New to Intermediate RHEL user. Trying to setup a RHEL web server in a DMZ that will need to communication with a RHEL server on an internal network. Server has Nic 1 setup for an internal address and Nic 2 for a DMZ address. Users inside the network will not need to access the URL on the external web server. Below is the basic config.

External Static Range: 65.x.x.2 to 65.x.x.6
Firewall Interface: 65.x.x.2
External Firewall Gateway: 65.x.x.1
External NAT: 65.x.x.3 to 10.2.x.2

DMZ Interface 10.2.x.1
DMZ Web Server Nic 2 IP: 10.2.x.2
Subnet: 255.255.0.0

Internal Nic 1: 10.0.x.2
Subnet: 255.255.0.0

Issue: The firewall log shows the traffic being allowed on the necessary ports coming from the external ip to the NAT'd DMZ IP, but then there is no response from the RHEL server. It's my understanding that this issue is on the RHEL server and not the firewall, possibly a configuration to route traffic from the DMZ nic to the internal nic.

Could someone provide some insight, documentation, or a link that might help resolve this?

Thank you.

It just sounds like there is no default route from the server outbound towards the net based on what you've said. if you tcpdump on the box, do you see a SYN ACK packet leave the box for somewhere? Have you set two default gateways or somethign else unusual / illogical?

Why does your "DMZ" server have an internal NIC? Classically unless you have another firewall below the DMZ server as well, that box would only have the DMZ NIC to reach it. Otherwise, if someone compromises the DMZ box, then they're off and away using the internal NIC, which totally undermines the logic of the DMZ in the first place.

Unfortunately, the developers needed to get started immediately, and the DMZ configuration wasn't ready. The server was setup with an internal nic so they could have access to the internal database and the external nic (dmz) was added afterward. Running a tcpdump nets no SYN ACK. Nic 1 points to the gateway of the internal network, the primary internet connection. Nic 2 points to the gateway of a secondary internet connection.

I agree with the classic DMZ config. Since the server has to communicate with the internal network, in a single nic config, you'd still have to route the dmz nic so it could communicate internally, right?

Running a traceroute shows the server to be using the gateway from Nic 1 (internal). I suspect this is the problem.

So you have TWO default gateways? that won't work. NIC's don't get routed anywhere, the entire system is. the internal NIC should only be used to reach 10.0.0.0/8 or whatever your internal network range is. Before it's removed of course, as right now you do NOT have a DMZ.

Ok, makes sense. We cannot remove the internal nic because the development is tied to that nic and ip address. We can remove the gateway configured to the internal nic and set the etc/sysconfig/network gateway to the dmz gateway. Also, our firewall is doing a 1-to-1 NAT to the DMZ ip and we only have specific ports open. Is it possible to create a route or ip forwarding between two nics?