
Can't get to DMZ servers when internet goes down

We have a DMZ subnet off of our XG 550. When our internet connection goes down, internal clients cannot get to the web servers located on that DMZ. If you do a tracert, it is attempting to send the traffic out the other internet connection and get to the web servers from outside for some reason.

Any suggestions for this? We have no static route to the DMZ on the XG, since the internal clients should be able to get to that directly attached subnet. I have a second internet connection, so I can force my traffic out the secondary and replicate this issue at will. I have a ticket open with Sophos support and they are investigating as well, but I figured I would throw it out on the forum and see if a routing expert has any ideas on it. Thank you all!



  • Some info, if it helps the case along. It appears our outbound NAT rule might be the culprit behind this. What I am confused about, though, is why a NAT rule would be utilized for DMZ at all. Going from LAN > DMZ, I figured the traffic would route like a directly attached network and just pass it along. Why would it even be touching the NAT rule? Do I need a static route for the DMZ traffic or something?

  • Hello Josh,

     No, you shouldn't need a static route, or I don't think you would need one; however, if it is going and using the NAT, then probably it is resolving externally and then coming back (so doing a hairpin). In this case, you might try creating a loopback rule.
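To make the two competing explanations in this thread concrete (a directly connected DMZ route that should win over the default route, versus a name that resolves to the public address and therefore leaves via a WAN interface, matches the outbound NAT rule, and hairpins), here is a small longest-prefix-match simulation. It is an added illustration, not code from Sophos or from anyone in this thread; the subnets, interface names, hostnames and DNS answers are constructed assumptions, and the "outbound NAT matches when egress is a WAN interface" rule is a simplification of how such firewalls typically behave.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    via: Optional[str] = None  # None means directly connected


# Constructed routing table (assumption, not taken from the thread):
# two connected networks plus a primary and a backup default route.
ROUTES = [
    Route(ip_network("192.168.10.0/24"), "LAN"),
    Route(ip_network("172.16.50.0/24"), "DMZ"),
    Route(ip_network("0.0.0.0/0"), "WAN1", via="203.0.113.1"),
    Route(ip_network("0.0.0.0/0"), "WAN2", via="198.51.100.1"),  # backup link
]

# Constructed DNS views: the internal zone hands out the DMZ (private) address,
# the public zone hands out the address on the WAN1 side.
INTERNAL_DNS = {"www.example.test": "172.16.50.10"}
EXTERNAL_DNS = {"www.example.test": "203.0.113.10"}


def lookup(dst: str, routes=ROUTES, down=()) -> Optional[Route]:
    """Longest-prefix match over routes whose interface is not down.

    Routes on a downed interface are removed first, which is what makes the
    default route fail over from WAN1 to WAN2 while the connected DMZ route
    is unaffected by an internet outage.
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if r.interface not in down and addr in r.prefix]
    if not candidates:
        return None
    # max() keeps the first of equal-length prefixes, so WAN1 beats WAN2
    # while both are up.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def path_for(name: str, dns: dict, src: str = "192.168.10.25", down=()) -> dict:
    """Resolve a name with the given DNS view and decide egress and NAT.

    The outbound NAT decision is the simplified assumption that an outbound
    source-NAT rule matches whenever the chosen egress interface is a WAN link.
    """
    dst = dns[name]
    route = lookup(dst, down=down)
    egress = route.interface if route else None
    outbound_nat = egress is not None and egress.startswith("WAN")
    return {
        "src": src,
        "dst": dst,
        "egress": egress,
        "via": route.via if route else None,
        "outbound_nat": outbound_nat,
        # Reaching a host that is really on the DMZ through a public address
        # means the flow must come back in through the firewall: a hairpin.
        "hairpin": outbound_nat and dst in EXTERNAL_DNS.values(),
    }


if __name__ == "__main__":
    for view_name, view in (("internal DNS", INTERNAL_DNS), ("external DNS", EXTERNAL_DNS)):
        for down in ((), ("WAN1",)):
            state = "WAN1 down" if down else "all links up"
            print(view_name, state, path_for("www.example.test", view, down=down))
```

Running it shows that with the internal DNS answer the flow egresses on DMZ, touches no outbound NAT, and is unaffected by WAN1 going down, whereas with the public answer it leaves via WAN1, and via WAN2 once WAN1 is down, which matches the symptom in the original post and the hairpin explanation above. The practical check on a real firewall is therefore whether the client is actually receiving the DMZ address from DNS, and, if it is, whether a policy-based route or the NAT rule's matching criteria are catching LAN-to-DMZ traffic before the connected route is consulted.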

  • Shouldn't it be skipping NAT entirely, though? It goes from a PC on my LAN, using an internal DNS server that points to a DMZ VLAN IP address that the internet doesn't know about. So shouldn't it just be like "hey, DMZ traffic, you go that way to the DMZ, have a nice day"? Or am I dramatically misunderstanding how DMZs work?
