Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

firewall not passing server traffic

Referring to the attached diagram.(sorry if the diagram is not too neat, had to sketch in a hurry).

There are 2 different internet lines being used at different sites.

All internet traffic from Layer3switch 2 uses that internet link. & internet 1 is used for all internet

traffic from Layer3 sw1 segment.

There is a server hosting a site on the right hand side , which is well accessible via its internet

link. This now needs to be accessible via the internet 1 ip segment.

after the setup of doing required nat on fw1 & rules are put in on fw2 alongwith access on FW 3 for this

to be used via internet 1, it cant be accessed. We arent using dns resolution.It is a simple IP over http.

As i checked, the traffic for this comes via internet 1 in to the fw1 & fw 2, but somehow it doesnt

seem to come on to FW3(off which this server resides). Routing is fine across these two sections as i can

reach other things via ping across these two sections.

Any advise would be greatly appreciated.


Community Member

Re: firewall not passing server traffic

There's alot of details here that might be needed to troubleshoot this issue...

But here's a basic issue that you should address: A device can only generally use 1 default gateway at a time.

Now that's not true in some situations, but it might be the issue here. Your 'server' is already configured to access the internet via one path. Now your trying to access it via a different path. The traffic will get to the server, but the server may only have 1 default gateway configured. So the traffic goes back out that gateway which is a different path then the way the request came in.

This can create asymmetric data paths, which firewalls do not like at all.

One solution would be to PAT the incoming traffic from one of the internet connections to a local LAN IP, if the traffic is destined for the server. That would enable routing and everything to work correctly.

Community Member

Re: firewall not passing server traffic

Thanks for highlighting, i will get the gateway details for this server to probe from that angle.( this server is hosted in dmz zone & is accessible from withing lan segment as well).

i havent been able to get the last suggestion you made about PAT with local IP.Can you please elaborate.

Appreciate your help!

CreatePlease to create content