Routing problem between LAN - Firewall - VPN (DMZ)

felipi.santana
Level 1

Scenario:

3750 switch stack [192.168.0.1] (routing table below)

3850 switch stack used exclusively for the servers (routing table below)

We have a firewall facing the Internet (gateway 0.0.0.0 0.0.0.0 192.168.0.2).

We have a Fortigate DMZ.

Problem found:

We have a site-to-site VPN between our headquarters (through the Fortigate DMZ) and a branch X (IP: 10.104.x.x/16).

Through 1-to-1 NAT, every host on my LAN in network 0 (192.168.0.0/24) reaches that VPN, but none of our other LAN networks do.

To get out to the VPN, we should see the traffic passing through the firewall, but in troubleshooting I can only see traffic from network 0 to the VPN passing through it.

Any other network that tries to reach the VPN's IP is not even passing through the FIREWALL.

Within our own LAN we have a 10.10.10.x/24 subnet.

My impression is that it does not go out to the VPN because our core believes the network we are trying to reach is inside the LAN itself, and so it does not send it to the firewall for the firewall to forward it to the DMZ and reach that IP.

Look at these routes on the server switch:


10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.101.0/24 is directly connected, Vlan101
L 10.10.101.254/32 is directly connected, Vlan101
C 10.10.102.0/24 is directly connected, Vlan102
L 10.10.102.254/32 is directly connected, Vlan102

Now, I cannot understand how from NETWORK 0 (192.168.0.0/24) we reach the VPN while from any other network it is unreachable.

Anyone who can shed some light on this, I'd appreciate it.

Thanks in advance!


Routing Table - SERVER SWITCH

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [0/0] via 192.168.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.101.0/24 is directly connected, Vlan101
L 10.10.101.254/32 is directly connected, Vlan101
C 10.10.102.0/24 is directly connected, Vlan102
L 10.10.102.254/32 is directly connected, Vlan102
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Vlan100
L 192.168.0.126/32 is directly connected, Vlan100
192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.168.0/24 is directly connected, Vlan1
L 192.168.168.2/32 is directly connected, Vlan1


Routing Table - CORE SWITCH

Gateway of last resort is 192.168.0.2 to network 0.0.0.0

S 192.168.12.0/24 [1/0] via 192.168.110.3
S 192.168.29.0/24 [1/0] via 192.168.110.10
S 192.168.209.0/24 [1/0] via 192.168.110.3
C 192.192.192.0/24 is directly connected, Vlan500
S 192.168.13.0/24 [1/0] via 192.168.113.4
C 192.168.133.0/24 is directly connected, Vlan133
S 192.168.104.0/24 [1/0] via 192.168.110.3
S 192.168.31.0/24 [1/0] via 192.168.110.3
S 192.168.211.0/24 [1/0] via 192.168.110.3
S 192.168.90.0/24 [1/0] via 192.168.110.3
S 192.168.120.0/24 [1/0] via 192.168.110.2
S 192.168.210.0/24 [1/0] via 192.168.110.3
S 192.168.225.0/24 [1/0] via 192.168.0.200
S 192.168.8.0/24 [1/0] via 192.168.110.2
S 192.168.25.0/24 [1/0] via 192.168.0.200
C 192.168.110.0/24 is directly connected, Vlan110
C 192.168.230.0/24 is directly connected, Vlan400
S 192.168.9.0/24 [1/0] via 192.168.110.3
S 192.168.129.0/24 [1/0] via 192.168.0.239
S 192.168.212.0/24 [1/0] via 192.168.0.136
S 192.168.10.0/24 [1/0] via 192.168.110.3
S 192.168.108.0/24 [1/0] via 192.168.110.10
S 192.168.130.0/24 [1/0] via 192.168.230.2
C 192.168.26.0/24 is directly connected, Vlan26
S 192.168.11.0/24 [1/0] via 192.168.110.3
S 192.168.109.0/24 [1/0] via 192.168.110.3
S 192.168.131.0/24 [1/0] via 192.168.110.3
C 192.168.115.0/24 is directly connected, Vlan115
S 192.168.38.0/24 [1/0] via 192.168.0.239
S 192.168.114.0/24 [1/0] via 192.168.0.8
C 192.168.80.0/24 is directly connected, Vlan80
C 192.168.5.0/24 is directly connected, Vlan5
S 192.168.219.0/24 [1/0] via 192.168.110.3
C 192.168.113.0/24 is directly connected, Vlan113
S 192.168.23.0/24 [1/0] via 192.168.110.2
S 192.168.112.0/24 [1/0] via 192.168.110.3
S 192.168.22.0/24 [1/0] via 192.168.0.200
S 192.168.37.0/24 [1/0] via 192.168.0.239
S 192.168.34.0/24 [1/0] via 192.168.0.239
C 192.168.0.0/24 is directly connected, Vlan100
S 192.168.17.0/24 [1/0] via 192.168.117.4
S 192.168.137.0/24 [1/0] via 192.168.0.239
C 192.168.254.0/24 is directly connected, Vlan254
S 192.168.103.0/24 [1/0] via 192.168.110.3
S 192.168.138.0/24 [1/0] via 192.168.0.239
C 192.168.168.0/24 is directly connected, Vlan1
C 192.168.253.0/24 is directly connected, Vlan253
C 192.168.117.0/24 is directly connected, Vlan117
S 192.168.237.0/24 [1/0] via 192.168.110.2
S 192.168.3.0/24 [1/0] via 192.168.110.2
S 192.168.33.0/24 [1/0] via 192.168.133.4
S* 0.0.0.0/0 [1/0] via 192.168.0.2
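The forwarding decision the server switch makes for a branch address, as an added example that is not part of the thread: it parses the routing table posted above and performs the longest-prefix-match lookup the switch does. The destination 10.104.1.1 is a constructed sample inside the branch's 10.104.x.x/16 range; whether such a host is treated as local or handed to the default gateway depends only on whether a more specific 10.x route exists in the table.

```python
import ipaddress
import re

# Routing table of the server switch exactly as posted in the question.
SERVER_SWITCH_ROUTES = """
S* 0.0.0.0/0 [0/0] via 192.168.0.1
C 10.10.101.0/24 is directly connected, Vlan101
L 10.10.101.254/32 is directly connected, Vlan101
C 10.10.102.0/24 is directly connected, Vlan102
L 10.10.102.254/32 is directly connected, Vlan102
C 192.168.0.0/24 is directly connected, Vlan100
L 192.168.0.126/32 is directly connected, Vlan100
C 192.168.168.0/24 is directly connected, Vlan1
L 192.168.168.2/32 is directly connected, Vlan1
"""

# One 'show ip route' line: code, prefix, then either a next hop or an interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected, (?P<iface>\S+))"
)


def parse_routes(text):
    """Turn IOS routing-table lines into (network, code, via) tuples."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # summary lines such as '10.0.0.0/8 is variably subnetted'
        via = m.group("nexthop") or m.group("iface")
        routes.append((ipaddress.ip_network(m.group("prefix")), m.group("code"), via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


if __name__ == "__main__":
    table = parse_routes(SERVER_SWITCH_ROUTES)
    # Constructed sample host in the branch range 10.104.x.x/16.
    for dst in ("10.104.1.1", "10.10.101.7", "10.10.101.254"):
        print(dst, "->", lookup(table, dst))
```

Running the same lookup against the core switch table (with its 10.x routes, which the posted excerpt omits) tells you whether the core also falls through to 192.168.0.2 or has a more specific route that swallows the branch prefix.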


Ruben Cocheno
Spotlight

Felipi,

could you share the L3 topology?

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on LinkedIn https://www.linkedin.com/in/rubencocheno/