Accessing low security zone

csc010854800
Level 1

Server 1 (IP address 10.24.112.5, gateway 10.24.112.1) in the zone with security level 50 needs to access servers (IP address 192.168.3.3, gateway 192.168.3.1) in the zone with security level 20.

Kindly suggest how to accomplish this.

I have tried putting a route in the router:

ip route 192.168.3.0 255.255.255.0 10.24.112.1

and permit any any on the firewall, but the ping stops at the router. Kindly suggest???

Diagram is attached herewith.

5 Replies

apdatasoft
Level 1

Hi,

No route is required in the router for accessing a server from 10.24.112.0/24 to 192.168.3.0/24. Even if you want to add a route, the route which you added is wrong.

It should be like: ip route 192.168.3.0 255.255.255.0 10.24.112.254

For accessing your servers with an ip any any statement, you need to apply the ip any any statement on both interfaces of the firewall.

Thanks

AP

I have put the same route:

ip route 192.168.3.0 255.255.255.0 10.24.112.254 (mistakenly I put the wrong route in the post).

I have applied the any any statement on both interfaces but am still not able to access servers in the 192.168.3.0 zone. Is it correct that we need NATting to access servers in the low security zone from the high security zone???

When I try to ping 192.168.3.3,

I get a reply from 10.24.112.254 but RTO onwards.......

Any help???

Hi,

NATting is not required between routed interfaces. Can you post your config so that we can have clarity on the configuration part?

Thanks

AP

kumar
Level 1

Hi, the default rule permits the higher security level to the lower one, but you have to configure an access list for accessing from the lower one to the higher.

w-schultz
Level 1

You need to touch the router and the firewall. The below assumes everything is class C subnetted.

In the router you will need a route:

!
ip route 192.168.3.0 255.255.255.0 10.24.112.254
!

Traffic will know how to get from the router to this network, which is behind the firewall. You seem to already have this covered, so if you look at the firewall logs you should see an entry that states there is no translation group available.

So in the firewall you will need to allow access, and you will need to create the proper statics.

!
!This permits the traffic via ACL
!
access-list dmzList permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
!
access-group dmzList in interface dmz
!
!
!This translates the traffic to itself
!
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!

The above is typed by hand so please forgive any typos :-)

Edit:

Obviously, after typing the above I notice that I have the security on the interfaces backwards. :-/

What do your firewall logs say?
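As an added example, not posted by anyone in this thread, here is the configuration the replies above point towards, with the interface security levels the right way round for the topology in the question. It assumes the firewall's inside interface is 10.24.112.254/24 (the next hop used in the router route), its dmz interface is 192.168.3.1/24, the interfaces are named "inside" (security 50) and "dmz" (security 20), and pre-8.3 ASA syntax (nat-control era, where a static or nat entry is required for the flow).

```cisco
! --- Router (10.24.112.1): hand the 192.168.3.0/24 network to the firewall
ip route 192.168.3.0 255.255.255.0 10.24.112.254
!
! --- Firewall (ASA 7.x / pre-8.3 syntax; interface names are assumed)
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.24.112.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 20
 ip address 192.168.3.1 255.255.255.0
!
! Identity translation for the HIGHER-security network: inside hosts keep
! their own addresses when they reach the dmz. Without a nat/static entry
! covering 10.24.112.0/24 the firewall drops the flow and logs that no
! translation group was found. Note the real network is the inside one,
! not 192.168.3.0 as in the reply above.
static (inside,dmz) 10.24.112.0 10.24.112.0 netmask 255.255.255.0
!
! High to low is permitted by default, but once an ACL is applied to
! "inside" only what it lists gets through, so the flow must be listed.
access-list insideList extended permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0
access-group insideList in interface inside
!
! Low to high is denied by default. ICMP is not tracked statefully unless
! ICMP inspection is enabled, so either enable "inspect icmp" in the
! global policy or, as here, allow only the echo replies back to inside.
access-list dmzList extended permit icmp 192.168.3.0 255.255.255.0 10.24.112.0 255.255.255.0 echo-reply
access-group dmzList in interface dmz
```

If the firewall still drops the traffic, "show logging" on the firewall will name the interface and the reason (ACL deny or missing translation), which is more useful than the router ping result.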
