2 Replies Latest reply on Apr 2, 2015 10:27 AM by john.auskelis

    How to: route from one private security zone to another, using a public IP address

    john.auskelis New Member

      NetVanta 3120 R10.9.5.E, using the GUI.


      Hello again experts - here's another brainteaser I need your help with.  I have two 'private' security zones, and need to connect from one to the other using a public IP address.  I'm trying to route traffic from the default private network, out to one of my public IP addresses, and back in to a second private network.


      • Private LAN #1    10.0.1.0/24 - This is my secure domain network.
      • Private LAN #2    192.168.22.0/24 - This is less secure, and has one machine connected.  The PC is a 'license server' for a software program.
      • Public WAN 99.99.99.0/28


      I have laptop users that connect from either the Private LAN #1 or from other locations.  Their application program has one field for the address of the license server.  The goal is to populate the application with the public IP address, and allow connections from both sides of the firewall.



      *** From outside the building, using the public IP address (this works great)

           Laptop connects to public IP 99.99.99.2, port forwards to the license server in Private LAN #2 at 192.168.22.100


      *** From the Private 1 LAN using the private IP address (this works great, but I have to change to the private IP address)

           Laptop connects from Private LAN #1 to Private LAN #2 at 192.168.22.100.


      *** Connection fails from the Private 1 LAN to the Private 2 LAN when using the public IP address

           Laptop tries to connect to public IP 99.99.99.2 - fails.



      ip policy-class Public (this is my LAN #1)
        allow list web-acl-21 policy Public

      ip policy-class Public
        nat destination list web-acl-15 address 192.168.22.100

      ip policy-class "Private outside DOM"  (this is my LAN #2)
        nat source list web-acl-17 address 99.99.99.2 overload



      Thanks for your help,


      JA



        • Re: How to: route from one private security zone to another, using a public IP address
          Employee

          John,


          Thanks for posting your question on the forum!


          I think I see what may be the issue with LAN#2 reaching the server on LAN#1. The NAT rule should be a destination NAT and not a source NAT, since we need to send the traffic to the server on your Private LAN. However, we need to match traffic destined for the public IP that is used for the license server. Since I don't know what "web-acl-17" looks like, I'll go ahead and post what the syntax should look like for it as well.


          ip access-list extended web-acl-17
            permit ip any host 99.99.99.2

          ip policy-class "Private outside DOM"
            nat destination list web-acl-17 address 192.168.22.100


          I would also note that web-acl-17 will NAT all traffic destined for 99.99.99.2. You can modify this ACL so that it only NATs certain ports as opposed to all IP traffic.


          Workarounds for hairpin applications can also be found here: Re: Hairpin Prevention


          Please do not hesitate to let us know if you have any questions or issues.


          Thanks,

          Noor
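As an added example (not from either post, and not ADTRAN-supplied configuration), here is the destination NAT narrowed to a single TCP port as Noor suggests, written for the two policy classes and ACL names that appear in the thread, so the laptops reach the license server via 99.99.99.2 from the WAN and from LAN #1 alike. TCP port 27000 is a constructed placeholder for the license server's real listening port, and the contents of web-acl-15 are assumed since the thread never shows them.

```text
! Added example, not from the thread. TCP port 27000 is a constructed
! placeholder; substitute the license server's actual listening port.
!
! Traffic arriving from the Internet for the public address, one port only
ip access-list extended web-acl-15
  remark License server reachable from the WAN on one TCP port
  permit tcp any host 99.99.99.2 eq 27000
!
! Hairpin traffic arriving from LAN #1 for the same public address
ip access-list extended web-acl-17
  remark License server reachable from inside via the public address
  permit tcp any host 99.99.99.2 eq 27000
!
! Both directions translate the public address to the license server.
! Destination NAT replaces the earlier "nat source ... overload" line,
! which sent the hairpin traffic the wrong way.
ip policy-class Public
  nat destination list web-acl-15 address 192.168.22.100
!
ip policy-class "Private outside DOM"
  nat destination list web-acl-17 address 192.168.22.100
```

Restricting the ACLs to one port means any other service on 99.99.99.2 is no longer redirected to the license server, which is the narrowing Noor recommends.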