Firewall – In 2 tier firewall, how to configure so that only the 1st tier is doing the NAT

firewall; nat; subnet

We recently did a network infra upgrade by adding an additional firewall as the 1st tier firewall and making the current one the 2nd tier. The setup is:

WAN <–> 1st Tier Firewall <–> Intermediate LAN <–> 2nd Tier Firewall <–> Internal LAN

There are other networks such as DMZ, Wi-Fi guest and so on which are not shown above. The intermediate LAN is only a single connection between the 2 firewalls, with no server or workstation connected to it. The IPs for the above networks are:

Intermediate LAN : 192.168.100.x/24

Internal LAN : 192.168.50.x/24 (Server Farm) & 192.168.40.x/24 (Workstation)

We've set up policies to enable browsing and various web traffic from the Server Farm and Workstation networks to the WAN. Web filtering is done on the 1st tier firewall.

Now the problem we're facing is that we need to turn on NAT on both the 1st and 2nd tier firewalls in order to make web browsing work. If we turn off NAT for the 2nd tier, we're able to ping external IPs (ISP DNS, Google DNS), but domain names will not resolve, and thus there is no web browsing. When we check the log on the 1st tier firewall, DNS packets have indeed been allowed to pass through, but workstations and servers still fail to resolve domain names.

Since the 1st tier firewall is doing the web filtering, we would like the executive report or any log to show the originating workstation IP instead of the IP of the 2nd tier firewall when NAT is turned on. We would also like to reduce the load on the 2nd tier firewall by not having NAT on it.

What do we need to change to make it work with just 1 layer of NAT?

EDIT:
Sorry for the confusion; basically we just want to know generic solutions to the above problem, like adding the server/workstation network addresses to the 1st tier interface, or having specific static routes in the 2nd tier, or whether we're not supposed to have an intermediate LAN, and so on. We believe there's no specific configuration which only works on a certain brand of firewall.

EDIT:
The 1st tier is Astaro and the 2nd tier is FortiGate. There are 3 VLANs configured on the LAN port of the FortiGate, with servers as native and workstations and printers in 2 separate VLANs. For now we're focusing on servers only. There's a policy to allow all traffic from Server to the Astaro's LAN port. NAT is enabled on this policy. On the Astaro, there are 2 policies allowing LAN to WAN for DNS and HTTP. Browsing works. But if the Server->Astaro policy's NAT is off, we cannot resolve external domain names on the server. We can always ping external IPs such as 8.8.8.8 or the ISP's DNS regardless of NAT.

Best Answer

Well, you've given us zero details on the equipment in question, so this answer is going to be very generic.

Your outside firewall is doing NAT. The inside firewall needs to have both ACLs configured such that your desired packets can pass back and forth, as well as proper routes added so it knows which interfaces to route traffic to.
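To make the routing half of that answer concrete, here is an added model (not part of the question or the answer) of the topology above with NAT only on the 1st tier and plain routing on the 2nd: it traces a DNS query from a server and shows that the un-NATed reply only reaches the server if the 1st tier has routes for the internal subnets pointing at the 2nd tier's intermediate-LAN address. It does not model ACLs or the ping-versus-DNS difference reported in the question; the interface addresses 192.168.100.1/.2, the public IP 203.0.113.10 and the server address are assumed.

```python
import ipaddress

# Constructed: subnets are the question's; the interface/public IPs are assumed.
TIER2_INTERMEDIATE_IP = "192.168.100.2"   # 2nd tier, intermediate-LAN side
TIER1_PUBLIC_IP = "203.0.113.10"          # 1st tier, WAN side (documentation range)

class Firewall:
    """Longest-prefix-match router with optional source NAT toward the WAN."""
    def __init__(self, routes, nat_ip=None):
        self.routes = [(ipaddress.ip_network(net), via) for net, via in routes]
        self.nat_ip = nat_ip
        self.nat_table = {}  # translated source port -> (original src, sport)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def forward_out(self, pkt):
        """Outbound packet: rewrite the source only if this box does NAT."""
        pkt = dict(pkt)
        if self.nat_ip:
            self.nat_table[pkt["sport"]] = (pkt["src"], pkt["sport"])
            pkt["src"] = self.nat_ip
        return pkt

    def forward_reply(self, pkt):
        """Inbound reply: undo NAT if this box did it, then pick its next hop."""
        pkt = dict(pkt)
        if self.nat_ip and pkt["dport"] in self.nat_table:
            pkt["dst"], pkt["dport"] = self.nat_table[pkt["dport"]]
        return pkt, self.next_hop(pkt["dst"])

def dns_round_trip(tier1_has_return_routes):
    """Trace a DNS query from a server to 8.8.8.8 with NAT on the 1st tier only."""
    tier1_routes = [("0.0.0.0/0", "WAN"), ("192.168.100.0/24", "direct")]
    if tier1_has_return_routes:  # routes so un-NATed replies go back inward
        tier1_routes += [("192.168.50.0/24", TIER2_INTERMEDIATE_IP),
                         ("192.168.40.0/24", TIER2_INTERMEDIATE_IP)]
    tier1 = Firewall(tier1_routes, nat_ip=TIER1_PUBLIC_IP)
    tier2 = Firewall([("0.0.0.0/0", "192.168.100.1"), ("192.168.50.0/24", "direct"),
                      ("192.168.40.0/24", "direct")])  # plain routing, no NAT
    query = {"src": "192.168.50.10", "sport": 40000, "dst": "8.8.8.8", "dport": 53}
    on_wan = tier1.forward_out(tier2.forward_out(query))
    reply = {"src": on_wan["dst"], "sport": 53, "dst": on_wan["src"], "dport": on_wan["sport"]}
    reply, hop = tier1.forward_reply(reply)  # the resolver answered the public IP
    if hop != TIER2_INTERMEDIATE_IP:
        return "lost: tier1 routes the reply for %s to %s" % (reply["dst"], hop)
    reply, hop = tier2.forward_reply(reply)
    return "delivered to %s via %s" % (reply["dst"], hop)
```

Without the return routes the 1st tier's only match for 192.168.50.10 is its default route, so the de-NATed reply is sent back out the WAN and never reaches the server; with them, the 2nd tier forwards it without any NAT of its own, so the 1st tier's logs keep the original server address.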
