This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

routing problem to dmz of second firewall

hello everybody,

i have to solve the following problem:

in our environment we have two firewalls which are connected to an internal lan (192.168.0.0/255.255.252.0). over fw1 (192.168.3.20) we get a roadwarrior connection (vpn) to the internal lan. the roadwarrior clients use the ip adress range 10.171.131.0/255.255.255.0.
the second firewall, fw2, has a DMZ (192.168.12.48/255.255.255.248) and we want to reach systems there over special services (i. e. remote desktop client).

we have already tried different routing rules on the fw1:

- static routing
- policy based routing
- to add a route manually at the connected client

can anybody help me please?

thanks
toette

This thread was automatically locked due to age.

Parents

0 ClausP over 19 years ago

Does fw2 know how to reach 10.171.131.0/255.255.255.0 ? Any route to fw1 ?
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to ClausP

hello claus,

first thanks for the quick answer. on fw2 exists the following static route:

network: IPSecPool1fw1
target: >

but it isn´t possible to ping the virtual vpn ip.

toette
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 19 years ago in reply to toette

[ QUOTE ]

network: IPSecPool1fw1
target: >

[/ QUOTE ]

> of fw1 or fw2 ? Should be fw1..

Or points the def. gateway from fw2 to fw1 ?
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to ClausP

which gateway setting do you mean exactly on fw2?

only the external interface has a gateway pointing to the router of our internet service provider
the ohters have the gateway setting "none"

or do you mean something different?
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to toette

sorry, i forgot one information

i mean interface internal of fw2
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 19 years ago in reply to toette

Okay, fw2 needs a static route for the network ( IPSecPool1fw1) to the interface of fw1 (in network 192.168.0.0/255.255.252.0).

fw1 needs a static route for the dmz-network to the interface of fw2 (in network 192.168.0.0/255.255.252.0).

If I did not misunderstood the description above...
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 19 years ago in reply to toette

[ QUOTE ]
sorry, i forgot one information

i mean interface internal of fw2

[/ QUOTE ]

on fw2:

next hop for (network: IPSecPool1fw1) is the internal interface (192.168.3.20) on fw1 and not fw2
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to ClausP

hello claus,

i made the settings. now it is possible to ping from fw2 the virtual vpn ip 10.171.131.x.

but i cannot connect to the dmz. i already tried to change the tunnel endpoint from "internal network" to "Any" but no success. the autopacket filter is turned on. do you have another idea?

thanks toette
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 toette over 19 years ago in reply to ClausP

hello claus,

i made the settings. now it is possible to ping from fw2 the virtual vpn ip 10.171.131.x.

but i cannot connect to the dmz. i already tried to change the tunnel endpoint from "internal network" to "Any" but no success. the autopacket filter is turned on. do you have another idea?

thanks toette
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 toette over 19 years ago in reply to toette

hello everybody,

i changed the subnet definition (optional): local subnet from internal network to any. after i was able to ping the device of the dmz i want to reach (192.168.12.49).
To get a remote desktop connection to the system standing in the dmz i created a dnat-rule. now everything works fine.

thanks for your help clausp.

cu
toette
Cancel
Vote Up 0 Vote Down

Cancel