3 replies. Latest reply on Jan 3, 2014 10:58 AM by mhemstreet

    Inter-zone routing

    mhemstreet New Member

      I am looking for direction on allowing for inter-security-zone routing.  I have a PublicWiFi zone which both employees and outside vendors use for general internet access.  The PublicWiFi sec-zone has three rules configured in this order:

      Filter PublicWiFi to Private subnet; allow traffic to Netvanta (for management); NAT out primary WAN.  The PublicWiFi sec-zone uses public DNS for name resolution.


      There is a mailserver with OWA configured in the Private zone. When users are connected to the PublicWiFi zone, they resolve their OWA address to the proper public IP.


      In the Private zone I also have a filter rule configured for Private subnet to PublicWiFi subnet.  I am not, however, able to connect over the public address to the mailserver from the PublicWiFi sec-zone.

        • Re: Inter-zone routing
          vmaxdawg05 Past_Featured_Member

          I have run into this.  Assuming the Exchange server is on your Private policy-class (zone), you should be able to put a NAT statement in that will take care of it. 

          Example: (X.X.X.X = Public IP of OWA server, N.N.N.N = private/actual IP of OWA server)

          ip access-list ext wifi.exchange
            remark NAT to exchange server from WiFi
            permit tcp any host X.X.X.X eq 443 log
            permit tcp any host X.X.X.X eq 80 log

          ip policy-class PublicWiFi
            allow list self self
            nat destination list wifi.exchange address N.N.N.N overload policy Private
            nat source list wifi.internet interface ethernet 0/1 overload policy Public

          (ethernet 0/1 above stands for whatever interface is public facing.)


          This essentially allows any of the permitted traffic in the wifi.exchange ACL the ability to communicate with the exchange server.  The NetVanta will redirect the selected traffic to the exchange server in the Private zone.


          You could also create an ACL for the exchange server to NAT to the Private zone as well.

          Example:
          (W.W.W.0 0.0.0.255 = IP subnet of the WiFi Network, X.X.X.X = Public IP for OWA/Exchange)

          ip access-list ext exchange.wifi
            remark Exchange server traffic to WiFi
            permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 443 log
            permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 80 log

          ip policy-class Private
            allow list self self
            nat source list exchange.wifi address X.X.X.X overload policy PublicWiFi
            nat source list wizard-ics interface Ethernet 0/1 overload policy Public


          This allows any reply from the Exchange/OWA server to appear to be coming from X.X.X.X.


          I hope this helps.


          R\

          • Re: Inter-zone routing
            jayh Hall_of_Fame

            mhemstreet wrote:

            I am looking for direction on allowing for inter-security-zone routing.  I have a PublicWiFi zone which both employees and outside vendors use for general internet access.  The PublicWiFi sec-zone has three rules configured in this order:

            Filter PublicWiFi to Private subnet; allow traffic to Netvanta (for management); NAT out primary WAN.  The PublicWiFi sec-zone uses public DNS for name resolution.

            There is a mailserver with OWA configured in the Private zone. When users are connected to the PublicWiFi zone, they resolve their OWA address to the proper public IP.

            In the Private zone I also have a filter rule configured for Private subnet to PublicWiFi subnet.  I am not, however, able to connect over the public address to the mailserver from the PublicWiFi sec-zone.

            I'm assuming that both the Private and PublicWiFi zones are using different private IP ranges.


            You likely have two problems...


            The first is that your Filter PublicWiFi to Private subnet may not have a permit statement for users in the PublicWiFi zone to reach the mail server, so add that rule specifying the IP of the mailserver as a host address.  This needs to be before any deny rules blocking access to the Private zone.  You probably want to make it granular enough to only allow the ports that are needed for the services you want to allow, TCP 80 and 443, perhaps IMAP.


            Test this by seeing if users on PublicWiFi can reach the mail server via a browser specifying its internal IP address in the browser window.


            The second potential problem may be name resolution.  If users can connect to the inside IP but can't reach the server by its hostname, then you will probably want to add a static entry into the hosts table of the 3400 mapping the hostname of the mail server to its local private IP, and enable DNS proxy.  This way local users will resolve to the inside address and not try to go out to the public address outside of the NAT.
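A small Python model, added here and not from the thread or from ADTRAN, of how the PublicWiFi policy-class entries described in the two replies above are evaluated top to bottom. It uses constructed placeholder addresses in place of X.X.X.X, N.N.N.N and W.W.W.0, treats the original poster's "Filter PublicWiFi to Private subnet" rule as a discard entry, and omits the "allow list self self" management rule; the ACL and entry names are assumptions. Running it shows why the port-specific destination NAT from vmaxdawg05 and the host permit placed above the subnet filter from jayh are each needed.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 / RFC 1918) for the thread's X.X.X.X, N.N.N.N and W.W.W.0.
OWA_PUBLIC, OWA_PRIVATE = "198.51.100.5", "10.10.0.25"
WIFI_SUBNET, PRIVATE_SUBNET = "192.168.50.0/24", "10.10.0.0/24"

def _match(spec, ip):
    """ACL address spec: 'any', 'host A.B.C.D' or a CIDR (standing in for the wildcard-mask form)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec[5:]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def acl_permits(acl, src, dst, dport):
    """First-match evaluation of a TCP flow against (action, src, dst, dport) entries; implicit deny."""
    for action, s, d, p in acl:
        if _match(s, src) and _match(d, dst) and p in (None, dport):
            return action == "permit"
    return False

def evaluate(policy_class, src, dst, dport):
    """Walk the policy-class entries top to bottom; return (action, destination after NAT, zone)."""
    for entry in policy_class:
        if not acl_permits(entry[1], src, dst, dport):
            continue
        kind = entry[0]
        if kind == "allow":            # pass the flow unchanged into the named zone
            return ("allow", dst, entry[2])
        if kind == "nat-destination":  # rewrite the destination and hand the flow to the named zone
            return ("nat-destination", entry[2], entry[3])
        if kind == "nat-source":       # destination unchanged; the flow leaves through the named zone
            return ("nat-source", dst, entry[2])
        return ("discard", dst, None)
    return ("discard", dst, None)      # implicit discard at the end of a policy-class

# Access lists from the thread (TCP only), written as (action, src, dst, dport).
wifi_to_owa = [("permit", WIFI_SUBNET, f"host {OWA_PRIVATE}", 443), ("permit", WIFI_SUBNET, f"host {OWA_PRIVATE}", 80)]
wifi_to_private = [("permit", WIFI_SUBNET, PRIVATE_SUBNET, None)]   # matched by a discard entry
wifi_exchange = [("permit", "any", f"host {OWA_PUBLIC}", 443), ("permit", "any", f"host {OWA_PUBLIC}", 80)]
wifi_internet = [("permit", WIFI_SUBNET, "any", None)]

# jayh's order: the host permit sits above the subnet discard; vmaxdawg05's destination NAT hairpins
# the public address back into the Private zone before the catch-all source NAT sends it out the WAN.
PUBLIC_WIFI = [("allow", wifi_to_owa, "Private"), ("discard", wifi_to_private),
               ("nat-destination", wifi_exchange, OWA_PRIVATE, "Private"),
               ("nat-source", wifi_internet, "Public")]
# The original poster's policy-class: only the subnet filter and the WAN source NAT.
ORIGINAL_WIFI = [("discard", wifi_to_private), ("nat-source", wifi_internet, "Public")]
```

With ORIGINAL_WIFI, a WiFi client's connection to the public OWA address is source-NATted out the WAN and never reaches the server; with PUBLIC_WIFI it is redirected to the private address, while a port the ACL does not list (SMTP, for instance) still goes out the WAN.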

            • Re: Inter-zone routing
              mhemstreet New Member

              Thanks vmaxdawg05, that did the trick for me.  I just couldn't see it.