firewall natting question

By vwsportruck
Hi All,

We are presently working on a project where we will have a load balancer inside our network that needs to be available from the internet for people to get to our web-app. We've been able to get it to work going directly from the inside through the firewall and available outside, but I know this is not a best practice. We have not had any luck in getting the load balancer to live in the DMZ and be able to pass traffic to the app servers on the inside network. The load balancer is a Win2k3 server with two NICs on it. The firewall is a Cisco PIX 515. Can anyone offer some pointers on how to get this load balancer to sit in the DMZ and still be able to pass traffic through?

Thanks in advance!

-=Mark


DMZ config

by SYNner In reply to firewall natting question

On your Pix, you have an inside, outside and DMZ?

To pass traffic from your DMZ to your inside, you need a translation and ACLs applied to the proper interface.

To pass traffic from your inside to your DMZ, you need a NAT and a global.

If you provide a sample configuration, I can point out what else you need to configure on your pix.
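A worked PIX 7.x configuration for the layout SYNner describes, added here as an example and not written by either poster. The addresses (172.16.1.10 for the load balancer in the DMZ, 10.1.1.0/24 for the app servers, 203.0.113.10 as the public address) and the application port tcp/8000 are assumed placeholders; the ACL names acl_out and acl_dmz are likewise chosen for the example.

```text
! Added example, PIX 7.x syntax. All addresses are placeholders, not the poster's:
!   load balancer in the DMZ : 172.16.1.10
!   app servers on the inside: 10.1.1.0/24, listening on tcp/8000 (assumed)
!   public address of the LB : 203.0.113.10
names
name 172.16.1.10 loadbalancer
!
! 1. Internet -> DMZ: translate the public address to the LB and open only the
!    application ports on the outside interface.
static (dmz,outside) 203.0.113.10 loadbalancer netmask 255.255.255.255
access-list acl_out extended permit tcp any host 203.0.113.10 eq www
access-list acl_out extended permit tcp any host 203.0.113.10 eq https
access-group acl_out in interface outside
!
! 2. DMZ -> inside (low to high security): a translation plus an ACL on the dmz
!    interface. The identity static exposes the app subnet to the DMZ with its
!    real addresses; the ACL lets the LB reach the app port and nothing else
!    inside, so a compromised LB has no path to other internal hosts.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list acl_dmz extended permit tcp host loadbalancer 10.1.1.0 255.255.255.0 eq 8000
! Applying an ACL to the dmz interface replaces the implicit "permit to lower
! security" behaviour, so deny the inside range explicitly before any "any"
! permit, then allow only the outbound services the LB itself needs.
access-list acl_dmz extended deny ip any 10.0.0.0 255.0.0.0
access-list acl_dmz extended permit udp host loadbalancer any eq domain
access-list acl_dmz extended permit udp host loadbalancer any eq ntp
access-group acl_dmz in interface dmz
!
! 3. Inside -> DMZ (high to low security): nat + global. Hosts covered by the
!    identity static above use it; every other inside host is PATed to the dmz
!    interface address when it talks to the DMZ.
nat-control
nat (inside) 1 10.0.0.0 255.0.0.0
global (dmz) 1 interface
```

Once the load balancer moves to the DMZ, any existing static (inside,outside) mapping for its old inside address must be removed, otherwise two translations claim the same public address.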


sample config

by vwsportruck In reply to DMZ config

Sorry for the delay - here's a snippet of my config. I have grabbed everything that points to my loadbalancer below:


names
name 10.1.x.x loadbalancer

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address 204.x.x.x 255.255.255.240 standby 204.x.x.x

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.x.x.x 255.255.0.0 standby 10.x.x.x

!

interface Ethernet2

speed 100

duplex full

nameif dmz

security-level 50

ip address 172.x.x.x 255.255.0.0 standby 172.x.x.x
object-group service loadbalancer tcp-udp

port-object eq kerberos

access-list acl_out remark permit http traffic to loadbalancer

access-list acl_out extended permit tcp any host 204.x.x.x eq www

access-list acl_out extended permit tcp any host 204.x.x.x eq ssh

access-list acl_out extended permit tcp any host 204.x.x.x eq domain

access-list acl_out extended permit tcp any host 204.x.x.x eq 8000

access-list acl_out extended permit udp any host 204.x.x.x eq domain

access-list acl_out extended permit udp any host 204.x.x.x eq ntp
access-list acl-out remark permit http access to loadbalancer

access-list acl-out extended permit tcp any host 204.x.x.x eq www

access-list acl-out remark permit https access to loadbalancer

access-list acl-out extended permit tcp any host 204.x.x.x eq https

access-list acl-out remark permit https access to loadbalancer

access-list acl-out extended permit tcp any host 204.x.x.x eq 8000

nat-control

global (outside) 1 interface

nat (inside) 0 access-list acl_in_dmz

nat (inside) 1 10.0.0.0 255.0.0.0

nat (dmz) 1 172.x.x.x 255.255.255.0

static (inside,outside) 204.x.x.x loadbalancer netmask 255.255.255.255
