How to implement Static Routing with Dual Layer Firewalls?


  • Welcome All,
    Although I have a lot of experience with computers, networking with static routes through devices I am fairly weak with. Due to requirements, there are two firewalls in use, an outer and an inner. Static routes are to be used. I do have the understanding of placing a signal static route through one firewall, but not with two, along with a DMZ.

    Using example IPs:
    IP from the Outside: 100.100.100.99
    IP for Internal Network Switch: 192.168.1.72
    A Server separate from the Switch: 172.20.1.2

    Outer Firewall:
    WAN (Facing to Outside): 100.100.100.100
    LAN (Facing to Inner FW): 10.10.10.1

    Inner Firewall:
    WAN (Facing the Outer FW LAN): 10.10.10.2
    LAN1 (Facing the internal Network): 192.168.1.73
    LAN2 (Facing the internal Server): 172.20.1.1

    DMZ:
    IP: 10.10.10.3

    Thus:

    1. The route would be from the Outside IP to the Outer Firewall WAN,
    2. Which goes to the Outer Firewall LAN, which goes to both the DMZ and Inner Firewall WAN
    3. With the Inner Firewall, uses both LAN1 and LAN2:
      --- LAN1 to the Network Switch
      --- LAN2 to the Internal Server
    4. And of course reverse direction

    Normally, with just one firewall and the network switch, would be to disable NAT and then apply the Static Route from the WAN and LAN sides, but I am not certain how to does in such a complex manner as above.

  • Galactic Empire

    @mrpatrick

    On your outer firewall define your routes for your inner firewall subnets pointing to 10.10.10.2

    On your inner firewall disable outbound nat and set the default route to 10.10.10.1

    If you're feeling brave install ffr and set up OSPF between the two devices, this would be preferable if there are loads of subnets behind your inner firewall.

    Screenshot 2021-01-02 at 10.51.15.png


  • @nogbadthebad
    Thanks for the reply and insight.
    Question, would the Outter FW have its NAT disabled as well?
    Will put this into tests on Monday and post of the outcomes.

  • Galactic Empire

    @mrpatrick

    If the outer firewall connects to the internet it would need to NAT local addresses.