Help routing & switch for vendor traffic traversing through DMZ

rmorenobb (Level 1)

Hi,
So, I need some help understanding an issue with a router I'm trying to direct traffic to; this is a vendor's router that sits on our network.

We have the exact same router and setup at one of our other data centers, and it functions properly, and we're trying to get another router set up at our new data center, because we plan to decommission the other data center.

Differences between Data Centers are:

Prod Data Center - working vendor vpn router
cisco 1841 router
two interfaces connected to our network
Ge0 Inside LAN - interface is connected to our DMZ, and assigned an inside Vlan 252 ip 172.25.2.52
Ge8 WAN - interface is connected to our DMZ, and assigned a static Public IP with an outside vlan 999

All traffic traverses the firewall that is directly connected to the DMZ.

DMZ is a Cisco 3850
ASA is a Cisco 5510

The way this works at the Prod Data Center is that we have the following

Static route on the Cisco 3850 switch that is the core switch at the data center:
static route 10.49.126.0 255.255.255.0, next hop is the ASA firewall
The static route is also redistributed from this core out to the MPLS network.

On the ASA firewall
route dmz 252 10.49.126.0 255.255.255.0 to inside Ge0 LAN interface of vendor router 172.25.2.52

That's it, that's how all this works at the Prod DC.

I'm trying to mimic this at the New Data Center, but cannot get this to work.
NEW DATA CENTER DETAILS

cisco 1841 router
two interfaces connected to our network
Ge0 Inside LAN - interface is connected to our DMZ, and assigned an inside Vlan 627 ip 10.10.16.18
Ge8 WAN - interface is connected to our DMZ, and assigned a static Public IP with an outside vlan 999

All traffic traverses the firewall that is directly connected to the DMZ.

DMZ is a cisco WS-C3850-48P
Firewall is a virtual FMC with 2 FTDs as an HA Pair

On the FTD firewall
route DMZ-627 10.49.126.0 255.255.255.0 to inside Ge0 LAN interface of vendor router 10.10.16.18

On the core switch for the new DC, which is a Cisco Nexus 9000 93180YC-EX:
ip route 10.49.126.0/24 10.10.66.66
10.10.66.66 is the IP address of the primary active FTD for the firewall.

-- What issue I'm having

When I temporarily advertise the static route out of the new DC, 10.49.126.0/24, we cannot see any traffic hitting the firewall.

From the DMZ I can ping the Ge0 LAN inside interface 10.10.16.18.
I cannot ping that Ge0 LAN inside interface from the Nexus 9000; it times out.

On the Nexus, if I do a
ssnp-c10-93180-A# sh forwarding route 10.10.16.18

slot 1
=======


IPv4 routes for table default/base

------------------+-----------------------------------------+----------------------+-----------------+-----------------
Prefix | Next-hop | Interface | Labels | Partial Install
------------------+-----------------------------------------+----------------------+-----------------+-----------------
10.10.16.16/28 10.10.70.10 Vlan57

Also I should mention the layer 2 VLAN is configured on the DMZ:
ssnp-dmz-sa01#sh run int vlan 627
Building configuration...

Current configuration : 124 bytes
!
interface Vlan627
description Vendor
ip address 10.10.16.30 255.255.255.240

I have opened a Cisco TAC ticket and am going to go over this with them; my only thought is that there is something different with the way the FMC and FTDs work.
Been pulling my hair out over this design; it's pretty simple, and I'm under pressure to get this new router fully online so I can decommission the old router.

Any ideas? Suggestions? Need more info on this?
Please let me know, your help is greatly appreciated!

Accepted Solution

If the 3850 is not routing then the vendor router should use the firewall as the next hop, not the SVI on the 3850.

The default gateway on the 3850 is only used for traffic to and from the switch, i.e. not traffic passing through the switch.

Jon

Replies

rmorenobb (Level 1)

Alright, I have some more information, trying to figure this issue out.

Or better yet, a better way to phrase the issue.

Vendor router
Inside interface vlan 628
10.10.16.34 /28

Connected to DMZ switch 3850
The DMZ switch has a Layer 2 SVI
vlan 628
10.10.16.46 /28

Vendor routes all their traffic with next hop pointing to 10.10.16.46.
Traffic from this router is 170.209.0.2 /32, 170.209.0.3 /32.

End-points (workstations) access that traffic via a browser.
I've verified via captures on the firewall that when an end-point accesses the addresses via browser, I can see the firewall do the following:

source 10.80.5.51 destination 170.209.0.3 routes to 10.10.16.34

So as far as routing goes it's correct; the firewall is correctly routing.

Now in the captures we see no replies, so there must be an issue with return traffic sourcing from the vendor's inside interface over to the vlan 628 gateway 10.10.16.46.

This shouldn't be that difficult to get to work; the same design works at our other data center, but this is the first data center that has an FMC with 2 FTDs in an HA pair.

I'm going to get another Cisco TAC call after hours, hoping this will get resolved.

I think I'm getting closer to what may be the issue; still searching for an affirmative reason why packet captures aren't seeing any replies back.

The DMZ 3850 switch is the intermediary device that the vendor's router is directly connected to for both the WAN and LAN interfaces.

Traffic is routed from the Firepower FTDs to the DMZ switch to the vendor's router LAN interface.

The vendor is sending replies back for all traffic with a next hop of 10.10.16.46, which is the VLAN the vendor's LAN interface is on.

I just went on the DMZ and did this:


ssnp-dmz-sa01#sh ip route 10.80.5.51
% Subnet not in table
ssnp-dmz-sa01#

The 10.80.5.51 is the source IP, i.e. an end user's machine that is attempting to resolve the URL https://170.209.0.2/, which is the destination.

That is making it to the vendor's VPN router, but no replies are reaching back to the source.

Looking at the routing table for the DMZ, it doesn't know about that subnet. I would think it would return traffic the same path it came in, but I'm wondering, is this maybe the issue?

Doing further research; hoping someone has any insight into this....

I've researched the DMZ 3850 switch config, the intermediary device between the vendor's router and the Firepower FTD HA pair.

No ip routing is configured on this switch, so it's relying on ip default-gateway.

It will send all traffic "not known" to the default gateway, which is a directly connected core switch.

So I think source traffic that is initiated from an end point on our MPLS networks routes to the advertised BGP /32 routes for the vendor's hosts; that routes properly to the data center ASN, to the core switch, to the firewall, to the DMZ, to the vendor's router, but replies are not making it back that same path because it's choosing the ip default-gateway, since the vendor's /32 hosts aren't known and aren't in the FIB table.

This is my guesstimation thus far; I'm working on getting a WebEx with my Cisco TAC engineer.
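As an added illustration (editor's example, not code from this thread, from Cisco, or from the vendor), here is a small Python model of the forwarding path discussed above: each Layer 3 hop does a connected-subnet check and then a longest-prefix lookup, while a Catalyst with `no ip routing` treats its SVI as a host address and uses `ip default-gateway` only for traffic it originates itself, which is the point made in the accepted solution and suspected in the post above. The addresses 10.80.5.51, 10.10.66.66, 10.10.16.34/28, 10.10.16.46/28 and 170.209.0.2/.3 are the ones given in the thread; 10.80.5.1, 10.10.66.1 and 10.10.16.33 are placeholders I assume for the core's SVIs and for the FTD's interface in VLAN 628, which the page does not state. The model traces the request, then the reply with the vendor's default route pointing at the SVI and again pointing at the FTD.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Node:
    """Any device owning one or more IP addresses."""
    def __init__(self, name, addresses):
        self.name = name
        self.addresses = set(addresses)

    def next_hop(self, pkt):
        raise NotImplementedError


class Router(Node):
    """Layer 3 hop: deliver directly on a connected subnet, otherwise do a
    longest-prefix match over static routes given as (prefix, next-hop IP)."""
    def __init__(self, name, addresses, connected=(), routes=()):
        super().__init__(name, addresses)
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        if any(dst in net for net in self.connected):
            return pkt.dst
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class L2Switch(Node):
    """Catalyst with 'no ip routing': the SVI is a host address and
    'ip default-gateway' serves only traffic the switch itself originates.
    A packet sent to the SVI for another destination has no routing process
    to forward it, so it is dropped here. Frames between other hosts on the
    VLAN pass through transparently and are not modelled."""
    def __init__(self, name, svi_addresses, default_gateway):
        super().__init__(name, svi_addresses)
        self.default_gateway = default_gateway  # never consulted for transit

    def next_hop(self, pkt):
        return None


def trace(nodes, start, pkt, max_hops=16):
    """Follow pkt from the node named `start`; return (status, path)."""
    owner = {addr: node for node in nodes for addr in node.addresses}
    node = next(n for n in nodes if n.name == start)
    path = [node.name]
    for _ in range(max_hops):
        if pkt.dst in node.addresses:
            return "delivered", path
        nh = node.next_hop(pkt)
        if nh is None or nh not in owner:
            return "dropped at " + node.name, path
        node = owner[nh]
        path.append(node.name)
    return "loop", path


def build_topology(vendor_next_hop):
    """Thread topology. 10.80.5.1, 10.10.66.1 and 10.10.16.33 are assumed
    placeholders (core SVIs, FTD interface in VLAN 628); the rest is from the post."""
    endpoint = Router("endpoint", ["10.80.5.51"],
                      routes=[("0.0.0.0/0", "10.80.5.1")])
    core = Router("nexus-core", ["10.80.5.1", "10.10.66.1"],
                  connected=["10.80.5.0/24", "10.10.66.0/24"],
                  routes=[("170.209.0.2/32", "10.10.66.66"),
                          ("170.209.0.3/32", "10.10.66.66")])
    ftd = Router("ftd", ["10.10.66.66", "10.10.16.33"],
                 connected=["10.10.66.0/24", "10.10.16.32/28"],
                 routes=[("170.209.0.2/32", "10.10.16.34"),
                         ("170.209.0.3/32", "10.10.16.34"),
                         ("10.80.5.0/24", "10.10.66.1")])
    dmz = L2Switch("dmz-3850", ["10.10.16.46"], default_gateway="10.10.66.1")
    vendor = Router("vendor-1841", ["10.10.16.34", "170.209.0.2", "170.209.0.3"],
                    connected=["10.10.16.32/28"],
                    routes=[("0.0.0.0/0", vendor_next_hop)])
    return [endpoint, core, ftd, dmz, vendor]


def compare_return_paths():
    """Request, then the reply with the vendor's next hop on the SVI vs on the FTD."""
    request = Packet("10.80.5.51", "170.209.0.3")
    reply = Packet("170.209.0.3", "10.80.5.51")
    return {
        "request": trace(build_topology("10.10.16.46"), "endpoint", request),
        "reply_via_svi": trace(build_topology("10.10.16.46"), "vendor-1841", reply),
        "reply_via_ftd": trace(build_topology("10.10.16.33"), "vendor-1841", reply),
    }


if __name__ == "__main__":
    for label, (status, path) in compare_return_paths().items():
        print(f"{label:14} {status:22} {' -> '.join(path)}")
```

Running it shows the request delivered through core, FTD and vendor router, the reply dropped at the 3850 when the vendor points at the SVI, and the reply delivered back through the FTD and core when the vendor points at the firewall's VLAN 628 interface instead. It does not model the FTD's own stateful check, so on a real FTD the asymmetric path would additionally show up as the capture seeing no reply, exactly as described above.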


Thank you for that info; that was actually on my mind earlier today, that I'd have them route traffic to the firewall and not the SVI.

We have this exact same design at our old Data Center (where the vendor's next hop is the SVI) and it works fine, but it's a traditional ASA 5510. At this new DC, we're using a virtual FMC with an HA pair of FTDs.

I'll try this tonight, thank you.