Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
5
Helpful
12
Replies

unable to access LAN to DMZ via L3 switch

rajesh4
Level 1
Level 1

‎12-30-2022 04:56 AM

Dear Team,

My Network topology

We are migrating the Cyberoam to firepower 1010,

issue reported:

"Unable to access LAN to DMZ via LAN L3 switch"

Internal LAN (192.168.10.2)--||--L3 switch 192.168.9.2 --|| -- FW 1010 LAN interface 192.168.9.1 --||-- FW 1010 DMZ interface 192.168.4.1 --||-- 192.168.4.190(host machine)

1) We can able to ping from internal LAN network 192.168.10.2 to FW 1010 LAN interface 192.168.9.1 (working fine)
2) And when I am tried to ping from internal LAN network 192.168.10.2 to DMZ host machine 192.168.4. 190 (Not working and tracert output is up to reachable 192.168.10.1)
3) In the existing Cyberoam firewall routing is working fine.

Required your assistance to resolve issue and kindly assign to senior expert engineer to troubleshoot.

Can you help me why 192.168.4.1 not reachable from 192.168.10.2 internal LAN system.

For your reference attached network topology.

Preview file
158 KB
0 Helpful
12 Replies 12

Rob Ingram
VIP
VIP

‎12-30-2022 05:28 AM

@rajesh4 you cannot ping the DMZ interface IP address (192.168.4.1) when you are connected behind the LAN interface, that's by design on the FTD. The FTD only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through one FTD interface to a far FTD interface.

You should test connectivity by pinging a device in the DMZ, for that you need to create an Access Control rule to permit the traffic. Also, ensure that NAT is not unintentially translating the traffic.

0 Helpful

MHM Cisco World
VIP
VIP

‎12-30-2022 05:40 AM - edited ‎12-30-2022 05:41 AM

the issue in L3SW not in FW.
you must add route to DMZ subnet in L3SW toward INside interface of FW. 
that all.

0 Helpful

rajesh4
Level 1
Level 1
In response to MHM Cisco World

‎12-30-2022 06:09 AM

Hi,

"Same setup working in Cyberoam firewall" When i replace the firepower 1010 firewall not working.

In L3 switch already have the default route and still not working.

#ip route 0.0.0.0 0.0.0.0 192.168.9.1

We can able to ping firewall interface 192.168.9.1/30 via L3 switch LAN IP 192.168.10.2/24

if trying to ping the NAS IP address from same LAN IP 192.168.10.2 to 192.168.4.190. not working ( tracert output 192.168.10.1)

Thanks & Regards

S Rajesh

+91- 8861530472

0 Helpful

rajesh4
Level 1
Level 1
In response to MHM Cisco World

‎12-30-2022 06:12 AM

Hi,

If possible can we connect through remote session or through call, it would be better for understand setup & issue. 

Rajesh +918861530472 

0 Helpful

rajesh4
Level 1
Level 1

‎12-30-2022 05:49 AM

Hi Rob,

Thank you for your response,

Noted, I want to reach NAS server 192.168.4.190 from 192.168.10.2 via 192.168.9.1

Internal LAN (192.168.10.2)--||--L3 switch 192.168.9.2 --|| -- FW 1010 LAN interface 192.168.9.1 --||-- 192.168.4.190(host machine)

Kindly help us to resolve issue.

"Same setup working in Cyberoam firewall" When i replace the firepower 1010 firewall not working. 

Thanks & regards

S Rajesh

+91-8861530472  

Rob Ingram
VIP
VIP
In response to rajesh4

‎12-30-2022 05:52 AM - edited ‎12-30-2022 05:53 AM

@rajesh4 you can run packet-tracer this will confirm where the problem lies.

From the CLI of the FTD run "packet-tracer input <source interface name> tcp 192.168.10.2 3000 192.168.4.190 80" and provide the output for review.

Please provide a screenshot of your Access Control policy and NAT rules on the FTD.

From the CLI of the FTD run "show route" and provide the output for review.

0 Helpful

rajesh4
Level 1
Level 1
In response to Rob Ingram

‎12-30-2022 06:11 AM

Hi Rob, 

If possible can we connect through remote session or through call, it would be better for understand setup & issue. 

Rajesh +918861530472 

0 Helpful

rajesh4
Level 1
Level 1
In response to Rob Ingram

‎01-02-2023 08:38 AM

Dear Rob,

Please find the attached screenshot of ACL, NAT & Route.

Thanks & Regards

S Rajesh

+91-8861530472   

Preview file
438 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to rajesh4

‎01-02-2023 08:51 AM

@rajesh4 possibly a NAT issue, there are 10 NAT rules above the screenshot of the rules you provided, traffic may unintentially match one of those rules, from the CLI of the switch run show nat detail and provide the output.

Provide the packet-tracer output as previously requested, this would confirm the NAT rule and which Access Control rule is matched.

0 Helpful

rajesh4
Level 1
Level 1
In response to Rob Ingram

‎01-02-2023 09:00 AM

@rob I have disabled all NAT policy and only i have enabled the NAT policy no 11 & 12.

0 Helpful

Rob Ingram
VIP
VIP
In response to rajesh4

‎01-02-2023 09:21 AM

@rajesh4 please provide the exact information requested.

0 Helpful

rajesh4
Level 1
Level 1

‎01-02-2023 09:11 AM

I have to reach (DMZ network) 192.168.4.0/24 series from L3 switch 192.168.10.0/24

And my route should work like this 192.168.10.1---> 192.168.9.1--->192.168.4.X and reserve route should work like this 192.168.4.1--->192.168.9.2--->192.168.10.X

How can cerate route in firepower firewall 1010 and L3 switch.

Thanks & Regards 

S Rajesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card