12-06-2023 01:22 PM
We are in the process of updating our network and I have an issue that I am not sure about. We have a data center and an office connected via a VPLS. Each site has its own firewall (FTD managed by FMC) and the vlans span the connection. The issue I am having is this.
I have a PC (PC1) that is on vlan 200 with an IP 192.168.1.100/24, default gateway 192.168.1.1, which is on the firewall (FW1) in the data center.
I have another PC (PC2) that is on vlan 201 with an IP 192.168.2.100, default gateway 192.168.2.2, which is on the firewall (FW2) in the office.
FW1 has vlans 200 and 201 with IP addresses 192.168.1.1 and 192.168.2.1
FW2 has vlans 200 and 201 with IP addresses 192.168.1.2 and 192.168.2.2
I need the two PCs to be able to talk to each other. I know what the issue is but not the resolution.
If I try to ping PC2 from PC1 I can't. I can ping other addresses on the same vlan. So what I figure is that when PC2 responds it does so using its default gateway, which is on a different firewall than PC1, and the response does not get back to PC1.
I am not sure how to get around this.
12-07-2023 01:44 AM - edited 12-07-2023 02:08 AM
If it is an ASA FW then you can use IPSec VPN with subnet overlapping.
This solves the subnet overlap issue in both FWs.
MHM
12-07-2023 02:04 AM
What does your overall networking diagram look like? I do not see any overlapping IP addresses.
If you have routing configured as expected, that should work as expected.
What does the FW1 and FW2 routing look like? How are these interfaces configured, and in what zone?
If you have DG 192.168.2.2 (then FW1 and FW2 should have routing pointing back to each other).
Make sure you have a proper ACP in place to allow subnet 192.168.1.X to 192.168.2.X and vice versa.
12-07-2023 05:43 AM - edited 12-07-2023 05:45 AM
Thanks for the response.
Here are the basics of what I want to do.
From 192.168.1.100 I can ping 192.168.2.3 and 192.168.2.4 but not 192.168.2.100
From 192.168.2.100 I can ping 192.168.1.3 and 192.168.1.4 but not 192.168.1.100
From 192.168.1.1 I can ping 192.168.1.100
From 192.168.2.1 I can ping 192.168.2.100
So I believe what is happening is that when 192.168.1.100 pings 192.168.2.100, 2.100 receives the ping but responds back to FW-2, which drops the traffic since it doesn't know anything about the request.
The goal is to have devices in the office have two default gateways, 192.168.x.2 and 192.168.x.1. This will mean that if for some reason 192.168.x.1 is not available it will use the other DG. Then the opposite for the Data Center.
I should also indicate I am using EIGRP for routing.
12-07-2023 06:00 AM
It seems that the overlap IPsec VPN is not suitable for you.
One workaround here is to not push the GW to the client in DHCP.
Let the client send a proxy ARP request to ask for the MAC of the GW, and the nearest FW will be selected as the GW.
MHM
12-07-2023 06:27 AM
Of course after posting this I figured it out. I was missing a setting for EIGRP on the firewalls. Under redistribution I added static and everything works now.
12-07-2023 08:18 AM
Glad you were able to resolve the issue. Sure, as I suggested, as long as the routing is in place that should work as expected.
12-07-2023 08:26 AM
Let's wait some time and see how routing solves the issue of asymmetric traffic with the FWs due to two GWs in the same subnet in two locations.
Keep monitoring.
MHM
01-09-2024 10:18 AM
So really strange. I changed the vlan my PC is connected to and have it set up so that it has two default gateways. So I tested, and as far as the WAN is concerned, if the first GW in the list goes down the system automatically starts using the second one in the list. So that works for us. But if my PC with 192.168.1.100, gw-1 192.168.1.2 and gw-2 192.168.1.1, tries to access the PC with 192.168.2.100, gw-1 192.168.1.1 and gw-2 192.168.2.1, then it can initially access it. This lasts for between 2-10 minutes, then I can no longer access it.