What's going on here - DMZ + Routing Issues

JamesSykes · 6th October 2008

I've got a very simple network setup :

Local Network : 192.168.0.0/24
DMZ : 10.10.10.0/24

I've got a server on the DMZ and a rule setup on the firewall to send HTTP traffic to it. It all works well for external users.

The issue is from within the local network. When you try to reach the server using the public IP address you can't get through. If you use the local address then it works just fine. You just cant use the public address.

I've got a rule temporarily in place that allows full access between the DMZ and Local Network so that's not an issue.

Just wanted to check encase it's a really obviously stupid thing going on here. I'm guessing yes.

Karl · 6th October 2008

AFAIK that's perfectly standard behaviour that the LAN can't talk to the DMZ on the public IP address as you'd have a 3-way NAT going on.

Trikkitt · 6th October 2008

I've always hit the same problem myself. The only fix I can think of is to use DNS names. On a small network of a couple of PCs just modify the HOSTS files on Windows computers, put the name and the DMZ address. On larger networks messing around with the DNS server can create a fix.

You should be able to create a similar rule for LAN users to access the DMZ only on port 80/443 to stop open access.

Michael

PeteK · 6th October 2008

What device is the DMZ setup on. Most have a nat loopback option to sort it. If its something Cisco then I can give you the command set, the rest would just be generic help!

markcastle · 7th October 2008

Out Packets: Client: 192.168.0.x --> NAT --> Public IP --> NAT --> DMZ: 10.10.10.x
Return Packets: DMZ: 10.10.10.x --> NAT --> Public IP --> NAT --> Client: 192.168.0.x

....not pretty.