3 Firewalls in 1 layer-2 switch, 1 acts as Default Gateway

juandcc2014
Level 1

Hello everyone.

I am currently trying to set up a network made up of a large layer-2 switch, some computers connected to that switch, 3 Cisco Firepower 1120 ASA Firewalls, and other networks beyond 2 of the firewalls, with the other firewall acting as the default gateway. This firewall that acts as a default gateway has the objective to route any packets destined to or from the networks of the other firewalls. Below is an image of the network:

juandcc2014_1-1743044358874.png


I am simulating the network I have physically with what I have on Packet Tracer. So instead of using a Firepower 1120 ASA, I am using a 5506-X firewall. Each computer on the 192.168.1.0 network (ex: Desktop 0) has 192.168.1.254 as its default gateway.

So, if I want to ping from Desktop 0 to Network 4 PC, the packet would first go to the Default Gateway Firewall (DG FW), then to Network 4 ASA FW, then to Network 4 Router, then to Network 4 L2 Switch, then to Network 4 PC, and lastly the ping reply would come back the same way it went in. The Default Gateway Firewall should also take care of receiving the ping replies and handing them to the desktop.


-- Information about devices --

  • Firewalls:
    • GigabitEthernet1/1 is "outside" interface with 192.168.1.x IP address
    • GigabitEthernet1/2 is "inside" interface with 172.2x.y.z IP Address, except for the DG ASA Firewall
    • No VLAN settings were modified, and left as default (not set)
    • ICMP Settings were inserted:
      • access-list ALLOW_ICMP extended permit icmp any any
      • access-group ALLOW_ICMP in interface outside
      • access-group ALLOW_ICMP in interface inside
    • NAT Settings were inserted:
      • no object network obj_any
    • Routes for Network 1 ASA FW
      • route inside 172.21.2.0 255.255.255.0 172.21.1.254

    • Routes for Network 4 ASA FW
      • route inside 172.24.2.0 255.255.255.0 172.24.1.254

    • Routes for DG ASA Firewall
      • route outside 172.24.2.0 255.255.255.0 192.168.1.4

      • route outside 172.21.2.0 255.255.255.0 192.168.1.1 

  • Routers: Using the ISR4331 Router
    • No VLAN Settings were applied
    • No NAT settings were applied
    • Static routes were applied:
      • Network 1 Router: 192.168.1.0/24 via 172.21.1.253
      • Network 4 Router: 192.168.1.0/24 via 172.24.1.253

-- Behavior --

  • When pinging:
    • Only Desktop 1 successfully pings Network 1 PC and Network 2 PC, following the correct path stated initially
    • Desktop 0 and 2 have strange behavior I do not understand: 
      • When Desktop 0 or 2 pings Network 4 PC, the Simulation view shows the ICMP packet going *directly* into Network 4 ASA FW rather than going to DG ASA Firewall. The ping gets back successfully to Desktop 0, but it clearly did not follow the intended path (DG ASA Firewall first, then Network 4 ASA FW)
      • When Desktop 0 or 2 pings Network 1 PC, the Simulation view shows the ICMP packet again going directly into Network 4 ASA FW, but this time it doesn't send it to the router; it sends a packet back to the switch, which the switch sends to Desktop 0, and the Last Status column indicates Failed on the ping

I am fairly new to networking so any help is appreciated.


4 Replies

Azizi123
Level 1

Desktop 0 and 2 Configuration: Verify the default gateway on Desktop 0 and Desktop 2. They should have the IP address of the default gateway ASA configured as the default route. If the desktops have incorrect gateway configurations, they might try to communicate with the wrong ASA (e.g., Network 4 ASA).

Routing Configuration on Desktops: Make sure that no static routes are incorrectly set on Desktop 0 or Desktop 2 that could force traffic to the wrong firewall.


@Azizi123 wrote:

Routing Configuration on Desktops: Make sure that no static routes are incorrectly set on Desktop 0 or Desktop 2 that could force traffic to the wrong firewall.


I have verified that the Default gateways of each desktop are 192.168.1.254. However, I did not place any static routes on those desktop computers. The reason I am using this Firewall as default gateway is solely because I want to avoid adding static routes to the desktops.

Azizi123
Level 1

Please make sure that the firewall acting as the default gateway for the desktops and the routing rules are correctly configured. The firewall should route traffic to the other firewalls, but if the static routes or dynamic routing protocols (e.g., OSPF, BGP) are not properly set, traffic might be sent directly to the wrong firewall (e.g., Network 4 ASA).

Also check the routing tables on all firewalls (Network 1 ASA, Network 2 ASA, and the default gateway ASA). Ensure that each firewall has the appropriate static routes or dynamic routes that direct traffic towards the intended next-hop (other firewall). In particular, verify that the default gateway ASA is properly routing traffic towards the other two firewalls.

Andriy Bilous
Level 1

This is most probably due to IP redirects. As all your firewalls reside on the same network as the clients, after the first packet from the client your default gateway firewall informs it with an ICMP message that there is a better path to the destination through a different next hop, using its own routing table. This should get reflected in the desktop routing table if Packet Tracer allows you to see it.
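To make the redirect explanation concrete, here is an added example (not code from the thread or from Cisco) that models the forwarding decision of the DG ASA and the Network 4 ASA with the routes posted above. It performs a longest-prefix lookup and flags the classic ICMP Redirect precondition: the packet would leave on the same interface it arrived on, towards a next hop that sits on the sender's own subnet. Desktop addresses (192.168.1.10), the Network 4 ASA inside address (172.24.1.253, inferred from the Network 4 router's static route) and the /24 masks on the 192.168.1.0 segment are assumptions; the routes and gateway addresses are the ones the thread gives.

```python
"""Constructed model of the forwarding decisions discussed in the thread.

Not the thread's own configuration: a small routing-table simulator that
reports, for each packet, the next hop chosen and whether the gateway would
be in the position described by RFC 1812 for sending an ICMP Redirect
(egress interface == ingress interface, next hop on the sender's subnet).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    next_hop: Optional[IPv4] = None  # None: destination is directly connected


class Gateway:
    """A router/firewall: its interface addresses and its routing table."""

    def __init__(self, name, interfaces, routes):
        self.name = name
        self.interfaces = interfaces  # interface name -> IPv4Interface
        self.routes = tuple(routes)

    def ingress_interface(self, src: IPv4) -> Optional[str]:
        for name, addr in self.interfaces.items():
            if src in addr.network:
                return name
        return None

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match; None when no route covers dst."""
        candidates = [r for r in self.routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src: IPv4, dst: IPv4) -> dict:
        ingress = self.ingress_interface(src)
        route = self.lookup(dst)
        if route is None:
            return {"action": "drop", "reason": "no route", "redirect": False}
        next_hop = route.next_hop if route.next_hop is not None else dst
        # Redirect precondition: packet goes back out the interface it came
        # in on, to a next hop the sender could have reached directly.
        same_link = (
            ingress is not None
            and ingress == route.interface
            and next_hop in self.interfaces[ingress].network
            and next_hop != self.interfaces[ingress].ip
        )
        return {"action": "forward", "egress": route.interface,
                "next_hop": next_hop, "redirect": same_link}


def build_dg_firewall() -> Gateway:
    """DG ASA: outside 192.168.1.254 and the two 'route outside' lines."""
    outside = ipaddress.IPv4Interface("192.168.1.254/24")  # /24 assumed
    return Gateway("DG ASA", {"outside": outside}, [
        Route(outside.network, "outside"),
        Route(Net("172.24.2.0/24"), "outside", IPv4("192.168.1.4")),
        Route(Net("172.21.2.0/24"), "outside", IPv4("192.168.1.1")),
    ])


def build_network4_firewall() -> Gateway:
    """Network 4 ASA: outside 192.168.1.4, inside 172.24.1.253 (inferred),
    and its single posted 'route inside' line."""
    outside = ipaddress.IPv4Interface("192.168.1.4/24")
    inside = ipaddress.IPv4Interface("172.24.1.253/24")
    return Gateway("Network 4 ASA", {"outside": outside, "inside": inside}, [
        Route(outside.network, "outside"),
        Route(inside.network, "inside"),
        Route(Net("172.24.2.0/24"), "inside", IPv4("172.24.1.254")),
    ])


def trace(gateway: Gateway, src: str, dst: str) -> dict:
    """Convenience wrapper taking dotted-quad strings."""
    return gateway.forward(IPv4(src), IPv4(dst))


if __name__ == "__main__":
    desktop = "192.168.1.10"  # constructed Desktop 0 address
    for gw in (build_dg_firewall(), build_network4_firewall()):
        for target in ("172.24.2.10", "172.21.2.10"):
            print(gw.name, desktop, "->", target, trace(gw, desktop, target))
```

Running it shows the DG ASA resolving both 172.24.2.0/24 and 172.21.2.0/24 to a next hop on the desktops' own subnet with the redirect flag set, while the Network 4 ASA forwards 172.24.2.0/24 towards its inside interface and has no route at all for 172.21.2.0/24. If a desktop installs the redirected route, that is exactly the pair of behaviours the original post describes. The defensive takeaway is the one most hardening guides give: gateways that forward between hosts on a single L2 segment will generate redirects unless told not to, and hosts that must keep a fixed path should be configured to ignore them.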