Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

DMZ zone users not able to access it's own DMZ internal server.

AijazAijaz Newbie ✭
in Mid Range Firewalls

In my DMZ zone I have one server and I want all my DMZ subnet can access this server internally.i have already done configuration like access rule, nat policy and routing. I can access server externally but my DMZ user not able to access the server.

Also I have configured Loopback Nat policy but DMZ subnet not able to access it's internal oracle server which is present inside the DMZ zone.

Org src = DMZ subnet

translate src= x2 interface (wan)

Org dest= server public ip

Translate dest = server private

Orig service= 22

Translate service= orig

Inbound= any

Outbound=any


I did the above loopback nat policy on my firewall but not getting access of oracle server.

Can anyone have solution pls let me know.

Category: Mid Range Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Aijaz how are your DMZ hosts trying to access each other, with IP or Name? General Rule is, if you stick in the same subnet the SNWL will not see the traffic and it's a host firewall issue or any other host related configuration which causes the trouble.

    E.g. ping from 192.168.1.16 to 192.168.1.17 will never be seen by the Firewall (192.168.1.1).

    If you try to access by name and the name resolves to let's say the public IP you might run into the NAT loopback situation you mentioned. But here is another factor which causes trouble. The reply packets will go a different route then the request packets and this breaks your communication (ping might work).

    E.g. https from 192.168.1.16 to www.mycompay.com (5.5.5.5). 5.5.5.5 gets translated to 192.168.1.17 and allowed by the DMZ-to-DMZ Rule. TCP/SYN is received by 192.168.1.17 via SNWL but the SYN/ACK is send directly to 192.168.1.16 because they are in the same subnet. 192.168.1.16 now sends the ACK via SNWL and this will break, because the Firewall never saw the SYN/ACK (which went directly between the systems).

    The most simple solution would be a DNS overwrite to have the public name resolved to the internal IP instead the external one if requested from the inside.

    I hope this makes some sense for you and puts you in the right direction.

    --Michael@BWC

Sign In or Register to comment.