RV042 Connecting between LAN and DMZ using private IPs

bradummer
Level 1

I'm trying to put a computer into the DMZ and then access it from computers on the LAN using a local IP address. My reason for doing this is that I'd like my DMZ computer to be a locked down web server (just ports 80 and 443 open to the outside), but I need to be able to have more access to it from inside my LAN (e.g. I want to be able to SSH into it from the LAN).

Thus far I've been able to get a computer set up in the DMZ and can access the Internet from the DMZ computer. And I can access the DMZ computer from the LAN computers using the public address for the DMZ computer. But I can't access the DMZ computer from the LAN computers using a private address for the DMZ computer. Please see the attached file for a diagram of our current settings. A few descriptions:

- Verizon provides us with a number of static IP addresses, i.e. 71.123.123.10-12 (note these aren't actually the addresses, but representative).
- In the RV042, I have the following configurations made:
  - Setup > Network > LAN Setting
    - Device IP Address = 10.4.20.1
    - Subnet Mask = 255.255.255.0
  - Setup > Network > Edit WAN Connection
    - Specify WAN IP Address = 71.123.123.10
    - Subnet Mask = 255.255.255.0
    - Default Gateway Address = 71.123.123.1
  - Setup > Network > Edit DMZ Connection
    - Interface = Range
    - IP Range for DMZ port = 71.123.123.11 to 71.123.123.11
  - Setup > DMZ Host
    - DMZ Private IP Address = 10.4.20.71 (NOTE: I have no idea if this is necessary or correct)
- Computer network settings:
  - For computers on the LAN (i.e. computers A and B), I have the following set:
    - IP Address = 10.4.20.100 (for A) and 10.4.20.110 (for B)
    - Subnet Mask = 255.255.255.0
    - Default Gateway Address = 10.4.20.1
  - For the computer on the DMZ (i.e. computer C), I have the following set:
    - IP Address = 71.123.123.11
    - Subnet Mask = 255.255.255.0
    - Default Gateway Address = 71.123.123.1

As I mentioned above, this is all working great:

- I can ping from A to B using the private address (i.e. ping 10.4.20.110)

- I can ping from B to A using the private address (i.e. ping 10.4.20.100)

- I can ping from A or B to any outside public address (e.g. google.com)

- I can ping from A to C using the public address (i.e. ping 71.123.123.11)

- I can ping from C to any outside public address (e.g. google.com)

What I can't do:

- I can't ping from C to A using the private address (i.e. ping 10.4.20.110)

- I can't ping from C to the router using the private address (i.e. ping 10.4.20.1)

- I can't ping from C to the router using the public address (i.e. ping 71.123.123.10)

- I can't ping from A to C using the private address (i.e. ping 10.4.20.71)

Is there a way to create a path so that I can connect from the LAN computers (A and B) to the DMZ computer (C) using just the private address? Once I figure this out, my next step is going to be locking down the firewall on the DMZ computer to just 80 and 443 from the public WAN (outside), but opening up some additional ports when connecting from the private LAN (inside). Thanks for any help you can provide.

7 Replies

Te-Kai Liu
Level 7

Your understanding of the DMZ Port of RV042 is correct. By default a computer in LAN can access the PCs connected to the DMZ Port. There is no need to configure DMZ Host, which is to expose a LAN PC to the internet.

You might want to give a call to the Support Center to seek more assistance.

When you say that my understanding is correct, do you mean that I should be able to do what I'm trying to do (access the computer in the DMZ from a computer on the LAN using a local IP for the DMZ computer), but I just don't have things configured correctly? In other words, are you saying it is possible to do this but I just need different settings? Or do you mean that I have things set up the only way they can be set up, and it's just not possible for a LAN computer to access a DMZ computer using a local IP? Please clarify.

Also, how do I go about contacting the Support Center? Thanks.

Your settings look correct to me, thus a LAN computer should be able to access a DMZ computer.

However, I'm not sure what you meant by "using a local IP", as the packets from LAN to DMZ are NAT'ed.

The contacts of the small business support center can be found at:

https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

Sorry if I wasn't clear. Please see the attached updated network diagram. I created a firewall rule that allows all traffic from any WAN1 source to my 71.123.123.11 destination. Thus if I'm sitting at Outside computer S, I can connect (via SSH) to DMZ computer C using the address (71.123.123.11). Likewise, if I'm sitting at LAN computer A, I can connect (via SSH) to DMZ computer C using the address (71.123.123.11). So far so good. I'd like to add a firewall rule that blocks all connections "from the outside" except for port 80. (Basically I want to lock down the DMZ computer C so that it only serves web pages to the outside.) Thus SSH connections from Outside computer S to DMZ computer C need to be blocked, but HTTP requests (port 80) from S to C need to still work. I can add this firewall rule to implement the block using the WAN IP 71.123.123.11, and that works fine. But doing that will also prevent LAN computer A from being able to SSH into DMZ computer C. That's my problem. I was thinking that if I could use a "local address" (e.g. 10.4.20.x) for DMZ computer C, then I could set up a different firewall rule for that and allow the SSH connection. Is this possible? Or is there a better way to do this?

Perhaps a screenshot of your Access Rules configuration would show where things were not configured correctly. You can white out certain IP addresses for privacy, or you could let our support staff take a look when you call SBSC.

Again, thank you for your continued help. See screenshot. I ended up playing around with some more settings and firewall rules and I think I have it working now. I think the problem was that I was trying to add a rule to allow traffic from Source: LAN to Destination: 71.123.123.11 and for some reason that was blocking just those types of connections. I then removed that rule (so that I just have 80 and 443 open from WAN1) and now I'm able to connect from the LAN computer to the DMZ computer over SSH. Honestly it doesn't make sense to me, but it's working. If any of the things that I just described seem like something that I shouldn't have done, please let me know. Otherwise, I'll let you know if I run into any other problems.

It looks good.
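The plan from the opening post (ports 80 and 443 open to everyone, SSH only from the LAN) together with the reply that LAN-to-DMZ packets are NAT'ed, as an added Python example that is not from the thread or from Cisco: it models the host firewall on DMZ computer C as a first-match rule list and shows why an SSH rule keyed on 10.4.20.0/24 never matches traffic from the LAN. It assumes the router rewrites LAN sources to its WAN address 71.123.123.10 before they reach the DMZ port, and uses the constructed address 203.0.113.5 for Outside computer S.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses are the thread's representative ones; 203.0.113.5 is a constructed
# stand-in for "Outside computer S".
LAN = ip_network("10.4.20.0/24")
ROUTER_WAN = ip_network("71.123.123.10/32")  # assumed NAT source of LAN-originated traffic
OUTSIDE_S = "203.0.113.5"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    dport: Optional[int] = None    # None matches any destination port
    src: Optional[object] = None   # an ip_network, or None for any source


# Policy the poster wants on C: web to everyone, SSH only from the LAN, deny the rest.
# Because LAN->DMZ traffic is NAT'ed, the SSH rule has to match the router's WAN
# address rather than the private 10.4.20.0/24 subnet.
HOST_POLICY = [
    Rule("allow", 80),
    Rule("allow", 443),
    Rule("allow", 22, ROUTER_WAN),
    Rule("deny"),
]

# The intuitive variant that keys SSH on the private subnet; it never matches.
NAIVE_POLICY = [Rule("allow", 80), Rule("allow", 443), Rule("allow", 22, LAN), Rule("deny")]


def nat_lan_to_dmz(src: str):
    """Model the router rewriting LAN sources on the way to the DMZ port (assumption)."""
    addr = ip_address(src)
    return ip_address("71.123.123.10") if addr in LAN else addr


def decide(policy, src: str, dport: int) -> str:
    """First-match evaluation on C for a packet that has already crossed the router."""
    seen_src = nat_lan_to_dmz(src)
    for rule in policy:
        if rule.dport not in (None, dport):
            continue
        if rule.src is not None and seen_src not in rule.src:
            continue
        return rule.action
    return "deny"  # implicit default if a policy has no catch-all


if __name__ == "__main__":
    for src, port in [(OUTSIDE_S, 80), (OUTSIDE_S, 22), ("10.4.20.100", 22), ("10.4.20.100", 8080)]:
        print(f"{src}:{port}  correct={decide(HOST_POLICY, src, port)}  naive={decide(NAIVE_POLICY, src, port)}")
```

Run it to see that Outside S reaches port 80 but not 22, that LAN computer A reaches 22 only under HOST_POLICY, and that the naive policy denies A's SSH because C sees the connection coming from 71.123.123.10.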