How to check if server is behind a firewall or not.

Answered Question
May 23rd, 2014
Hi Everyone,

For one of our customers' remote sites I need to open some specific ports between the servers.

For this I need to configure the ACLs on the firewalls.

Say:
  • Source is 192.168.50.x
  • Source is 172.16.10.x
  • Source is 172.30.50.x
  • Destination is 172.16.10.x

I do not know the detailed network topology at the remote site.

I know the servers' default gateway, and traffic from the source server to the destination goes via a few firewalls.

I need to confirm: if I need to track which firewalls the traffic flows through from the source to the destination server, is the best way to remote in to the server gateway, do "sh ip route 172.16.10.x", and check whether the next-hop device is a firewall or not?

Also, in some cases the source and destination servers are on the same subnet, so in this case can I assume no ACL is needed as they are behind the same network?

Regards

Mahesh

Correct Answer
Marvin Rhoads Sat, 05/24/2014 - 07:53
User Badges: Super Silver (17500 points or more), Hall of Fame, Cisco Designated VIP 2017 (Firewalling, Network Management, VPN)

Mahesh,

If your remote partner is using the same private network addressing as you (172.16.10.0 network) then you will have to use some NAT to change how they appear to your sources. Otherwise they won't be able to distinguish the path to "your" 172.16.10.0 subnet from "theirs". You will also have to NAT your sources in the 172.16.10.0 network to appear as something else to them or else they will have the same problem.

There are a couple of good external sites with examples of how this works. Please refer to this packetu.com posting and this packetpushers one.
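The two checks discussed in this thread, the question's "look at the gateway's route and see whether the next hop is a firewall / whether both servers share a subnet" and the answer's "overlapping address space needs NAT before an ACL can even name both sides", as an added worked example that is not part of the original posts. The `show ip route` excerpt, the prefixes, the next-hop addresses and the mapping of next hops to firewall names are all constructed assumptions; on a real site you would paste the gateway's actual output and fill the firewall map from your own inventory.

```python
"""Pre-ACL planning checks for traffic between two servers.

Added example (not from the forum thread). Parses a constructed IOS
'show ip route' excerpt taken from the source server's gateway, does a
longest-prefix lookup for the destination, reports whether the next hop
is a known firewall, decides whether source and destination share a
directly connected subnet (no firewall hop, so no ACL on that hop), and
flags local/remote prefixes that overlap, which is the case that needs
NAT before any ACL can distinguish the two sides.
"""
import ipaddress
import re

# Constructed sample of 'show ip route' output; every prefix, next hop
# and interface below is an assumption, not data from the thread.
SAMPLE_ROUTE_TABLE = """\
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
C     192.168.50.0/24 is directly connected, GigabitEthernet0/0
C     172.30.50.0/24 is directly connected, GigabitEthernet0/1
S     172.16.0.0/16 [1/0] via 10.0.0.5
S     172.16.10.0/24 [1/0] via 10.0.0.9
"""

# Which next-hop addresses are firewalls is site knowledge; this map is
# a constructed assumption standing in for your own inventory.
KNOWN_FIREWALLS = {"10.0.0.1": "edge-fw", "10.0.0.9": "dmz-fw"}

# Matches static/connected/default lines of the IOS route table format
# used above: "<code> <prefix> [ad/metric] via <hop>" or
# "<code> <prefix> is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^\S+\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected,\s+(?P<iface>\S+))"
)


def parse_routes(text):
    """Return a list of (network, next_hop_or_None, iface_or_None)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # banner lines such as "Gateway of last resort ..."
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        routes.append((net, m.group("via"), m.group("iface")))
    return routes


def lookup(routes, dest):
    """Longest-prefix match, the same choice the router makes."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, via, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return best


def next_hop_is_firewall(routes, dest, firewalls=KNOWN_FIREWALLS):
    """Return (next_hop, firewall_name_or_None); (None, None) means the
    destination is directly connected and there is no next hop to check."""
    match = lookup(routes, dest)
    if match is None or match[1] is None:
        return (None, None)
    return (match[1], firewalls.get(match[1]))


def same_subnet(src, dst, routes):
    """True when both hosts sit inside one directly connected network of
    this gateway, so the gateway forwards nothing between them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(via is None and s in net and d in net for net, via, _ in routes)


def overlapping_prefixes(local_nets, remote_nets):
    """Local/remote prefix pairs that overlap; each pair needs NAT before
    an ACL can refer to either side unambiguously."""
    pairs = []
    for l in local_nets:
        for r in remote_nets:
            ln, rn = ipaddress.ip_network(l), ipaddress.ip_network(r)
            if ln.overlaps(rn):
                pairs.append((str(ln), str(rn)))
    return pairs


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_TABLE)
    print("next hop for 172.16.10.25:", next_hop_is_firewall(routes, "172.16.10.25"))
    print("same subnet 192.168.50.3 -> 192.168.50.9:",
          same_subnet("192.168.50.3", "192.168.50.9", routes))
    print("overlaps needing NAT:", overlapping_prefixes(
        ["192.168.50.0/24", "172.16.10.0/24", "172.30.50.0/24"], ["172.16.10.0/24"]))
```

Run it against a pasted route table from each gateway along the path and repeat the lookup hop by hop; the overlap check is the part to run first, because an overlapping prefix means the route lookup itself is ambiguous until NAT is in place.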