Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
549
Views
0
Helpful
5
Replies

Accessing low security zone

csc010854800
Level 1
Level 1

‎09-16-2009 01:50 AM - edited ‎03-11-2019 09:16 AM

server 1(IP add 10.24.112.5 & Gateway is 10.24.112.1) in zone with security 50 needs to access servers (ip add 192.168.3.3 & Gateway is 192.168.3.1)in zone with security 20.

Kindly suggest how to accomplish this.

I have tried putting route in the router

ip route 192.168.3.0 255.255.255.0 10.24.112.1

and permit any any on the firewall but ping stops at the router . kindly suggest ???

Diagram is attached herewith.

Labels:
Preview file
92 KB
0 Helpful
5 Replies 5

apdatasoft
Level 1
Level 1

‎09-16-2009 02:05 AM

Hi,

no route is required in the router for accessing server from 10.24.112.0/24 to 192.168.3.0/24. Even you want to add a route the route which you added is wrong.

it should be like: ip route 192.168.3.0 255.255.255.0 10.24.112.254.

For accessing your servers with ip any any statement, you need to apply ip any any statement on both the interfaces of the firewall.

Thanks

AP

0 Helpful

csc010854800
Level 1
Level 1
In response to apdatasoft

‎09-16-2009 02:12 AM

i have put the same route

ip route 192.168.3.0 255.255.255.0 10.24.112.254 ( mistakenly i put wrong route in post ) .

i have applied any any statement on both interface but still not able to access servers in 192.168.3.0 zone. is this correct that we need natting to access servers in low security zone from high security zone???

when i try to ping 192.168.3.3 ,

i got reply from 10.24.112.254 but RTO onwards.......

any help ???

0 Helpful

apdatasoft
Level 1
Level 1
In response to csc010854800

‎09-16-2009 02:30 AM

Hi,

natting is not required between routed interfaces. Can post your config so that we can have clarity in the configuration part.

Thanks

AP

0 Helpful

kumar
Level 1
Level 1

‎09-16-2009 08:46 PM

hi, default rule permits higher security level to lower one, but you to configure access list for accessing lower one to higher.

0 Helpful

w-schultz
Level 1
Level 1

‎09-16-2009 09:02 PM

You need to touch the router and the firewall. Below assumes everything is class C subnetted.

In the router you will need a route:

!

ip route 192.168.3.0 255.255.255.0 10.24.112.254

!

Traffic will know how to get from the router to this network, which is behind the firewall. You seem to already have this covered so if you look at the firewall logs you should see an entry that states there is no translation group available.

So in the firewall you will need to allow access, and you will need to create the proper statics.

!

!This permits the traffic via ACL

!

access-list dmzList permit ip 10.24.112.0 255.255.255.0 192.168.3.0 255.255.255.0

!

access-group dmzList in interface dmz

!

!

!This translates the traffic to itself

!

static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

!

The above is typed by hand so please forgive any typos :-)

edit:

Obviously after I type the above I notice that I have the security on the interfaces backwards. :-/

What do your firewall logs say?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card