Access Firewall Interface which Connects to Cisco Switch

PolarPanda
Level 1

Hi Gurus,

I've encountered an issue that might relate to Cisco.

The issue is that I cannot access the FW A internal interface from FW B, but it's OK from the Cisco switch and from any computer connected to the switch. I've asked for support from the firewall side and they didn't see any issue. I have a Cisco switch directly connected to the FW A internal interface; both interfaces have IP addresses configured on the same subnet. I have no problem accessing anything behind FW A from FW B (which includes the Cisco switch), and vice versa (the Cisco switch can access FW B).

On the Cisco side, I have a static default route pointing to 10.101.131.241 as next hop, and the Cisco interface is an L3 interface configured with IP 10.101.131.242. On the FW A side, I have it configured so that the default route's next hop is 10.101.131.242 when it needs to reach any device behind FW A.

Does anyone know if the issue could be caused by the Cisco side? Thank you.

10 Replies

Reza Sharifi
Hall of Fame

Hi,

It appears that FW-B may need a static route pointing to FW-A address to reach the switch's IP:

ip route 10.101.131.0/x <next hop ip address>

HTH

I have the destination subnet 10.101.131.0 pointing to the VPN tunnel as next hop.

I have no issue accessing the switch from FW B.

Are you saying I need to use the FW A interface IP instead?

I have the destination subnet 10.101.131.0 pointing to the VPN tunnel as next hop.

VPN tunnel next hop is correct. Are the subnet masks configured correctly?

HTH

Good question. For the subnets I put on FW A and FW B to access anything behind FW A, I gave a broader range (/24), but on the switch I have smaller subnets, which include the switch interface that connects to FW A.

Do you mean that I should have a more specific static route to each subnet instead of a /24? If so, how come I can access the switch?

As long as the mask assignment per subnet is configured correctly, there is no need for a static route for each small subnet. A broader range should work just fine.

HTH

Yes, they're configured correctly. Thank you for your help troubleshooting the problem.

I think this is the default behaviour of the ASA FW: it does not accept ping connections to the inside interface if the traffic comes from outside.
But to be sure I will run a lab and check this.

Sorry, forgot to mention: it's not an ASA firewall, but I did make sure the FW interface is able to be accessed via ping and HTTPS.

Still, it's OK: the FW can accept HTTP for remote admin of the FW and ping to test reachability, but no more than this.
Just ask FW support if they receive any log message denying the traffic to the interface.

Thank you. The latest debug log I found shows that FW B can reach the FW A interface for sent packets, but there is no response. I do have a static route on FW A whose next hop is the VPN tunnel if FW A needs to reach FW B or anything behind FW B.
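As an added illustration (not from the thread or any poster), here is a small longest-prefix-match lookup over route tables modelled on the addresses in this thread. It shows why a broad /24 on FW B still covers the switch's smaller subnets (the mask question above), and gives a way to check both directions of the FW B to FW A interface flow discussed in the last reply. The FW B LAN prefix 10.20.0.0/16, the /30 on the FW A to switch link and the /26 user subnet behind the switch are assumptions; only 10.101.131.0/24, .241 and .242 come from the thread.

```python
import ipaddress

# Constructed route tables modelled on the thread: 10.101.131.0/24, .241 (FW A
# internal interface) and .242 (switch L3 interface) are from the thread; the
# FW B LAN 10.20.0.0/16, the /30 on the FW A <-> switch link and the /26 user
# subnet behind the switch are assumptions. "vpn" is the VPN tunnel interface.
ROUTES = {
    "FW-A": [
        ("10.101.131.240/30", "connected"),     # FW A internal interface .241
        ("10.101.131.0/24", "10.101.131.242"),  # everything behind FW A via the switch
        ("10.20.0.0/16", "vpn"),                # FW B and its LAN over the tunnel
        ("0.0.0.0/0", "internet"),
    ],
    "FW-B": [
        ("10.20.0.0/16", "connected"),
        ("10.101.131.0/24", "vpn"),             # the broad /24 from the thread
        ("0.0.0.0/0", "internet"),
    ],
    "switch": [
        ("10.101.131.240/30", "connected"),     # switch L3 interface .242
        ("10.101.131.0/26", "connected"),       # assumed smaller user subnet
        ("0.0.0.0/0", "10.101.131.241"),        # static default route to FW A
    ],
}


def lookup(router, dst):
    """Longest-prefix match on one router: returns (matched prefix, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def round_trip(src_router, src_ip, dst_router, dst_ip):
    """Forward hop for src->dst and reverse hop for the reply; a reply that does
    not leave via the same path (here 'vpn') points at asymmetric routing."""
    return lookup(src_router, dst_ip), lookup(dst_router, src_ip)


if __name__ == "__main__":
    # A host in the switch's /26 is still covered by FW B's broader /24.
    print(lookup("FW-B", "10.101.131.5"))
    # FW B -> FW A interface: delivered locally on FW A, reply returns via the tunnel.
    print(round_trip("FW-B", "10.20.0.1", "FW-A", "10.101.131.241"))
```

When both lookups in the round trip come back as expected, the routing tables are not the cause, which leaves a policy on the firewall interface (the log check suggested above) as the place to look.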
