Re: routing issue between two firewalls ??

deephazz02 · ‎02-13-2008

Hello,

I have two FW, on is a ASA the other one is a FWSM they're conected to each other via a vlan. So each one of the 2 Fw have an interface on the same VLAN.

they are connected like this :

Fw(10.1.1.1/24) <-> 6500 (used only for layer 2 connectivity) <-> FWSMContext(10.1.1.2/24) <-> VRF{ FWSMContext(10.1.2.2/24) <-> Vlan interface(10.1.2.1/24) etc..}

From the Fw(10.1.1.1/24) I can ping FWSMContext(10.1.1.2/24) but I can't ping FWSMContext(10.1.2.2/24) and everything beyond in the VRF.

interfaces on th fwsm are :

DMZ_Outside 10.1.1.2/24

VRF_Inside 10.1.2.2/24

The sh route on the FWSM looks like this :

S 0.0.0.0 0.0.0.0 [1/0] via 10.1.1.1, DMZ_Outside

S 10.10.10.100 255.255.255.255 [1/0] via 10.1.2.1, VRF_Inside

C 10.1.2.0 255.255.255.0 is directly connected, VRF_Inside

S 1.1.3. 255.255.255.0 [1/0] via 10.1.2.1, VRF_Inside

S 1.1.4.0 255.255.255.0 [1/0] via 10.1.2.1, VRF_Inside

C 10.1.1.0 255.255.255.0 is directly connected, DMZ_Outside

I checked the access-list but I don't see any hitcounts incremented on any of it when pinging the VRF_inside interface from Fw(10.1.1.1/24).

Does anybody have any idea about what could be the reason of this issue?

Regards.

jbayuka · ‎02-20-2008

Routing is a critical part of almost every IPsec VPN deployment. Be certain that your encryption devices such as Routers and PIX or ASA Security Appliances have the proper routing information to send traffic over your VPN tunnel. Moreover, if other routers exist behind your gateway device, be sure that those routers know how to reach the tunnel and what networks are on the other side.

Refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution11 for more information