12-14-2022 11:03 AM
Hi Gurus,
I've encountered an issue that might relate to Cisco.
The issue is that I cannot access the FW A internal interface from FW B, but it's OK from the Cisco switch and any computer that connects to the switch. I've asked for support from the firewall side and they didn't see any issue. I have a Cisco switch directly connected to the FW A internal interface, and both interfaces have IP addresses configured on the same subnet. I have no problem accessing anything behind FW A from FW B (which includes the Cisco switch), and vice versa (the Cisco switch can access FW B).
On the Cisco side, I have a static default route pointing to 10.101.131.241 as the next hop, and the Cisco interface is an L3 interface configured with IP 10.101.131.242. On the FW A side, I have it configured so that the default route next hop is 10.101.131.242 if it needs to reach any device behind FW A.
Does anyone know if the issue could be caused from Cisco side? Thank you.
12-14-2022 11:48 AM
Hi,
It appears that FW-B may need a static route pointing to FW-A's address to reach the switch's IP:
ip route 10.101.131.0/x <next hop ip address>
HTH
12-14-2022 11:51 AM - edited 12-14-2022 11:59 AM
I have the destination subnet 10.101.131.0 pointing to the VPN tunnel as the next hop.
I have no issue accessing the switch from FW B.
Are you saying I need to use the FW A interface IP instead?
12-14-2022 12:29 PM
I have the destination subnet 10.101.131.0 pointing to the VPN tunnel as the next hop.
VPN tunnel next hop is correct. Are the subnet masks configured correctly?
HTH
12-14-2022 01:25 PM
Good question. For the subnets I put on FW A and FW B to access anything behind FW A, I gave a broader /24 range, but on the switch I have smaller subnets, which include the interface of the switch that connects to FW A.
Do you mean that I should have a more specific static route to each subnet instead of a /24? If so, how come I can access the switch?
12-14-2022 01:35 PM
As long as the mask assignment per subnet is configured correctly, there is no need for a static route for each small subnet. A broader range should work just fine.
HTH
12-14-2022 01:44 PM
Yes, they're configured correctly. Thank you for your help troubleshooting the problem.
12-14-2022 01:30 PM
I think this is the default behaviour of the ASA FW: it does not accept ping connections to the inside interface if the traffic comes from outside.
But to be sure, I will run a lab and check this.
12-14-2022 01:45 PM
Sorry, I forgot to mention that it's not an ASA firewall, but I did make sure the FW interface is able to be accessed via ping and HTTPS.
12-14-2022 02:04 PM
Still, it is OK: the FW can accept HTTP for remote admin of the FW and ping to test reachability, but no more than this.
Just ask FW support if they receive any log message denying the traffic to the interface.
12-14-2022 02:09 PM
Thank you. The latest debug log I found is that FW B can reach the FW A interface for sent packets, but gets no response. I do have a static route on FW A whose next hop is the VPN tunnel if FW A needs to reach FW B or anything behind FW B.
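The two-way route check the replies circle around (a /24 route towards the tunnel, correct masks, and a debug log showing packets sent but no response), as an added example that is not part of the thread: a small Python model of the topology with longest-prefix-match lookup that traces the forward and the return path between FW B, FW A's inside interface and the switch. FW B's inside subnet 192.0.2.0/24 and the NO_RETURN fault variant are assumptions; the 10.101.131.x addresses are the ones given in the thread.

```python
from ipaddress import ip_address, ip_interface, ip_network
# Constructed model of the thread's topology: the 10.101.131.x addresses are the
# ones given in the thread; FW B's inside subnet 192.0.2.0/24 is assumed. A route's
# next hop is a gateway IP or "tunnel" (the VPN to the peer firewall).
DEVICES = {
    "FWB": {"ifaces": ["192.0.2.1/24"], "peer": "FWA",
            "routes": [("10.101.131.0/24", "tunnel")]},
    "FWA": {"ifaces": ["10.101.131.241/24"], "peer": "FWB",
            "routes": [("192.0.2.0/24", "tunnel"), ("0.0.0.0/0", "10.101.131.242")]},
    "SW": {"ifaces": ["10.101.131.242/24"], "peer": None,
           "routes": [("0.0.0.0/0", "10.101.131.241")]},
}

def owner(devices, ip):
    """Device that has `ip` on one of its interfaces, else None."""
    for name, dev in devices.items():
        if any(ip_interface(i).ip == ip for i in dev["ifaces"]):
            return name
    return None

def next_hop(devices, name, dst):
    """Longest-prefix match over connected subnets and static routes."""
    table = [(ip_interface(i).network, "connected") for i in devices[name]["ifaces"]]
    table += [(ip_network(p), nh) for p, nh in devices[name]["routes"]]
    hits = [(net, nh) for net, nh in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(devices, src_ip, dst_ip):
    """Devices a packet crosses from the owner of src_ip to the owner of dst_ip;
    the list ends with 'NO ROUTE' or 'LOOP' when delivery is impossible."""
    dst, path = ip_address(dst_ip), [owner(devices, ip_address(src_ip))]
    while path[-1] != owner(devices, dst):
        nh = next_hop(devices, path[-1], dst)
        if nh is None:
            return path + ["NO ROUTE"]
        if nh == "tunnel":
            nxt = devices[path[-1]]["peer"]
        else:  # connected subnet or gateway IP: hand over to the device owning it
            nxt = owner(devices, dst if nh == "connected" else ip_address(nh))
        if nxt is None or nxt in path:
            return path + ["NO ROUTE" if nxt is None else "LOOP"]
        path.append(nxt)
    return path

def two_way(devices, src_ip, dst_ip):
    """Forward and return path; 'packet sent, no response' in the thread's debug
    log is what a broken return path looks like from the sender's side."""
    return trace(devices, src_ip, dst_ip), trace(devices, dst_ip, src_ip)

# Variant with FW A's tunnel route back towards FW B removed (assumed fault).
NO_RETURN = {**DEVICES, "FWA": {**DEVICES["FWA"], "routes": [("0.0.0.0/0", "10.101.131.242")]}}
```

With the routes as described in the thread both directions resolve; in the NO_RETURN variant the reply from FW A follows its default route to the switch, which sends it straight back, so the sender sees exactly the "sent, no response" symptom.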