Issue

In a topology with two Virtual Routers, VR1 and VR2, sharing a subnet, VR1 has a public interface on Ethernet 1/1 (100.1.1.10/24) and VR2 has a public interface on Ethernet 1/2 (100.1.1.20/24). Both use the same ISP gateway, 100.1.1.1/24. Users need to access a server on the public IP 100.100.100.100, which resides in a DMZ interface connected to VR2. The private IP of the server is 10.10.10.10. Sessions are seen as "incomplete" because Ethernet 1/1 is responding to the ARP requests for 100.100.100.100.

Resolution

NAT rules are defined based on the zone configured. If the untrust zone is shared between two different Virtual Routers, either of them will respond to the ARP request for 100.100.100.100. In this case, only VR2 should respond to the ARP request.

Do not use the same Untrust zone for both of the public interfaces residing on different Virtual Routers. Create a new Untrust zone, for example "Untrust-VR2", and add the public interface of VR2 to that zone.

Configure a Bi-Directional NAT:

Source Zone: DMZ
Destination Zone: Untrust-VR2
Source Address: 10.10.10.10
Destination Address: Any
Destination Interface: Ethernet 1/2
Source Translation: Static IP "100.100.100.100"
Bi-Directional: Yes

Create the security policy accordingly. Based on this configuration, only VR2 will respond to the ARP request.

Owner: kalavi
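The same fix expressed as PAN-OS CLI, added here as an illustration rather than taken from the article: the shared-zone state that causes the problem, the zone split, the bi-directional static NAT, and two operational checks. The rule names, the virtual router name VR2 and the security rule are assumptions; the article only says to create the security policy "accordingly".

```panos
# Problematic state (constructed): both public interfaces sit in one zone,
# so the static NAT for 100.100.100.100 is reachable through either VR and
# ethernet1/1 (VR1) may answer the ARP request.
set zone Untrust network layer3 [ ethernet1/1 ethernet1/2 ]

# Fix: move VR2's public interface into its own zone (zone/VR names assumed)
delete zone Untrust network layer3 ethernet1/2
set zone Untrust-VR2 network layer3 ethernet1/2
set network virtual-router VR2 interface ethernet1/2

# Bi-directional static NAT scoped to Untrust-VR2 / ethernet1/2 (rule name assumed)
set rulebase nat rules DMZ-Server-Static-NAT from DMZ to Untrust-VR2
set rulebase nat rules DMZ-Server-Static-NAT source 10.10.10.10 destination any service any
set rulebase nat rules DMZ-Server-Static-NAT to-interface ethernet1/2
set rulebase nat rules DMZ-Server-Static-NAT source-translation static-ip translated-address 100.100.100.100
set rulebase nat rules DMZ-Server-Static-NAT source-translation static-ip bi-directional yes

# Inbound security rule (assumed name): PAN-OS matches the pre-NAT destination
# address (100.100.100.100) but the post-NAT destination zone (DMZ).
set rulebase security rules Allow-Inbound-DMZ-Server from Untrust-VR2 to DMZ source any destination 100.100.100.100 application any service application-default action allow

commit

# Verification (operational mode): the public address should now be handled
# only via ethernet1/2, and new inbound sessions should no longer be "incomplete".
show arp ethernet1/2
show session all filter destination 100.100.100.100
```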
panagent ‎03-04-2012 03:43 PM