mhemstreet
New Contributor

Inter-zone routing


I am looking for direction on allowing for inter-security zone routing.  I have a PublicWiFi zone which both employees and outside vendors use for general internet access.  The PublicWiFi sec-zone has three rules configured in this order:

Filter PublicWiFi to Private subnet; allow traffic to Netvanta (for management); NAT out primary WAN.  The PublicWiFi sec-zone uses public DNS for name resolution. 

There is a mailserver with OWA configured in the Private zone. When users are connected to the PublicWiFi zone, they resolve their OWA address to the proper public IP. 

In the private zone I also have a filter rule configured for Private subnet to PublicWiFi subnet.  I am not however able to connect over the public address to the mailserver from the PublicWiFi sec-zone. 


Accepted Solutions
vmaxdawg05
Contributor III

Re: Inter-zone routing


I have run into this.  Assuming the Exchange server is on your Private policy-class (zone), you should be able to put a NAT statement in that will take care of it. 

Example: (X.X.X.X = Public IP of OWA server, N.N.N.N = private/actual IP of OWA server)

ip access-list ext wifi.exchange
  remark NAT to exchange server from WiFi
  permit tcp any host X.X.X.X eq 443 log
  permit tcp any host X.X.X.X eq 80 log

ip policy-class PublicWiFi
  allow list self self
  nat destination list wifi.exchange address N.N.N.N overload policy Private
  nat source list wifi.internet interface ethernet 0/1 overload policy Public

(ethernet 0/1, or whatever interface is public facing)

This essentially allows any of the permitted traffic in the wifi.exchange ACL the ability to communicate with the exchange server.  The NetVanta will redirect the selected traffic to the exchange server in the Private zone.

You could also create an ACL for the exchange server to NAT to the Private zone as well.

Example:

(W.W.W.0 0.0.0.255 = IP subnet of the WiFi Network, X.X.X.X = Public IP for OWA/Exchange)


ip access-list ext exchange.wifi
  remark Exchange server traffic to WiFi
  permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 443 log
  permit tcp host N.N.N.N W.W.W.0 0.0.0.255 eq 80 log

ip policy-class Private
  allow list self self
  nat source list exchange.wifi address X.X.X.X overload policy PublicWiFi
  nat source list wizard-ics interface Ethernet 0/1 overload policy Public

This allows any reply from the Exchange/OWA server to appear to be coming from X.X.X.X.


I hope this helps.


R\

3 Replies
jayh
Honored Contributor

Re: Inter-zone routing


mhemstreet wrote:

I am looking for direction on allowing for inter-security zone routing.  I have a PublicWiFi zone which both employees and outside vendors use for general internet access.  The PublicWiFi sec-zone has three rules configured in this order:

Filter PublicWiFi to Private subnet; allow traffic to Netvanta (for management); NAT out primary WAN.  The PublicWiFi sec-zone uses public DNS for name resolution.

There is a mailserver with OWA configured in the Private zone. When users are connected to the PublicWiFi zone, they resolve their OWA address to the proper public IP.

In the private zone I also have a filter rule configured for Private subnet to PublicWiFi subnet.  I am not however able to connect over the public address to the mailserver from the PublicWiFi sec-zone.

I'm assuming that both the Private and PublicWiFi zones are using different private IP ranges.

You likely have two problems...

The first is that your Filter PublicWiFi to Private subnet may not have a permit statement for users in the PublicWiFi zone to reach the mail server, so add that rule specifying the IP of the mailserver as a host address.  This needs to be before any deny rules blocking access to the Private zone.  You probably want to make it granular enough to only allow the ports that are needed for the services you want to allow, TCP 80 and 443, perhaps IMAP.

Test this by seeing if users on PublicWiFi can reach the mail server via a browser specifying its internal IP address in the browser window.

Second potential problem may be name resolution.  If users can connect to the inside IP but can't reach the server by its hostname, then you will probably want to add a static entry into the hosts table of the 3400 mapping the hostname of the mail server to its  local private IP, and enable DNS proxy.  This way local users will resolve to the inside address and not try to go out to the public address outside of the NAT.
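The two answers above open the same path in two different ways: vmaxdawg05 hairpins the public address back to the server with a nat destination entry in the PublicWiFi policy-class, while jayh has clients resolve the private address (hosts table plus DNS proxy) and adds a narrow permit to that address ahead of the existing deny. The Python model below is added here as an illustration; it is not code from the thread or from ADTRAN. It walks a zone's policy-class top to bottom the way a NetVanta does (first matching entry decides, unmatched traffic is dropped) and runs both fixes plus the ordering mistake jayh warns about. The addresses are constructed placeholders for X.X.X.X, N.N.N.N and W.W.W.0 0.0.0.255; the Private subnet, the ACL and policy names, and the placement of the hairpin entry ahead of the existing filter are my assumptions; the nat source entry only selects the Public zone here and does not rewrite addresses.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholders (TEST-NET-3 / RFC 1918) for the thread's X.X.X.X,
# N.N.N.N and W.W.W.0 0.0.0.255. Not real hosts.
OWA_PUBLIC = "203.0.113.10"    # X.X.X.X  public address of OWA
OWA_PRIVATE = "10.0.0.25"      # N.N.N.N  real address of OWA
WIFI_NET = "192.168.50.0/24"   # W.W.W.0/24 PublicWiFi subnet
PRIVATE_NET = "10.0.0.0/24"    # Private zone subnet (assumed)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line; 'host a.b.c.d' is a.b.c.d/32, dport=None is any port."""
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching line wins; no match is the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


@dataclass
class PolicyEntry:
    """One policy-class line: allow, discard, nat-destination or nat-source."""
    kind: str
    acl: List[AclEntry]
    policy: Optional[str] = None   # zone the traffic is forwarded into
    address: Optional[str] = None  # translated destination (nat-destination)


def decide(policy_class: List[PolicyEntry], pkt: Packet) -> Tuple[str, Optional[str], Packet]:
    """Walk the zone's entries top to bottom; the first entry whose ACL permits
    the packet decides. Returns (verdict, destination zone, packet as forwarded)."""
    for entry in policy_class:
        if not acl_permits(entry.acl, pkt):
            continue
        if entry.kind == "discard":
            return ("discard", None, pkt)
        if entry.kind == "nat-destination":
            return ("allow", entry.policy, replace(pkt, dst=entry.address))
        return ("allow", entry.policy, pkt)   # allow / nat-source
    return ("discard", None, pkt)            # nothing matched: dropped


# Shared pieces: the OP's existing filter and the catch-all NAT out the WAN.
FILTER_TO_PRIVATE = PolicyEntry("discard", [AclEntry("permit", "ip", WIFI_NET, PRIVATE_NET)])
NAT_TO_WAN = PolicyEntry("nat-source", [AclEntry("permit", "ip", ANY, ANY)], policy="Public")

# Approach 1 (vmaxdawg05): hairpin the public address back to the server.
WIFI_EXCHANGE = [
    AclEntry("permit", "tcp", ANY, OWA_PUBLIC + "/32", 443),
    AclEntry("permit", "tcp", ANY, OWA_PUBLIC + "/32", 80),
]
PUBLIC_WIFI_HAIRPIN = [
    PolicyEntry("nat-destination", WIFI_EXCHANGE, policy="Private", address=OWA_PRIVATE),
    FILTER_TO_PRIVATE,
    NAT_TO_WAN,
]

# Approach 2 (jayh): clients resolve the private address, so a narrow permit
# to that address must sit above the deny.
WIFI_TO_MAIL = [
    AclEntry("permit", "tcp", ANY, OWA_PRIVATE + "/32", 443),
    AclEntry("permit", "tcp", ANY, OWA_PRIVATE + "/32", 80),
]
PUBLIC_WIFI_SPLIT_DNS = [PolicyEntry("allow", WIFI_TO_MAIL, policy="Private"), FILTER_TO_PRIVATE, NAT_TO_WAN]
# Same lines with the permit below the deny: the deny shadows it.
PUBLIC_WIFI_SHADOWED = [FILTER_TO_PRIVATE, PolicyEntry("allow", WIFI_TO_MAIL, policy="Private"), NAT_TO_WAN]


if __name__ == "__main__":
    client = "192.168.50.77"
    probes = [Packet(client, OWA_PUBLIC, 443), Packet(client, OWA_PRIVATE, 443),
              Packet(client, "10.0.0.40", 445)]
    for name, pc in [("hairpin", PUBLIC_WIFI_HAIRPIN), ("split-dns", PUBLIC_WIFI_SPLIT_DNS),
                     ("shadowed", PUBLIC_WIFI_SHADOWED)]:
        for pkt in probes:
            verdict, zone, fwd = decide(pc, pkt)
            print(f"{name:9} {pkt.dst}:{pkt.dport} -> {verdict} {zone or ''} dst={fwd.dst}")
```

Running it shows the hairpin rewriting 203.0.113.10:443 to 10.0.0.25 and handing it to Private, the split-DNS permit reaching the server directly, and the shadowed ordering discarding the very traffic the permit was meant to allow. Either way only TCP 80 and 443 to the one host cross zones; anything else from the WiFi subnet toward the Private range still hits the filter.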

mhemstreet
New Contributor

Re: Inter-zone routing

Jump to solution

Thanks vmaxdawg05, that did the trick for me.  I just couldn't see it.