07-19-2006 01:46 AM - edited 03-09-2019 03:38 PM
Hi All,
Looking at the attached design, should it work?
My traceroute from the local network dies at the FW, with the FW reporting the network unreachable when I try to ping out to the Internet.
Is there anything fundamentally wrong with my design?
Forget the private IP addresses I have put on the design, I just wanted to illustrate the subnet boundaries.
The switch is L2 only, and has VLANs 10 and 20 configured on it. No routing exists on the switch.
Just to let you guys know, there is a default route on the FWs pointing at ISP router 2. There is no default route/gateway configured on the switch.
The FWs are running VRRP on all interfaces (internal and DMZ ints not shown on diagram) and all client machines' gateways point to the VRRP address of the specific network.
When I traceroute from the internal network the FW reports destination net unreachable.
Any help would be great,
Dan
07-19-2006 01:54 AM
Looks OK to me.
Can the firewalls ping each other/ISP rtr/Internet?
07-19-2006 02:01 AM
They can ping each other, but not the ISP router or Internet. However, the connection out of ISP rtr1 works OK, just not out of ISP2.
My question was really based around whether the FW would be able to handle the comms between VLANs 10 and 20, seeing as there was no L3 on the switch.
Thanks for your response,
Dan
07-19-2006 02:41 AM
A firewall is just a router with fancy ACL stuff on top. It can only use one default route at a time, so if you're using ISP#1 for Internet (i.e. that is your default route) then you'd have to put specific routes via ISP#2 in order to use that.
You should be able to ping ISP rtr#2, so if you can't:
is there an ACL on that router?
do the firewalls have an ARP entry for rtr#2?
There is nothing fundamentally wrong with your setup but you must be mindful of the routing. This setup will be fine if, for example, you surf via ISP#1 and use ISP#2 for L2L VPNs, where you can add a route for the peer on the firewalls via ISP#2.
07-19-2006 02:45 AM
Yeah, they use ISP 1 for VPNs and ISP 2 for surfing. The default route is via ISP2, and there are statics via ISP1 for the VPNs etc. This setup replaced a single existing FW, yet the VRRP addresses used are the same as the physical addresses were on the existing FW, so any ACLs shouldn't matter. We got the ISP to clear the ARP table on the router after the change but no joy. We copied the routing table from the old FW to the new primary FW, and no IP addresses have changed.
Thanks for your answer,
Dan
07-19-2006 03:17 AM
I think if you pinged from the firewall it would use its real IP not the VRRP.
I'm confused about what the problem is - they can't surf? DNS working?
Do the firewalls have an ARP entry for the router?
07-19-2006 04:09 AM
The problem is that all traffic destined for the Internet (via ISP2) drops at the FW. On a traceroute the FW reports that the network (anything out of ISP2) is unreachable. It's as if the FW doesn't have a route to the ISP2 router, although its default route points to it.
Cheers,
Dan
07-19-2006 04:31 AM
First you must make sure everything on VLAN20 is ok, the three devices can see each other. Then we can check why traceroute, surfing etc doesn't work.
I take it it's not a Cisco firewall, you cheeky boy!
Have you got CLI on the firewall?
If so check the ARP cache (is ISP rtr#2 there?), check the routes.
Can you ping between firewalls, is VRRP ok?
Traceroute might fail because the ICMP time-exceeded or UDP >30000 is getting blocked.
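The checks above (does a route exist, is the next hop on a connected interface, does the ARP cache actually have an entry for it) can be scripted against saved `ip route` / `ip neigh` output. This is an added example, not code from the thread or from any firewall vendor; it assumes Linux-style output, uses constructed sample tables with RFC 5737 addresses, and assumes eth2 faces ISP rtr#2 (default route, ARP FAILED) and eth3 faces ISP rtr#1 (static for the VPN peer, ARP fine), mirroring the symptom described in the thread.

```python
import ipaddress
# Constructed sample (not from the thread): Linux ip-route/ip-neigh format, RFC 5737 addresses.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth2
192.0.2.0/24 via 198.51.100.1 dev eth3
203.0.113.0/29 dev eth2 proto kernel scope link src 203.0.113.2
198.51.100.0/29 dev eth3 proto kernel scope link src 198.51.100.2
"""
SAMPLE_NEIGH = """\
203.0.113.1 dev eth2  FAILED
198.51.100.1 dev eth3 lladdr 02:00:00:00:01:01 REACHABLE
"""

def parse_routes(text):
    # -> [(network, next_hop_or_None, dev)]; 'default' is normalised to 0.0.0.0/0
    routes = []
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes

def parse_neigh(text):
    # -> {ip: (lladdr_or_None, state)}; a FAILED entry carries no lladdr field
    table = {}
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        lladdr = parts[parts.index("lladdr") + 1] if "lladdr" in parts else None
        table[parts[0]] = (lladdr, parts[-1])
    return table

def lookup(routes, dst):
    addr = ipaddress.ip_address(dst)  # longest-prefix match, None if no route covers dst
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)

def diagnose(route_text, neigh_text, dst):
    routes, neigh = parse_routes(route_text), parse_neigh(neigh_text)
    hit = lookup(routes, dst)
    if hit is None:
        return "no-route"
    _, via, dev = hit
    hop = via or dst  # on-link destinations are resolved directly
    # The hop must sit on a directly connected prefix of the same interface.
    conn = lookup([r for r in routes if r[1] is None], hop)
    if conn is None or conn[2] != dev:
        return f"nexthop-not-connected:{hop}"
    lladdr, state = neigh.get(hop, (None, "MISSING"))
    if lladdr is None or state in ("FAILED", "INCOMPLETE"):
        return f"nexthop-unresolved:{hop}:{state}"  # route exists, ARP does not
    return f"ok:{hop}:{dev}"
```

Run `diagnose(SAMPLE_ROUTES, SAMPLE_NEIGH, "198.51.100.200")` for an Internet destination and `diagnose(SAMPLE_ROUTES, SAMPLE_NEIGH, "192.0.2.5")` for the VPN peer to see the two outcomes side by side.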
07-19-2006 04:34 AM
No, you caught me, it's a Checkpoint!
Thanks a lot for your help, buddy. I will get to test all of this shortly.
Thanks again,
Dan