Wednesday, September 26, 2018

Routing for DMZ to DMZ communication between sites?

I am trying to set up communication between two DMZs that exist in each of our data centers, and I am having a hard time wrapping my head around the routing logic required to make that happen. I have included a Visio of how I envision the traffic would flow between the two sites, but I'm having some trouble understanding how I can have traffic destined for a subnet, let's say 172.16.1.0/24, get to the firewall (in step 3 of the diagram) and also be routed properly over the DCI (in step 4). Getting the traffic to the Site A firewall is easy, but I'm missing something for the remainder of the path.

If I create a route on the Site A core switch to point traffic destined for 172.16.1.0/24 to the firewall, and then a route on the firewall to point the traffic back to the core router so that it can traverse the DCI over to Site B, that obviously won't work very well.

How would you handle this particular configuration? Switches are Juniper and firewalls are Palo Alto.

Quick ugly Visio of the topology and the traffic path: https://i.imgur.com/rvzGLfB.png
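As an added illustration, not taken from the post or its diagram, the following Python forwarding simulation models the static routes the question describes with constructed device names and tables: it performs a longest-prefix lookup at each hop and flags the core-to-firewall-to-core bounce for 172.16.1.0/24 as a routing loop, which is the sanity check worth running before committing routes like these.

```python
import ipaddress

# Constructed routing tables for the scenario in the question (assumed names,
# not the actual Juniper/Palo Alto configuration). Prefix -> next-hop device.
ROUTES = {
    "site_a_core": {
        "172.16.1.0/24": "site_a_firewall",  # step 3: DMZ-B traffic goes to the firewall
        "0.0.0.0/0": "site_a_firewall",
    },
    "site_a_firewall": {
        "172.16.1.0/24": "site_a_core",      # "back to the core" to reach the DCI
        "0.0.0.0/0": "site_a_core",
    },
    "site_b_core": {
        "172.16.1.0/24": "site_b_dmz",
    },
    "site_b_dmz": {},                        # empty table: the traffic has arrived
}


def lookup(table, dst):
    """Longest-prefix match: next-hop device for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(routes, start, dst, ttl=64):
    """Forward a packet hop by hop from device `start` toward address `dst`.

    Returns (path, status) where status is 'delivered', 'no_route' or 'loop'.
    A device whose table is empty is treated as the final destination.
    """
    path, seen, node = [start], {start}, start
    for _ in range(ttl):
        if not routes.get(node):
            return path, "delivered"
        nexthop = lookup(routes[node], dst)
        if nexthop is None:
            return path, "no_route"
        path.append(nexthop)
        if nexthop in seen:      # same single routing table consulted twice
            return path, "loop"
        seen.add(nexthop)
        node = nexthop
    return path, "loop"          # TTL exhausted without reaching a destination


if __name__ == "__main__":
    print(trace(ROUTES, "site_a_core", "172.16.1.10"))
```

Run from the Site A core, the trace returns the path ['site_a_core', 'site_a_firewall', 'site_a_core'] with status 'loop', which is exactly why the single-table design in the question cannot express "through the firewall and then on to the DCI".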
