Server with public IP behind the firewall without Natting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Server with public IP behind the firewall without Natting

Cyber Elite
Cyber Elite

 

We need to have a 1 server behind the firewall with public ip address.

We do not want private ip on the server.

 

Firewall -  outside zone

Server is behind the DMZ_Zone.

 

Currently  DMZ has sub interface with private ip address

 

so when traffic comes from internet it will hit he firewall and hit should redirect that to DMZ zone where server has public ip address.

 

For NAT rule i can do source and destination zone  as outside 

Source address any and Dest has server public ip address and no natting.

 

For security rule same ips but dest will be dmz zone.

 

Will this setup work?

 

MP

Help the community: Like helpful comments and mark solutions.
1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

No

 

You first need to consider the firewall as a router 

It knows that x.x.x.x/x is on the untrust interface and it knows that a.a.a.a/a is on the DMZ interface

If you add a server with ip x.x.x.z to the a.a.a.a/24 network, the firewall will not be able to route to it as it's routing table will demand the packets be sent to the x.x.x.x/x interface

 

Your server will also not be able to communicate with any of the other servers in the DMZ, because they too know to send x.x.x.x/x to the firewall instead of an adjacent device (default route and broadcast domain)

 

There are 2 solutions that I can think of (well, 3, but NAT is not an option)

 

1. put the server behind a vwire that is connected to the outside router. That way your server is 'on the outside' but still protected by the vwire

2. create layer2 interfaces and add the server to the same vlan as the untrust interface, make sure to enable intrazone security profiles

3. NAT 😛

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

No

 

You first need to consider the firewall as a router 

It knows that x.x.x.x/x is on the untrust interface and it knows that a.a.a.a/a is on the DMZ interface

If you add a server with ip x.x.x.z to the a.a.a.a/24 network, the firewall will not be able to route to it as it's routing table will demand the packets be sent to the x.x.x.x/x interface

 

Your server will also not be able to communicate with any of the other servers in the DMZ, because they too know to send x.x.x.x/x to the firewall instead of an adjacent device (default route and broadcast domain)

 

There are 2 solutions that I can think of (well, 3, but NAT is not an option)

 

1. put the server behind a vwire that is connected to the outside router. That way your server is 'on the outside' but still protected by the vwire

2. create layer2 interfaces and add the server to the same vlan as the untrust interface, make sure to enable intrazone security profiles

3. NAT 😛

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

4.  Put this server in it's own vlan/subnet.  Either use a separate physical interface for it or add a subinterface on the same port as your current DMZ zone.  Attach this interface to the applicable vRouter and add static or dynamic routing.

MAny Thanks Reaper for answering the Question.

 

Best Regards

Mike

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 7659 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!