LAN/Internet seperate FW

Question

Hi 
 First of all a quick brief on our set up. 
 we have two DCs, both DCs have a HA pair of firewalls controlling our LAN traffic. We also have a HA pair of firewalls across both DCs for DMZ and Internet traffic. 
 Our LAN firewalls have a leg in the DMZ and all internal routing seems fine (all sites can route to the DMZ primary firewall and vice versa) 
 Our LAN firewalls are configure to route all DMZ and external traffic to our Internet/DMZ firewall and all LAN traffic via VPLS. Again, LAN access to DMZ servers is working fine. 
 The issue is breaking out to the internet. I have tried several types of rules (including even very briefly trying an allow any/any, along with various NAT rules) but I cannot get out to the internet. 
 Running a packet capture from the LAN FW I can see the traffic passing to the DMZ interface. On the DMZ FW I can see the packet in on the DMZ interface and out of the WAN interface. However the packet states it&rsquo;s a violation with the reason as Firewall. 
 I have double checked routing, I&rsquo;ve made strict and then very open rules to test, but I am running out of ideas! 
 Does anyone have any suggestions or pointers for troubleshooting? The information I&rsquo;m getting doesnt seem to help me in anyway 
 thanks

richie913 · Accepted Answer

Hi, So this issue is now resolved.... I have logged on this morning and noticed that the firewall had failed over to its peer and suddenly the internet access is working! 
 My first thought was something with the cabling/routing on the other side so I failed it back to troubleshoot and....its still all working! 
 So looks like all that was required was a reboot of my FW for it to pick up the rule! 
 Nice one Sophos.....

LAN/Internet seperate FW

Top Replies