Community Member

How to check if a server is behind a firewall or not.
Hi Everyone,

 

For one of our customer remote sites I need to open some specific ports between the servers.

For this I need to configure the ACL on the firewalls.

Say Source is 192.168.50.x

       Source is 172.16.10.x

       Source is 172.30.50.x

Destination is 172.16.10.x

I do not know the detailed network topology at the remote site.

I know the servers' default gateway, and traffic from the source server to the destination goes via a few firewalls.

I need to confirm: if I need to track which firewalls the traffic flows through from the source to the destination server, is the best way to remote in to the server gateway and

do `sh ip route 172.16.10.x` and check whether the next-hop device is a firewall or not?

Also, in some cases the source and destination server are in the same subnet, so in this case can I assume no ACL is needed as they are on the same network?

Regards

Mahesh
ACCEPTED SOLUTION

Hall of Fame Super Silver
Mahesh,

If your remote partner is using the same private network addressing as you (172.16.10.0 network) then you will have to use some NAT to change how they appear to your sources. Otherwise they won't be able to distinguish the path to "your" 172.16.10.0 subnet from "theirs". You will also have to NAT your sources in the 172.16.10.0 network to appear as something else to them or else they will have the same problem.

There are a couple of good external sites with examples of how this works. Please refer to this packetu.com posting and this packetpushers one.
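The two checks raised in this thread (does a source/destination pair stay inside one subnet or leave it via a firewall next hop, and does the partner's address space overlap ours so that NAT is required) can be scripted before touching any ACL. The following is an added example, not code from the original poster or the answer; the /24 masks on the question's subnets, the routing table standing in for `sh ip route` output, and the list of next hops known to be firewalls are all constructed for the illustration.

```python
"""Added example: subnet, next-hop and overlap checks for a firewall ACL change.

Assumptions (constructed for this example, not from the thread):
  - every subnet in the question is a /24
  - SAMPLE_ROUTES stands in for the gateway's "show ip route" table
  - KNOWN_FIREWALL_HOPS lists next-hop addresses the operator knows are firewalls
Uses only the Python standard library.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed routing table: prefix -> next hop (None = directly connected).
SAMPLE_ROUTES: Dict[str, Optional[str]] = {
    "0.0.0.0/0": "10.0.0.1",          # default route, constructed
    "172.16.10.0/24": "10.0.0.254",   # reached through a firewall, constructed
    "172.30.50.0/24": "10.0.0.254",
    "192.168.50.0/24": None,          # directly connected
}

# Constructed: next-hop addresses the operator has identified as firewalls.
KNOWN_FIREWALL_HOPS: Set[str] = {"10.0.0.254"}


def same_subnet(src: str, dst: str, prefixlen: int = 24) -> bool:
    """True when src and dst share one /prefixlen network.

    Hosts on the same subnet reach each other at layer 2 and never pass a
    routed firewall, so that pair needs no ACL entry (assumes no host-level
    firewall and no private-VLAN isolation).
    """
    src_net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return ipaddress.ip_address(dst) in src_net


def next_hop(dst: str, routes: Dict[str, Optional[str]] = SAMPLE_ROUTES) -> Optional[str]:
    """Longest-prefix match over the table, the same choice a router makes."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def crosses_firewall(src: str, dst: str,
                     routes: Dict[str, Optional[str]] = SAMPLE_ROUTES,
                     firewalls: Set[str] = KNOWN_FIREWALL_HOPS) -> bool:
    """True when the first hop from src toward dst is a known firewall.

    A firewall further along the path would not show up here; each hop's
    routing table has to be checked in turn.
    """
    if same_subnet(src, dst):
        return False
    return next_hop(dst, routes) in firewalls


def overlapping_networks(local: List[str], partner: List[str]) -> List[Tuple[str, str]]:
    """(local, partner) prefix pairs that overlap.

    Any overlap means both sides must NAT, as the accepted answer explains:
    otherwise neither side can tell "our" 172.16.10.0/24 from "theirs".
    """
    pairs = []
    for l in local:
        for p in partner:
            ln, pn = ipaddress.ip_network(l), ipaddress.ip_network(p)
            if ln.overlaps(pn):
                pairs.append((str(ln), str(pn)))
    return pairs


if __name__ == "__main__":
    sources = ["192.168.50.10", "172.16.10.3", "172.30.50.7"]
    for s in sources:
        print(s, "->", "172.16.10.9", "via firewall:", crosses_firewall(s, "172.16.10.9"))
    print("overlaps:", overlapping_networks(
        ["192.168.50.0/24", "172.16.10.0/24", "172.30.50.0/24"], ["172.16.10.0/24"]))
```

The overlap check is the part to run first: if it reports a pair, the ACL question is moot until NAT is in place, because the route lookup on either side will point at the wrong 172.16.10.0/24.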
