topic Re: Allow remote network through firewall in Network Security

Allow remote network through firewall

Smitster — Thu, 19 Nov 2020 09:58:29 GMT

Hi,

I currently have two offices/networks connected to one another via Cisco Meraki Site to Site VPN.

Office A has network address 192.168.1.0/24 and Office B has network address 192.168.2.0/24. Office B also has a Cisco FPR1120 firewall managed through FDM with inside address 192.168.3.0/24.

From Office A I can ping and get to all devices through the VPN on the outside interface of the firewall (192.168.2.0/24). Similarly from Office B I can get to all devices on the Office A network both from the outside and inside of the firewall (from 192.168.2.0/24 and 192.168.3.0/24 respectively)

Sitting at Office A I can’t however ping / get to the inside network of the firewall at 192.168.3.0/24. I’m sure I need to set up a firewall rule of some sort to allow traffic from Office A network 192.168.1.0/24 to get to the inside firewall network 192.168.3.0/24 but am struggling to get this setup.

Please can you assist? Thanks

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 10:19:12 GMT

Hi @Smitster

It could be a NAT problem, do you have a NAT exemption rule setup to ensure traffic between those networks is not unintentially natted?

What rules do you have defined in your ACP? Please provide screenshots of your ACP

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 10:40:50 GMT

These are the current ACP rules:

These are the current NAT rules

With regards to the ACP "ADServerOutIn" rule and "VM1ServerNAT" rule there is currently a Windows Server sitting behind the firewall at Office B - object "EServerVM1" and I was looking at trying to translate this from inside interface ip to outside interface ip - 192.168.3.2 to 192.168.2.2 as a way to get access to it from the OfficeA network.

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 11:00:47 GMT

You would need another ACP rule from OfficeANetwork to OfficeBNetwork.

You'll need a NAT exemption rule between those networks, to ensure traffic between those networks is not natted.

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 11:18:41 GMT

I've updated the rules as follows:

ACP:

NAT:

But still having the same issue. Have I missed something?

Thanks,

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 11:36:13 GMT

All traffic will match the first nat rule nad never match your new nat rule.

Modify or Delete/recreate the first nat rule and ensure it is below the NAT exemption rule (OfficeA-B).

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 11:49:39 GMT

I've updated the order as follows:

Unfortunately this appears to have resulted in Office B network no longer being able to ping Office A. Office A can ping Office B on the outside network 192.168.2.0/24 but still not on the inside.

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 12:04:07 GMT

The screenshot above is from OfficeB or OfficeA?

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 12:06:52 GMT

Office B, there's just a Cisco Meraki at Office A (no FPR Firewall)

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 12:08:43 GMT

To confirm - it goes

Office A 192.168.1.0/24 --> Cisco Meraki --Auto VPN Tunnel -- Cisco Meraki --> Office B Outside 192.168.2.0/24 --> FPR1120 --> Office B Inside 192.168.3.0/24

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 12:10:14 GMT

Ok, so traffic is now sourced from the original IP address (OfficeBNetwork) rather the outside interface of OfficeB's FTD. So check the other end to confirm if traffic is expected from OfficeBNetwork or the outside interface of Office B's FTD.

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 12:23:00 GMT

There's just a Cisco Meraki sitting at Office A, and no FTD. The Cisco Meraki Cloud is set up with an Auto VPN with Office B on 192.168.2.0/24 network, so this may be causing it.

Is it possible to forward the Server sitting on the inside of Office B Firewall at 192.168.3.2 to be reachable on the Outside interface at 192.168.2.2?

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 12:33:27 GMT

I've set this up to try and forward the server sitting at 192.168.3.2 on the inside interface to 192.168.2.2 on the outside interface:

NAT:

ACP

Trying to ping the server using 192.168.2.2 but no result

Re: Allow remote network through firewall

Rob Ingram — Thu, 19 Nov 2020 12:59:52 GMT

Does the VPN crypto ACL that defines interesting traffic include the 192.168.3.0/24 network?

Or are you attempting to use NAT because it's not?

Your Auto NAT rule (rule #2) in the above screenshot will never be matched, because traffic will be matched by the first NAT rule.

Re: Allow remote network through firewall

Smitster1 — Thu, 19 Nov 2020 13:45:15 GMT

Just to confirm it's now up and running - required the setting of a static route on the Cisco Meraki that pointed all traffic on 192.168.3.0/24 subnet to the FDM IP.