How to access DMZ from LAN?
 

I'm learning to set up an iptables firewall with a DMZ.

At the moment, I have networks set up as:

external net: a.a.a.200/29
DMZ net : 10.1.1.0/24
LAN net : 192.168.1.0/24

Where the outside world gets to my DMZ servers by NAT mapping in the firewall from external addresses to the 10.1.1.X addresses/ports.

I'm not clear how to correctly access the DMZ machines from the LAN.

If I have a mail server on, say, 10.1.1.10:25, mapped via NAT to/from a.a.a.200:25, what address should INTERNAL, lan-side machines (on the 192.168.1.X network) access it at ? 10.1.1.10:25 or a.a.a.200:25?

Thanks a lot.

Geri

Use the real address, 10.1.1.10:25

Since NAT would not be involved, I'd just make sure that FW rules allowing 192.168.1.X <-> 10.1.1.X are in place?

Do I need to ALSO set up some sort of special additional route(ing) since both the 192. & 10. are "internal only" IP ranges?

The routers handle the subnet management. If your router allows a different subnet in the DMZ than in the regular internal LAN then it should be able to handle the routing.

NAT won't be involved between your internal LAN and the DMZ.