01-12-2021 10:52 AM
I have an odd situation involving two ASA firewalls that I'm trying to configure to allow traffic to-and-from both the outside world and our main private network to reach the private network of the 2nd firewall.
I have no problems getting the traffic flow to-and-from our main private network.
A computer inside the 2nd firewall is also able to access the Internet.
Where I'm having trouble is getting access from the Internet *to* that 2nd firewall's private network.
I'm testing with RDP access to that computer inside the 2nd firewall.
Since Internet access is possible with the test computer, and I am able to access the test computer from the main private network, I'm assuming it's a matter of either routing or setting up the correct access rules.
The following picture illustrates how the two firewalls are currently set up.
For simplicity's sake, I haven't included switches that are used in between the firewalls and on either inside network.
Firewall 1 configuration settings:
Firewall 1 has a public IP NAT'd to the DMZ IP address of firewall 2.
This is the IP assigned to firewall 2's outside interface.
For current testing, the access rule for that NAT allows *all* IP traffic to reach firewall 2.
There's a copy of that rule in the access rules section of both the outside interface and the DMZ interface of firewall 1.
object network asa_2
host <dmz subnet IP>
object network asa_2
nat (DMZ,outside) <static public IP>
access-list outside_access_in extended permit ip object asa_2 any4
access-list DMZ_access_in extended permit ip object asa_2 any4
route outside 0.0.0.0 0.0.0.0 <public IP subnet gateway>
Firewall 2 has the following configuration entries:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address <DMZ IP address>
object network PORTFORWARD-RDP
host <ASA 2 internal address>
access-list outside_access_in extended permit tcp any4 object PORTFORWARD-RDP eq 3389
object network PORTFORWARD-RDP
nat (inside,outside) static interface service tcp 3389 3389
route outside 0.0.0.0 0.0.0.0 <DMZ subnet gateway>
Other possibly germane facts:
Firewall 1 is set up with EIGRP for all of the main internal network's subnets, but NOT the DMZ subnet.
Any help is appreciated.
01-12-2021 11:58 AM
access-list outside_access_in extended permit ip object asa_2 any4
On ASA1 this statement should read access-list outside_access_in extended permit ip any4 object asa_2
object network asa_2
host <dmz subnet IP>
I am assuming that this is the outside interface IP of ASA2? If not then this should be changed to the ASA IP.
object network PORTFORWARD-RDP
host <ASA 2 internal address>
Is this the IP of the test PC or the ASA2 inside IP? This should be the test PC IP if it is not already.
Other than that the rest of the configuration looks fine. If you are still having issues we would need to look at the full configurations of both ASAs (remember to remove public IPs, usernames and passwords) as well as have a network diagram of physical connections (including switches) and where routing is being performed. Could be a possible asynchronous routing issue in this case.
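The direction problem Marius points out in the first ACE can be seen by modelling how an ASA evaluates an inbound interface ACL. The following is an added example, not from the thread or from Cisco: a small Python model of ASA extended-ACL matching (first match wins, implicit deny at the end) run against the poster's original rule, the corrected rule, and ASA2's RDP rule. The addresses (192.0.2.10 standing in for the DMZ address of asa_2, 192.168.100.20 for the RDP test PC, 203.0.113.55 for an Internet client) are constructed stand-ins for the thread's placeholders. One detail the model relies on: since ASA 8.3, interface ACLs are evaluated against real (untranslated) addresses, which is why ASA1's outside ACL refers to asa_2's DMZ address rather than the public IP that is NAT'd to it.

```python
"""ASA-style extended ACL evaluator (constructed example, not from the thread).

Shows why 'permit ip object asa_2 any4' on the outside interface does not admit
inbound RDP: it matches traffic *sourced from* asa_2, not traffic *destined to* it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed documentation-range addresses standing in for the placeholders
# in the thread (<dmz subnet IP>, <ASA 2 internal address>).
OBJECTS = {
    "asa_2": "192.0.2.10",              # object network asa_2 / host <dmz subnet IP>
    "PORTFORWARD-RDP": "192.168.100.20", # object network PORTFORWARD-RDP / host <test PC>
}
INTERNET_CLIENT = "203.0.113.55"         # constructed RDP client on the Internet

# ASA1 outside ACL as posted, and as corrected in the reply above.
ORIGINAL_ACL = ["access-list outside_access_in extended permit ip object asa_2 any4"]
CORRECTED_ACL = ["access-list outside_access_in extended permit ip any4 object asa_2"]
# ASA2 outside ACL for the RDP port-forward.
ASA2_ACL = ["access-list outside_access_in extended permit tcp any4 object PORTFORWARD-RDP eq 3389"]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: list) -> tuple:
    """Consume one address specifier: any/any4, object NAME, host A.B.C.D, or A.B.C.D MASK."""
    head = tokens[0]
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "object":
        return ipaddress.ip_network(OBJECTS[tokens[1]] + "/32"), tokens[2:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA writes networks as address + dotted netmask, not a prefix length.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line: str) -> Ace:
    m = re.match(r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _parse_addr(tokens)
    dst, tokens = _parse_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl_lines: list, pkt: Packet) -> str:
    """First-match evaluation with the ASA's implicit deny at the end of the ACL."""
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# Inbound RDP as ASA1's outside ACL sees it: the destination is the real DMZ
# address of asa_2 (the public IP has already been untranslated).
INBOUND_RDP_ASA1 = Packet("tcp", INTERNET_CLIENT, OBJECTS["asa_2"], 3389)
# The same flow one hop later, as ASA2's outside ACL sees it (real address of the test PC).
INBOUND_RDP_ASA2 = Packet("tcp", INTERNET_CLIENT, OBJECTS["PORTFORWARD-RDP"], 3389)
INBOUND_SSH_ASA2 = Packet("tcp", INTERNET_CLIENT, OBJECTS["PORTFORWARD-RDP"], 22)


def original_verdict() -> str:
    return evaluate(ORIGINAL_ACL, INBOUND_RDP_ASA1)   # "deny"

def corrected_verdict() -> str:
    return evaluate(CORRECTED_ACL, INBOUND_RDP_ASA1)  # "permit"

def asa2_rdp_verdict() -> str:
    return evaluate(ASA2_ACL, INBOUND_RDP_ASA2)       # "permit"

def asa2_other_port_verdict() -> str:
    return evaluate(ASA2_ACL, INBOUND_SSH_ASA2)       # "deny"


if __name__ == "__main__":
    print("ASA1 original ACL :", original_verdict())
    print("ASA1 corrected ACL:", corrected_verdict())
    print("ASA2 RDP 3389     :", asa2_rdp_verdict())
    print("ASA2 other port   :", asa2_other_port_verdict())
```

The model deliberately permits only what the posted lines permit; the rest of the ACL (and the implicit deny) is what a real ASA would show as a hit on the `deny` counter, so checking `show access-list outside_access_in` hit counts after the change is the quickest confirmation that the corrected ACE is now the one matching.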
01-12-2021 01:09 PM
Aloha, Marius
Thanks for the quick response.
I'll make the change in the access rule on ASA1 and report back.
You are correct on the other two entries you reference; the following is the outside interface IP of ASA2
object network asa_2
host <dmz subnet IP>
and the following is the internal IP of the test PC.
object network PORTFORWARD-RDP
host <ASA 2 internal address>
Regards,
Grant