DMZ Config for web server

L1 Bithead

My firewall is using the following interfaces/zones: E1/1 (5.5.5.170/29) and E1/1.1 (5.5.5.174/29) are in the outside zone. E1/2 (192.168.254.252/24) is in the inside zone. E1/8 (192.168.1.1) is in the DMZ zone. E1/1 and E1/2 are connected to the mainvr virtual router. E1/1.1 and E1/8 are connected to the DMZrouter virtual router. I have a web server located in the DMZ zone (192.168.1.2/24) that I want to one-to-one static NAT to 5.5.5.174/29 to grant outside-zone access to and from the web. I'm not having any success. Any help would be great.

(My inside-to-outside traffic works fine; I'm just having problems with DMZ access from the outside zone.)
Below are my NAT/Security rules:

1) Outbound NAT rule:

Original packet:

    Source - DMZ
    Source address - 192.168.1.2
    Destination - Untrust
    Destination Address - Any

Translated packet:

    Source translation - Static IP
    Translated address - 5.5.5.174
    (Bi-directional is not checked)

2) Inbound NAT rule:

Original packet:

    Source - Untrust
    Source address - Any
    Destination - DMZ
    Destination Address - 5.5.5.174

Translated packet:

    Destination translation
    Translated address - 192.168.1.2
    (Translated port is not entered)

Outbound Security Rule

    Source Zone - DMZ
    Source Address - 192.168.1.2
    Destination zone - Untrust
    Destination Address - Any

Inbound Security Rule

    Source Zone - Untrust
    Source Address - Any
    Destination zone - Trust
    Destination Address - 5.5.5.174

Accepted Solution

Cyber Elite

Your inbound NAT policy needs to be untrust to untrust; your inbound security policy needs to be untrust to dmz.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
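To see why the accepted answer works, here is an added Python model (not from the thread and not PAN-OS code) of the two lookups the firewall performs: the NAT policy is matched on pre-NAT zones, where the destination zone comes from a route lookup on the original address 5.5.5.174, while the security policy is matched on post-NAT zones but still on the pre-NAT address. The route table, the Internet client address 203.0.113.10 and the collapsing of the two virtual routers into one table are constructed assumptions.

```python
import ipaddress

# Constructed, simplified route/zone table built from the poster's description:
# 5.5.5.168/29 is the outside subnet (E1/1 and E1/1.1), 192.168.254.0/24 the
# inside subnet (E1/2) and 192.168.1.0/24 the DMZ (E1/8). Both virtual routers
# are collapsed into a single lookup table for clarity (an assumption).
ROUTES = {
    "0.0.0.0/0": "untrust",        # default route towards the ISP
    "5.5.5.168/29": "untrust",
    "192.168.254.0/24": "trust",
    "192.168.1.0/24": "dmz",
}

def zone_for(ip):
    """Longest-prefix route lookup; the egress interface's zone is the result."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES.items()]
    return max(((n, z) for n, z in nets if addr in n), key=lambda t: t[0].prefixlen)[1]

def match_nat(rule, pkt):
    """NAT policy uses PRE-NAT zones: the destination zone is where the
    original destination (5.5.5.174) routes, i.e. untrust, not dmz."""
    return (rule["from"] == pkt["ingress_zone"]
            and rule["to"] == zone_for(pkt["dst"])
            and rule["dst"] in ("any", pkt["dst"]))

def match_security(rule, pkt, post_nat_dst):
    """Security policy uses POST-NAT zones but PRE-NAT addresses: the zone is
    where the translated address (192.168.1.2) routes, the address stays 5.5.5.174."""
    return (rule["from"] == pkt["ingress_zone"]
            and rule["to"] == zone_for(post_nat_dst)
            and rule["dst"] in ("any", pkt["dst"]))

def evaluate(pkt, nat_rule, sec_rule):
    """Return the fate of an inbound packet under one NAT rule and one security rule."""
    if not match_nat(nat_rule, pkt):
        return "no NAT match"
    post_dst = nat_rule["translated_dst"]
    if not match_security(sec_rule, pkt, post_dst):
        return "dropped by security policy"
    return f"allowed, delivered to {post_dst}"

# Constructed inbound packet: an Internet client hitting the public IP of the web server.
PKT = {"ingress_zone": "untrust", "src": "203.0.113.10", "dst": "5.5.5.174"}

# The poster's original rules (destination zone DMZ / Trust) next to the accepted fix.
ORIGINAL_NAT = {"from": "untrust", "to": "dmz", "dst": "5.5.5.174", "translated_dst": "192.168.1.2"}
ORIGINAL_SEC = {"from": "untrust", "to": "trust", "dst": "5.5.5.174"}
FIXED_NAT = {"from": "untrust", "to": "untrust", "dst": "5.5.5.174", "translated_dst": "192.168.1.2"}
FIXED_SEC = {"from": "untrust", "to": "dmz", "dst": "5.5.5.174"}
```

Running `evaluate(PKT, ...)` with the three rule combinations shows the original pair never matching NAT, the fixed NAT rule with the original security rule being dropped, and only the fully corrected pair reaching 192.168.1.2.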


L4 Transporter

You should also be able to use a single bi-directional rule.

1) Bi-Directional NAT rule:

Original packet:

    Source - DMZ
    Source address - 192.168.1.2
    Destination - Untrust
    Destination Address - Any

Translated packet:

    Translation Type - Static IP
    Translation Address - 5.5.5.174
    Bi-Directional [Tick]
Thanks. I did make the changes but tried to access my web server without success...

One issue I see is that I can't ping the 5.5.5.174 address from either the outside or DMZ zones. I can ping the DMZ default gateway (192.168.1.1) as well as my ISP's default gateway (5.5.5.169) from inside the DMZ, but I can't ping any other outside addresses (5.5.5.174, 5.5.5.170, as well as other outside web addresses) from inside the DMZ.

5.5.5.170 is my original outside interface and it has been working. It's running my GlobalProtect and I haven't had any problems with that.

Any thoughts?

Thanks for the information. The solution did work, but I was still having issues with the web server; I figured out that it was a DNS config issue. All is well. Thanks again!
