topic Re: unable to access LAN to DMZ via L3 switch in Network Security

unable to access LAN to DMZ via L3 switch

rajesh4 — Fri, 30 Dec 2022 12:56:11 GMT

Dear Team,

My Network topology

We are migrating the Cyberoam to firepower 1010,

issue reported:

"Unable to access LAN to DMZ via LAN L3 switch"

Internal LAN (192.168.10.2)--||--L3 switch 192.168.9.2 --|| -- FW 1010 LAN interface 192.168.9.1 --||-- FW 1010 DMZ interface 192.168.4.1 --||-- 192.168.4.190(host machine)

1) We can able to ping from internal LAN network 192.168.10.2 to FW 1010 LAN interface 192.168.9.1 (working fine)
2) And when I am tried to ping from internal LAN network 192.168.10.2 to DMZ host machine 192.168.4. 190 (Not working and tracert output is up to reachable 192.168.10.1)
3) In the existing Cyberoam firewall routing is working fine.

Required your assistance to resolve issue and kindly assign to senior expert engineer to troubleshoot.

Can you help me why 192.168.4.1 not reachable from 192.168.10.2 internal LAN system.

For your reference attached network topology.

Re: unable to access LAN to DMZ via L3 switch

Rob Ingram — Fri, 30 Dec 2022 13:28:58 GMT

@rajesh4 you cannot ping the DMZ interface IP address (192.168.4.1) when you are connected behind the LAN interface, that's by design on the FTD. The FTD only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through one FTD interface to a far FTD interface.

You should test connectivity by pinging a device in the DMZ, for that you need to create an Access Control rule to permit the traffic. Also, ensure that NAT is not unintentially translating the traffic.

Re: unable to access LAN to DMZ via L3 switch

MHM Cisco World — Fri, 30 Dec 2022 13:41:30 GMT

the issue in L3SW not in FW.
you must add route to DMZ subnet in L3SW toward INside interface of FW.
that all.

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Fri, 30 Dec 2022 13:49:30 GMT

Hi Rob,

Thank you for your response,

Noted, I want to reach NAS server 192.168.4.190 from 192.168.10.2 via 192.168.9.1

Internal LAN (192.168.10.2)--||--L3 switch 192.168.9.2 --|| -- FW 1010 LAN interface 192.168.9.1 --||-- 192.168.4.190(host machine)

Kindly help us to resolve issue.

"Same setup working in Cyberoam firewall" When i replace the firepower 1010 firewall not working.

Thanks & regards

S Rajesh

+91-8861530472

Re: unable to access LAN to DMZ via L3 switch

Rob Ingram — Fri, 30 Dec 2022 13:53:41 GMT

@rajesh4 you can run packet-tracer this will confirm where the problem lies.

From the CLI of the FTD run "packet-tracer input <source interface name> tcp 192.168.10.2 3000 192.168.4.190 80" and provide the output for review.

Please provide a screenshot of your Access Control policy and NAT rules on the FTD.

From the CLI of the FTD run "show route" and provide the output for review.

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Fri, 30 Dec 2022 14:09:15 GMT

Hi,

"Same setup working in Cyberoam firewall" When i replace the firepower 1010 firewall not working.

In L3 switch already have the default route and still not working.

#ip route 0.0.0.0 0.0.0.0 192.168.9.1

We can able to ping firewall interface 192.168.9.1/30 via L3 switch LAN IP 192.168.10.2/24

if trying to ping the NAS IP address from same LAN IP 192.168.10.2 to 192.168.4.190. not working ( tracert output 192.168.10.1)

Thanks & Regards

S Rajesh

+91- 8861530472

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Fri, 30 Dec 2022 14:11:47 GMT

Hi Rob,

If possible can we connect through remote session or through call, it would be better for understand setup & issue.

Rajesh +918861530472

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Fri, 30 Dec 2022 14:12:42 GMT

Hi,

If possible can we connect through remote session or through call, it would be better for understand setup & issue.

Rajesh +918861530472

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Mon, 02 Jan 2023 16:38:00 GMT

Dear Rob,

Please find the attached screenshot of ACL, NAT & Route.

Thanks & Regards

S Rajesh

+91-8861530472

Re: unable to access LAN to DMZ via L3 switch

Rob Ingram — Mon, 02 Jan 2023 16:51:14 GMT

@rajesh4 possibly a NAT issue, there are 10 NAT rules above the screenshot of the rules you provided, traffic may unintentially match one of those rules, from the CLI of the switch run show nat detail and provide the output.

Provide the packet-tracer output as previously requested, this would confirm the NAT rule and which Access Control rule is matched.

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Mon, 02 Jan 2023 17:00:23 GMT

@rob I have disabled all NAT policy and only i have enabled the NAT policy no 11 & 12.

Re: unable to access LAN to DMZ via L3 switch

rajesh4 — Mon, 02 Jan 2023 17:11:50 GMT

I have to reach (DMZ network) 192.168.4.0/24 series from L3 switch 192.168.10.0/24

And my route should work like this 192.168.10.1---> 192.168.9.1--->192.168.4.X and reserve route should work like this 192.168.4.1--->192.168.9.2--->192.168.10.X

How can cerate route in firepower firewall 1010 and L3 switch.

Thanks & Regards

S Rajesh

Re: unable to access LAN to DMZ via L3 switch

Rob Ingram — Mon, 02 Jan 2023 17:21:09 GMT

@rajesh4 please provide the exact information requested.