• Status: Solved
  • Priority: Medium
  • Security: Public

Access LAN from DMZ

I have two routers to build my own DMZ:

Router 1 (Cisco RV110W) connected from Internet to DMZ:
WAN IP: 80.21X.XX.XX
LAN IP: 192.168.1.1

Router 2 (Cisco RV810W) connected from DMZ to LAN:
WAN IP: 192.168.1.101
LAN IP: 192.168.2.1 / 255.255.255.0

I have a WebServer (IIS, 192.168.1.103) in the DMZ. I can see (ping, RDP) this server from my LAN, but the WebServer can't see anything inside my LAN. That's OK so far.
Now I have a NAS device (192.168.2.222) inside my LAN that is configured to be an FTP server. How can I give access to this device from the Internet / DMZ?
Asked by: mr-kenny

EVeuger commented:
You have to create a route in Router 1 (I assume this is your default gateway)!

EVeuger commented:
So in your case in router 1 (configuration mode) enter: ip route 192.168.2.0 255.255.255.0 192.168.1.101

Cheers!

mr-kenny (author) commented:
Thanks, I don't understand yet:

I have both Routers in Gateway Mode (NAT).

In the Routing menu of Router 1 I have to add a Static Routing:

Destination LAN IP: 192.168.2.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.101
Interface: LAN & Wireless   OR Internet (WAN)

is this correct?

Ernie Beek (expert) commented:
You will also have to create access lists to allow FTP through and create NAT statements to link the public address/port to the server (and the same from the LAN).

Ernie Beek (expert) commented:
I took the liberty of adding 'network routers' and 'networking hardware' to your zones to draw some extra attention.

EVeuger commented:
That is correct. Only router 1 has a public address, so there you need to route towards your LAN which is connected to router 2. The webserver in the DMZ will have router 1 as DG and also needs that route to access anything on the LAN.

Happy routing!

mr-kenny (author) commented:
I still have no access from my WebServer into LAN when I try to ping my NAS (192.168.2.222)

Here's my config:

Routing Table on Router 1 (Internet-DMZ):
Destination LAN IP   Subnet Mask      Gateway         Interface
192.168.2.0          255.255.255.0    192.168.1.101   LAN
192.168.1.0          255.255.255.0    192.168.1.1     LAN
20.100.68.0          255.255.254.0    20.100.69.55    WAN
0.0.0.0              0.0.0.0          20.219.68.1     WAN

Access Rule on Router 2 (LAN):

Always Allow       ANY       Enabled       Inbound (WAN (Internet) > LAN (Local Network))
Source: 192.168.1.1 - 192.168.1.250
Send to Local Server (DNAT IP): 192.168.1.101
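
A longest-prefix-match lookup over Router 1's routing table as posted above, showing where traffic for the NAS is sent with and without the static route. This is an added example, not part of the original thread; the function names are illustrative, and it models next-hop selection only, not the routers' NAT or firewall behaviour.

```python
import ipaddress

# Router 1's routing table, copied from the post above:
# destination, subnet mask, gateway, interface.
ROUTER1_TABLE = """\
192.168.2.0  255.255.255.0  192.168.1.101  LAN
192.168.1.0  255.255.255.0  192.168.1.1    LAN
20.100.68.0  255.255.254.0  20.100.69.55   WAN
0.0.0.0      0.0.0.0        20.219.68.1    WAN
"""


def parse_routes(text):
    """Parse 'dest mask gateway iface' rows into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore blank or malformed rows
        dest, mask, gateway, iface = fields
        # Raises ValueError if the destination has host bits set for the mask.
        network = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((network, ipaddress.ip_address(gateway), iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def next_hop(routes, destination):
    """Return (gateway, interface) as strings, or None if nothing matches."""
    route = lookup(routes, destination)
    return (str(route[1]), route[2]) if route else None


def without(routes, prefix):
    """Copy of the table with one prefix removed (to model a missing route)."""
    dropped = ipaddress.ip_network(prefix)
    return [r for r in routes if r[0] != dropped]


if __name__ == "__main__":
    table = parse_routes(ROUTER1_TABLE)
    for label, routes in (("with static route", table),
                          ("without static route", without(table, "192.168.2.0/24"))):
        print(label, "->", next_hop(routes, "192.168.2.222"))
```

Without the 192.168.2.0/24 entry, the only match for the NAS address is the default route, so Router 1 would hand that traffic to its WAN gateway instead of Router 2.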
 
EVeuger commented:
Is the DG on the webserver set to router 1?

mr-kenny (author) commented:
Yes, IP of WebServer is 192.168.1.103 and DG 192.168.1.1

EVeuger commented:
Can you post a tracert to the NAS from the webserver?

mr-kenny (author) commented:
1 192.168.1.1
2 192.168.2.222
3 Request timed out

EVeuger commented:
It seems the issue here is not routing, because it is routing correctly!

mr-kenny (author) commented:
I think it works now: I've changed the router mode of the router in the LAN to "Router" instead of "Gateway". Now the Router WAN-DMZ is configured in Router mode "Gateway" and the other in the LAN as "Router". I added the static Routing on the one router and Allow Inbound traffic on the LAN Firewall.

It works now but I wonder if it also should work with both Routers configured to run in Gateway Mode?
Thanks for your help.

Question has a verified solution.