How to make this DMZ routing work?

95 pts.
Tags:
ACL
ASA
DMZ
Firewalls
IP Routing
Routers
routers and switches
Currently we have the DMZ ACL on the ASA firewall. One interface that was assigned as DMZ was connected to the core switch and within a VLAN. The server that was untagged to this DMZ VLAN will have the DMZ ACL applied to its inbound/outbound traffic. This was quite a simple setup. The issue I am now facing is: we are going to move the ASA firewall to the Colo rack, but the servers will stay in the central office. I am afraid this will not work.

Currently.... ASA 172.16.1.1 DMZ - 10.254.254.0/24   | Core switch 172.16.1.2 VLAN for DMZ server (10.254.254.0/24)

The ip route is to route 10.254.254.0/24 over to the ASA. So the ASA DMZ interface receives the traffic, applies the ACL, and the traffic then gets to the DMZ VLAN to reach the server.

Here is part of the new MPLS network..... (Colo) ASA 172.16.100.1 DMZ - 10.254.254.0/24   | router1   ||  MPLS   || router2   | Core switch 172.16.1.2 VLAN for DMZ server (10.254.254.0/24)

As you can see, the ASA and core switch are not in the same subnet any more. How can I make the DMZ work? I don't know how to make the ip route. Perhaps it just won't work this way. Perhaps I will have to just create the ACL within the core switch.

Any thought is welcome.

Answer Wiki


On your core switch, you will enter a command identical to:
(DMZ IP SUBNET DESTINATION INTERFACE IP)
ip route 10.254.254.0 255.255.255.0 172.16.100.1

Discuss This Question: 3  Replies

  • springman
    The form didn't process the line breaks nicely. Let me try it again.
    Currently.... ASA (172.16.1.1) DMZ (10.254.254.0/24) | Core switch (172.16.1.2) VLAN for DMZ server (10.254.254.0/24)
    Here is part of the new MPLS network..... (Colo) ASA (172.16.1.1) DMZ (10.254.254.0/24) | router1 || MPLS || router2 | Core switch (172.16.1.2) VLAN for DMZ server (10.254.254.0/24)
    95 points
  • springman
    Thank you so much for replying. I can't believe I made this mistake on my post. I have the wrong IP address entered. It should be:
    (Colo) ASA (172.20.1.1) DMZ (10.254.254.0/24) | router1 (172.20.1.10) || MPLS || router2 (172.16.1.10) | Core switch (172.16.1.1) VLAN for DMZ server (10.254.254.0/24)
    Do you mean on the core I should have a route for the DMZ subnet directly to the ASA? If that's the case, does it look like.....
    ip route 10.254.254.0 255.255.255.0 172.20.1.1
    I am not sure if I can bypass the router and directly route the traffic to the ASA on the other subnet. If I can, I will give it a try. Otherwise, on the core I should route it to "router2" first, then router2 passes it to router1 and it reaches the DMZ interface on the ASA. Then the traffic will get routed to "router1" and back to "router2", then the core. Is that what you mean? In this case, both router1 and router2 will have an ip route config for the DMZ subnet pointing to each other. Would that work? Would that become a loop?
    95 points
  • Sixball
    Still bothered by the line "One interface that was assigned as DMZ was connected to the core switch..." Dunno why you need your core switch outside of the firewall...
    8,515 points
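As an added illustration (not configuration from the thread or from the answer above), here is a small path-trace model in Python of the corrected topology in springman's second reply. It gives each device a static routing table built from the addresses in the thread (ASA 172.20.1.1, router1 172.20.1.10, router2 172.16.1.10, core 172.16.1.1) and forwards a packet hop by hop with longest-prefix matching and IOS-style recursive next-hop resolution, so you can check two things the single `ip route` line in the answer does not show: which flows actually pass through the ASA and therefore get its DMZ ACL, and whether pointing the DMZ prefix at each other on router1 and router2 loops, as springman asks. The MPLS link addressing (10.99.0.0/30), the inside VLAN on the core (192.168.1.0/24), the outside network (203.0.113.0/24) and the host addresses are assumptions made here. The ASA's DMZ-side interface is modelled on a transit subnet (172.20.1.0/24), because 10.254.254.0/24 cannot be on the ASA and on a core-switch VLAN at the same time once an L3 MPLS separates them, unless the VLAN is carried across at layer 2.

```python
import ipaddress
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, next hop); next hop "connected" = on-link
Tables = Dict[str, List[Route]]

# Tables for springman's corrected topology. The MPLS link 10.99.0.0/30, the
# inside VLAN 192.168.1.0/24 and the outside net 203.0.113.0/24 are assumptions.
TABLES: Tables = {
    "core": [
        ("10.254.254.0/24", "connected"),    # DMZ VLAN SVI stays on the core
        ("192.168.1.0/24", "connected"),     # inside VLAN, also on the core
        ("172.16.1.0/24", "connected"),
        ("0.0.0.0/0", "172.16.1.10"),        # everything else -> router2
    ],
    "router2": [
        ("172.16.1.0/24", "connected"),
        ("10.99.0.0/30", "connected"),       # MPLS link (assumed addressing)
        ("10.254.254.0/24", "172.16.1.1"),   # DMZ VLAN sits behind the core
        ("0.0.0.0/0", "10.99.0.1"),          # -> router1
    ],
    "router1": [
        ("172.20.1.0/24", "connected"),
        ("10.99.0.0/30", "connected"),
        ("10.254.254.0/24", "10.99.0.2"),    # DMZ VLAN is across the MPLS
        ("0.0.0.0/0", "172.20.1.1"),         # -> ASA
    ],
    "asa": [
        ("172.20.1.0/24", "connected"),      # DMZ-side transit interface
        ("203.0.113.0/24", "connected"),     # outside (assumed)
        ("10.254.254.0/24", "172.20.1.10"),  # DMZ VLAN via router1
        ("0.0.0.0/0", "203.0.113.254"),      # upstream
    ],
    "internet": [("0.0.0.0/0", "connected")],
}

# Interface address -> owning device, to turn a next hop into a device.
OWNER: Dict[str, str] = {
    "172.16.1.1": "core", "10.254.254.1": "core", "192.168.1.1": "core",
    "172.16.1.10": "router2", "10.99.0.2": "router2",
    "172.20.1.10": "router1", "10.99.0.1": "router1",
    "172.20.1.1": "asa", "203.0.113.1": "asa", "203.0.113.254": "internet",
}


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: next hop for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def next_device(tables: Tables, dev: str, dst: str, depth: int = 0) -> Optional[str]:
    """Device that gets the packet next, or None when dev delivers it on-link.
    A next hop not on a connected subnet is resolved by a further lookup,
    the way IOS resolves a recursive static route."""
    nh = lookup(tables[dev], dst)
    if nh is None:
        raise ValueError(f"{dev}: no route to {dst}")
    if nh == "connected":
        return None
    if lookup(tables[dev], nh) != "connected":
        if depth >= 8:
            raise ValueError(f"{dev}: cannot resolve next hop {nh}")
        return next_device(tables, dev, nh, depth + 1)
    return OWNER[nh]


def trace(tables: Tables, start: str, dst: str) -> Tuple[str, List[str]]:
    """Forward one packet from start; returns (outcome, devices visited),
    where outcome is 'delivered', 'loop' or 'no-route'."""
    path = [start]
    while True:
        try:
            nxt = next_device(tables, path[-1], dst)
        except (ValueError, KeyError):
            return "no-route", path
        if nxt is None:
            return "delivered", path
        if nxt in path:
            return "loop", path + [nxt]
        path.append(nxt)


def crosses_asa(tables: Tables, start: str, dst: str) -> bool:
    """True only if the ASA, and so its DMZ ACL, ever sees the packet."""
    return "asa" in trace(tables, start, dst)[1]


def looped_tables() -> Tables:
    """The case asked about above: router2 also sends the DMZ prefix toward router1."""
    t = deepcopy(TABLES)
    t["router2"][2] = ("10.254.254.0/24", "10.99.0.1")  # replaces the route to the core
    return t
```

Tracing a DMZ server (10.254.254.50, assumed) to an Internet address walks core, router2, router1, the ASA and out, so the DMZ ACL applies. Tracing an inside host to the same DMZ server is delivered by the core alone and never reaches the ASA, which is the point behind Sixball's remark: with the DMZ VLAN routed on the core, the ASA's DMZ ACL only covers traffic that leaves the site, and inside-to-DMZ filtering has to be enforced on the core (or the DMZ VLAN has to be carried to the ASA at layer 2). Pointing the DMZ prefix at each other on router1 and router2 yields a loop between them, which is why each router should point that prefix only toward the core.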
