Firewall behind two GLBP routers

essa.anas — Mon, 11 Mar 2019 23:13:14 GMT

Hi,

I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :

Phase: 7

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside10,outside) source dynamic LAN interface

Additional Information:

Forward Flow based lookup yields rule:

in id=0x74331ed8, priority=6, domain=nat, deny=false

hits=1390, user_data=0x74334578, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=10.X.X.X, mask=255.255.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=inside10, output_ifc=outside

The firewall configuration is as follows:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.0.XX 255.255.255.240
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description DataVLAN
vlan 10
nameif inside10
security-level 100
ip address X.X.X.X 255.255.0.0

object-group network LAN
network-object X.X.X.X 255.255.0.0

nat (inside10,outside) source dynamic LAN interface

route outside 0.0.0.0 0.0.0.0 GLBP_Virtual_Interface

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

The GLBP Routers are configured with natting also as follows:

interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address ISP_CLIENT_SIDE 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address XX.XX.0.XX 255.255.255.240
ip nat inside
ip virtual-reassembly in
glbp 1 ip GLBP_VIRTUAL_IP
duplex auto
speed auto
!

ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ISP_GW

access-list 1 permit any

Regards

Essa

Firewall behind two GLBP routers

Kureli Sankar — Sun, 03 Jun 2012 16:40:35 GMT

Essa,

Interesting. What do the syslogs show? What is your packet tracer trigger? Could you pls. copy and paste it pls and the entire output as well. What is inside the object LAN?

Thanks,

Kureli

topic Firewall behind two GLBP routers in Network Security

Firewall behind two GLBP routers

Firewall behind two GLBP routers