Routing issue on firewall

Hi All,
As per the attached network diagram, I have 2 firewalls connected to an L3 switch. Since the specific route is already present, I am not able to route the same specific route to the other firewall.
PBR cannot be done on the ASA. So how can I fix this issue?

Hello Ravindra,
Where did you set the specific route?
Where are you trying to go? To which network? Is it behind both ASAs?
Please be more specific.
Regards,
Hey remember to rate all of the helpful posts, as important as a thanks (keep us motivated)

Similar Messages

  • Routing issue: SVI vs Firewall interface

    Greetings
    I have several switches interconnected in my network and multiple VLANs configured, with an SVI assigned to each. Inter-VLAN routing works just fine. The switchport connected to the corporate firewall is the first port on the main switch (interface GigabitEthernet1/0/1, I reckon).
    The firewall is VLAN-unaware and is managed by a third party; I do not have access to it. The firewall is configured to route only the two ranges below, and that is fine:
    155.111.215.254/25 (servers)
    10.15.245.254/24 (end users)
    In my network, these ranges are broken down into sub-ranges and assigned to VLAN IP addresses. The other ranges I have in my network (192.168.x.x) are used by peripheral devices within the LAN only and do not need to reach the firewall (nor the internet).
    So here is the problem I have:
    If I point end user machines and servers to the corresponding firewall interfaces (assign the default gateway accordingly), they can reach each other and have access to the internet. But they are not able to reach the peripheral devices in the 192.168.x.x range, which are pointed to the respective VLAN IP address (SVI).
    If I point end user machines and servers to the respective VLAN IP address, they can reach the peripheral devices, but there is no connection to the internet. So what I need is internet access for computers with IP addresses within the firewall-configured range, but with the SVI as the default gateway rather than the firewall interfaces.
    My request to add each VLAN to the firewall was rejected because it would cost money.
    As a workaround, I wonder whether there is something I can do with the switchport connected to the firewall, or whether it is some rules on the firewall that I need (like NAT). If it is the latter, then how do I make a proper request to the firewall management team?
    I would appreciate a suggestion on how to deal with this. Many thanks.
    PS: Attaching the main switch config file just in case.

    Hi,
    You can tweak something in the firewall to make this work. You can have the firewall as the gateway for all VLANs; you can do NAT exemption in the firewall to reach those peripheral devices; and you should have the route from the firewall to reach them, and the access-list should allow that.
    same-security-traffic permit intra-interface - to permit traffic to flow through the same interface.
    Make sure you are able to reach those peripheral VLANs from the ASA first, then do it step by step: ACLs, NAT exemption, same-security, route. The route should be pointed to the core devices, since those have the direct connectivity to the peripheral devices' VLAN.
    Regards
    Karthik

  • Routing Issue with 3550

    I am having a routing issue with a 3550 switch. I have 5 VLANs and I need one of the VLANs to access a different router based on destination IP rather than our edge router. I have entered a static route on the 3550 that points to the secondary router whenever a certain network is accessed. My problem is I can't seem to get the traffic to flow correctly. When I traceroute an address on the Internet the path shows as expected: the 3550, then my firewall, then my edge router. When I trace an address that is on the other side of the secondary router I get the 3550 as the first hop, then nothing. I can ping the address so I know the path is up. What could be the issue? Thanks in advance.

    Hello,
    in addition to Mahmood's post, what do you have defined as the next hop for the default route to the secondary router? If you use an interface on the 3550 as the next hop, make sure that whatever is connected is in the same subnet, otherwise use the IP address of the next hop. So, let's say your remote network is 192.168.1.0, and the secondary router is connected to FastEthernet0/1, your default route should look like this if the secondary router is in the same subnet (in this example, the IP address of the secondary router would be 172.16.1.2):
    interface FastEthernet0/1
    no switchport
    ip address 172.16.1.1 255.255.255.252
    ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
    Otherwise, try:
    ip route 192.168.1.0 255.255.255.0 172.16.1.2
    where 172.16.1.2 would be the address of the secondary router.
    Does that make sense ?
    Regards,
    GNT
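The check GNT describes (a next hop must sit on a directly connected subnet, otherwise point the route at the interface) can be automated. This is an added example, not code from the thread; the config text is constructed to mirror the example above, and the wildcard-mask and unknown-interface routes are deliberate mistakes for the checker to catch.

```python
import ipaddress

# Constructed sample 3550 config (not the thread's attachment): the secondary
# router sits on FastEthernet0/1 as 172.16.1.2, the remote network is
# 192.168.1.0/24, and several deliberately broken routes are mixed in.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 no switchport
 ip address 172.16.1.1 255.255.255.252
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 10.99.99.1
ip route 192.168.3.0 0.0.0.255 172.16.1.2
ip route 192.168.4.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/7
"""


def parse_config(text):
    """Collect L3 interfaces and static routes from IOS-style config text.

    Returns (connected, routes): connected maps interface name to an
    ipaddress.IPv4Interface, routes is a list of (dest, mask, next_hop).
    """
    connected, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("ip address ") and current:
            _, _, ip, mask = line.split()
            connected[current] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif line.startswith("ip route "):
            dest, mask, next_hop = line.split()[2:5]
            routes.append((dest, mask, next_hop))
    return connected, routes


def is_subnet_mask(mask):
    """True for a contiguous subnet mask (255.255.255.0); False for an ACL
    wildcard such as 0.0.0.255, which 'ip route' does not accept."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def check_route(dest, mask, next_hop, connected):
    """Return (ok, reason) for one static route against the connected subnets."""
    if not is_subnet_mask(mask):
        return False, f"{mask} is a wildcard, not a subnet mask"
    try:
        nh = ipaddress.IPv4Address(next_hop)
    except ipaddress.AddressValueError:
        # Next hop given as an exit interface: it must exist as an L3 port.
        if next_hop not in connected:
            return False, f"exit interface {next_hop} has no IP address"
        return True, (f"exit interface {next_hop}: the switch will ARP for every "
                      f"destination in {dest}, so those hosts must be on that link")
    for name, iface in connected.items():
        if nh in iface.network and nh != iface.ip:
            return True, f"next hop {nh} is on {name} ({iface.network})"
    return False, f"next hop {nh} is not on any connected subnet"


def audit(text):
    """Run check_route over every static route found in the config."""
    connected, routes = parse_config(text)
    return [(" ".join(r), *check_route(*r, connected)) for r in routes]


if __name__ == "__main__":
    for route, ok, reason in audit(SAMPLE_CONFIG):
        print(("OK  " if ok else "BAD ") + route + "  # " + reason)
```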

  • Replication Active Directory, ports issues in firewall

    Hi,
    I am facing an issue with Active Directory replication between my Active Directory user databases located in two different locations.
    I am not doing any port-based ACL in the firewall, and there is no static / dynamic NAT used between the server IP ranges (nat 0).
    1) What could be the possible issue in this?
    2) Do I need to issue any command in the FWSM module to make use of / open the dynamic ports?
    3) How can I make sure that these ports are not blocked on the firewall?
    Below are some of the ports used for this, based on the information from the Microsoft team.
    tcp 5389
    tcp 5722
    tcp 5729
    tcp 3268
    tcp 3269
    tcp 445
    udp 445
    udp 88
    udp 2535
    udp 389
    tcp 1025 - 5000
    tcp 44152 - 65535
    Appreciate your valuable support.
    regards
    Sunny

    Hi Bro
    If you're not doing any port-based ACL in your FWSM, I can only assume you're permitting the rules between both the ADs by IP, e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both the ADs, otherwise this could be a routing issue.
    Listed below are some commands that you could type to investigate this issue further:
    a) show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into a hardware limitation of the FWSM.
    b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate-limiting mechanisms built into the network processors.
    Perhaps what you need is to enable the "xlate-bypass" command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
    hostname(config)#xlate-bypass
    If xlate-bypass doesn't resolve your issue, please do ensure you have a static NAT or dedicated nat/global in place.
    The last resort is to enable sysopt np completion-unit; this option invokes special processing created to address scenarios in which the FWSM was known to introduce out-of-order packets in TCP streams.

  • TMG Traffic For a Specific IP isn't leaving the server despite valid routes and no firewall

    Hi,
    I'm struggling to troubleshoot a TMG networking issue:
    I have a TMG server set up in my DMZ. Inbound traffic hits the 3rd party firewall router, goes to the TMG server and is then routed back through the 3rd party firewall router to my internal network. I've set up web publishing rules and listeners for IIS sites and SMTP traffic, using a different IP to listen for 2 different websites and another IP for SMTP.
    The issue I have is that my TMG server can't ping a server on the internal network on a specific IP:
    TMG can ping 192.168.11.190
    TMG cannot ping 192.168.11.191
    Firewall rules are configured to permit traffic (no deny connections are shown in the monitor).
    tracert and pings to 192.168.11.190 hit the internal IP of the 3rd party router
    tracert to 192.168.11.191 simply responds with * * * * before timing out
    Monitoring from within TMG shows the correct IP is being used in both cases (internal NIC 192.168.10.10).
    A route print from TMG has a valid route to the internal network:
    (network)192.168.11.128 (mask) 255.255.255.128 (gateway) 192.168.10.126
    In summary:
     - TMG can ping 192.168.11.190, but not 192.168.11.191
     - Valid routes exist
     - No firewall rules are blocking communication
     - Traffic to 192.168.11.191 doesn't seem to be leaving the TMG server
    Any advice on solving this would be appreciated.
    Cheers

    It can have many reasons, but it appears to me you are having a routing issue. I can't say for sure, because I don't have the entire IP addressing scheme. I assume you have used separate subnets for the External DMZ and Internal DMZ.
    Have you configured the 192.168.11.128/25 subnet as a correct 'Address' range 192.168.11.128 - 192.168.11.255 on the 'Internal' interface within TMG?
    Boudewijn Plomp | BPMi Infrastructure & Security
    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

  • Possible internet routing issues driving me crazy!

    I've somehow hit a problem accessing a particular favourite website and it seems I may have a routing issue.
    I've spoken with a friend who is fairly network savvy and he's suggested I raise a case / complaint with BT. I thought I'd use this forum to test whether I'm missing something I could be doing to fix it before logging a problem with the BT Helpdesk!
    I've a BT Homehub 2 (current firmware 4.7.5.1.83.3.5 (Type B)) and I can access pretty much all websites I care to look at without any issue at all; however, the site I read most days is now no longer viewable on either of my 2 PCs or my iPhone. When I try to access it I get no error messages at all, just a blank white page.
    It doesn't matter if I try using IE, Firefox or Chrome browsers, it's the same result - I just see a blank white page.
    The site in question is www.celticquicknews.co.uk (or www.celticquicknews.com) and it is definitely available, as I can access it when using a site such as http://www.free-internet-organization.tk/ on both my PCs and iPhone, so I know the website is up and running and available for browsing, but since Thursday lunchtime I've had no joy in being able to access that particular site directly without resorting to another middleman site to let me view it.
    I have tweeted the guy who hosts the www.celticquicknews.co.uk site and he's said his site is fine but he has numerous similar queries from BTINTERNET folks having the same issue as I'm reporting.
    I run McAfee Internet Security and, having disabled the various firewall / secure browsing functions, there was no improvement, still no joy.
    I did somehow successfully connect directly to the elusive website this morning (Sunday 1st May) on my iPhone at around 10am, but by the time I boiled the kettle to have a coffee and sat down to read the site it became inaccessible again on my iPhone and both my PCs! So what's going on?
    www.celticquicknews.co.uk [217.174.253.143]
    www.celticquicknews.com [217.174.253.143]
    Homehub TCP/IP info is as below, which I suspect is of value to the more technical on the forum:
    Broadband network IP address    109.152.154.29
    Default gateway    217.32.142.102
    Primary DNS    194.72.0.114
    Secondary DNS    62.6.40.162
    ADSL line status
    Connection Information
    Line state    Connected
    Connection time    0 days, 01:11:16
    Downstream    15,978 Kbps
    Upstream    1,144 Kbps
    ADSL Settings
    VPI/VCI    0/38
    Type    PPPoA
    Modulation    G.992.5 Annex A
    Latency type    Interleaved
    Noise margin (Down/Up)    5.2 dB / 6.0 dB
    Line attenuation (Down/Up)    31.0 dB / 13.8 dB
    Output power (Down/Up)    23.6 dBm / 1.7 dBm
    C:\>tracert -d 217.174.253.143
    Tracing route to 217.174.253.143 over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  192.168.1.254
      2    15 ms    15 ms    15 ms  217.32.142.102
      3    18 ms    17 ms    16 ms  217.32.142.142
      4    22 ms    22 ms    21 ms  213.120.163.26
      5    22 ms    20 ms    21 ms  217.32.27.30
      6    21 ms    21 ms    21 ms  217.32.27.178
      7    22 ms    21 ms    21 ms  109.159.250.78
      8    33 ms    35 ms    35 ms  109.159.250.13
      9    28 ms    28 ms    29 ms  62.172.102.1
     10    29 ms    28 ms    28 ms  195.66.224.98
     11    33 ms    34 ms    33 ms  88.208.255.61
     12    38 ms    32 ms    33 ms  88.208.255.102
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23     *        *        *     Request timed out.
     24     *        *        *     Request timed out.
     25     *        *        *     Request timed out.
     26     *        *        *     Request timed out.
     27     *        *        *     Request timed out.
     28     *        *        *     Request timed out.
     29     *        *        *     Request timed out.
     30     *        *        *     Request timed out.
    Trace complete.
    C:\>
    I've reset my HH several times over the weekend and am baffled as to how I can somehow have 1 site excluded from my browsing options for no obvious reason other than a suspected internet routing issue.
    My iPhone is on ORANGE and when disabling the wireless connection it too is unable to view the site in question, so it's a real pain!
    Not sure where to go to progress this, so any help / guidance is very much appreciated.

    Appreciate the help... been out for most of the day and checked in to see if there were any additional posts.
    I tried pinging the site and it does seem to resolve OK, and I also tried accessing the site via IP but got the same issue - blank white page.
    >ping www.celticquicknews.co.uk
    Pinging www.celticquicknews.co.uk [217.174.253.143] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Then I tried the telnet command "telnet 217.174.253.143 80" and I do not get any errors; as suggested, the command prompt goes blank, but no matter what I type I get no errors or response from server 217.174.253.143.
    My IP address has changed from this morning and sadly it's still the same issue for me.
    Internet connection configuration
    Connection Information
    Connection time    0 days, 10:05:37
    Data Transmitted/Received (MB)    10.8 / 29.4
    Broadband username    [email protected]
    Password    Not configured
    TCP/IP settings
    Broadband network IP address    86.147.168.198
    Default gateway    217.32.142.102
    Primary DNS    194.72.0.114
    Secondary DNS    62.6.40.162
    The tracert comments make sense so that's helped me understand, thanks for checking that out.
    So what's the best option for me? Am I wasting BT and my own time logging a case?
    I'd not usually bother pursuing this for the sake of a single web site but I'm bemused how this has happened since last week?
    Thanks again for all help and guidance.
    PJ

  • Routing Issue with 2 Nics on Windows Server 2008 R2

    Good Day
    My issue is I needed to set up port forwarding for a web server to communicate with our hotel's management server to check availability.
    Initially the server had a single NIC configured in the 172.26.1.0/24 network, with its default gateway being the switch VLAN interface 172.26.1.1.
    We have many VLANs for all the systems in the hotel, and the server also needs to communicate with 3 other servers on different subnets, which it does just fine.
    I have now added an additional ADSL line with a managed router which has an interface of 192.168.10.1/24. My server's second NIC has the IP address 192.168.10.2 with its gateway being 192.168.10.1.
    This 192.168.10.0 network is in an L2 VLAN and the rest of the network does not know it exists. It was working fine, then just stopped after I added a static route to the server, which I did with RRAS... I did this as the server could not communicate with just one of the servers.
    If I disable the 172.26.1.0 NIC the port forwarding works, but then obviously the rest of the network goes down. I know it's a routing issue but am lost.
    Please help

    Hello,
    using multiple default gateways is not a good idea.
    See details in http://support.microsoft.com/kb/159168/en-us
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Routing issue- seeing same IPs for two hops

    Hello All,
    I'm seeing the same IP twice in the traceroute output. Is that due to a routing issue, where the next hop is the same device as the first time?
    Log:
    6  10.30.102.26  61.060 ms 10.30.100.142  61.266 ms 10.30.102.26  61.071 ms
    7  10.30.102.26  61.139 ms  61.211 ms 10.61.191.2  60.948 ms
    Can you  guys help me to fix the issue??
    Regards,
    Thiyagu

    Are you load balancing anywhere?
    6 10.30.102.26  61.060 ms
       10.30.100.142  61.266 ms
       10.30.102.26  61.071 ms
    7 10.30.102.26  61.139 ms  61.211 ms
       10.61.191.2  60.948 ms
    HTH,
    John
    *** Please rate all useful posts ***
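John's reformatting makes the point: traceroute prints a responder address only when it changes between probes, so one hop line can hide several routers. The parser below is an added example (not from the thread) that expands each hop into per-probe responders and flags hops answered by more than one router, which is what load balancing looks like in a trace; hops 6 and 7 of the constructed sample are the two lines from the post, the rest is made up for context.

```python
import re

# Constructed sample: hops 6 and 7 are the two lines from the post; the
# header, hop 5 and the unanswered hop 8 are added for context.
SAMPLE_TRACE = """\
traceroute to 10.61.191.50 (10.61.191.50), 30 hops max, 60 byte packets
 5  10.30.100.1  60.512 ms  60.601 ms  60.700 ms
 6  10.30.102.26  61.060 ms 10.30.100.142  61.266 ms 10.30.102.26  61.071 ms
 7  10.30.102.26  61.139 ms  61.211 ms 10.61.191.2  60.948 ms
 8  * * *
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RTT_RE = re.compile(r"^\d+(?:\.\d+)?$")


def parse_traceroute(text):
    """Expand Unix traceroute output into {hop: [(ip, rtt_ms), ...]}.

    traceroute prints an address only when it differs from the previous
    probe's responder, so a bare "61.211 ms" belongs to the IP printed
    before it; a "*" is an unanswered probe and is recorded as (None, None).
    Assumes numeric output (traceroute -n style); hostnames are not handled.
    """
    hops = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # header or unrelated line
        hop, probes, current = int(tokens[0]), [], None
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "*":
                probes.append((None, None))
            elif IP_RE.match(tok):
                current = tok             # responder for the RTTs that follow
            elif RTT_RE.match(tok) and i + 1 < len(tokens) and tokens[i + 1] == "ms":
                probes.append((current, float(tok)))
                i += 1                    # skip the "ms" unit token
            i += 1
        hops[hop] = probes
    return hops


def analyze(hops):
    """Flag hops answered by more than one router (the load-balancing
    signature) and routers that answer at more than one hop distance."""
    multi, seen = {}, {}
    for hop, probes in sorted(hops.items()):
        ips = {ip for ip, _ in probes if ip}
        if len(ips) > 1:
            multi[hop] = ips
        for ip in ips:
            seen.setdefault(ip, []).append(hop)
    repeated = {ip: h for ip, h in seen.items() if len(h) > 1}
    return {"multi_responder_hops": multi, "repeated_ips": repeated}


def last_responding_hop(hops):
    """Highest hop that returned at least one reply, i.e. where the path goes quiet."""
    answered = [h for h, probes in hops.items() if any(ip for ip, _ in probes)]
    return max(answered) if answered else None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    report = analyze(hops)
    for hop, ips in report["multi_responder_hops"].items():
        print(f"hop {hop}: {len(ips)} different responders {sorted(ips)}")
    for ip, at in report["repeated_ips"].items():
        print(f"{ip} answered at hops {at}: probes took paths of different length")
    print("last responding hop:", last_responding_hop(hops))
```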

  • Routing Issue with Telia

    I think verizon has a routing issue with Telia.

    Thought I would share this: Telia has admitted an issue on their network
    Twitter / Telia_service: @Ungvall routing problem? This ...
    https://twitter.com/Telia_service/status/179661595276881921
    BTW, apparently @Telia_service had routing problems on both the latest iOS and ... DNS problem and we are working with Akamai for a solution to this problem

  • No airtunes with pppoE due to routing issues?

    I just switched to an optical fiber to the home internet connection (which is getting pretty popular here in Japan). Needless to say, the network is very fast; however, I can no longer use AirTunes via my AirPort Express network. The AirPort Express stations (both of them) no longer show up in iTunes. My guess is that this is due to a routing issue, and the same problem must have been encountered by others before and hopefully solved. The new internet connection uses PPPoE to make a connection to the internet service provider. This gives me an internet address of the form 125.197.xx.yy. I still have my AirPort Express set to get an address via DHCP (which the new optical fiber hub provides), and it is of the typical private network form 192.168.1.4. When I am connected by PPPoE to the internet, my iTunes cannot see my AirPort Express, due to routing issues I assume. Is there an elegant solution to this -- can I use my AirTunes and the internet at the same time? Would modifying the internet routing help here? (I have used this before when I have had multiple interfaces going, e.g. one in a secure local LAN and the other supporting an internet connection via ssh to the outside world.) Any advice would be much appreciated. I haven't tried asking my AirPort Express to log in via PPPoE -- is this the only solution?

    Well, as I have for my last several posts -- I solved the problem myself. I am pretty sure that the root cause was a routing problem (pretty obvious in fact). By having the AirPort Express base station connect via PPPoE itself (I have a remote relay AirPort Express as well) and switching to NAT and DHCP distribution of addresses via the AirPort Express, I can both see my AirTunes as well as my ethernet connection. It is a non-ideal solution as I had a fixed IP which would have been convenient to log in to from outside, but I guess I can live with that.

  • Audio tracks playing different audio tracks - routing issue?

    I'm having trouble with some routing issues I believe. Here's the deal:
    Some audio tracks are playing different audio tracks, when that region is not even in it. For instance:
    Track #2 is Soloed. Output is Output 1-2. I hear the audio file that is in Track #1, which is NOT Soloed and I shouldn't even hear. I don't hear anything from Track #2. The only way I can hear Track #2 is by playing it from the audio bin, which obviously isn't going to work out right.
    If I drag the audio region of Track #2 to a brand new audio track, I still don't hear anything. Is it possible this audio file(s) got corrupted somehow?
    Please help!

    Check the parameters, in the left side of the arrange page window.
    To me, it sounds as if you have a bunch of arrange tracks, which are all playing back through audio track #1.
    Cheers

  • Pages not loading in firefox unless refreshed several times but loads in other browsers not an issue of firewall malware or ipv6

    A week ago Firefox suddenly stopped loading pages unless refreshed several times, but they load in other browsers. It's not an issue of firewall, malware or IPv6; I've tried all that. I also uninstalled and reinstalled, and I tried disabling my add-ons.

    Hey man,
    If I'd had that problem and done the things that you'd done and seen no results, I'd delete FF again but this time fully - clean the registry as well. Then I'd remove the Java environment and everything related to it, SDK, JRE etc... Reboot the PC and reinstall the newest version of FF, then download the latest versions of the Java platforms, SDK etc... and reinstall them as well.
    Hope this helps,
    LD

  • IB Routing issue. Unable to find routing to the corresponding incoming msg

    Hi All,
    We are facing a Routing issue. The flow of message across the DB is given below.
    1) Message will be triggered from 3rd party application to PeopleSoft portal with Service Operation A
    2) From portal one more service operation B will be invoked to communicate with CRM
    Both service operations are synchronous. I have tested the service operation in CRM and I am able to get the results. But if I test in Portal, I am getting an error like
    "Unable to find routing corresponding to the incoming request message"
    I have checked the routing alias name between the Portal and CRM databases and it's the same.
    Could you please give us a clue to debug this further?
    Thanks,
    Hari.A

    You should check which permission list the service operation is attached to, and check whether the user has been granted it. Something like the following from the backend:
    SELECT DISTINCT c.roleuser
    FROM psclassdefn a, psroleclass b, psroleuser c
    WHERE a.classid = b.classid
    AND b.rolename = c.rolename
    AND a.classid = '<permission_list>'
    If nothing is returned for your user, then you could create a new role and give it to the user.
    Also, since you are on PeopleTools 8.52, all these configuration settings can be done through the Integration Network WorkCenter. I wrote articles about that (and you can find something about the permission list for a given service operation as well):
    http://gasparotto.blogspot.nl/2012/11/peopletools-852-integration-network.html
    Nicolas.

  • Download connections doesn't close after I cancel the download, it keep like I am download and only close when I disable the network adapter or reset the router or the firewall

    Download connections don't close after I cancel the download; it keeps going as if I am still downloading and only closes when I disable the network adapter or reset the router or the firewall.
    I use pfSense as my firewall and see the traffic not resetting to zero when I cancel the download.
    Also, IE doesn't have this problem. When I cancel the download the traffic drops to zero.

    And this problem seems to be system-wide, since I created a new user and the problem still exists under it.
    Hope Apple will look into it

  • NO HELP WITH ROUTING ISSUES FROM VERIZON

    Spent 2 hours with technical support to no avail. I have routing issues where I can't get from my FiOS residential account to a remote web site abroad. Trace route fails at so-0-0-0.XT1.AMS2.ALTER.NET [146.188.14.209]. FiOS technical support is incapable of doing any troubleshooting beyond basic customer premises equipment, refusing to escalate the case to the network engineering team. I was basically told by the FiOS tech support supervisor {edited for privacy} that this is not Verizon's problem and no help will be provided. What is even more frustrating is that Verizon agents are not capable of receiving emails from customers with details such as the trace route.
    Is there anyone at Verizon monitoring this and able to help? Just in case, ticket number that I have with Verizon is {edited for privacy}
    Here is trace route details.
    tracert 212.44.136.226
    Tracing route to brserv.bridgetour.ru [212.44.136.226]
    over a maximum of 30 hops:
      1     1 ms    <1 ms     1 ms  Wireless_Broadband_Router.home [192.168.1.1]
      2    12 ms     9 ms     9 ms  L100.BSTNMA-VFTTP-71.verizon-gni.net [98.118.28
    1]
      3    16 ms    19 ms    19 ms  G0-6-4-1.BSTNMA-LCR-21.verizon-gni.net [130.81.75.132]
      4    45 ms    15 ms     8 ms  ae3-0.BOS-BB-RTR1.verizon-gni.net [130.81.151.6
      5    19 ms    19 ms    19 ms  0.xe-3-2-0.IL1.NYC9.ALTER.NET [152.63.26.81]
      6    21 ms    19 ms    19 ms  0.ge-1-2-0.IL1.NYC12.ALTER.NET [152.63.26.86]
      7   107 ms   108 ms   107 ms  so-0-0-0.XT1.AMS2.ALTER.NET [146.188.14.209]
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.

    BT help aren't always that helpful, but BT engineers claiming that it is a BT sales issue and nothing to do with them seems a bit extreme.
    Are you sure your daily speed is 8Mbits, not 8Mbytes? How are you measuring this? Is it the number coming from the BT speedtest?
    If it really is 8Mb, then I think it's worth checking with the mods at: http://bt.custhelp.com/app/contact_email/c/4951 . But be aware they take 3 working days to reply, sometimes more if busy.
