Default Gateway for server in DMZ and on Lan

Posted on 2006-04-03
Last Modified: 2012-08-14
I have two servers attached via a little hub to the DMZ port on our Cisco ASA 5500 firewall.
Both run web based services to the internet via this connection (SharePoint and library catalogue).
Each server has two Ethernet cards; the other is connected to our Cisco 3750 Layer 3 capable switch and is in a server VLAN.
I need to access the servers from the staff VLAN.
The servers (Windows 2003 and 2000) will only support one gateway address.
If I set the default to the Server_Vlan interface IP address on the appropriate card then routing to/from the LAN works and I can get access to the servers using standard Windows networking services (browsing, RDC, file sharing etc). Accessing the web services from the internet will however fail. I believe that the returning information just goes down the wrong gateway and never makes it back to the requestor.
If I swap the default gateway to the DMZ gateway address, web based access from the internet is OK but LAN traffic suffers the same problem as above; the problem is simply reversed.

Srv1 DMZ IP =
Srv2 DMZ IP =

Server Vlan  =
Srv1 Vlan Interface =
Srv1 Vlan Interface =

Staff Vlan Interface IP =
Default Gateway = (And is attached to this Vlan, i.e. on ASA 'ip route')

So the question is how do I configure this to achieve access from both sides so that the servers know where to send the return info?
So far the only thing I can think of (and it works) is to put the servers into the staff VLAN instead of the server VLAN with the G/W as the DMZ on the servers. That way local access doesn't get routed.

But this does seem to defeat the object of having VLANs. Is there a solution that I am missing here?

Thanks for your help.

Question by:JoCox99
    LVL 8

    Expert Comment

    Set the default route on the servers to be the IP address of the gateway to the internet, i.e., the largest network, then set static persistent routes on each of the servers to the Staff VLAN via the Server_VLAN Interface using the "route add" command.

    I would be concerned about connecting a server in the DMZ to another network as it offers another possible route into the staff network.

    Author Comment

    Surely this is common practice. If anyone has a webserver that only lets web traffic in/out of the DMZ port one still has to get access to the server for maintenance purposes. In this scenario I can just shutdown the LAN port on the switch whilst I am not doing maintenance.

    In our case we have two servers in the DMZ that provide services to our LAN as well; one is via MS networking for catalogue maintenance and has a web based lookup on the DMZ, the other server provides web based services for DMZ users and LAN. I don't see what the alternatives are.

    Anyway, I'll give your route adding idea a go; it seems like the right idea, although I have never really quite figured out this command, but now is the time to resolve that I guess.

    LVL 8

    Accepted Solution

    The command works as follows...

    ROUTE ADD destination_network MASK network_mask gateway_address -P

    For your staff VLAN it could look something like this... (I don't know the exact mask as you have not specified it). You can use a number of these commands if you need to access other internal networks via this secondary connection.  The -p at the end makes the host remember the route if the server gets rebooted.


    As long as you have some form of additional security on the additional connection, I just wanted to point out that if one of the DMZ servers was compromised it could be used to attack other hosts in the network, so the number of hosts it has access to should be minimized. Maybe I should have elaborated on the one liner in the first post.
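Added example (not from the original thread): a small model of the dual-homed server's routing decision, showing why a lone default gateway sends one side's replies out the wrong card and how the persistent static route from the accepted answer restores symmetric paths. All addresses are constructed, since the post leaves the real ones blank.

```python
import ipaddress

# Constructed sample addressing (the post leaves the real values blank); all assumptions.
DMZ_GW = "203.0.113.1"          # ASA DMZ interface: path to/from the internet
SERVER_VLAN_GW = "10.10.20.1"   # 3750 Server_VLAN interface: path to/from the LAN
STAFF_VLAN = ("10.10.30.0", "255.255.255.0")
INTERNET_CLIENT = "198.51.100.7"
STAFF_CLIENT = "10.10.30.25"

class HostRoutingTable:
    """Model of a Windows host's table: longest prefix wins, else the single default route."""

    def __init__(self, default_gateway):
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), default_gateway)]

    def route_add(self, destination, mask, gateway):
        """Same shape as the thread's command: ROUTE ADD destination MASK mask gateway -P"""
        self.routes.append((ipaddress.ip_network(f"{destination}/{mask}"), gateway))

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

def reply_paths(table):
    """Gateway the server uses for replies to a staff client and to an internet client."""
    return {"staff": table.next_hop(STAFF_CLIENT), "internet": table.next_hop(INTERNET_CLIENT)}

def symmetric(table):
    """True when replies leave via the same device the request arrived through;
    otherwise the stateful ASA never sees the return half of the flow and drops it."""
    p = reply_paths(table)
    return p["staff"] == SERVER_VLAN_GW and p["internet"] == DMZ_GW

# Option 1 from the question: default gateway on the Server_VLAN card.
lan_default = HostRoutingTable(SERVER_VLAN_GW)
# Option 2 from the question: default gateway on the DMZ card.
dmz_default = HostRoutingTable(DMZ_GW)
# Accepted answer: default via the DMZ (the "largest network") plus a persistent
# static route for the staff VLAN via the Server_VLAN interface.
fixed = HostRoutingTable(DMZ_GW)
fixed.route_add(STAFF_VLAN[0], STAFF_VLAN[1], SERVER_VLAN_GW)

if __name__ == "__main__":
    for name, t in [("lan_default", lan_default), ("dmz_default", dmz_default), ("fixed", fixed)]:
        print(name, reply_paths(t), "symmetric" if symmetric(t) else "ASYMMETRIC")
```

Each extra internal network that must reach the server needs its own route_add line, which is why the answer suggests keeping that list as short as possible.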
    LVL 5

    Expert Comment

    Typically the routing from a DMZ to the internal LAN would be handled by the firewall between the two, in your case the ASA box, and a second NIC would not be necessary.
