Allow remote network through firewall

Smitster
Level 1

Hi,
I currently have two offices/networks connected to one another via Cisco Meraki Site to Site VPN.
Office A has network address 192.168.1.0/24 and Office B has network address 192.168.2.0/24. Office B also has a Cisco FPR1120 firewall managed through FDM with inside address 192.168.3.0/24.
From Office A I can ping and get to all devices through the VPN on the outside interface of the firewall (192.168.2.0/24). Similarly from Office B I can get to all devices on the Office A network both from the outside and inside of the firewall (from 192.168.2.0/24 and 192.168.3.0/24 respectively)
Sitting at Office A I can’t however ping / get to the inside network of the firewall at 192.168.3.0/24. I’m sure I need to set up a firewall rule of some sort to allow traffic from Office A network 192.168.1.0/24 to get to the inside firewall network 192.168.3.0/24 but am struggling to get this setup.
Please can you assist? Thanks


Hi @Smitster 

It could be a NAT problem, do you have a NAT exemption rule setup to ensure traffic between those networks is not unintentionally natted?

What rules do you have defined in your ACP? Please provide screenshots of your ACP

Smitster1
Level 1

These are the current ACP rules:

[screenshot: acp.PNG]

These are the current NAT rules:

[screenshot: nat.PNG]

 

 With regards to the ACP "ADServerOutIn" rule and "VM1ServerNAT" rule there is currently a Windows Server sitting behind the firewall at Office B - object "EServerVM1" and I was looking at trying to translate this from inside interface ip to outside interface ip - 192.168.3.2 to 192.168.2.2 as a way to get access to it from the OfficeA network.

 

You would need another ACP rule from OfficeANetwork to OfficeBNetwork.

You'll need a NAT exemption rule between those networks, to ensure traffic between those networks is not natted.

I've updated the rules as follows:

 

ACP:

[screenshot: acp.PNG]

NAT:

[screenshot: nat.PNG]

 

But still having the same issue. Have I missed something?

 

Thanks,

 

All traffic will match the first NAT rule and never match your new NAT rule.

Modify or Delete/recreate the first nat rule and ensure it is below the NAT exemption rule (OfficeA-B).
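To make the ordering point concrete, here is a small first-match model of a NAT table, written as an added example for this thread (it is not code from the thread, from Cisco, or from FDM): rules are evaluated top to bottom and the first one whose original source and destination match decides the translation. The rule names, the outside-interface address 192.168.2.1 and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed outside-interface address of the FPR1120 (constructed; not stated in the thread).
OUTSIDE_IF_IP = "192.168.2.1"


@dataclass
class NatRule:
    name: str
    src: str      # original source network, or "any"
    dst: str      # original destination network, or "any"
    action: str   # "exempt" = identity NAT (keep source), "pat" = translate source to outside IP


def _in(net, ip):
    """True when ip falls inside net; "any" matches every address."""
    return net == "any" or ip_address(ip) in ip_network(net)


def translate(rules, src_ip, dst_ip):
    """Return (matched rule name, translated source IP). First match wins, later rules are ignored."""
    for r in rules:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip):
            return r.name, (src_ip if r.action == "exempt" else OUTSIDE_IF_IP)
    return "no-match", src_ip


# Constructed rules mirroring the thread: a broad inside-to-outside PAT rule and the
# OfficeA-B exemption for Office B inside (192.168.3.0/24) to Office A (192.168.1.0/24).
PAT_RULE = NatRule("InsideToOutsidePAT", "192.168.3.0/24", "any", "pat")
EXEMPT_RULE = NatRule("OfficeA-B", "192.168.3.0/24", "192.168.1.0/24", "exempt")

# Order from the poster's screenshot: the PAT rule sits above the exemption and shadows it.
MISORDERED = [PAT_RULE, EXEMPT_RULE]
# Order the reply asks for: the exemption is evaluated before the PAT rule.
CORRECTED = [EXEMPT_RULE, PAT_RULE]


def check(rules):
    """Evaluate one VPN-bound flow and one Internet-bound flow against a rule order."""
    return {
        "vpn": translate(rules, "192.168.3.2", "192.168.1.10"),
        "internet": translate(rules, "192.168.3.2", "203.0.113.5"),
    }


if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, check(rules))
```

With the misordered table the VPN-bound flow leaves as 192.168.2.1, which is why the far end sees the outside interface instead of the inside host; with the corrected order the same flow keeps its 192.168.3.2 source while Internet-bound traffic is still PATed.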

I've updated the order as follows:


[screenshot: nat2.PNG]


Unfortunately this appears to have resulted in Office B network no longer being able to ping Office A. Office A can ping Office B on the outside network 192.168.2.0/24 but still not on the inside.

The screenshot above is from OfficeB or OfficeA?

Office B, there's just a Cisco Meraki at Office A (no FPR Firewall)

Smitster1
Level 1

To confirm - it goes

 

Office A 192.168.1.0/24 --> Cisco Meraki --Auto VPN Tunnel -- Cisco Meraki --> Office B Outside 192.168.2.0/24 --> FPR1120 --> Office B Inside 192.168.3.0/24

Ok, so traffic is now sourced from the original IP address (OfficeBNetwork) rather than the outside interface of OfficeB's FTD. So check the other end to confirm if traffic is expected from OfficeBNetwork or the outside interface of Office B's FTD.

There's just a Cisco Meraki sitting at Office A, and no FTD. The Cisco Meraki Cloud is set up with an Auto VPN with Office B on 192.168.2.0/24 network, so this may be causing it.

 

Is it possible to forward the Server sitting on the inside of Office B Firewall at 192.168.3.2 to be reachable on the Outside interface at 192.168.2.2?

Smitster1
Level 1

I've set this up to try and forward the server sitting at 192.168.3.2 on the inside interface to 192.168.2.2 on the outside interface:


NAT:

[screenshot: nat.PNG]

ACP:

[screenshot: acp.PNG]


Trying to ping the server using 192.168.2.2 but no result

Does the VPN crypto ACL that defines interesting traffic include the 192.168.3.0/24 network?

Or are you attempting to use NAT because it's not?

 

Your Auto NAT rule (rule #2) in the above screenshot will never be matched, because traffic will be matched by the first NAT rule.

Just to confirm it's now up and running - required the setting of a static route on the Cisco Meraki that pointed all traffic on 192.168.3.0/24 subnet to the FDM IP.
