I don't see how this post

Hanif Saharudin · ‎05-20-2017

Dear Experts,

We have installed Cisco ISR(ISR_1 and ISR_2) and Cisco FW(FW_1 & FW_2) as per photo below.

I already perform PERMITALL to each FW. So no blocking issue in FW.

We perform test FW_1 to FW_2 (using cross cable)without ISR, all the VLAN able to ping each other.

My question why we not able to reach at VLAN 514,515 and 516 to VLAN 114, 115, 116 after implementing ISR devices.

VLAN 514: 10.5.14.0/24 10.5.14.254 VLAN 114: 10.51.14.0/24 10.51.14.254

VLAN 515: 10.5.15.0/24 10.5.15.254 VLAN 115: 10.51.15.0/24 10.51.15.254

VLAN 516: 10.5.16.0/24 10.5.16.254 VLAN 116: 10.51.16.0/24 10.51.16.254

Is it that issue on FW config or ISR config? Really need help on solving this issue.

Thanks.

Regards,

Hanif

D_Lebedev · ‎05-20-2017

Hi,

To solve your issue you have configure trunk port on each interface:

1) ISR1---ISR2

2)ISR1--FW1

3) ISR2--FW2

As in your scenario,intervlan routing on fws needs trunk ports outside of firewall.

Hope it helps.

Jon Marshall · ‎05-20-2017

You do not need to configure trunks between all the devices in this scenario.

Providing the firewalls allow the traffic and the routing is setup correctly it should work fine.

Jon

Siti Mas Hidayu Ab Gapor · ‎05-21-2017

Jon Marshall · ‎05-22-2017

I don't see how this post relates to the original problem.

Did you see my first post about the missing routes on ISR_1 ?

Jon

Jon Marshall · ‎05-20-2017

The routing table on ISR_1 does not have routes for the 51x vlans.

Is the interface between FW_1 and ISR_1 up on the the ISR ?

Jon

VLAN not able reach after applied ISR device