topic Re: Routing Issue in General Topics

Routing Issue

Mitesh — Mon, 01 Dec 2025 08:12:22 GMT

Hi Team,

We are facing routing issue, need your suggestion.

In our environment we are running two CP Cluster 9100 & 3800. Cluster 9100 is used for Internet Traffic & Cluster 3800 is used for IPSec Tunnel Traffic. Both Clusters Gateway intefaces directly connected to DMZ switch.

In DMZ Servers existing gateway ip is 192.168.1.1, which is mentioned in Cluster 9100.

how Remote Office Network traffic which is coming via IPSec Tunnel, can access the DMZ Servers.

What kind of config (routing) we need to perform?

Architecture diagram attached.

Re: Routing Issue

Chris_Atkinson — Mon, 01 Dec 2025 08:50:13 GMT

You may need to look at performing NAT rather than routing depending on the different traffic flows that need to work.

Re: Routing Issue

Martijn — Mon, 01 Dec 2025 14:05:32 GMT

Hi,

You have two options.

Configure a static route on the DMZ servers to 192.168.10.0/24 via 192.168.1.6.

Or as @Chris_Atkinson mentions, configure a NAT rule on the 3800 cluster to hide source 192.168.10.0/24 behind 192.168.1.6.
This NAT only works for traffic initiated from 192.168.10.0/24. If the DMZ servers initiate traffic to 192.168.10.0/24, you need static destination NAT.

Martijn

Re: Routing Issue

the_rock — Tue, 02 Dec 2025 02:11:47 GMT

I totally agree with the guys, those suggestions make perfect sense.

Re: Routing Issue

Mitesh — Tue, 02 Dec 2025 04:33:28 GMT

@Martijn

If the DMZ Servers initate the traffic, than traffic will forward to 9100 Cluster reason 9100 cluster IP is mentioned as a gateway IP in the DMZ Servers.

In this case what will be the configuration we need to perform in 9100 cluster & 3800 cluster.

Re: Routing Issue

emmap — Tue, 02 Dec 2025 05:14:44 GMT

The routing change needs to happen at the servers. Alternatively, remove the link to the 3800 cluster from the server LAN and instead connect it to the 9100s on another subnet, so that everything routes via the 9100s.

Re: Routing Issue

Martijn — Tue, 02 Dec 2025 06:35:23 GMT

If the DMZ servers need to initiate traffic to 192.168.10.0/24, the simple solution is to add a static route on the DMZ servers. This will route the traffic to 192.168.10.0/24 via the 3800 cluster and the internet traffic to the 9100 cluster. This requires no changes on the 9100 or 3800 cluster.

If changing the route on the DMZ servers is not an option or not possible the solution @emmap suggests is a good one. But this requites changes on the 9100 and 3800 cluster in terms of routes and interfaces.

You could go with static (one-on-one) NAT on the 3800 cluster if only a few IP-addresses in the 192.168.10.0/24 subnet should be reached by the DMZ servers. For example:

The DMZ servers need to connect to 192.168.10.10 on the remote location. You can create a NAT rule on the 3800 where destination 192.168.1.10 is NAT-ed to 192.168.10.10. You have to do this for every IP in 192.168.10.0/24 that servers need to connect to (if they initiate the traffic).

This makes it more complex. You need to take care of proxy ARP and it also depends on the application on the server. If the application is programmed to connect to a 192.168.10.x IP, this needs to be changed to a 192.168.1.x IP.

So the most simple option is to add that static route on the DMZ servers.

Re: Routing Issue

Mitesh — Tue, 09 Dec 2025 06:40:23 GMT

Thanks @Martijn , we have put up the solution in fornt of the managment, waiting for their approval.