#2
22nd May 2009
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

If NAT were not used on gate2 -- and it is probably not necessary -- you would have a standard dual firewall with a DMZ subnet (10.0.1). If so, you merely need to add routing table entries for the internal protected network (192.168) to gate1 and to your servers in the DMZ. e.g.:

# route add 192.168.4/24 10.0.1.20

Because you are using NAT in gate2, all packets originating on 192.168.4/24 are translated to 10.0.1.20. This eliminates the need to route to the 192.168 subnet from systems on the 10.0.1 DMZ. In theory. But without further diagnostics of the environment (ping, tcpdump, fw ruleset, etc.) there's no way to know the source of your configuration problem.
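An added illustration (not part of the post above) of why the route entry matters without NAT and is unneeded with it: a longest-prefix-match lookup on a DMZ server's routing table decides where its reply to an internal client goes. It assumes gate2's DMZ address is 10.0.1.20 as in the post, a placeholder default gateway (gate1) at 10.0.1.1, and an internal client at 192.168.4.10.

```python
import ipaddress


def expand_bsd_net(short):
    """Expand route(8)-style abbreviated networks ("192.168.4/24" -> "192.168.4.0/24").

    BSD route accepts fewer than four octets; ipaddress does not, so pad with zeros.
    """
    addr, _, plen = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + ("/" + plen if plen else "")


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(expand_bsd_net(prefix))
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def reply_next_hop(dmz_server_routes, client_src, nat_on_gate2):
    """Next hop a DMZ server picks for its reply to a packet from an internal client.

    With NAT on gate2 the server only ever sees 10.0.1.20 as the source, so the
    reply is on-link; without NAT it must have a route for the 192.168 subnet.
    """
    visible_src = "10.0.1.20" if nat_on_gate2 else client_src
    return lookup(dmz_server_routes, visible_src)


# Constructed DMZ server routing table (assumed): on-link DMZ plus default via gate1.
DMZ_SERVER_ROUTES = [("10.0.1/24", "direct"), ("0.0.0.0/0", "10.0.1.1")]
# Same table after the post's "route add 192.168.4/24 10.0.1.20".
WITH_INTERNAL_ROUTE = DMZ_SERVER_ROUTES + [("192.168.4/24", "10.0.1.20")]

if __name__ == "__main__":
    for label, table, nat in [("no NAT, no route", DMZ_SERVER_ROUTES, False),
                              ("no NAT, with route", WITH_INTERNAL_ROUTE, False),
                              ("NAT on gate2", DMZ_SERVER_ROUTES, True)]:
        print(f"{label:20s} -> reply via {reply_next_hop(table, '192.168.4.10', nat)}")
```

Without NAT and without the route the reply leaves via the default gateway (gate1), which is the misrouting the post's `route add` line fixes.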