11-19-2020 01:57 AM - edited 11-19-2020 01:58 AM
Hi,
I currently have two offices/networks connected to one another via Cisco Meraki Site to Site VPN.
Office A has network address 192.168.1.0/24 and Office B has network address 192.168.2.0/24. Office B also has a Cisco FPR1120 firewall managed through FDM with inside address 192.168.3.0/24.
From Office A I can ping and get to all devices through the VPN on the outside interface of the firewall (192.168.2.0/24). Similarly, from Office B I can get to all devices on the Office A network, both from the outside and the inside of the firewall (from 192.168.2.0/24 and 192.168.3.0/24 respectively).
Sitting at Office A I can’t, however, ping / get to the inside network of the firewall at 192.168.3.0/24. I’m sure I need to set up a firewall rule of some sort to allow traffic from the Office A network 192.168.1.0/24 to get to the inside firewall network 192.168.3.0/24, but am struggling to get this set up.
Please can you assist? Thanks
11-19-2020 02:19 AM
Hi @Smitster
It could be a NAT problem. Do you have a NAT exemption rule set up to ensure traffic between those networks is not unintentionally NATted?
What rules do you have defined in your ACP? Please provide screenshots of your ACP.
11-19-2020 02:40 AM
These are the current ACP rules:
These are the current NAT rules
With regard to the ACP "ADServerOutIn" rule and the "VM1ServerNAT" rule: there is currently a Windows Server sitting behind the firewall at Office B (object "EServerVM1"), and I was looking at translating this from an inside interface IP to an outside interface IP (192.168.3.2 to 192.168.2.2) as a way to get access to it from the Office A network.
11-19-2020 03:00 AM
You would need another ACP rule from OfficeANetwork to OfficeBNetwork.
You'll need a NAT exemption rule between those networks, to ensure traffic between those networks is not natted.
11-19-2020 03:18 AM
I've updated the rules as follows:
ACP:
NAT:
But still having the same issue. Have I missed something?
Thanks,
11-19-2020 03:28 AM - edited 11-19-2020 03:36 AM
All traffic will match the first NAT rule and never match your new NAT rule.
Modify or delete/recreate the first NAT rule and ensure it is below the NAT exemption rule (OfficeA-B).
11-19-2020 03:49 AM
I've updated the order as follows:
Unfortunately this appears to have resulted in Office B network no longer being able to ping Office A. Office A can ping Office B on the outside network 192.168.2.0/24 but still not on the inside.
11-19-2020 04:04 AM
The screenshot above is from OfficeB or OfficeA?
11-19-2020 04:06 AM
Office B, there's just a Cisco Meraki at Office A (no FPR Firewall)
11-19-2020 04:08 AM
To confirm - it goes
Office A 192.168.1.0/24 --> Cisco Meraki --Auto VPN Tunnel -- Cisco Meraki --> Office B Outside 192.168.2.0/24 --> FPR1120 --> Office B Inside 192.168.3.0/24
11-19-2020 04:10 AM
OK, so traffic is now sourced from the original IP address (OfficeBNetwork) rather than the outside interface of Office B's FTD. So check the other end to confirm whether traffic is expected from OfficeBNetwork or from the outside interface of Office B's FTD.
11-19-2020 04:23 AM
There's just a Cisco Meraki sitting at Office A, and no FTD. The Cisco Meraki Cloud is set up with an Auto VPN with Office B on the 192.168.2.0/24 network, so this may be causing it.
Is it possible to forward the Server sitting on the inside of Office B Firewall at 192.168.3.2 to be reachable on the Outside interface at 192.168.2.2?
11-19-2020 04:33 AM
I've set this up to try and forward the server sitting at 192.168.3.2 on the inside interface to 192.168.2.2 on the outside interface:
NAT:
ACP:
Trying to ping the server using 192.168.2.2 but no result.
11-19-2020 04:59 AM
Does the VPN crypto ACL that defines interesting traffic include the 192.168.3.0/24 network?
Or are you attempting to use NAT because it's not?
Your Auto NAT rule (rule #2) in the above screenshot will never be matched, because traffic will be matched by the first NAT rule.
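The two replies above (the "All traffic will match the first NAT rule" post and this one) both come down to how the FTD evaluates its NAT table: Section 1 manual rules in configured order, then Section 2 Auto NAT rules (static before dynamic), then Section 3 "after auto" manual rules, with the first match winning. The script below is an added example, not code from the thread or from Cisco, that models that first-match lookup for inside-initiated traffic and runs the three rule layouts discussed: PAT above the exemption, exemption above PAT, and a server Auto NAT sitting under a Section 1 PAT rule. The rule names OfficeA-B and VM1ServerNAT and the server addresses 192.168.3.2 / 192.168.2.2 are taken from the thread; the PAT rule name InsideToOutside-PAT, the outside interface address 192.168.2.254, and the reduced Section 2 tie-break are assumptions made for the example.

```python
"""Added example: first-match model of the Cisco ASA/FTD NAT table order.

Only the forward (inside-initiated) source lookup is modelled; the reverse
untranslation an inbound connection performs, interface selection and ports
are left out. Rule names not in the thread and the outside IP are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: the FTD outside interface address (the thread never states it).
OUTSIDE_IF_IP = "192.168.2.254"


@dataclass
class NatRule:
    name: str
    section: int                  # 1 = manual, 2 = auto, 3 = manual "after auto"
    src: str                      # real source, e.g. "192.168.3.0/24"
    dst: str = "0.0.0.0/0"        # destination match; only manual rules may use it
    kind: str = "dynamic"         # "dynamic" = PAT to interface, "static" = identity or 1:1
    translated_src: Optional[str] = None  # None on a static rule = identity (NAT exemption)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.section == 2 and self.dst != "0.0.0.0/0":
            raise ValueError(f"{self.name}: Auto NAT cannot match on destination")
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def apply(self, src_ip: str) -> str:
        if self.kind == "dynamic":
            return OUTSIDE_IF_IP                       # PAT to the outside interface
        if self.translated_src is None:
            return src_ip                              # identity: exempt from NAT
        # one-to-one static: keep the host offset inside the translated network
        real, mapped = ip_network(self.src), ip_network(self.translated_src)
        offset = int(ip_address(src_ip)) - int(real.network_address)
        return str(mapped.network_address + offset)


def nat_table_order(rules: List[NatRule]) -> List[NatRule]:
    """Order rules as the NAT table evaluates them. Simplified: within Section 2
    only static-before-dynamic is modelled; the real tie-break also uses the
    number of real addresses, then the IP, then the object name."""
    sec1 = [r for r in rules if r.section == 1]
    sec2 = sorted((r for r in rules if r.section == 2),
                  key=lambda r: 0 if r.kind == "static" else 1)
    sec3 = [r for r in rules if r.section == 3]
    return sec1 + sec2 + sec3


def translate(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First match wins; return (rule name, translated source address)."""
    for rule in nat_table_order(rules):
        if rule.matches(src_ip, dst_ip):
            return rule.name, rule.apply(src_ip)
    return "no-nat", src_ip


OFFICE_A = "192.168.1.0/24"          # OfficeANetwork in the thread
OFFICE_B_INSIDE = "192.168.3.0/24"   # OfficeBNetwork (FTD inside) in the thread

PAT_FIRST = [   # the first attempt: PAT above the exemption, so the exemption never hits
    NatRule("InsideToOutside-PAT", 1, OFFICE_B_INSIDE),
    NatRule("OfficeA-B", 1, OFFICE_B_INSIDE, dst=OFFICE_A, kind="static"),
]
EXEMPT_FIRST = [  # after moving the exemption above the PAT rule
    NatRule("OfficeA-B", 1, OFFICE_B_INSIDE, dst=OFFICE_A, kind="static"),
    NatRule("InsideToOutside-PAT", 1, OFFICE_B_INSIDE),
]
SERVER_AUTO_NAT = [  # server static as Auto NAT (Section 2) under a Section 1 PAT rule
    NatRule("InsideToOutside-PAT", 1, OFFICE_B_INSIDE),
    NatRule("VM1ServerNAT", 2, "192.168.3.2/32", kind="static", translated_src="192.168.2.2/32"),
]
SERVER_AUTO_NAT_FIXED = [  # same, with the PAT rule placed "after auto" (Section 3)
    NatRule("InsideToOutside-PAT", 3, OFFICE_B_INSIDE),
    NatRule("VM1ServerNAT", 2, "192.168.3.2/32", kind="static", translated_src="192.168.2.2/32"),
]

if __name__ == "__main__":
    cases = [("PAT first", PAT_FIRST), ("exemption first", EXEMPT_FIRST),
             ("server Auto NAT under Section 1 PAT", SERVER_AUTO_NAT),
             ("server Auto NAT, PAT after-auto", SERVER_AUTO_NAT_FIXED)]
    for label, table in cases:
        rule, src = translate(table, "192.168.3.2", "192.168.1.10")
        print(f"{label:38} 192.168.3.2 -> 192.168.1.10 hits {rule:20} source becomes {src}")
```

Run it and the PAT-first layout shows the server's traffic towards Office A leaving with the outside interface address, which is why Office A never saw 192.168.3.0/24 as a source; only with the exemption ahead of the PAT rule does the inside address survive. NAT order is just one of the things the thread had to get right: the inside subnet also had to be routed (the static route on the Meraki) and allowed in the ACP before the path worked end to end.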
11-19-2020 05:45 AM
Just to confirm, it's now up and running. It required setting a static route on the Cisco Meraki that pointed all traffic for the 192.168.3.0/24 subnet to the FDM IP.