Firewall back to back.

psaravanan
Level 1

Hi friends,

I have a doubt about the following scenario.

Internet router ----------> Internet firewall ----------> Dept firewall ----------> users
1.2.3.50   1.2.2.1/29       1.2.2.2/29   1.2.2.9/29      1.2.2.10/29   192.168.10.2/24
                            (context firewall)           (VPN tunnel)

In the above scenario, I am using a site-to-site VPN from the Dept firewall, over the Internet, to another location of the same department.

I can ping 4.2.2.2 from the Internet firewall's outside interface, but I can't ping it from its inside interface or from the Dept firewall.

Internet router config:

hostname Internet-router
!
interface GigabitEthernet0/0
 ip address 1.2.3.50 255.255.255.252
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address 1.2.2.1 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/1.5
!

Internet Firewall:

ASA Version 8.3(1) <context>
!
hostname Internet-FW1
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 1.2.2.9 255.255.255.248
!
interface Ethernet0/0.5
 nameif outside
 security-level 0
 ip address 1.2.2.2 255.255.255.248
!
icmp permit host 1.2.2.1 outside
icmp permit any inside
!
object network WAN-inside
 subnet 1.2.2.1 255.255.255.248
 nat (inside,outside) dynamic interface
!
access-list 102 extended permit ip 192.168.10.0 255.255.255.0 any
access-list 102 extended permit ip 1.2.2.8 255.255.255.248 any
access-group 102 in interface inside

Dept Firewall:

ASA Version 8.3(1)
!
hostname Dept-1-Firewall
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.2.10 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
object network internet-inside
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 1.2.2.9
route inside 192.168.10.0 255.255.255.0 192.168.10.1
!
access-list 103 extended permit ip 192.168.10.0 255.255.255.0 any
access-group 103 in interface inside

I need Internet access from the user end, and I also need to be able to ping 4.2.2.2 in order to create a VPN tunnel to the other end.

Thanks in advance.

Regards,

Saravanan

1 Reply

padatta
Level 1

Hi,

Please paste a 'show service-policy' and 'show run policy-map' from the Internet firewall.

Run 'debug icmp trace' on the Internet firewall, ping 4.2.2.2 from the Dept firewall and check what you get in the debugs. You should see the request PATed to the external address.

When behind a firewall, ping is not always the best way to check connectivity, as ICMP might be blocked. Have you tried browsing from the 'user' subnet?

If none of the above help, please paste the entire config from both the Internet and Dept firewalls. Any syslogs obtained during testing will help.

Paps
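Before running the debugs suggested above, the address arithmetic in the two posted configs can be checked offline. The script below is an added example and is not part of either post; it reduces the posted Internet-router, Internet-FW1 and Dept-1-Firewall configs to the lines that decide how a packet from the Dept firewall is translated and routed back, then applies the same normalisation the devices do. It assumes the configs on the devices match what was posted (in particular that object WAN-inside really is 'subnet 1.2.2.1 255.255.255.248', which the ASA stores as the network 1.2.2.0/29), and that 'nat ... dynamic interface' on the Dept firewall PATs user traffic to its outside address. Only the Python standard library is used.

```python
"""Offline sanity check of the posted back-to-back firewall topology.

Constructed input: the three config snippets below are copied from the
configs posted in the thread and trimmed to the lines this check needs.
Nothing here connects to a device; it only reproduces the address
arithmetic a packet is subjected to on the path Dept FW -> Internet FW -> router.
"""
import ipaddress
import re

INTERNET_FW = """
interface Ethernet0/2
 nameif inside
 ip address 1.2.2.9 255.255.255.248
interface Ethernet0/0.5
 nameif outside
 ip address 1.2.2.2 255.255.255.248
object network WAN-inside
 subnet 1.2.2.1 255.255.255.248
 nat (inside,outside) dynamic interface
"""

DEPT_FW = """
interface Ethernet0/0
 nameif outside
 ip address 1.2.2.10 255.255.255.248
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.2 255.255.255.0
object network internet-inside
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.2.2.9
"""

ROUTER = """
interface GigabitEthernet0/0
 ip address 1.2.3.50 255.255.255.252
interface GigabitEthernet0/1.5
 ip address 1.2.2.1 255.255.255.248
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/1.5
"""


def parse_subnets(config):
    """Return {object name: network} for every 'object network ... subnet' block."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+subnet (\S+) (\S+)", line)
        if m and current:
            # strict=False clears host bits, so 1.2.2.1/29 becomes 1.2.2.0/29,
            # which is the network the ASA actually matches on.
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objects


def parse_interfaces(config):
    """Return {name: ip_interface}; ASA interfaces are keyed by nameif, IOS ones by interface name."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+nameif (\S+)", line)
        if m and current:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_routes(config):
    """Return [(network, egress)] from IOS 'ip route' and ASA 'route <nameif>' lines."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"^ip route (\S+) (\S+) (\S+)", line) or \
            re.match(r"^route \S+ (\S+) (\S+) (\S+)", line)
        if m:
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)))
    return routes


def lookup(dest, routes, ifaces):
    """Longest-prefix match over connected networks and static routes; returns the egress label."""
    dest = ipaddress.ip_address(dest)
    candidates = [(i.network, f"connected {name}") for name, i in ifaces.items()] + list(routes)
    matches = [(net.prefixlen, egress) for net, egress in candidates if dest in net]
    return max(matches)[1] if matches else None


def check_topology():
    """Return a list of findings about how Dept-FW traffic is translated and routed back."""
    findings = []
    fw_objects = parse_subnets(INTERNET_FW)
    dept_pat = parse_interfaces(DEPT_FW)["outside"].ip   # 'dynamic interface' PAT address
    if dept_pat not in fw_objects["WAN-inside"]:
        findings.append(f"Internet-FW1 object WAN-inside is {fw_objects['WAN-inside']}; the Dept "
                        f"firewall's PAT address {dept_pat} is not in it, so its inside->outside "
                        f"dynamic NAT rule never matches that traffic")
    egress = lookup(dept_pat, parse_routes(ROUTER), parse_interfaces(ROUTER))
    if egress != "GigabitEthernet0/1.5":
        findings.append(f"Internet-router forwards replies to {dept_pat} via {egress}, not back "
                        f"toward the firewall on GigabitEthernet0/1.5")
    return findings


if __name__ == "__main__":
    for finding in check_topology():
        print("-", finding)
```

Both findings follow purely from the posted text: the object as typed covers 1.2.2.0 to 1.2.2.7, while the Dept firewall sits in 1.2.2.8/29, and the router has a route for 192.168.10.0/24 but none for 1.2.2.8/29. The 'debug icmp trace' suggested in the reply is the on-device way to confirm whether the echo request leaving the Internet firewall really carries the translated outside address.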
