Forwarding DMZ traffic to DMZ firewall interface in a collapsed network

chase.cameron
Level 1

I have a question related to forwarding DMZ traffic to the DMZ firewall interface.

I have two layer 3 switches (Nexus 9k) with SVIs that control routing for multiple internal subnets as well as a DMZ subnet. Typically we use separate switches for DMZ infrastructure, but this network is using two Nexus switches in HSRP that are acting as edge, distribution and core (collapsed smaller network). These multiple internal subnets use a default route statement pointing to the firewall, where their traffic is inspected etc.

The DMZ, obviously, is not part of the internal network and should be ACL'ed by the firewall on its own interface/subinterface. The problem is, I can’t figure out how to tell the nexus l3 switch to forward DMZ traffic to the DMZ interface of the firewall, regardless of whether I use a separate physical firewall interface or a subinterface for the DMZ.
- The default route statement on the switch will forward DMZ traffic to the inside interface of the firewall
- This DMZ traffic will drop once it hits the deny IP any any rule on the inside interface inbound-acl.
- Is it possible to have a statement that forwards traffic from the DMZ SVI (which acts as local DMZ gateway) directly to the DMZ firewall interface, so that the default route is bypassed?

One solution I thought of was to not use SVIs/HSRP for the DMZ and have the firewall be the local DMZ gateway...I’d rather use HSRP if possible since the DMZ is on the same set of Nexus switches as every other routed subnet.


Any advice is appreciated, thanks in advance!

Accepted Solution

chase.cameron
Level 1

I figured it out after talking with co-workers...I didn't realize that the firewall can be "VLAN aware", and that even if my default route forwards DMZ traffic to the inside interface of the firewall, the firewall will forward DMZ traffic to the subinterface (with its own inbound ACL). As long as the subinterface is called out as belonging to the DMZ VLAN, then DMZ traffic will be forwarded to this interface. I thought the inside interface would see the DMZ traffic and drop it, rather than forwarding DMZ traffic to the firewall subinterface.


5 Replies

Hello,


--> This DMZ traffic will drop once it hits the deny IP any any rule on the inside interface inbound-acl


Can you modify the inside inbound ACL to allow traffic to the DMZ?

This would defeat the purpose of having a separate DMZ interface...I'm trying to get DMZ traffic to the DMZ firewall interface. I think I figured it out after talking with others locally...they said the default route will send DMZ traffic to my inside interface, but if the firewall is VLAN aware, it will separate traffic for processing on its respective interface (DMZ in this case). I just need to enter a VLAN configuration for the interface/subinterface. Does this make sense?

Hello

tbh no - it's hard to understand your topology - if you can post a topology then maybe it would become clearer.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Why don’t you policy route the traffic you want to hit the DMZ FW handoff?


Kind Regards
Paul
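Paul's policy-routing suggestion, as an added NX-OS example that is not from the thread or any poster: PBR on the DMZ SVI overrides the default route for traffic entering from the DMZ and hands it to the firewall's DMZ subinterface, so the inside interface ACL never sees it. VLAN IDs, names and addresses are assumptions (VLAN 20 = DMZ with HSRP VIP 10.10.20.1, VLAN 250 = transit between the Nexus pair and the firewall DMZ subinterface at 10.10.250.2).

```text
! Added example, not from the thread. Assumed topology:
!   VLAN 20  = DMZ, gateway is the Nexus SVI/HSRP VIP 10.10.20.1
!   VLAN 250 = transit VLAN to the firewall DMZ subinterface (10.10.250.2)
! Apply the same configuration on both HSRP peers.
feature pbr

! Match everything sourced from the DMZ subnet.
ip access-list DMZ-SOURCES
  10 permit ip 10.10.20.0/24 any

! Override the default route: next hop is the firewall DMZ subinterface.
route-map DMZ-TO-FW permit 10
  match ip address DMZ-SOURCES
  set ip next-hop 10.10.250.2

! PBR is applied on the ingress SVI, i.e. the DMZ gateway.
interface Vlan20
  description DMZ gateway (HSRP)
  ip policy route-map DMZ-TO-FW

! Transit SVI towards the firewall; the peer uses 10.10.250.4/29.
interface Vlan250
  description Transit to firewall DMZ subinterface
  no shutdown
  ip address 10.10.250.3/29
  hsrp 250
    ip 10.10.250.1

! On the firewall (vendor-specific syntax, not shown): a subinterface tagged
! VLAN 250 with 10.10.250.2, its DMZ inbound ACL, and a route for
! 10.10.20.0/24 via 10.10.250.1 so return traffic stays symmetric.
```

PBR only steers traffic entering Vlan20; inside-to-DMZ traffic is still routed between SVIs on the Nexus without touching the firewall, so replies from the DMZ would reach the firewall with no matching state. Placing the DMZ SVI in its own VRF so that all inter-zone traffic must pass through the firewall removes that bypass.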