cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
324
Views
5
Helpful
2
Replies
Highlighted
Beginner

Suggestions on how to Setup DMZ and move Public facing servers without changing server IP.

Hi All,

 

Here is my situation, I am creating a DMZ zone for our public facing applications and servers, in doing so the DMZ is setup on a different subnet and vlan.  Because we have so many applications, services etc on a separate subnet/vlan, is there a way to proxy the connections to and from the servers and dmz without making a physical IP change on the servers to have them in the same subnet/vlan as the DMZ?? Here is my current config below:

 

DMZ: 10.1.99.1

ME Server: 10.1.1.149

 

object network obj-10.1.1.149
nat (DMZ,outside) static 204.2.222.56
object network obj-10.1.1.149
host 10.1.1.149

object network me-server-fromOutside
host 10.1.1.149
nat (DMZ,outside) static interface service tcp https https

object network me-server-fromInside
host 10.1.1.149
nat (DMZ,inside) static interface service tcp https https
access-list OutsidetoDMZ permit tcp any4 host 10.1.1.149 eq https
access-group OutsidetoDMZ in interface outside

 

Any insight into how to make this happen is appreciated.

 

Tks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

If you are going to use the firewall as gateway for the servers, then IPs
has to change.

Another option is to introduce L3 device between the servers as ASA (lets
say L3 switch). Then on the switch create a PBR that any traffic from
x-servers to ASA using set next-hop command in route-map. On ASA you add a
static route for x-servers pointing to L3 device.

View solution in original post

2 REPLIES 2
Highlighted
VIP Advisor

If you are going to use the firewall as gateway for the servers, then IPs
has to change.

Another option is to introduce L3 device between the servers as ASA (lets
say L3 switch). Then on the switch create a PBR that any traffic from
x-servers to ASA using set next-hop command in route-map. On ASA you add a
static route for x-servers pointing to L3 device.

View solution in original post

Highlighted

Mohommad, quick question about DNS in the DMZ once we change the servers IP's in this thread.. https://community.cisco.com/t5/firewalls/dns-in-a-dmz/td-p/3709214. Can you advise?