Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
0
Helpful
3
Replies

Firewall Blocking Routing Between Internal Networks

mjh686
Level 1
Level 1

‎10-09-2017 01:33 PM - edited ‎02-21-2020 06:27 AM

I ran into an issue a while back that I fixed, but couldn't understand why it was occuring. I manage a pretty standard network that goes ISP->Firewall->L3 Core Switch->distribution switches. My issue was that the firewall was blocking routing between internal subnets, my question is why, in terms of, why is internal traffic even being inspected/blocked by the firewall if the L3 core is supposed to be doing the internal routing? (all traffic has to traverse through the L3 before hitting the firewall) Why doesn't it just get routed internal with out even hitting the firewall? I assume this is a function of the routing protocols involved and not the hardware/software, because I have now ran into this issue in two different hardware setups that had the same topology. 

Labels:
0 Helpful
3 Replies 3

Flavio Miranda
VIP
VIP

‎10-10-2017 06:59 AM

Hi,

 I´d say that this depends on the setup. If traffic pass to firewall it is expected that it denies if not allowed.

 What you did to solve the problem could tell what the problem was. Without a more in depth knowledge about your environment it is hard to say anything.

0 Helpful

mjh686
Level 1
Level 1
In response to Flavio Miranda

‎10-10-2017 10:05 AM

I have vlan gateways all set on the L3 switch with the default gateway of the L3 going to the Firewall, so I assumed because routing was enabled and vlans configured, that the L3 would do all the internal routing with out consulting the firewall. All the internal traffic has to hit the L3 befire it goes to the firewall, since the firewall only has one LAN connection, and it is on its own vlan/subnet connected directly to the L3. I had to add the internal subnets to the firewall to get them to route internally.  

0 Helpful

Flavio Miranda
VIP
VIP
In response to mjh686

‎10-10-2017 10:13 AM

This "L3 switch with the default gateway of the L3 going to the Firewall" could be the problem with Internal routing is not properly configured. If L3 does not find a route to the destination, it would send the packet to Firewall. 

 Would be nice if you could share the routing table of all L3 switches. 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card