IPFILTER DMZ access to internal LAN

[msmcknight]

Hi everyone,

I have an ipfilter firewall with three interfaces. Everything works fine from the internal network to the internet and from the internet to internal hosts. From the DMZ, outbound traffic to the internet works fine.

I need to allow hosts in the DMZ to access certain internal services. I can see the firewall logs showing the connection attempts and they are all being "passed" as expected, but the traffic doesn't seem to flow. Traffic from the internal network to the DMZ seems to work just fine.

My guess is that it's an IPNAT problem, but I just can't seem to figure it out.

My interfaces are as follows:
sfe0 - public internet (x.x.x.x)
rtls0 - internal LAN (y.y.y.0) - firewall address=y.y.y.1
elxl1 - DMZ (z.z.z.0) - firewall address=z.z.z.1

My current IPNAT mappings look like this:

map elxl1 y.y.y.0/24 -> z.z.z.1/32  #map internal traffic to DMZ 

map sfe0 y.y.y.0/24 -> x.x.x.x/32 #map internal traffic to internet

map sfe0 z.z.z.0/24 -> x.x.x.x/32 #map dmz traffic to internet

I have tried several map statements to try and get DMZ traffic to the internal LAN, but just can't get any of them to work. If anyone can help with the correct syntax and positioning of the DMZ->internal map statement, it would be greatly appreciated.

Thanks to you all in advance,
-Michael

 

[SirDice]

Not everything has to be solved with NAT. Don't use NAT for the LAN to DMZ traffic. Just use plain and simple routing.

 

[msmcknight]

If I don't want the DMZ to know about internal addresses, or the internal network to know about DMZ addresses, wouldn't I have to use NAT? I'm kindof new to this, so if I'm completely off base, please help me understand.

 

[kpa]

Hiding addresses behind NAT always causes some problems and should be avoided if possible. You can do all access control with just pass/block rules, hiding the internal addresses with NAT is not needed.