cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
john_auskelis
New Contributor II

How to: route from one private security zone to another, using a public IP address

NetVanta 3120 R10.9.5.E, using the GUI.


Hello again experts - here's another brainteaser I need you help with.  I have two 'private' security zones, and need to connect from one to the other using a public IP address.  I'm trying to route traffic from the default private network, out to one of my public IP address, and back in to a second private network.


  • Private LAN #1    10.0.1.0/24 - This is my secure domain network.
  • Private LAN #2    192.168.22.0/24 - This is less secure, and has one machine connected.  The Pc is a 'license server' for a software program.
  • Public WAN 99.99.99.0/28


I have laptop users that connect from either the Private LAN #1 or from other locations.  Their application program has one field for the address of the license server.  The goal is to populate the application with the public IP address, and allow connections from both sides of the firewall.



*** From the outside the building using the public ip address (this works great)

     Laptop connects to public IP 99.99.99.2, port forwards to the license server in Private LAN #2 at 192.168.22.100


*** From the Private 1 LAN using the private IP address (this works great, but I have to change to the private IP address)

     Laptop connects from Private LAN #1 to Private LAN #2 at 192.168.22.100.


*** Connect fails from the Private 1 LAN to the Private 2 LAN when using the public IP address

     Laptop tries to connect to public IP 99.99.99.2 - fails.



ip policy-class Public (this is my Lan #1)

  allow list web-acl-21 policy Public


ip policy-class Public

  nat destination list web-acl-15 address 192.168.22.100


ip policy-class "Private outside DOM"  (this is my LAN #2)

  nat source list web-acl-17 address 99.99.99.2 overload



Thanks for your help,


JA


Labels (2)
Tags (1)
0 Kudos
2 Replies
Anonymous
Not applicable

Re: How to: route from one private security zone to another, using a public IP address

John,

Thanks for posting your question on the forum!

I think I see what may be the issue with LAN#2 reaching the server on LAN#1. The nat rule should be a destination NAT and not a source NAT since we need to send the traffic to the server on your Private LAN. However, we need to match traffic destined for the public IP that is used for the license server. Since I don't know what "web-acl-17" looks like, I'll go ahead and post what the syntax should look like for it as well.

ip access-list extended web-acl-17

     permit ip any host 99.99.99.2

ip policy-class "Private outside DOM"

    nat destination list web-acl-17 address 192.169.22.100

I would also note that web-acl-17 will NAT all traffic destined for 99.99.99.2. You can modify this ACL so that it only NATs certain ports as opposed to all IP traffic.

Workarounds for hairpin applications can also be found here: Re: Hairpin Prevention

Please do not hesitate to let us know if you have any questions or issues.

Thanks,

Noor

Re: How to: route from one private security zone to another, using a public IP address

Thanks Noor!  I had to abandon this configuration project in February.  My solution was to move the license server PC to another location.  Now everybody accesses it from the public internet zone.  I'll save 'hairpin' configurations for another day.