connecting 2 subnets between 2 firewalls

scobin

Reputable
Aug 12, 2014
Hi there!

I have a bit of an issue at a customer's site.

Their primary FW is a Clavister SG55 that has its own internet connection, and its LAN IP is [removed]

At the other end of the building there is a Cisco ASA 5505 with its own internet connection and a LAN IP of [removed]

The clients on the 192-net want to reach the 172-net.
What I've done is: I picked the aux port on the Clavister FW, gave it a static IP in the 172-net, and plugged in a cable that runs all the way to the Cisco ASA. Furthermore, I created a static route on the Clavister to the 172-net using the aux interface. Then I created two FW rules that ALLOW traffic between the nets.

On the Cisco I created a static route to the 192-net with a GW of the aux IP on the Clavister.
There I also created two rules allowing traffic between the nets.

Sadly it's not working. I have a connection between the firewalls, since I can ping the Clavister IP from the Cisco and vice versa.

Any help is appreciated. Sorry if this is confusing..

IP information removed by moderator. - G
 
I am not sure why the moderator removed the IP addresses from your post as they are common internal private addresses that don't identify your network in any way. Since he did that it makes it more difficult to help you out.
I assume that the Cisco has the 172 network behind it and the Clavister has the 192 behind it. Did you plug the cable from the Clavister directly into the Cisco? If so did you give the Cisco interface a 172 address? If so you now have multiple interfaces on the Cisco with 172 addresses?
Personally I would create a separate network for the two interfaces between the Cisco and Clavister.
 
I forget my ASA stuff over the years of not working with it. If you connected the second firewall to the ASA and assigned it an IP in the same subnet as the users, you are likely going to get asymmetric traffic paths. What happens is the users on the 172 net will send the traffic to the ASA gateway to get to the 192 network. The ASA "maybe" will send the traffic to the 172 address of the other firewall. The traffic going the other direction, though, will go to the other firewall and then be sent directly to the end user on the 172 network rather than back through the ASA. It may physically pass through, but at a layer 2 level.

You have 2 issues here. First, if I remember correctly, the ASA will not allow traffic to come in and go out the same interface. You need to use the command SAME-SECURITY-TRAFFIC PERMIT to allow it to hairpin through the firewall. Even if you do this, many times the firewall gets upset because it will detect half-open TCP sessions, since it will never see the SYN/ACK packets going back the other way. You will likely have to disable that rule also.

I agree with abailey: you are best off defining a brand new subnet between your firewalls, and then the routing should be consistent.
 
Solution
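To make the asymmetric-path and hairpin problems described in the replies concrete, here is an added example (not from the thread, and not configuration from either vendor) that models both designs with a small longest-prefix-match forwarding simulation: the original layout, where the Clavister aux port sits inside the 172 user subnet, and the suggested layout with a dedicated transit subnet between the firewalls. The addresses (172.16.0.0/24 for the "172-net", 192.168.0.0/24 for the "192-net", 10.0.0.0/30 for the transit link), the host addresses and the interface names are constructed placeholders, since the real ones were removed from the post.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder addressing (the real IPs were removed from the post):
# 172.16.0.0/24 = "172-net" behind the ASA, 192.168.0.0/24 = "192-net" behind the Clavister,
# 10.0.0.0/30   = the dedicated transit subnet suggested in the replies.
ip, net, iface = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface
LAN172, LAN192, DEFAULT = net("172.16.0.0/24"), net("192.168.0.0/24"), net("0.0.0.0/0")


@dataclass
class Node:
    name: str
    interfaces: dict                            # interface name -> ip_interface (address + prefix)
    routes: list = field(default_factory=list)  # (network, next hop or None, egress interface)

    def __post_init__(self):
        # every interface contributes a connected route (next hop None = deliver directly)
        for ifname, addr in self.interfaces.items():
            self.routes.append((addr.network, None, ifname))

    def lookup(self, dst):
        """Longest-prefix match over the node's routing table."""
        best = None
        for net_, nh, ifname in self.routes:
            if dst in net_ and (best is None or net_.prefixlen > best[0].prefixlen):
                best = (net_, nh, ifname)
        return best


def topology(transit):
    """Build one of the two designs; returns (address owner map, 172 host ip, 192 host ip)."""
    h172 = Node("host-172", {"eth0": iface("172.16.0.50/24")}, [(DEFAULT, ip("172.16.0.1"), "eth0")])
    h192 = Node("host-192", {"eth0": iface("192.168.0.50/24")}, [(DEFAULT, ip("192.168.0.1"), "eth0")])
    if transit:
        # dedicated /30 between the firewalls; each firewall routes the far LAN across it
        asa = Node("asa", {"inside": iface("172.16.0.1/24"), "link": iface("10.0.0.1/30")},
                   [(LAN192, ip("10.0.0.2"), "link")])
        clav = Node("clavister", {"lan": iface("192.168.0.1/24"), "aux": iface("10.0.0.2/30")},
                    [(LAN172, ip("10.0.0.1"), "aux")])
    else:
        # original design: the Clavister aux port gets an address inside the 172 user subnet
        asa = Node("asa", {"inside": iface("172.16.0.1/24")}, [(LAN192, ip("172.16.0.2"), "inside")])
        clav = Node("clavister", {"lan": iface("192.168.0.1/24"), "aux": iface("172.16.0.2/24")},
                    [(LAN172, None, "aux")])
    owners = {a.ip: (n, i) for n in (h172, h192, asa, clav) for i, a in n.interfaces.items()}
    return owners, ip("172.16.0.50"), ip("192.168.0.50")


def trace(owners, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns [(node, ingress interface, egress interface), ...]."""
    node, in_if = owners[src][0], None        # originating host has no ingress interface
    path = []
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        _, next_hop, out_if = route
        path.append((node.name, in_if, out_if))
        nxt = dst if next_hop is None else next_hop   # connected: deliver; otherwise hand to gateway
        node, in_if = owners[nxt]
        if nxt == dst:
            path.append((node.name, in_if, None))
            return path
    raise RuntimeError("forwarding loop")


def analyse(transit):
    """Compare both directions: do they cross the same firewalls, and does any hop hairpin?"""
    owners, a, b = topology(transit)
    fwd, rev = trace(owners, a, b), trace(owners, b, a)
    firewalls = ("asa", "clavister")
    seen_fwd = [n for n, _, _ in fwd if n in firewalls]
    seen_rev = [n for n, _, _ in reversed(rev) if n in firewalls]
    return {
        "forward": [n for n, _, _ in fwd],
        "reverse": [n for n, _, _ in rev],
        "symmetric": seen_fwd == seen_rev,
        # same ingress and egress interface = the hairpin an ASA refuses by default
        "hairpins": [(n, i) for n, i, o in fwd + rev if i is not None and i == o],
    }


if __name__ == "__main__":
    for design in (False, True):
        print("transit subnet:" if design else "aux inside 172 subnet:", analyse(design))
```

With the aux port inside the 172 subnet, the 172-to-192 direction enters and leaves the ASA on its inside interface (the hairpin the reply mentions) and the return traffic never touches the ASA at all, so the ASA only ever sees half of each TCP handshake. With the /30 transit subnet, both directions pass through both firewalls on distinct interfaces, which is why the stateful inspection on each box then works without special-casing.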