Randal Stowell asked:
Routing DMZ Hosts on Different Subnets out to the Internet
I had this question after viewing "Packet drop, No valid adjacency, ASA 5516x".
- We have a Cisco Firepower FTD with 2 WAN ports configured for DMZ purposes. Our infrastructure switches are Juniper EX-3300 and the core router is a Juniper EX-4550.
- Each WAN/DMZ port is configured with DMZ A address 192.168.aaa.aaa/29 and DMZ B address 192.168.bbb.bbb/29 respectively, and those WAN/DMZ ports connect to ports configured with matching L3 vlan inet subnet interfaces on our core router
- The L3 core router ports are configured as ACCESS ports and have corresponding /29 Gateway IP OBJECTS created on the FTD (for use in the routing config)
- DMZ Host A is on the same LAN as our core router configured with DMZ C vlan 192.ccc.ccc.ccc/24
- DMZ Host B is on a different subnet across a P2P WAN link configured with DMZ D vlan 192.ddd.ddd.ddd/24
- Under DEVICE > ROUTING I have DMZ Host A Interface configured as ipv4, DMZ A Gateway IP, and under Networks I have: DMZ C Default Gateway IP, DMZ C /24 Subnet, and DMZ C Host Object
- Under DEVICE > ROUTING I have DMZ Host B Interface configured as ipv4, DMZ B Gateway IP, and under Networks I have: DMZ D Default Gateway IP, DMZ D /24 Subnet, and DMZ D Host Object
- Under SECURITY POLICIES > NAT, I have 2 policies each:
- (outside, DMZ A, Dynamic) DMZ Host C Public > DMZ Host C Private
- (DMZ A, outside, Static) DMZ Host C Private > DMZ Host C Public
- (outside, DMZ B, Dynamic) DMZ Host D Public > DMZ Host D Private
- (DMZ B, outside, Static) DMZ Host D Private > DMZ Host D Public
- Under SECURITY POLICIES > Access Control I have 2 policies each:
- SOURCE > Allow > Outside > Any > Any --> DESTINATION > DMZ A Zone > DMZ Host C Private
- SOURCE > Allow > DMZ A Zone > DMZ Host C Private --> DESTINATION > Outside > DMZ Host C Public
- SOURCE > Allow > Outside > Any > Any --> DESTINATION > DMZ B Zone > DMZ Host D Private
- SOURCE > Allow > DMZ B Zone > DMZ Host D Private --> DESTINATION > Outside > DMZ Host D Public
I can ping the source Default Gateways to their respective DMZ hosts but I am not getting out to the Internet or in from the Internet. I have also tried adding DMZ, Inside and Inside, DMZ ACLs and NATs but Internet Access does not become available.
Unfortunately, when I ping the Internet with the source DMZ Gateway IPs, I get no replies.
What am I missing?
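The question above describes a design whose Internet path depends on three things working together: the core router forwarding Internet-bound DMZ traffic to the FTD's DMZ A address, the FTD holding a route back to each DMZ /24 via the core's /29 address, and the DMZ host's private source being translated to a public address before it leaves. The following is an added example, not code from the post, from Cisco FTD or from Junos: a small Python packet-walk model of that topology that checks each dependency in turn. Because the post masks its addresses, the example uses placeholders from the RFC 1918 and RFC 5737 ranges (192.168.20.0/24 for DMZ C, 192.168.10.0/29 for the core-to-FTD transit, 203.0.113.0/29 for the outside), and the device names, the ISP next hop and the NAT public address are assumptions. It models routing and one static NAT entry only; access control, ARP and security zones are left out.

```python
"""Packet-walk model of the design described in the question (added example;
not from the post, Cisco FTD or Junos). The post masks its addresses, so these
are placeholders from the RFC 1918 / RFC 5737 ranges:

  DMZ C host 192.168.20.10/24, gateway 192.168.20.1 on the EX-4550 ("core")
  core <-> FTD transit /29: core 192.168.10.2, FTD "DMZ A" 192.168.10.1
  FTD outside 203.0.113.2/29, ISP next hop 203.0.113.1, NAT public 203.0.113.3
Access control, ARP and security zones are ignored; only routing and one
static (bidirectional) NAT entry are modelled."""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP = ipaddress.ip_address("203.0.113.1")  # assumed ISP router; traffic sent here is "the Internet"

class Device:
    """Minimal L3 forwarder: connected networks beat static routes, then longest prefix wins."""
    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(a) for a in interfaces]
        self.routes = []  # (network, next_hop)
    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))
    def owns(self, ip):
        return any(i.ip == ip for i in self.interfaces)
    def next_hop(self, dst):
        if any(dst in i.network for i in self.interfaces):
            return dst  # directly connected: hand to the host itself
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None  # None: no route, the packet is dropped

class FTD(Device):
    """Forwarder with a static NAT table; on FTD a static rule translates both directions."""
    def __init__(self, name, interfaces):
        super().__init__(name, interfaces)
        self.nat = {}  # private -> public
    def add_static_nat(self, private, public):
        self.nat[ipaddress.ip_address(private)] = ipaddress.ip_address(public)
    def translate_src(self, src):
        return self.nat.get(src, src)
    def untranslate_dst(self, dst):
        return next((priv for priv, pub in self.nat.items() if pub == dst), dst)

def forward(devices, entry, src, dst, hops):
    """Forward one packet from `entry` until it is delivered, handed to the ISP or dropped."""
    dev = entry
    while True:
        if isinstance(dev, FTD):
            dst = dev.untranslate_dst(dst)  # inbound leg of the static NAT
        nh = dev.next_hop(dst)
        if nh is None:
            hops.append(f"{dev.name}: no route to {dst}, dropped")
            return "dropped", src
        if isinstance(dev, FTD) and nh == ISP:
            src = dev.translate_src(src)  # outbound leg of the static NAT
        hops.append(f"{dev.name} -> {nh}  src={src} dst={dst}")
        if nh == dst:
            return "delivered", src
        if nh == ISP:
            return "isp", src
        dev = next((d for d in devices if d.owns(nh)), None)
        if dev is None:
            hops.append(f"next hop {nh}: no device owns it, dropped")
            return "dropped", src

def round_trip(devices, edge, host, gateway, dst):
    """Echo request from host to dst and the reply back in through `edge`. Returns (ok, hops)."""
    host, gateway, dst = map(ipaddress.ip_address, (host, gateway, dst))
    hops = []
    first = next(d for d in devices if d.owns(gateway))
    status, seen_src = forward(devices, first, host, dst, hops)
    if status != "isp":
        return False, hops
    if any(seen_src in n for n in PRIVATE):  # the Internet has no route back to RFC 1918 space
        hops.append(f"Internet: no route back to private source {seen_src}, no reply")
        return False, hops
    status, _ = forward(devices, edge, dst, seen_src, hops)
    return status == "delivered", hops

def build(core_default=True, ftd_route_to_dmz_c=True, static_nat=True):
    """The design from the question, with each of its three dependencies switchable."""
    core = Device("core", ["192.168.20.1/24", "192.168.10.2/29"])
    ftd = FTD("ftd", ["192.168.10.1/29", "203.0.113.2/29"])
    ftd.add_route("0.0.0.0/0", str(ISP))
    if core_default:  # core must send Internet-bound traffic to the FTD's DMZ A address
        core.add_route("0.0.0.0/0", "192.168.10.1")
    if ftd_route_to_dmz_c:  # FTD must reach the /24 via the core's /29 address
        ftd.add_route("192.168.20.0/24", "192.168.10.2")
    if static_nat:  # a private source must leave as a public address or nothing can reply
        ftd.add_static_nat("192.168.20.10", "203.0.113.3")
    return [core, ftd], ftd

if __name__ == "__main__":
    for knobs in ({}, {"core_default": False}, {"ftd_route_to_dmz_c": False}, {"static_nat": False}):
        devices, ftd = build(**knobs)
        ok, hops = round_trip(devices, ftd, "192.168.20.10", "192.168.20.1", "198.51.100.50")
        print(knobs or "full config", "OK" if ok else "FAIL", *hops, sep="\n  ")
```

Run as a script, the full configuration completes the round trip in four hops; removing the core's default route drops the request at the core, removing the FTD's route to the /24 sends the reply back out to the ISP instead of toward the host, and removing the NAT lets the request out but leaves the Internet with no route back to a 192.168.x.x source. That last case is also why an echo sourced from an untranslated private interface address gets no replies: the probe leaves, the answer cannot return.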
Rather than describing the config, I would suggest attaching a suitably sanitized copy of the config.
Typically a DMZ is not NATed at all. All incoming traffic on the outside port is sent to the inside port and vice versa.
Cisco Firepower FTD implies you are using a Cisco ASA of some sort.
Hence my suggestion of attaching a config instead of describing the config.
ASKER
Thanks again for the comments!