D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Terrance on February 24, 2012, 03:43:06 PM
-
Hello, I'm having a headache with traffic redirection. I'll explain my situation:
OFFICE A:
lan subnet 172.16.126.x
wan subnet 192.168.0.x
dmz subnet 172.16.127.x
OFFICE B:
lan subnet 172.16.129.X
Both offices are connected through a Cisco VPN configured by our ISP. Office A's Cisco gateway is 172.16.127.1 (for example) and Office B's Cisco gateway is 172.16.128.1.
The Cisco in office A acts as a router, which I have connected through the DMZ to grant access.
I need to redirect all http and ftp traffic through the WAN and, here's the issue, redirect all 172.16.129.X traffic through the DMZ, so I can access the net from A to B. Only a DFL is present in office A.
Any ideas will be very appreciated.
If you need more details about the configuration feel free to ask.
Thanks in advance.
-
UPDATE:
In Office B, the server which acts as gateway for all net has 2 net cards: CARD1 with subnet 172.16.129.X (local lan) and other CARD2 which connects to Cisco at 172.16.128.X.
I've configured the DFL which is located in Office A and I can ping CARD2 in the server. I can mstsc too using that address but I can't ping anything located in 172.16.129.X. Logging says
Warning RULE 6000051 Default_Rule ICMP lan from my local IP to the destination IP in subnet 172.16.129.X ruleset_drop_packet.
ipdatalen=40 icmptype=ECHO_REQUEST echoseq=9075
Over that error it throws other:
Warning RULE 6000051 Default_Rule UDP dmz 172.16.126.60 (my computer IP) to 172.16.126.255 (which is nothing) Src/Dst_Port 137 137 ruleset_drop_packet
I must be missing a rule, but which one? ::)
-
UPDATE 3:
Connection between the 2 offices works fine. Now I'm in need of redirecting all http and ftp traffic through WAN1 and the rest of the traffic through DMZ. I'm trying to configure another routing table and routing rule but no luck. Any ideas will be appreciated.
-
Your schema seems complicated - as I can see, you have two routers in each office.
Please make an image with your schema.
Also, please describe: does the DFL in office A have a route to network B through the Cisco? Which DFL interface is the Cisco connected to? DMZ?
Generally, all policy-based routing is done with an alternative routing table + a PBR rule.
Also, if it is necessary to route some network over IPsec, it should be included in the IPsec ACL.
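To make the "alternative routing table + PBR rule" advice concrete, here is an added example (Python, not from the thread and not D-Link's own code or CLI) that models how such a lookup behaves on a firewall: a policy-based routing rule list selects the table per flow, then a longest-prefix match inside that table picks the interface and next hop. The subnets are the ones from the thread (lan 172.16.126.0/24, dmz 172.16.127.0/24, Cisco-side 172.16.128.0/24, remote lan 172.16.129.0/24); the Cisco address 172.16.127.1, the WAN1 gateway 192.168.0.1 and the ports 80/21 for http/ftp are assumptions for the example.

```python
"""Toy model of policy-based routing (PBR) with an alternative routing table.

Added example for illustration only; it is not NetDefendOS code or syntax.
Addresses for the Cisco (172.16.127.1) and the WAN1 gateway (192.168.0.1)
are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    interface: str
    gateway: Optional[IPv4Address] = None   # None means directly connected


@dataclass(frozen=True)
class RoutingRule:
    """PBR rule: the first matching rule selects the forwarding table."""
    src_iface: str
    src_net: IPv4Network
    dst_net: IPv4Network
    dst_ports: FrozenSet[int]               # empty set = any destination port
    forward_table: str


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    hits = [r for r in table if dst in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


class Pbr:
    def __init__(self, tables: Dict[str, List[Route]], rules: List[RoutingRule]):
        self.tables, self.rules = tables, rules

    def select_table(self, src_iface: str, src: IPv4Address,
                     dst: IPv4Address, dst_port: int) -> str:
        for rule in self.rules:
            if (rule.src_iface == src_iface and src in rule.src_net
                    and dst in rule.dst_net
                    and (not rule.dst_ports or dst_port in rule.dst_ports)):
                return rule.forward_table
        return "main"                       # no PBR rule: ordinary routing

    def forward(self, src_iface: str, src: str, dst: str,
                dst_port: int) -> Optional[Tuple[str, str, str]]:
        s, d = ip_address(src), ip_address(dst)
        table = self.select_table(src_iface, s, d, dst_port)
        route = lookup(self.tables[table], d)
        if route is None:
            return None                     # unroutable: the packet is dropped
        gw = str(route.gateway) if route.gateway else "connected"
        return table, route.interface, gw


CISCO = ip_address("172.16.127.1")          # assumed Cisco address in the DMZ
WAN_GW = ip_address("192.168.0.1")          # assumed ISP router on WAN1
TABLES = {
    "main": [
        Route(ip_network("172.16.126.0/24"), "lan"),
        Route(ip_network("172.16.127.0/24"), "dmz"),
        Route(ip_network("172.16.128.0/24"), "dmz", CISCO),
        Route(ip_network("172.16.129.0/24"), "dmz", CISCO),
        Route(ip_network("0.0.0.0/0"), "dmz", CISCO),   # "rest of traffic through DMZ"
    ],
    "via_wan": [
        Route(ip_network("0.0.0.0/0"), "wan1", WAN_GW),  # default route for http/ftp
    ],
}
LAN = ip_network("172.16.126.0/24")
RULES = [
    # Internal destinations must keep the main table even for http/ftp,
    # so these rules come before the catch-all http/ftp rule.
    RoutingRule("lan", LAN, ip_network("172.16.127.0/24"), frozenset(), "main"),
    RoutingRule("lan", LAN, ip_network("172.16.129.0/24"), frozenset(), "main"),
    # http (80) and ftp (21) to anything else leave via WAN1.
    RoutingRule("lan", LAN, ip_network("0.0.0.0/0"), frozenset({80, 21}), "via_wan"),
]
ROUTER = Pbr(TABLES, RULES)


def decide(src: str, dst: str, dst_port: int) -> Optional[Tuple[str, str, str]]:
    """Routing decision for a packet that arrived on the lan interface."""
    return ROUTER.forward("lan", src, dst, dst_port)


if __name__ == "__main__":
    for dst, port in [("172.16.129.10", 80), ("93.184.216.34", 80),
                      ("93.184.216.34", 443), ("172.16.127.50", 80)]:
        print(dst, port, "->", decide("172.16.126.60", dst, port))
```

The order of the rule list is the point: a single "http/ftp to all-nets" rule placed first would also send HTTP bound for the DMZ host or for Office B out of WAN1, because the alternative table's default route matches every destination. Listing the internal networks before the catch-all rule (or adding specific routes for them to the alternative table) keeps that traffic on the Cisco path.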
-
Thanks for the reply, let's face it from the beginning:
We have 2 offices connected by a VPN bought by the company and configured by our ISP (we have had this for a long time, since before we could make VPNs with firewalls) and we are using them. We had to buy a DFL 800 because we needed to connect to an external application through an IPsec channel. That is working fine, but the company that provides us the application only gives us 1 public IP address to connect to. We connect to the application through an IP address (I'll give the details later).
So in office B we had to put another DFL 210 to connect through a tunnel to the DFL 800, so we can also use the application in Office B, so both offices connect to the only public IP of the application.
OFFICE A
Server A
- Lan1: IP=ServerLan1
- Lan2: IP=ServerLan2 GW=CiscoOfficeA_IP
Cisco Office A
IP=CiscoOfficeA_IP
DFL 210
Lan: IP=DFL_Lan_IP
DMZ: IP=DMZ_IP GW=CiscoOfficeA_IP
Wan: IP=WanIP GW=Router_IP
OFFICE B
Server B
Lan1: IP=ServerLan1
Lan2: IP=ServerLan2 GW=CiscoOfficeB_IP
I'm sending you all raw screenshots from DFL 210.
Now it is not working. If I get clients to see internet and lan, they can't connect to the external application. If I configure it for internet and the external application, they can't see the lan.
I hope you can throw some light here.
-
LAST UPDATE
Current state is:
- Communication between offices work sweet
- Internet through the firewall (where users have to login) works perfectly
- External application through tunnel from Office A to Office B does not work.
I'm preparing better, more understandable documentation. I'll send you the last working backup so you can figure this out.