cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
502
Views
0
Helpful
2
Replies

Zone-Base-Firewall NAT issue

irvine_iain
Level 1
Level 1

Hi Everyone,

I'm having a big issue with Nat on my 3925 router.

Currently I have 4 interfaces (Internetl, LAN, DMZ & Wifi (which is isolated except for a vew exceptions) on my router which is setup using zone pairs:

Internet -> LAN, Internet -> DMZ,  Internet -> Wi-Fi,

LAN -> Internet, LAN -> DMZ, LAN-> Wi-Fi

DMZ -> Internet,  DMZ -> LAN, DMZ -> Wi-Fi

Wi-Fi -> Internet, Wi-Fi -> LAN, Wi-Fi -> DMZ

NAT is setup to translate some external IP address to internal IP address both in our LAN and DMZ, basically the image below

    NAT-issue.jpg

and all seem to work however when the issue arise when I use a laptop/device in the Wi-Fi network to access a server in the LAN or DMZ by accessing it external IP address, ie Wifi Laptop IP 172.16.10.10 trying to access 150.148.130.52. The device is unable to access but if an external user trys to access 150.148.130.52 they are able to.

I think the issue is maybe due to the NAT/ZBFW rules maybe trying to access across the Wi-Fi -> DMZ zone pair rules instead of going Wi-Fi -> Internet, then Internet -> DMZ and back. but it just seem to trop the traffic?

Has anyone come accross this issue before? Im sure you most be able to do this as people access there webmail fine on internal and external networks with out the need for DNS translations.

Can any one help?

2 Replies 2

irvine_iain
Level 1
Level 1

Anyone able to help with is?

malshbou
Level 1
Level 1

please post your config, or at least:

show run | sec zone

show run | sec policy-map

show run | sec ip nat

show ip nat translations

i suspect it is NAT issue.

Mashal

------------------ Mashal Shboul
Review Cisco Networking for a $25 gift card