  • #2153679

    firewall natting question

    by vwsportruck ·

    Hi All,

    We are presently working on a project where we will have a load balancer inside our network that needs to be available from the internet for people to get to our web-app. We’ve been able to get it to work going directly from the inside through the firewall and available outside, but I know this is not a best practice. We have not had any luck in getting the load balancer to live in the DMZ and be able to pass traffic to the app servers on the inside network. The load balancer is a Win2k3 server with two nics on it. The firewall is a Cisco PIX 515. Can anyone offer some pointers on how to get this load balancer to sit in the DMZ and still be able to pass traffic through?

    Thanks in advance!

    -=Mark

All Answers

    • #2918187

      Clarifications

      by vwsportruck ·

      In reply to firewall natting question

    • #2929159

      DMZ config

      by synner ·

      In reply to firewall natting question

      On your Pix, you have an inside, outside and DMZ?

      To pass traffic from your DMZ to your inside, you need a translation and ACLs applied to the proper interface.

      To pass traffic from your inside to your DMZ, you need a NAT and a global.

      If you provide a sample configuration, I can point out what else you need to configure on your pix.

      • #2927932

        sample config

        by vwsportruck ·

        In reply to DMZ config

        Sorry for the delay – here’s a snippet of my config. I have grabbed everything that points to my loadbalancer below:

        names
        name 10.1.x.x loadbalancer
        interface Ethernet0
        speed 100
        duplex full
        nameif outside
        security-level 0
        ip address 204.x.x.x 255.255.255.240 standby 204.x.x.x
        !
        interface Ethernet1
        speed 100
        duplex full
        nameif inside
        security-level 100
        ip address 10.x.x.x 255.255.0.0 standby 10.x.x.x
        !
        interface Ethernet2
        speed 100
        duplex full
        nameif dmz
        security-level 50
        ip address 172.x.x.x 255.255.0.0 standby 172.x.x.x
        object-group service loadbalancer tcp-udp
        port-object eq kerberos
        access-list acl_out remark permit http traffic to loadbalancer
        access-list acl_out extended permit tcp any host 204.x.x.x eq www
        access-list acl_out extended permit tcp any host 204.x.x.x eq ssh
        access-list acl_out extended permit tcp any host 204.x.x.x eq domain
        access-list acl_out extended permit tcp any host 204.x.x.x eq 8000
        access-list acl_out extended permit udp any host 204.x.x.x eq domain
        access-list acl_out extended permit udp any host 204.x.x.x eq ntp
        access-list acl-out remark permit http access to loadbalancer
        access-list acl-out extended permit tcp any host 204.x.x.x eq www
        access-list acl-out remark permit https access to loadbalancer
        access-list acl-out extended permit tcp any host 204.x.x.x eq https
        access-list acl-out remark permit https access to loadbalancer
        access-list acl-out extended permit tcp any host 204.x.x.x eq 8000
        nat-control
        global (outside) 1 interface
        nat (inside) 0 access-list acl_in_dmz
        nat (inside) 1 10.0.0.0 255.0.0.0
        nat (dmz) 1 172.x.x.x 255.255.255.0
        static (inside,outside) 204.x.x.x loadbalancer netmask 255.255.255.255
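Putting synner's three points together against the posted config, here is an added example (not from the thread, not Cisco documentation) of the PIX 7.x statements that move the load balancer from the inside to the DMZ while keeping the inside network closed to everything except the one application port. All addresses are assumed placeholders: public VIP 203.0.113.10, load balancer 172.16.1.10 on the dmz interface, application servers in 10.1.1.0/24 listening on tcp/8000.

```cisco
! Added example, not the poster's running config. Placeholder addresses throughout.
names
name 172.16.1.10 loadbalancer

! 1. Outside -> DMZ: the public VIP now translates to the load balancer's DMZ address
!    (replacing the posted "static (inside,outside)"), and only the web-app ports are exposed.
static (dmz,outside) 203.0.113.10 loadbalancer netmask 255.255.255.255
access-list acl_out extended permit tcp any host 203.0.113.10 eq www
access-list acl_out extended permit tcp any host 203.0.113.10 eq https
access-group acl_out in interface outside

! 2. DMZ -> inside: a translation plus an ACL on the dmz interface. The identity static keeps
!    the app servers' real addresses; the ACL allows only the load balancer, only to tcp/8000.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list acl_dmz extended permit tcp host loadbalancer 10.1.1.0 255.255.255.0 eq 8000
! Once an ACL is bound to the dmz interface, every DMZ-initiated flow is checked against it,
! so anything the load balancer must reach on the outside (DNS, NTP, updates) needs its own
! permit line here; everything else, including any other path into the inside, is denied.
access-list acl_dmz extended deny ip any any log
access-group acl_dmz in interface dmz

! 3. Inside -> DMZ: the posted "nat (inside) 1" only has a global on the outside; a matching
!    global on the dmz interface lets inside hosts (admins, monitoring) reach the load balancer.
nat (inside) 1 10.0.0.0 255.0.0.0
global (dmz) 1 interface
```

After applying, `show xlate` and `show access-list acl_dmz` confirm the static translation exists and that hit counts land only on the tcp/8000 line when the app is exercised from the outside.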