Due to Global Address Mapping, Internal Server Fails to Reach the Internal Database

Publication Date: 2012-07-25
Alarm Information
None.
Handling Process
Method 1: On the GAP, also correlate the public (mapped) addresses of the servers in the DMZ with the database address, so that packets whose source addresses were translated by the firewall are allowed through the GAP.
Method 2: On the firewall, run the nat server zone untrust global X.X.X.X inside Y.Y.Y.Y command so that the address mapping applies only to traffic between the DMZ and the Untrust zone. Packets from the DMZ to the Trust zone then keep the servers' private addresses as their source IP addresses, so the GAP allows them through.
Root Cause
The GAP correlates the private addresses of the servers in the DMZ with the database address, which restricts access to the database to those addresses only. However, because the firewall maps the servers' addresses, packets from the servers that pass through the firewall carry public source IP addresses. Therefore, servers in the DMZ whose addresses are mapped by the firewall cannot access the database in the Trust zone.
Suggestions
Summary: Packets from the servers to the Trust zone do not need address mapping. Run the nat server zone zonename global X.X.X.X inside Y.Y.Y.Y command to apply the address mapping only on the specified interzone (here, between the DMZ and the Untrust zone), so that traffic towards other zones keeps the servers' private addresses.
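The following model, added here as an illustration and not part of the original article or of any Huawei product code, reproduces the root cause and both handling methods: a firewall that rewrites the source address of a mapped server, and a GAP that only passes packets to the database from correlated source addresses. The addresses (10.1.1.10 for Y.Y.Y.Y, 203.0.113.10 for X.X.X.X, 10.2.2.20 for the database, 198.51.100.5 for an Untrust host) and the zone names are constructed sample values, and the way a zone-scoped entry is matched (only when the peer zone is the one named) is an assumption of the model.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample addresses (the article only gives X.X.X.X / Y.Y.Y.Y placeholders).
SERVER_INSIDE = "10.1.1.10"      # Y.Y.Y.Y: private address of the DMZ server
SERVER_GLOBAL = "203.0.113.10"   # X.X.X.X: its public (mapped) address
DATABASE = "10.2.2.20"           # database host in the Trust zone
INTERNET_HOST = "198.51.100.5"   # some host in the Untrust zone


@dataclass(frozen=True)
class NatServer:
    """One 'nat server ... global G inside I' entry. zone=None models the
    unscoped form, which is applied on every interzone the server talks to."""
    global_ip: str
    inside_ip: str
    zone: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_zone: str
    dst_zone: str


def firewall_forward(pkt: Packet, mappings: list[NatServer]) -> Packet:
    """Rewrite the source address of a packet leaving a mapped server.
    Assumption of this model: a zone-scoped entry only rewrites when the
    peer (destination) zone is the one named in the entry."""
    for m in mappings:
        if pkt.src == m.inside_ip and (m.zone is None or m.zone == pkt.dst_zone):
            return replace(pkt, src=m.global_ip)
    return pkt


def gap_permits(pkt: Packet, correlated_sources: set[str]) -> bool:
    """The GAP correlates a set of source addresses with the database and
    drops everything else destined for it."""
    return pkt.dst == DATABASE and pkt.src in correlated_sources


def server_reaches_database(mappings: list[NatServer], correlated: set[str]) -> bool:
    """DMZ server -> firewall (NAT) -> GAP -> database in the Trust zone."""
    pkt = Packet(SERVER_INSIDE, DATABASE, "dmz", "trust")
    return gap_permits(firewall_forward(pkt, mappings), correlated)


def server_reaches_internet_as_public(mappings: list[NatServer]) -> bool:
    """Check that the fix keeps the mapping towards the Untrust zone intact."""
    pkt = Packet(SERVER_INSIDE, INTERNET_HOST, "dmz", "untrust")
    return firewall_forward(pkt, mappings).src == SERVER_GLOBAL


def run_scenarios() -> dict[str, bool]:
    unscoped = [NatServer(SERVER_GLOBAL, SERVER_INSIDE)]
    scoped = [NatServer(SERVER_GLOBAL, SERVER_INSIDE, zone="untrust")]
    return {
        # Root cause: the GAP only knows the private address, but the firewall
        # has already rewritten the source to the public one.
        "unscoped_mapping": server_reaches_database(unscoped, {SERVER_INSIDE}),
        # Method 1: also correlate the public address on the GAP.
        "method1_gap_adds_public": server_reaches_database(
            unscoped, {SERVER_INSIDE, SERVER_GLOBAL}),
        # Method 2: limit the mapping to the DMZ-Untrust interzone.
        "method2_zone_scoped": server_reaches_database(scoped, {SERVER_INSIDE}),
        "method2_internet_still_mapped": server_reaches_internet_as_public(scoped),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'reachable' if ok else 'blocked'}")
```

Running the block prints one line per scenario; only the unscoped mapping leaves the database unreachable, while the zone-scoped mapping both restores database access and still presents the public address towards the Untrust zone.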
