Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
862
Views
3
Helpful
11
Replies

Cannot ping across Cisco Firewall 2110

Go to solution
donovanrodriguez9726
Level 1
Level 1

ā€Ž03-27-2023 11:35 AM

I have a bit of a unique situation which I am struggling with. The topology is a bit weird so let me explain the end goal. We want to physically separate the two sides of this network into two autonomous networks with each side having their own firewall to control what traffic enters their side. Here is part of the set up:

donovanrodriguez9726_0-1679941831461.png

The issue is that I cannot ping the PC on the right from the PC on the left. I can ping the default gateway of 172.27.0.1, but I cannot ping the p2p interface of 192.168.5.2. On the actual firewall, I can ping the PC at 172.27.0.2 and the outside interface of the other firewall at 192.168.5.1, but I cannot ping the inside interface of the other firewall at 172.27.1.1 or the PC at 172.27.1.2. I haven't done much for the actual configuration of the firewalls, just added a generic allow all policy and messed around with the routes but I haven't had any success.

The firewalls are Cisco Firepower 2110 and I'm managing them locally using FDM. The switches are both Catalyst 9200's and the end points are just generic windows. I'm not too familiar with this stuff so any help is appreciated. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to donovanrodriguez9726

ā€Ž03-27-2023 02:09 PM - edited ā€Ž03-27-2023 02:09 PM

@donovanrodriguez9726 there's no point testing traffic on a directly connected interface. Run packet tracer from source IP of pc1 to pc2 ip.

Repeat the packet tracer test from both firewalls.

Also don't test from the firewalls ip address, generate traffic through the firewall, not to/from.

View solution in original post

11 Replies 11

Go to solution
Rob Ingram
VIP
VIP

ā€Ž03-27-2023 11:45 AM

@donovanrodriguez9726 you can only ping the firewall interface closest to you. You cannot ping through the firewall to one of the firewall's far interfaces, that's by design.

If you cannot ping the PC at 172.27.1.2, you have confirmed the PC has the correct routing?

Do you have NAT configured?

Run packet-tracer from the CLI of the firewalls to confirm connectivity to the PC.

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to Rob Ingram

ā€Ž03-27-2023 12:30 PM

No NAT running, we are purely using the firewalls for acl purposes essentially. What do you mean by correct routing exactly? I'm able to ping from 172.27.0.2 to 172.27.0.1 should I have routing from 172.27.0.1 -> 172.27.1.2? 

I'm trying to figure out the packet-tracer deal, standby. Thanks for reaching out though.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to donovanrodriguez9726

ā€Ž03-27-2023 12:47 PM

@donovanrodriguez9726 yes you will need full routing. The Pc should have the local FW ip address as the default gateway and the FWs should have a route to the remote network, or a default route via the other FW.

0 Helpful

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to Rob Ingram

ā€Ž03-27-2023 01:17 PM

Would this route work? 

Name              Interface                  Network          Gateway
DefaultRoute    Inside (172.27.0.1) 172.27.1.0/24 192.168.5.2

0 Helpful

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to donovanrodriguez9726

ā€Ž03-27-2023 01:18 PM

I'm more used to standard router routes, ip route 172.27.1.0 255.255.255.0 next-hop-ip 

Not sure how the security routes work

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to donovanrodriguez9726

ā€Ž03-27-2023 01:23 PM

@donovanrodriguez9726 it's the same logic on the firewall.

Define the destination network/mask and the next hop ip address.

You'll need to define routes on both FWs and obviously both PCs will need the default gateway as the FW inside interface IP address.

 

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to Rob Ingram

ā€Ž03-27-2023 02:03 PM

So I did verify connectivity from the PC's to the DGs. I then went and ran the packet-tracer it seems that something is blocking the ICMP traffic.

donovanrodriguez9726_0-1679950822612.png

I only have one access policy, see below:

donovanrodriguez9726_1-1679950968341.png

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to donovanrodriguez9726

ā€Ž03-27-2023 02:09 PM - edited ā€Ž03-27-2023 02:09 PM

@donovanrodriguez9726 there's no point testing traffic on a directly connected interface. Run packet tracer from source IP of pc1 to pc2 ip.

Repeat the packet tracer test from both firewalls.

Also don't test from the firewalls ip address, generate traffic through the firewall, not to/from.

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to Rob Ingram

ā€Ž03-27-2023 02:41 PM

I was finally able to figure it out. Packet tracer was a huge help. For the static route I needed to have the interface as the outside interface instead of the inside one. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

ā€Ž03-27-2023 12:24 PM

This VPN and you want to mgmt the FW through tunnel?

0 Helpful

Go to solution
donovanrodriguez9726
Level 1
Level 1
In response to MHM Cisco World

ā€Ž03-27-2023 12:31 PM

Not using an VPN's or any sort of NATing. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card