Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2049
Views
0
Helpful
1
Replies

Firewall behind two GLBP routers

essa.anas
Level 1
Level 1

‎05-30-2012 03:56 AM - edited ‎03-11-2019 04:13 PM

Hi, 

  I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :

Phase: 7

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside10,outside) source dynamic LAN interface

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x74331ed8, priority=6, domain=nat, deny=false

        hits=1390, user_data=0x74334578, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.X.X.X, mask=255.255.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside10, output_ifc=outside

The firewall configuration is as follows:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.0.XX 255.255.255.240
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description DataVLAN
vlan 10
nameif inside10
security-level 100
ip address X.X.X.X 255.255.0.0

object-group network LAN
network-object X.X.X.X 255.255.0.0

nat (inside10,outside) source dynamic LAN interface

route outside 0.0.0.0 0.0.0.0 GLBP_Virtual_Interface


policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

  The GLBP Routers are configured with natting also as follows:

interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address ISP_CLIENT_SIDE 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address XX.XX.0.XX 255.255.255.240
ip nat inside
ip virtual-reassembly in
glbp 1 ip GLBP_VIRTUAL_IP
duplex auto
speed auto
!


ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ISP_GW

access-list 1 permit any

Regards

Essa

Labels:
0 Helpful
1 Reply 1

Kureli Sankar
Cisco Employee
Cisco Employee

‎06-03-2012 09:40 AM

Essa,

Interesting.  What do the syslogs show? What is your packet tracer trigger? Could you pls. copy and paste it pls and the entire output as well. What is inside the object LAN?

Thanks,

Kureli

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card