Question about routes

sidcracker
Level 1

Hello everyone,

I have 2 redundant layer 3 switches which are connected to the core router. The switches are also connected to the redundant firewalls.

ISP Network
       |
       |
       |
       |
   Core Router
       |
       |
       |
       |
Redundant Layer 3 Core Switch ----------Redundant Firewalls -------- VPN Router---------Core Router ---------Internet

We have a default route on the Core switch saying all traffic goes towards the Core Router. I add a route on the Firewall saying that a host (20.20.20.20) should go towards the VPN router. I add a NAT statement to NAT the traffic towards the VPN router and out to the Internet. When I ping from the firewall to 20.20.20.20 it doesn't ping. However, when I remove the NATs and the routes it pings.

My question is: if there is a default route on the switch pointing to the core router, then will another specific static route on the firewall towards the VPN router work? It should work, since it's logical that I am pinging from the firewall.

This is my nat statement

nat (inside) 10 access-list site_to_site

global (vpn-network) 10 192.168.10.20

access-list site_to_site extended permit ip object-group internal_hosts host 20.20.20.20

Thanks

4 Replies

Hi,

Your NAT configuration is perfectly OK. After configuring NAT on the firewalls, have you tried to ping from the core switch?

One more thing: which core router does the default route point towards? Since you have mentioned two core routers, I am a bit confused.

If you have the default route pointing towards the ISP core router, then you need to configure specific routes towards the firewall to reach the Internet.

Thanks

Samy

Hi Samy,

The default route goes towards the ISP Router from the switch. Even if this is the case, since I have a default route on the firewall telling it to pass traffic towards the VPN router, isn't it logical that if I am pinging from the firewall it should pass towards the VPN router? The switches are behind the firewall so it won't even be looking at that side.

Thanks

Hi,

If you have a default route on the firewall towards the VPN, then there is no need for specific routes.

I am saying that after you have done NAT on the firewall, have you tried to ping the 20.xx.xx.xx IP from the core switch?

Thanks

Samy

Hi Sidcracker,

Only permitted traffic is allowed to pass through the firewall, meaning that if you have allowed ping (ICMP type 8) in the firewall then only it crosses the firewall; otherwise it drops at the firewall. The other config is OK.

Hope this helps a bit in troubleshooting this.

Thanks,

Jigar
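The behaviour the question and Jigar's reply turn on can be checked offline: a firewall does its own longest-prefix-match lookup (a /32 host route beats 0.0.0.0/0 regardless of what the switch's default route says), the policy NAT only fires for packets matching the site_to_site ACL, and an interface ACL that does not permit ICMP echo drops the ping before routing or NAT matter. The following is an added Python model written for this thread, not configuration or code from the original posts or from Cisco. The next-hop addresses, the membership of object-group internal_hosts and the contents of the interface ACL are constructed assumptions; only 20.20.20.20, 192.168.10.20 and the ACL/NAT names come from the post.

```python
"""Longest-prefix-match routing, policy NAT and ACL permit, modelled in Python.

Constructed example for the thread above. Next hops, the internal_hosts
membership and the permitted-traffic set are assumptions, not from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address
    description: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins).

    A 0.0.0.0/0 default route covers every destination, but a /32 host
    route for the same address is more specific and is preferred, so the
    switch's default route has no bearing on what the firewall itself does.
    """
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Firewall routing table. Both next-hop addresses are assumed.
FIREWALL_ROUTES = [
    Route(ip_network("0.0.0.0/0"), ip_address("10.0.0.1"), "default route"),
    Route(ip_network("20.20.20.20/32"), ip_address("192.168.10.1"), "static via VPN router"),
]

# Assumed membership of object-group internal_hosts.
INTERNAL_HOSTS = [ip_network("10.1.1.0/24")]

# Interface ACL modelled as (protocol, icmp_type-or-None) pairs it permits.
# Jigar's point: without ("icmp", 8) an echo request is dropped at the firewall.
PERMITTED = {("icmp", 8), ("tcp", None)}


def site_to_site_matches(src: str, dst: str) -> bool:
    """Model of: access-list site_to_site extended permit ip
    object-group internal_hosts host 20.20.20.20"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in net for net in INTERNAL_HOSTS) and d == ip_address("20.20.20.20")


def translate_source(src: str, dst: str) -> IPv4Address:
    """Model of: nat (inside) 10 access-list site_to_site /
    global (vpn-network) 10 192.168.10.20

    Packets matching the policy ACL leave with source 192.168.10.20;
    anything else is left untranslated in this simplified model.
    """
    if site_to_site_matches(src, dst):
        return ip_address("192.168.10.20")
    return ip_address(src)


def forward(src: str, dst: str, proto: str = "icmp", icmp_type: Optional[int] = 8) -> dict:
    """Simulate one packet: interface ACL, then route lookup, then policy NAT."""
    if (proto, icmp_type) not in PERMITTED:
        return {"action": "drop", "reason": "not permitted by interface ACL"}
    route = lookup(FIREWALL_ROUTES, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    return {
        "action": "forward",
        "next_hop": str(route.next_hop),
        "via": route.description,
        "src": str(translate_source(src, dst)),
    }


if __name__ == "__main__":
    # Constructed sample packets.
    print(forward("10.1.1.5", "20.20.20.20"))            # via VPN router, source NATed
    print(forward("10.1.1.5", "8.8.8.8"))                # default route, no NAT
    print(forward("10.1.1.5", "20.20.20.20", "icmp", 0))  # echo reply not permitted: drop
```

Running the block prints the three decisions; the first shows the /32 being chosen over the default route and the NAT applied, the second the default route with the source untouched, and the third an ICMP type that the modelled ACL does not permit being dropped before any route lookup.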
