This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DMZ behind remote ASG

redhorse2017 over 13 years ago

Hello,

because we will change our network topology, I have to find a solution for the following scenario:

- LOCATION A has an ASG with internet connection, LOCATION B is directly connected to LOCATION A via MPLS.

- LOCATION B has an DMZ with a server which must be reachable through the internet connection of LOCATION A.

What can I do?

My suggestion:

Internet -> ASG A (LOCATION A) -> NAT -> Virtual ASG B (LOCATION B) -> DMZ

For example:
A client connects to the public IP of LOCATION A (1.2.3.4), the ASG A translates the destination IP to the private IP of the server which is placed in the dmz on LOCATION B.
ASG A knows that the DMZ network is located behind ASG B.

Is this secure? Is there a better solution?

Thank you and kind regards

This thread was automatically locked due to age.

0 BAlfson over 13 years ago

That looks right to me. The only trick is that you need a Full NAT with, for example, 'Source translation: Internal (Address)' in ASG A.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 redhorse2017 over 13 years ago in reply to BAlfson

Hi Bob,

I wasn't sure if I just have to do a DNAT because ASG B knows the route to the internet via ASG A. But with using Full NAT I can specify one dedicated internal Adress on ASG A as source address to have a granular possibility to filter the traffic on ASG B in both directions. Is that right?

Independent of DNAT or Full NAT, is this way secure? The packets will cross the internal LAN because the DMZ is not attached to ASG A.

Kind regards
Cancel
Vote Up 0 Vote Down

Cancel