Routing

gcook0001
Level 1

We are in the process of updating our network and I have an issue that I am not sure about. We have a data center and an office connected via a VPLS. Each site has its own firewall (FTD managed by FMC) and the vlans span the connection. The issue I am having is this.

I have a PC (PC1) that is on VLAN 200 with IP 192.168.1.100/24 and default gateway 192.168.1.1, which is on the firewall (FW1) in the data center.

I have another PC (PC2) that is on VLAN 201 with IP 192.168.2.100 and default gateway 192.168.2.2, which is on the firewall (FW2) in the office.

FW1 has vlans 200 and 201 with IP addresses 192.168.1.1 and 192.168.2.1

FW2 has vlans 200 and 201 with IP addresses 192.168.1.2 and 192.168.2.2

I need the two PCs to be able to talk to each other. I know what the issue is but not the resolution. 

If I try to ping PC2 from PC1 I can't. I can ping other addresses on the same VLAN. So what I figure is that when PC2 responds it does so using its default gateway, which is on a different firewall than PC1, and the response does not get back to PC1.

I am not sure how to get around this.

8 Replies

If it is an ASA FW then you can use IPsec VPN with subnet overlapping.

This solves the subnet overlap issue in both FWs.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

MHM

balaji.bandi
Hall of Fame

What does your overall networking diagram look like? I do not see any overlapping IP addresses.

If you have routing configured as expected, that should work as expected.

What does the FW1 and FW2 routing look like? How are these interfaces configured, and in what zone?

If you have DG 192.168.2.2 (then FW1 and FW2 should have routing pointing back to each other).

Make sure you have a proper ACP in place to allow subnet 192.168.1.X to 192.168.2.X and vice versa.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the response.

Here are the basics of what I want to do.

(attached network diagram: gcook0001_2-1701956418648.png)

From 192.168.1.100 I can ping 192.168.2.3 and 192.168.2.4 but not 192.168.2.100

From 192.168.2.100 I can ping 192.168.1.3 and 192.168.1.4 but not 192.168.1.100

From 192.168.1.1 I can ping 192.168.1.100

From 192.168.2.1 I can ping 192.168.2.100

So I believe what is happening is that when 192.168.1.100 pings 192.168.2.100, 2.100 receives the ping but responds back to FW-2, which drops the traffic since it doesn't know anything about the request.

The goal is to have devices in the office have two default gateways, 192.168.x.2 and 192.168.x.1. This will mean that if for some reason 192.168.x.1 is not available it will use the other DG. Then the opposite for the data center.

I should also indicate I am using EIGRP for routing.
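An added illustration, not from this thread or from Cisco: a small Python model of the asymmetric-routing failure described in the original post and in the ping results above. It assumes each firewall is stateful and forwards a reply only if it saw the matching request; that both VLANs are stretched across the VPLS, so either firewall reaches hosts on either VLAN directly; and, as a constructed assumption the thread does not state, that the office hosts 192.168.2.3/.4 use FW1's 192.168.2.1 as their gateway, which is what would make them reachable from PC1 while PC2 (gateway FW2) is not. The names `StatefulFirewall`, `Host`, `ping` and `build_lab` are this example's own.

```python
"""Toy model of asymmetric routing through two stateful firewalls.

FW1 (data center) and FW2 (office) each hold an interface on VLAN 200
(192.168.1.0/24) and VLAN 201 (192.168.2.0/24); both VLANs are stretched
between the sites. Every host has exactly one default gateway. A stateful
firewall forwards a reply only when it holds a session for the request.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class StatefulFirewall:
    name: str
    sessions: set = field(default_factory=set)   # (src, dst) of requests seen
    log: list = field(default_factory=list)

    def forward(self, src: str, dst: str, is_reply: bool) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if not is_reply:
            # A new request creates state on whichever firewall routes it.
            self.sessions.add((src, dst))
            self.log.append(f"{self.name}: new session {src} -> {dst}")
            return True
        if (dst, src) in self.sessions:
            # Reply matches a request this firewall actually saw.
            self.log.append(f"{self.name}: reply {src} -> {dst} matches session")
            return True
        # Reply for a request that went through the *other* firewall.
        self.log.append(f"{self.name}: DROP reply {src} -> {dst}, no session")
        return False


@dataclass
class Host:
    ip: str
    network: str                 # on-link prefix, e.g. "192.168.1.0/24"
    gateway: StatefulFirewall    # the single default gateway

    def send(self, dst: str, is_reply: bool) -> bool:
        """Deliver directly if dst is on-link, else hand to the default gateway."""
        if ip_address(dst) in ip_network(self.network):
            return True          # same VLAN: no firewall in the path
        return self.gateway.forward(self.ip, dst, is_reply)


def ping(src: Host, dst: Host) -> tuple[bool, bool]:
    """Return (request_delivered, reply_delivered) for one echo exchange."""
    request_ok = src.send(dst.ip, is_reply=False)
    if not request_ok:
        return False, False
    reply_ok = dst.send(src.ip, is_reply=True)
    return request_ok, reply_ok


def build_lab() -> tuple[StatefulFirewall, StatefulFirewall, dict[str, Host]]:
    """Hosts from the thread plus one constructed office host using FW1."""
    fw1 = StatefulFirewall("FW1")
    fw2 = StatefulFirewall("FW2")
    hosts = {
        "PC1": Host("192.168.1.100", "192.168.1.0/24", fw1),  # gw 192.168.1.1
        "PC2": Host("192.168.2.100", "192.168.2.0/24", fw2),  # gw 192.168.2.2
        # Assumption (not stated in the thread): 192.168.2.3 uses FW1's
        # 192.168.2.1 as gateway, which explains why PC1 can reach it.
        "H3": Host("192.168.2.3", "192.168.2.0/24", fw1),
    }
    return fw1, fw2, hosts


if __name__ == "__main__":
    fw1, fw2, hosts = build_lab()
    print("PC1 -> 2.3  :", ping(hosts["PC1"], hosts["H3"]))    # (True, True)
    print("PC1 -> PC2  :", ping(hosts["PC1"], hosts["PC2"]))   # (True, False)
    print("PC2 -> PC1  :", ping(hosts["PC2"], hosts["PC1"]))   # (True, False)
    for line in fw1.log + fw2.log:
        print(line)
```

Running it reproduces the symptom: the request always arrives, because the sending firewall creates state and both VLANs are on-link for it, but the reply from a host whose gateway is the other firewall is dropped there for lack of a session. Giving both endpoints the same gateway (or otherwise forcing the return path through the firewall that saw the request) is what makes the exchange symmetric in this model.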

It seems that the overlap IPsec VPN is not suitable for you.

One workaround here is to not push the GW in DHCP to the client.

Let the client send a proxy ARP request to ask for the MAC of the GW, and the nearest FW will be selected as the GW.

MHM

gcook0001
Level 1

Of course, after posting this I figured it out. I was missing a setting for EIGRP on the firewalls. Under redistribution I added static and everything works now.

Glad you were able to resolve the issue. Sure, as I suggested, as long as the routing is in place it should work as expected.


BB


Let's wait some time and see how routing solves the issue of asymmetric traffic with FWs due to two GWs in the same subnet at two locations.

Keep monitoring.

MHM

gcook0001
Level 1

So, really strange. I changed the VLAN my PC is connected to and have it set up so that it has two default gateways. So I tested, and as far as the WAN is concerned, if the first GW in the list goes down the system automatically starts using the second one in the list. So that works for us. But if my PC with 192.168.1.100, gw-1 192.168.1.2 and gw-2 192.168.1.1, tries to access the PC with 192.168.2.100, gw-1 192.168.1.1 and gw-2 192.168.2.1, then it can initially access it. This lasts for between 2 and 10 minutes, then I can no longer access it.
