topic Re: Question about routes in Network Security

Question about routes

sidcracker — Mon, 11 Mar 2019 18:27:41 GMT

Hello everyone,

I have 2 redundant layer 3 switches which are connected to the core router. The switches are also connected to the redundant firewalls.

ISP Network
       |
       |
       |
       |
   Core Router
       |
       |
       |
       |
Redundant Layer 3Core Switch ----------Redundant Firewalls -------- VPN Router---------Core Router ---------Internet

We have a default route on the Core switch saying all traffic goes towards the Core Router. I add a route on the Firewall saying that a host (20.20.20.20) should go towards the VPN router. I add NAT statement to nat the traffic towards the VPN router and out the Internet. When I ping from the firewall to 20.20.20.20 it doesnt ping. However when i remove the nats and the routes it pings.

My question is if there is a default route on the switch pointing to the core router, then will another specific static route on the firewall towards the VPN router work? it should work since its logical that I am pinging from the firewall.

This is my nat statement

nat (inside) 10 access-list site_to_site

global (vpn-network) 10 192.168.10.20

access-list site_to_site extended permit ip object-group internal_hosts host 20.20.20.20

Thanks

Re: Question about routes

KARUPPUCHAMY MALAIYANDI — Thu, 19 Aug 2010 02:17:43 GMT

Hi,

Your NAT configuration are perfectly OK.After configured NAT on the firewalls, have you tried to ping from core switch.

One more thing, Default route point towards which core router. since you have mentioned two core router, i am bit confused.

If you have default route point towards ISP core router, then you need to configure specific routes to reach internet towards firewall.

Thanks

Samy

Re: Question about routes

sidcracker — Thu, 19 Aug 2010 02:34:22 GMT

Hi Samy,

The default route goes towards the ISP Router from the switch. Even if this is the case, since i have a default route on the firewall telling it to pass traffic towards the VPN router, isnt it logical that if i am pinging from the firewall it should pass towards the vpn router. The switches are behind the firewall so it wont even be looking at that side.

Thanks

Re: Question about routes

KARUPPUCHAMY MALAIYANDI — Thu, 19 Aug 2010 02:39:07 GMT

Hi,

If you have default routes on the firewall towards the VPN, then no need of specific routes.

I am saying that after you have done NAT on firewall, have you tried to ping to 20.xx.xx.xx IP from core switch.

Thanks

Samy

Re: Question about routes

Jigar Dave — Thu, 19 Aug 2010 04:34:51 GMT

Hi Sidcracker,

only permitted traffic is allowed to pass through firewall, means if you have allowed ping (ICMP type 😎 in firewall then only it crosses firewall otherwise it drops at firewall. other config is ok.

hope this helps a bit in troubleshooting this.

Thanks,

Jigar