topic Re: DMZ Config for web server in General Topics

DMZ Config for web server

nmckee — Thu, 20 Dec 2018 12:36:36 GMT

My firewall is using the following Interfaces/Zones: E1/1(5.5.5.170/29) and E1/1.1(5.5.5.174/29) are in the outside zone. E1/2(192.168.254.252/24) is in the inside zone. E1/8(192.168.1.1) is in DMZ zone. E1/1 and E1/2 are connected to the mainvr virtual router. E1/1.1 and E1/8 are connected to the DMZrouter virtual router. I have a web server located in the DMZ zone (192.168.1.2/24) that I want a One-to-One static NAT to 5.5.5.174/29 to grant outside zone access to and from the web. I’m not having any success. Any help would be great.

(My inside to outside traffic works fine just having problems with DMZ access from outside zone)

Below are my NAT/Security rules:

1) Outbound Nat rule:

Original packet:

Source - DMZ

Source address - 192.168.1.2

Destination - Untrust

Destination Address – Any

Translated packet:

Source translation - Static IP

Translated address - 5.5.5.174

(Bi-directional is not checked)

2) Inbound NAT rule:

Original packet:

Source - Untrust

Source address - Any

Destination - DMZ

Destination Address 5.5.5.174

Translated packet:

Destination translation

Translated address - 192.168.1.2

(Translated port is not entered)

Outbound Security Rule

Source Zone - DMZ

Source Address - 192.168.1.2

Destination zone - Untrust

Destination Address - Any

Inbound Security Rule

Source Zone - Untrust

Source Address - Any

Destination zone-Trust

Destination Address - 5.5.5.174

Re: DMZ Config for web server

reaper — Thu, 20 Dec 2018 13:12:39 GMT

your inbound NAT policy needs to be untrust to untrust, your inbound security policy needs to be untrust to dmz

Re: DMZ Config for web server

RobinClayton — Thu, 20 Dec 2018 17:03:39 GMT

You should also be able to use a single bi-directional rule.

1) Bi-Directional Nat rule:

Original packet:

Source - DMZ

Source address - 192.168.1.2

Destination - Untrust

Destination Address – Any

Translated packet:

Translation Type - Static IP

Translation Address - 5.5.5.174
Bi-Directional [Tick]

Re: DMZ Config for web server

nmckee — Thu, 20 Dec 2018 21:16:55 GMT

Thanks. I did make the changes but tried to access my webserver without success...

One issue I see is that I can't ping the 5.5.5.174 address from either the outside or dmz zones. I can ping the dmz default gateway(192.168.1.1) as well as my ISPs default gateway(5.5.5.169) from inside the dmz but can't ping any other outside addresses(5.5.5.174, 5.5.5.170, as well as other outside web addresses) from inside the dmz.

5.5.5.170 is my original outside interface and it has been working. It's running my GlobalProtect and I haven't had any problems with that.

Any thoughts?

Re: DMZ Config for web server

nmckee — Thu, 03 Jan 2019 12:49:49 GMT

Thanks for the information. The solution did work but I was still having issues with the web server but figured out that is was a DNS config issue. All is well. Thanks again!