Network with double Firewall

battanc
Level 1

I have a network with 2 firewalls, an old one (I think Fortigate) and a new Cisco ASA (5515, 9.1.2).
Different VLANs, one of which is for "Server" and one is the DMZ.
Both have NATs (over 40 object NATs, PAT in reality) to publish services.
The default gateway of the DMZ is the "old" firewall, while the "Server" VLAN is routed by a Layer-3 switch.
With reference to the attached diagram, the current DG is CORSWT01, which routes all the "external" traffic to the "old" firewall.
There is also a new Layer-3 switch (MILSWT01) that routes all the "external" traffic to the "new" firewall.

First problem:
NAT on the new firewall does not work, neither for the machines in the DMZ nor for the machines on the (routed) "Server" VLAN.
The internal machines respond to calls from "outside" only if I configure a second DG, but this causes me other problems.

Second problem:
With the client VPN I can reach machines on the "Server" VLAN because the Layer-3 switch has a route to the IP class of the VPN clients.
But I DO NOT reach the machines in the DMZ, even though the ACL also includes this IP class.

Any idea?

1 Reply

Marvin Rhoads
Hall of Fame

A quick look at your ASA configuration tells me it looks to be correct at a high level. I haven't parsed through all the ASDM-created DMINLINE objects.

You should move down your statements:

object network N_CLIENT-COR
 nat (INSIDE,OUTSIDE) dynamic interface
object network N_SERVER
 nat (INSIDE,OUTSIDE) dynamic interface

...so that they fall below the other inside,outside statements.

However, as long as the default gateway is routing all traffic to the old firewall, how would any client traffic (initiated or responding) ever know to use the path via MILSWT01 and the new firewall?
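To make that asymmetric path concrete, here is an added example in Python (not from the thread, not Cisco code): a toy model of two stateful firewalls that both publish the same DMZ host, with constructed names, addresses and ports. A connection translated by the new firewall is answered through the host's default gateway, the old firewall, which has no matching connection and drops the reply; moving the default gateway is what puts the reply on the same path as the request.

```python
# Added example, not from the thread: a toy model of two stateful firewalls
# publishing the same DMZ host, to show why NAT through the new firewall
# fails while the host's default gateway is still the old one.
# Hosts, addresses and ports below are constructed.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    name: str
    pat: dict                               # public port -> (host, port)
    conns: set = field(default_factory=set)  # tracked (client, host, port)

    def inbound(self, client, dport):
        """Translate an inbound packet and record the connection."""
        if dport not in self.pat:
            return None
        host, port = self.pat[dport]
        self.conns.add((client, host, port))
        return host, port

    def outbound_reply(self, client, host, port):
        """Only a reply matching a tracked connection is allowed out."""
        return (client, host, port) in self.conns

def build_topology():
    """Both firewalls publish TCP/443 of one DMZ host; its gateway is OLD."""
    dmz_host = "10.20.0.10"
    firewalls = {name: StatefulFirewall(name, {443: (dmz_host, 443)})
                 for name in ("OLD", "NEW")}
    return firewalls, {dmz_host: "OLD"}

def deliver(firewalls, default_gw, client, dport, via):
    """One inbound connection to the public side of firewall `via`."""
    entry = firewalls[via].inbound(client, dport)
    if entry is None:
        return "no NAT rule"
    host, port = entry
    # The reply follows the host's default gateway, not the ingress path.
    reply_fw = firewalls[default_gw[host]]
    if reply_fw.outbound_reply(client, host, port):
        return "established"
    return f"reply dropped by {reply_fw.name}: no tracked connection"

if __name__ == "__main__":
    fws, gw = build_topology()
    print("via OLD:", deliver(fws, gw, "203.0.113.5", 443, "OLD"))
    print("via NEW:", deliver(fws, gw, "203.0.113.6", 443, "NEW"))
    gw["10.20.0.10"] = "NEW"   # move the DMZ default gateway to the new box
    print("via NEW after move:", deliver(fws, gw, "203.0.113.7", 443, "NEW"))
```

The same model applies to the VPN case in the question: a DMZ host whose default gateway is the old firewall sends its replies to the VPN client pool there, not back through the ASA that terminates the VPN.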