Default Gateway for server in DMZ and on Lan

I have two servers attached via a little hub to the DMZ port on our Cisco ASA 5500 firewall.
Both run web-based services to the internet via this connection (SharePoint and library catalogue).
Each server has two Ethernet cards; the other is connected to our Cisco 3750 Layer 3 capable switch, and they are in a server VLAN.
I need to access the servers from the staff VLAN.
The servers (Windows 2003 and 2000) will only support one gateway address.
If I set the default to the Server_VLAN interface IP address on the appropriate card then routing to/from the LAN works and I can get access to the servers using standard Windows networking services (browsing, RDC, file sharing etc.). Accessing the web services from the internet will however fail. I believe that the returning information just goes down the wrong gateway and never makes it back to the requestor.
If I swap the default gateway to the DMZ gateway address, web-based access from the internet is OK but LAN traffic suffers the same problem as above; simply, the problem is reversed.

Srv1 DMZ IP =
Srv2 DMZ IP =

Server VLAN =
Srv1 VLAN Interface =
Srv2 VLAN Interface =

Staff VLAN Interface IP =
Default Gateway = (and is attached to this VLAN, i.e. on ASA 'ip route')

So the question is: how do I configure this to achieve access from both sides so that the servers know where to send the return info?
So far the only thing I can think of (and works) is to put the servers into the staff VLAN instead of the server VLAN with the G/W as the DMZ on the servers. That way local access doesn't get routed.

But this does seem to defeat the object of having VLANs. Is there a solution that I am missing here?

Thanks for your help.


Set the default route on the servers to be the IP address of the gateway to the internet, i.e. the largest network, then set static persistent routes on each of the servers to the Staff VLAN via the Server_VLAN interface using the "route add" command.

I would be concerned about connecting a server in the DMZ to another network as it offers another possible route into the staff network.
JoCox99 (Author) commented:
Surely this is common practice. If anyone has a web server that only lets web traffic in/out of the DMZ port, one still has to get access to the server for maintenance purposes. In this scenario I can just shut down the LAN port on the switch whilst I am not doing maintenance.

In our case we have two servers in the DMZ that provide services to our LAN as well: one is via MS networking for catalogue maintenance and has a web-based lookup on the DMZ, the other server provides web-based services for DMZ users and LAN. I don't see what the alternatives are.

Anyway I'll give your route adding idea a go; seems like the right idea, although I have never really quite figured out this command, but now is the time to resolve that I guess.

The command works as follows...

ROUTE ADD destination_network MASK network_mask gateway_address -P

For your staff VLAN it could look something like this... (I don't know the exact mask as you have not specified it). You can use a number of these commands if you need to access other internal networks via this secondary connection. The -p at the end makes the host remember the route if the server gets rebooted.


As long as you have some form of additional security on the additional connection, I just wanted to point out that if one of the DMZ servers was compromised it could be used to attack other hosts in the network, so the number of hosts it has access to should be minimized. Maybe I should have elaborated on the one liner in the first post.
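The following is an added example, not code from the thread or from either expert. It models the routing decision a dual-homed Windows host makes (longest-prefix match over its route table) for the two cases the question describes: default gateway on the DMZ leg only, and the same plus the persistent static route the answer recommends. It shows why the staff-VLAN reply leaves on the wrong NIC in the first case (the ASA then sees a reply on its inside interface with no matching connection and drops it), and emits the exact `route -p add` line for the fixed case. All addresses, VLAN ranges and interface names are assumptions; the original post left the real values blank.

```python
"""Model of a dual-homed Windows server's route selection (added example).

All addressing below is assumed for illustration; substitute your own.
"""
import ipaddress

# Assumed addressing (the thread's real values were left blank).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")          # server's DMZ leg
DMZ_GATEWAY = ipaddress.ip_address("192.0.2.1")         # ASA 'dmz' interface
SERVER_VLAN = ipaddress.ip_network("10.10.20.0/24")     # server's Server_VLAN leg
VLAN_GATEWAY = ipaddress.ip_address("10.10.20.1")       # 3750 SVI for Server_VLAN
STAFF_VLAN = ipaddress.ip_network("10.10.30.0/24")      # RDP / SMB clients live here
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.7")  # arrives via the ASA on the DMZ leg
STAFF_CLIENT = ipaddress.ip_address("10.10.30.25")      # arrives via the 3750 on the LAN leg


class RoutingTable:
    """Minimal host route table: (network, gateway or None if on-link, iface, persistent)."""

    def __init__(self):
        self.routes = []

    def add_connected(self, network, iface):
        # On-link route Windows installs automatically when a NIC is configured.
        self.routes.append((ipaddress.ip_network(network), None, iface, False))

    def add(self, network, gateway, iface, persistent=False):
        self.routes.append(
            (ipaddress.ip_network(network), ipaddress.ip_address(gateway), iface, persistent)
        )

    def lookup(self, dst):
        """Longest-prefix match, as the host's IP stack does; returns (net, gw, iface)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface, _ in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best

    def windows_commands(self):
        """The `route -p add` lines that reproduce the persistent routes (Windows 2000/2003 syntax)."""
        return [
            "route -p add %s mask %s %s" % (net.network_address, net.netmask, gw)
            for net, gw, _, persistent in self.routes
            if persistent
        ]


def base_table():
    rt = RoutingTable()
    rt.add_connected(DMZ_NET, "dmz")
    rt.add_connected(SERVER_VLAN, "lan")
    return rt


def default_via_dmz_only():
    """Case 1 in the question: only a default gateway, pointing at the ASA DMZ interface."""
    rt = base_table()
    rt.add("0.0.0.0/0", DMZ_GATEWAY, "dmz")
    return rt


def default_via_dmz_plus_static():
    """The recommended fix: same default, plus one narrow persistent route for the Staff VLAN.

    Keep this list to the networks that genuinely need the server (no 10.0.0.0/8 summary);
    every extra route is an extra path a compromised DMZ host could use into the LAN.
    """
    rt = default_via_dmz_only()
    rt.add(STAFF_VLAN, VLAN_GATEWAY, "lan", persistent=True)
    return rt


def reply_symmetry(rt):
    """For each client, (interface the request arrived on, interface the reply leaves on, symmetric?).

    An asymmetric pair is the failure the question describes: the reply takes the other NIC,
    reaches the ASA on an interface with no matching connection state, and is dropped.
    """
    cases = {"internet": (INTERNET_CLIENT, "dmz"), "staff": (STAFF_CLIENT, "lan")}
    result = {}
    for name, (client, arrived_on) in cases.items():
        leaves_on = rt.lookup(client)[2]
        result[name] = (arrived_on, leaves_on, arrived_on == leaves_on)
    return result


if __name__ == "__main__":
    for label, table in (("default via DMZ only", default_via_dmz_only()),
                         ("default via DMZ + static", default_via_dmz_plus_static())):
        print(label, reply_symmetry(table))
    print("\n".join(default_via_dmz_plus_static().windows_commands()))
```

Running it shows the staff-VLAN reply leaving on the DMZ NIC in the first table and on the LAN NIC once the /24 static route is present, while internet replies stay on the DMZ NIC in both. On the real server, `route print` after a reboot confirms the persistent route survived.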

Typically the routing from a DMZ to the internal LAN would be handled by the firewall between the two, in your case the ASA box, and a second NIC would not be necessary.