
New Member

Basic FW Design

Hi All,

Looking at the attached design, should it work?

My trace route from the local network dies at the FW, with the FW reporting the network unreachable when I try to ping out to the Internet.

Is there anything fundamentally wrong with my design?

Forget the private IP addresses I have put on the design, I just wanted to illustrate the subnet boundaries.

The switch is L2 only, and has VLANs 10 and 20 configured on it. No routing exists on the switch.

Just to let you guys know, there is a default route on the FWs pointing at ISP router 2. There is no default route/gateway configured on the switch.

The FWs are running VRRP on all interfaces (internal and DMZ interfaces not shown on the diagram) and all client machines' gateways point to the VRRP address of the specific network.

When I trace route from the internal network the FW reports destination net unreachable.

Any help would be great,



Re: Basic FW Design

Looks OK to me.

Can the firewalls ping each other / the ISP router / the Internet?

New Member

Re: Basic FW Design

They can ping each other, but not the ISP router or Internet. However, the connection out of ISP rtr1 works OK, just not out of ISP2.

My question was really based around whether the FW would be able to handle the comms between VLANs 10 and 20, seeing as there was no L3 on the switch.

Thanks for your response,


Re: Basic FW Design

A firewall is just a router with fancy ACL stuff on top. It can only use one default route at a time, so if you're using ISP#1 for Internet (i.e. that is your default route) then you'd have to put specific routes via ISP#2 in order to use that.

You should be able to ping ISP rtr#2, so if you can't:

Is there an ACL on that router?

Do the firewalls have an ARP entry for rtr#2?

There is nothing fundamentally wrong with your setup but you must be mindful of the routing. This setup will be fine if, for example, you surf via ISP#1 and use ISP#2 for L2L VPNs, where you can add a route for the peer on the firewalls via ISP#2.
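As an added illustration of the routing point made in this reply (one default route, more specific statics via the other ISP) and of how a firewall can hold a default route yet answer "destination net unreachable", here is a longest-prefix-match lookup in Python. It is not the poster's configuration or Check Point code; the addresses, the VPN peer prefix and the subnet layout are constructed sample values.

```python
"""Longest-prefix-match walk-through of a dual-ISP firewall routing table.
Added illustration for this thread; all addresses are constructed samples."""
import ipaddress

# Constructed topology: the outside segment (VLAN 20) holds the firewall's
# outside address and both ISP routers; inside and DMZ are the other VLANs.
INTERFACES = {
    "outside": ipaddress.ip_network("203.0.113.0/29"),  # ISP rtr1 = .1, rtr2 = .2
    "inside": ipaddress.ip_network("192.168.10.0/24"),
    "dmz": ipaddress.ip_network("192.168.20.0/24"),
}

# (prefix, next hop): one default route via ISP rtr2 for surfing, and a more
# specific static via ISP rtr1 for a hypothetical L2L VPN peer network.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.2"),
    ("198.51.100.0/24", "203.0.113.1"),
]


def lookup(dst, routes=ROUTES, interfaces=INTERFACES):
    """Resolve dst to (next_hop, egress_interface).

    next_hop is None for a directly connected destination. The function
    returns None when no route matches or the chosen next hop is not on any
    connected subnet, which a host sees as "destination net unreachable".
    """
    dst = ipaddress.ip_address(dst)
    # Connected subnets win outright: the destination is on-link.
    for name, net in interfaces.items():
        if dst in net:
            return (None, name)
    # Otherwise pick the matching route with the longest prefix.
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(next_hop))
    if best is None:
        return None
    # The next hop must itself sit inside a connected subnet, or the default
    # route exists on paper but can never be used (check ARP/route tables).
    for name, net in interfaces.items():
        if best[1] in net:
            return (str(best[1]), name)
    return None
```

Passing a routes list whose default next hop lies outside every connected subnet returns None, which is the failure mode this thread is chasing.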

New Member

Re: Basic FW Design

Yeah, they use ISP 1 for VPNs and ISP 2 for surfing. The default route is via ISP2, and there are statics via ISP1 for the VPNs etc. This setup replaced a single existing FW, yet the VRRP addresses used are the same as the physical addresses were on the existing FW, so any ACLs shouldn't matter. We got the ISP to clear the ARP table on the router after the change, but no joy. We copied the routing table from the old FW to the new primary FW, and no IP addresses have changed.

Thanks for your answer,


Re: Basic FW Design

I think if you pinged from the firewall it would use its real IP not the VRRP.

I'm confused about what the problem is - they can't surf? DNS working?

Do the firewalls have an ARP entry for the router?

New Member

Re: Basic FW Design

The problem is that all traffic destined for the Internet (via ISP2) drops at the FW. On a trace route the FW reports that the network (anything out of ISP2) is unreachable. It's as if the FW doesn't have a route to the ISP2 router, although its default route points to it.



Re: Basic FW Design

First you must make sure everything on VLAN20 is OK, i.e. the three devices can see each other. Then we can check why traceroute, surfing etc. doesn't work.

I take it it's not a Cisco firewall, you cheeky boy!

Have you got CLI on the firewall?

If so check the ARP cache (is ISP rtr#2 there?), check the routes.

Can you ping between firewalls, is VRRP ok?

Traceroute might fail because the ICMP time-exceeded or UDP >30000 is getting blocked.

New Member

Re: Basic FW Design

No, you caught me, it's a Checkpoint!

Thanks a lot for your help buddy, I will get to test all of this shortly.

Thanks again,