06-23-2014 07:29 AM
I have a network with 2 Firewalls, an old one (I think Fortigate) and a new Cisco/ASA (5515, 9.1.2).
Different VLANs, one of which is for "Server" and one is the DMZ.
Both have NATs (over 40 object-NATs, PAT in reality) to publish services.
The default gateway of the DMZ is the "old" firewall, while the VLAN "Server" is routed by a Layer-3 switch.
With reference to the attached diagram, the current DG is CORSWT01, which routes all the "external" traffic to the "old" firewall.
There is also a new Layer-3 switch (MILSWT01) that routes all the "external" traffic to the "new" firewall.
First problem:
NAT on the new firewall does not work, neither for the machines in the DMZ nor for the machines on VLAN "Server" (routed).
The internal machines respond to calls from "outside" only if I configure a second DG, but this causes me other problems.
Second problem:
With client VPN I can reach machines on VLAN "Server" because the Switch Layer-3 has a route to the IP address of the client class.
But I DO NOT reach the machines in the DMZ, despite the ACL also incorporating this IP class.
Any idea?
06-23-2014 09:17 AM
A quick look at your ASA configuration tells me it looks to be at a high level correct. I haven't parsed through all the ASDM-created DMINLINE objects.
You should move down your statements:
    object network N_CLIENT-COR
     nat (INSIDE,OUTSIDE) dynamic interface
    object network N_SERVER
     nat (INSIDE,OUTSIDE) dynamic interface
...so that they fall below the other inside,outside statements.
However, as long as the default gateway is routing all traffic to the old firewall, how would any client traffic (initiated or responding) ever know to use the path via MILSWT01 and the new firewall?
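Added illustration of the asymmetric-routing point in the reply above (not code from the thread or from Cisco): a toy stateful-PAT model in which the server's reply to an inbound connection follows the server VLAN's default gateway. Firewall names, addresses (RFC 5737 ranges) and the published service are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class StatefulFirewall:
    """Static PAT plus a connection table: replies pass only for connections it saw."""
    pat: dict                                  # (outside_ip, port) -> (inside_ip, port)
    conns: dict = field(default_factory=dict)  # (inside_ip, iport, client, cport) -> (outside_ip, oport)

    def inbound(self, pkt):
        """Translate an Internet-originated packet and record the connection."""
        target = self.pat.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # nothing published on that address/port: dropped
        self.conns[(target[0], target[1], pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, target[0], pkt.sport, target[1])

    def outbound(self, pkt):
        """Untranslate a reply; drop it when this firewall never saw the connection."""
        outside = self.conns.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if outside is None:
            return None  # SYN-ACK for a flow this firewall has no state for: dropped
        return Packet(outside[0], pkt.dst, outside[1], pkt.dport)

def build_firewalls():
    """Both firewalls publish the same server on 443 (constructed RFC 5737 addresses)."""
    new_fw = StatefulFirewall({("198.51.100.5", 443): ("10.10.20.5", 443)})  # the ASA
    old_fw = StatefulFirewall({("198.51.100.1", 443): ("10.10.20.5", 443)})  # old firewall
    return new_fw, old_fw

def run(reply_gateway_fw, new_fw):
    """Inbound SYN arrives via the ASA; the server's SYN-ACK leaves via its default gateway."""
    syn = Packet("203.0.113.10", "198.51.100.5", 40000, 443)
    delivered = new_fw.inbound(syn)
    synack = Packet(delivered.dst, delivered.src, delivered.dport, delivered.sport)
    return reply_gateway_fw.outbound(synack)

def asymmetric_path():
    new_fw, old_fw = build_firewalls()
    return run(old_fw, new_fw)  # CORSWT01 default route -> old firewall -> None (dropped)

def symmetric_path():
    new_fw, _ = build_firewalls()
    return run(new_fw, new_fw)  # reply routed back via the ASA -> untranslated SYN-ACK
```

The same model explains the VPN symptom: the DMZ's default gateway is the old firewall, so replies to VPN clients terminated on the ASA never return through the device holding the connection state.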