Firewall Troubleshooting 1: Routing issue

Firewall Troubleshooting 1: Routing issue


Hi, This is Trevor.Shi. I am an IT support working in Toronto.
My company has 4 Branches in different Locations, A, B, C, and D.
Currently, My company implemented the new firewall in-branch D as a VPN connection point and gateway.
The initial config has been set up by the vendor.
We got the report, the client said they can't connect to their office pc.
So we troubleshoot this issue, we did some network connection test.

Network:
We have 3 branches B, C, D, and 1 head office A.

Branch A IP: 192.168.50.0/24

Branch B IP: 192.168.52.0/24

Branch C IP: 192.168.54.0/24

Branch D IP: 192.168.56.0/24

Branch D firewall use S2S VPN connecting to quester office A.
Branch B and Branch C use MPLS connecting to head office A.


 Diagram:
 

Test result:
A can reach B, C, and D.
B and C and reach to each other
D can reach A,
But D can not reach B and C.
The VPN users can reach D and A, but can not reach B, C.

Troubleshooting:
We checked the firewall routing config, find there had two static routings:
192.168.50.0/24 to Branch A gateway
Any to Internet

From these two routing records, we can tell the traffic from D/VPN to A 192.168.50.0 will route to Branch A gateway, other wire the traffic will route to the internet or drop it.
The traffic from D to C and B will drop by Firewall D cause the Firewall D could not find the routing record.
So we believed it is the routing issue in the Branch B firewall.

Solution:
Since all of the internal networks are in the 192.168.x.x range, we modified the tunnel to route all traffic to the 192.168.0.0/16 subnet across. The issue fixed.

Comments

Post a Comment

Popular posts from this blog

To Be A CyberMan: Installing PfSense on a WatchGuard Firebox

Image
OX01 Preface My company recently upgraded its firewall to FortiGate Firewall.  They eliminated 3 of the licenses expired WatchGuard Firebox Firewalls. The WatchGuard FireBox models are XTM5 Series, M400, and M470. I was wondering if I can install the opensource Firewall application such as PfSense on FireBox to use as Testing Lab Environment. 0X02 Information      XTM5 Series comes with a 1GB CF card, free space is not enough for the lastest Pfsense,  need to add additional Hard Disk as PfSense system booting drive.     M400 comes with a 4 GB CF card, can use CF card as a PfSense system booting drive.     M470 comes with mSTAT SSD.  can SSD as a PfSense system booting drive. 0X03 Installing PfSense on M400 1. Preparation:           WatchGuard Firebox M400 Appliance          A USB Flash Drive          A CF Card USB reader          A console cable (not necessary) 2. download Pfsense       https://www.pfsense.org/download 3. Download Rufus https://rufus.ie/ 4. Use Rufus to create a Pfsens
Read more

How I passed the CSX Fundamentals within one month

Image
  How I passed the CSX Fundamentals within one month Hi Guys, My name is Trevor Shi. I just passed the CSX within one month. I would like to share some experience maybe it will help you guys to prepare the exam. One of the funny things was, I used one month to learn it. But I spent the other one month to book the exam. I re-booked 5 times of exam as ISACA PSI online exam application has lots of issues.  I met every situation you can imagine. The first-time ISACA website down, the second-time they canceled my booked without excuse, the third-time application couldn't open, and the Fourth time was my fault, I just missed the exam. Finally, I got this certificate. We had a small group named CyberRookie, It just like an unorganized cyber knowledge self-studying group, we are trying to be more organized. So t he purpose of this article is as a guideline of the CyberRookie Project CSX certification learning method . A. The Cybersecurity Fundamentals Certificate
Read more

To be A CyberMan: The Exchange Mobile Access Rules Troubleshooting - not able to see device on Quarantined Devices list

Image
  To be A CyberMan: The Exchange Mobile Access Rules Troubleshooting 0X00: Preview Knowlege The company deceived only allows certain employees can have access to their email through mobile.  we created the Device Access Rules on the Exchange admin center. We put all Andriod and iPhone Device into Quarantined that we can decide to block or allow.  So when mobile devices try to connect to email, the user account will go to the Quarantined Devices list on the Exchange admin center, the IT department will grant access to certain employees. 0X01: Issue Some employees were not able to log into Mobile email, got the notification from exchange says: ------------------- Your device is temporarily blocked from synchronizing using Exchange ActiveSync until your administrator grants it access. Your request is currently pending. Thank You,  IT Department Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to
Read more