This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Private DMZ and NAT Issue

Please point me to another post if it has the answer.

We have a customer that has two internet sources that connect to the Astaro as follows.  The Astaro is an ASG220 running 7.503.

Internet -> Astaro -> LAN
Internet -> 3rd Party Firewall -> DMZ -> Astaro -> LAN

The 3rd Party firewall only purpose is to provide access to two specific destinations via tunnels and not any general internet traffic.  It also does not have any routing capability built into it.  The problem this presents is that I have to setup the Astaro to NAT all LAN traffic bound for this 3rd Party Firewall from the LAN to the DMZ IP (and back again).  Needless to say, I am having trouble with this as I keep getting Invalid Parameter errors.

I cannot change the devices and I cannot move the tunnels.

Any assistance would be helpful.  I would discuss what I've tried, but I feel like I've tried every iteration except the one that would work.

Attached is an image of the setup in case my description is confusing.

Thank you,

Jason

This thread was automatically locked due to age.

Parents

0 BAlfson over 15 years ago

Understood. Are you saying that the "LAN" you show behind the Astaro is in fact the eight MPLS LANs?

If not, then I still think BarryG's approach is the one for you.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 15 years ago

Understood. Are you saying that the "LAN" you show behind the Astaro is in fact the eight MPLS LANs?

If not, then I still think BarryG's approach is the one for you.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jason.Earl over 15 years ago in reply to BAlfson

Yes, our internal network consists of 8 LANs interconnected via an MPLS WAN.  This Astaro provides internet access for the entire internal network.  Each site does not have it's own internet access - all is routed out via the corporate site (Astaro)

Sorry, I should have pointed that out to avoid some confusion.  Tunnel vision...

We have routes built into the Astaro that points all traffic for the other 7 subnets to the local MPLS router.  All eight LANs require the ability to talk to this 3rd Party device (and the endpoints within it).  Ideally I would set this up in parallel to the Astaro and it would be a minor routing update, but the lack of ability to route traffic in the 3rd party device forces us to internally NAT traffic so it can get back to the remote offices.  The choice comes down to NAT within the routers or NAT within the firewall.  As we manage the firewall and not the routers, that is why I prefer the setup this way.

I know this can be accomplished and have done it on other devices, but my knowledge level in the Astaro is causing a problem.
Cancel
Vote Up 0 Vote Down

Cancel