?
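A firewall-side configuration that matches the security levels in the original question (10.24.112.0/24 behind the security-50 interface, 192.168.3.0/24 behind the security-20 interface), added here as an example and not taken from any poster's config; the interface names `inside`/`dmz`, the dmz interface address 192.168.3.1 and the pre-8.3 ASA/PIX NAT syntax are assumptions, and the router route stays exactly as given in the thread.

```cisco
! Assumed interface layout (names, the dmz address and physical ports are assumptions)
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.24.112.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 20
 ip address 192.168.3.1 255.255.255.0
!
! Identity NAT for the HIGH-security side: the real interface goes first, so the
! hosts being translated (10.24.112.0/24) are the ones on "inside". This is what
! clears the "no translation group" log entry when nat-control is enabled.
static (inside,dmz) 10.24.112.0 10.24.112.0 netmask 255.255.255.0
!
! Optional: an explicit ACL on the high-security interface. Without any
! access-group on "inside", the default policy already allows 50 -> 20; once an
! access-group is applied, only what the ACL permits is allowed.
access-list insideOut extended permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group insideOut in interface inside
!
! Ping through the firewall: ICMP is not stateful by default, so either inspect
! it (below) or permit echo-reply inbound on the dmz ACL, otherwise the echo
! request is forwarded but the reply is dropped and the client sees timeouts.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! No "route" is needed for 10.24.112.0/24 or 192.168.3.0/24: both are directly
! connected. Add a route only for subnets behind the 10.24.112.1 router.
```

Useful checks after applying this: `show xlate` should list the 10.24.112.0 identity entries, and `show logging` should no longer show the "No translation group found" message for flows from 10.24.112.5 to 192.168.3.3.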