sahiln
Explorer

CPD Traffic dropped from GW-2 to GW-1 in VMware

Below is the configuration of my lab:

1. Mgmt PC - 172.16.31.22 (VMnet 1)

2. Mgmt Server - 172.16.31.110 (VMnet 1)

3. GW-1 - 172.16.31.1 (VMnet 1) -- internal network

4. GW-1 - 192.168.1.251 (bridged to Wi-Fi network) -- outside network. NAT is also enabled on this interface; NAT IP - 192.168.1.251

5. GW-2 - 192.168.1.250 (bridged to Wi-Fi network) -- outside network

--------------------------------------------------------------------------------------------------------

The default gateway of the Mgmt PC and the Mgmt Server is the IP address of GW-1 (172.16.31.1).

Policies installed:

1. Mgmt PC - GW-1 and GW-2 -- accept HTTPS/HTTP/ICMP/DNS traffic.

2. Mgmt Server - GW-2 -- accept all traffic.

Now, when I add the gateway in the Mgmt Server, its status turns green, but when I install the above policies I get a message that the connection to GW-2 is lost, and when I check the logs, they say that CPD traffic is dropped from GW-2 to GW-1 (port 18191).

Please provide a solution to my query.


0 Kudos
6 Replies
PhoneBoy
Admin

The Management Server traffic heading to GW2 is being NATted behind GW1.
Since GW2 doesn't see this as being from the management, it's dropping the relevant traffic.

Generally speaking, there should be bidirectional connectivity between management server and gateway.
Allocate an address for the management server on 192.168.1.x, configure that on the NAT tab of the management server, and push policy to both gateways.
0 Kudos
Maarten_Sjouw
Champion

Add a No-NAT rule above your hide NAT for Mgmt to GW2.
Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin

That assumes routes are in place to route back to the management from GW2 😬
0 Kudos
VictorSingh28
Explorer

Dear Team, Good Evening,

This is Victor here and I am new to this community. I am also facing the same issue for the same scenario and setup on VMware. I have two sites set up, namely HQ and Branch. From a PC on the HQ site I am trying to make an HTTPS connection to the Branch firewall, which is not working. I have configured Hide NAT for the HQ network, and an HTTPS service rule is also configured. Traffic for the rule is also accepted, but when I check the logs I can see the HQ FW is dropping the CPD 18191 traffic from the Branch FW to the HQ FW due to the Cleanup rule, while the Branch FW is accepting the same traffic due to the Implied rule.

FYI: Both sites are UP and running, no connectivity issues yet. 

Kindly help or suggest if I am missing something or have wrongly configured things.

Kindly see the attached picture for clarity on the issue.

Thanks.

0 Kudos
PhoneBoy
Admin
Admin

NAT for management is generally recommended with Static NAT (not HIDE NAT).
It’s possible you will need an explicit rule to permit this communication.

0 Kudos
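To make the mechanism behind the replies above concrete (why Hide NAT behind GW-1 makes GW-2 drop CPD, why Maarten's No-NAT rule must sit above the hide rule and needs a return route, and why Static NAT configured on the management object works), here is a small added model written for this thread, not code from Check Point or from any poster. The addresses are the ones in the original post; the 192.168.1.110 static NAT address and the "first matching NAT rule wins, implied rule accepts CPD only from the management object's address" behaviour are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Addresses from the original post
MGMT_IP = "172.16.31.110"      # management server, inside GW-1
GW1_OUTSIDE = "192.168.1.251"  # GW-1 outside interface = hide-NAT address
GW2_IP = "192.168.1.250"
MGMT_STATIC = "192.168.1.110"  # assumed: the 192.168.1.x address allocated for static NAT
CPD_PORT = 18191

def apply_gw1_nat(src, nat_rules):
    """Source address GW-2 will see. Rules are (original_net, action, translated),
    matched top-down, first match wins (assumed NAT rulebase behaviour)."""
    for orig_net, action, translated in nat_rules:
        if ip_address(src) in ip_network(orig_net):
            return src if action == "no-nat" else translated
    return src

def gw2_verdict(src_seen, dport, mgmt_as_known_by_gw2, gw2_routes):
    """Implied rule on GW-2 (modelled): accept CPD only from the management
    object's address, i.e. its NAT address if one is set on the object's NAT tab."""
    if not (dport == CPD_PORT and src_seen == mgmt_as_known_by_gw2):
        return f"drop: {src_seen} is not the management server"
    if not any(ip_address(src_seen) in ip_network(n) for n in gw2_routes):
        return f"accept, but no route back to {src_seen}"
    return "accept"

def evaluate(nat_rules, mgmt_as_known_by_gw2, gw2_routes):
    src_seen = apply_gw1_nat(MGMT_IP, nat_rules)
    return gw2_verdict(src_seen, CPD_PORT, mgmt_as_known_by_gw2, gw2_routes)

HIDE = ("172.16.31.0/24", "hide", GW1_OUTSIDE)
NO_NAT = (f"{MGMT_IP}/32", "no-nat", None)
STATIC = (f"{MGMT_IP}/32", "static", MGMT_STATIC)
LAN = ["192.168.1.0/24"]          # GW-2's only route: its own outside segment

def case_hide_only():             # original post: hide NAT only
    return evaluate([HIDE], MGMT_IP, LAN)
def case_no_nat_below_hide():     # No-NAT rule placed below the hide rule
    return evaluate([HIDE, NO_NAT], MGMT_IP, LAN)
def case_no_nat_without_route():  # No-NAT above hide, but GW-2 has no route back
    return evaluate([NO_NAT, HIDE], MGMT_IP, LAN)
def case_no_nat_with_route():     # No-NAT above hide, GW-2 routes 172.16.31.0/24 via GW-1
    return evaluate([NO_NAT, HIDE], MGMT_IP, LAN + ["172.16.31.0/24"])
def case_static_nat():            # static NAT set on the management object's NAT tab
    return evaluate([STATIC, HIDE], MGMT_STATIC, LAN)

if __name__ == "__main__":
    for f in (case_hide_only, case_no_nat_below_hide, case_no_nat_without_route,
              case_no_nat_with_route, case_static_nat):
        print(f"{f.__name__:26s} -> {f()}")
```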
VictorSingh28
Explorer

Thanks a lot for the help, noted your point, will implement as suggested.

0 Kudos