Question about routes

Unanswered Question
Aug 18th, 2010

Hello everyone,

I have 2 redundant layer 3 switches which are connected to the core router. The switches are also connected to the redundant firewalls.

ISP Network
   Core Router
Redundant Layer 3Core Switch ----------Redundant Firewalls -------- VPN Router---------Core Router ---------Internet  

We have a default route on the Core switch saying all traffic goes towards the Core Router. I add a route on the Firewall saying that a host ( should go towards the VPN router. I add a NAT statement to NAT the traffic towards the VPN router and out the Internet. When I ping from the firewall to it doesn't ping. However, when I remove the NATs and the routes it pings.

My question is: if there is a default route on the switch pointing to the core router, then will another specific static route on the firewall towards the VPN router work? It should work, since it's logical that I am pinging from the firewall.

This is my nat statement

nat (inside) 10 access-list site_to_site

global (vpn-network) 10

access-list site_to_site extended permit ip object-group internal_hosts host


KARUPPUCHAMY MA... Wed, 08/18/2010 - 19:17


Your NAT configuration is perfectly OK. After configuring NAT on the firewalls, have you tried to ping from the core switch?

One more thing: which core router does the default route point towards? Since you have mentioned two core routers, I am a bit confused.

If you have the default route pointing towards the ISP core router, then you need to configure specific routes towards the firewall to reach the internet.



sidcracker Wed, 08/18/2010 - 19:34

Hi Samy,

The default route goes towards the ISP Router from the switch. Even if this is the case, since I have a default route on the firewall telling it to pass traffic towards the VPN router, isn't it logical that if I am pinging from the firewall it should pass towards the VPN router? The switches are behind the firewall so it won't even be looking at that side.


KARUPPUCHAMY MA... Wed, 08/18/2010 - 19:39


If you have default routes on the firewall towards the VPN, then there is no need for specific routes.

I am saying that after you have done NAT on the firewall, have you tried to ping the 20.xx.xx.xx IP from the core switch?



Jigar Dave Wed, 08/18/2010 - 21:34

Hi Sidcracker,

Only permitted traffic is allowed to pass through the firewall, meaning if you have allowed ping (ICMP type 8) in the firewall then only does it cross the firewall; otherwise it drops at the firewall. Other config is OK.

Hope this helps a bit in troubleshooting this.
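The point the replies circle around is that every device in the path does its own longest-prefix-match lookup, so a default route on the core switch decides where a ping sent from the switch goes before the firewall's static route or NAT is ever consulted, and that transit traffic also has to pass the firewall's ICMP permit. The following toy model, added here as an illustration and not code from any poster, walks a packet hop by hop over a constructed topology. All device names, prefixes and addresses (the 10.0.0.0/24 inside network, the 203.0.113.10 VPN-side host, the 198.51.100.5 global address) are assumed placeholders standing in for the thread's object-group internal_hosts, the truncated host and the vpn-network global pool.

```python
"""Hop-by-hop route lookup model (added example, not from the thread).

Each device does its own longest-prefix match; a default route on the
core switch never influences a lookup done on the firewall.  All names
and addresses are constructed placeholders.
"""
import ipaddress

# Constructed routing tables: device -> list of (prefix, next-hop device).
# The core switch's only route is the default towards the ISP core router,
# as the original poster describes.
ROUTES = {
    "core-switch": [("0.0.0.0/0", "isp-core-router")],
    "firewall": [
        ("10.0.0.0/24", "core-switch"),   # inside network (assumed)
        ("0.0.0.0/0", "vpn-router"),      # firewall default towards VPN router
    ],
    "vpn-router": [("0.0.0.0/0", "core-router")],
    "core-router": [("0.0.0.0/0", "internet")],
    "isp-core-router": [("0.0.0.0/0", "internet")],
}

# Same topology with the fix Samy describes: a specific route on the switch
# that steers the VPN-side host towards the firewall.
ROUTES_WITH_FIX = {
    **ROUTES,
    "core-switch": ROUTES["core-switch"] + [("203.0.113.10/32", "firewall")],
}

# Constructed stand-in for "access-list site_to_site": (source, destination)
# pairs that the policy NAT on the firewall translates.
SITE_TO_SITE_ACL = [("10.0.0.0/24", "203.0.113.10/32")]
NAT_GLOBAL_IP = "198.51.100.5"   # assumed address behind "global (vpn-network) 10"


def lookup(routes, device, dst):
    """Longest-prefix match in one device's table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def nat_source(src, dst):
    """Return the translated source if (src, dst) matches the NAT ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in SITE_TO_SITE_ACL:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return NAT_GLOBAL_IP
    return src


def trace(routes, start, src, dst, proto="icmp", icmp_permitted=True):
    """Follow a packet from `start`; returns (list of hops, final source IP).

    The firewall's ACL and NAT apply only to traffic transiting it, which
    is why the replies ask whether the ping was tried from the core switch.
    """
    path, device, cur_src = [start], start, src
    for _ in range(10):                      # loop guard
        if device == "firewall" and device != start:
            if proto == "icmp" and not icmp_permitted:
                path.append("dropped:firewall-acl")
                return path, cur_src
            cur_src = nat_source(cur_src, dst)
        next_hop = lookup(routes, device, dst)
        if next_hop is None:
            path.append("dropped:no-route")
            return path, cur_src
        path.append(next_hop)
        if next_hop == "internet":
            return path, cur_src
        device = next_hop
    path.append("dropped:loop")
    return path, cur_src


if __name__ == "__main__":
    for table, label in ((ROUTES, "switch default only"),
                         (ROUTES_WITH_FIX, "switch with specific route")):
        print(label, "->", trace(table, "core-switch", "10.0.0.5", "203.0.113.10"))
    print("ICMP not permitted ->",
          trace(ROUTES_WITH_FIX, "core-switch", "10.0.0.5",
                "203.0.113.10", icmp_permitted=False))
```

Running it shows the three outcomes discussed in the thread: with only the default route, a ping from the switch goes straight to the ISP core router and never sees the firewall's NAT or static route; with a specific route on the switch it transits the firewall, gets translated and reaches the VPN router; and if ICMP is not permitted on the firewall it is dropped there regardless of routing.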
