Routing outside traffic through two firewalls; can it be done?
I have an odd situation involving two ASA firewalls that I'm trying to configure to allow traffic to-and-from both the outside world and our main private network to reach the private network of the 2nd firewall.
I have no problems getting the traffic flow to-and-from our main private network. A computer inside the 2nd firewall is also able to access the Internet.
Where I'm having trouble is getting access from the Internet *to* that 2nd firewall's private network.
I'm testing with RDP access to that computer inside the 2nd firewall.
Since Internet access is possible with the test computer, and I am able to access the test computer from the main private network, I'm assuming it's a matter of either routing or setting up the correct access rules.
The following picture illustrates how the two firewalls are currently set up.
For simplicity's sake, I haven't included switches that are used in between the firewalls and on either inside network.
Firewall 1 configuration settings:
Firewall 1 has a public IP NAT'd to the DMZ IP address of firewall 2. This is the IP assigned to firewall 2's outside interface.
For current testing, the access rule for that NAT allows *all* IP traffic to reach firewall 2.
There's a copy of that rule in the access rules section of both the outside interface and the DMZ interface of firewall 1.
object network asa_2
 host <dmz subnet IP>
object network asa_2
 nat (DMZ,outside) <static public IP>
access-list outside_access_in extended permit ip object asa_2 any4
access-list DMZ_access_in extended permit ip object asa_2 any4
route outside 0.0.0.0 0.0.0.0 <public IP subnet gateway>
Firewall 2 has the following configuration entries:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <DMZ IP address>
Is this the IP of the test PC or the ASA2 inside IP? This should be the test PC IP if it is not already.
Other than that the rest of the configuration looks fine. If you are still having issues we would need to look at the full configurations of both ASAs (remember to remove public IPs, usernames and passwords) as well as have a network diagram of physical connections (including switches) and where routing is being performed. Could be a possible asynchronous routing issue in this case.
-- Please remember to select a correct answer and rate helpful posts
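For reference, here is an added illustrative configuration (not the poster's, not from the reply) showing the piece the second firewall needs for the double-NAT RDP path the question describes: a static NAT on firewall 2 from its outside (DMZ) address to the test PC, and an outside ACL that admits only tcp/3389 instead of all IP. It assumes the object name test_pc, the inside address placeholder, and the access-list name outside_access_in on both ASAs; on ASA 8.3 and later, interface ACLs match the real (untranslated) address, so the inbound destination is the host object, not the public or DMZ IP.

```cisco
! Firewall 2 (added example, placeholders in angle brackets)
! Static PAT: RDP arriving at firewall 2's outside (DMZ) address is
! forwarded to the test PC on the inside.
object network test_pc
 host <inside IP of test PC>
 nat (inside,outside) static interface service tcp 3389 3389
!
! Inbound rule on firewall 2's outside interface: destination is the real
! address (the test_pc object), and only RDP is permitted.
access-list outside_access_in extended permit tcp any4 object test_pc eq 3389
access-group outside_access_in in interface outside
!
! Firewall 1, same principle: inbound traffic from the Internet has the
! real DMZ host (asa_2) as its destination and is narrowed to tcp/3389.
access-list outside_access_in extended permit tcp any4 object asa_2 eq 3389
access-group outside_access_in in interface outside
```

Once RDP works end to end, the permit-ip-any test rules on firewall 1 can be retired in favour of the port-specific entries above.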