topic Re: IP Address assignment on LAN Interface ASDM /CLI in Network Security

IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Mon, 28 Mar 2022 18:13:05 GMT

Hi,

Have Cisco Firepower 1200 /ASDM and inside Ethernet 2 (inside) has 192.168.1.x IP address by default for the management purposes.
Question:
a) Is this port (Ethernet 2) and remaining other ports (Ethernet 3 - Ethernet 😎 belongs to same vLAN?
b) Can I leave Ethernet 2 (inside) as it is with it's default IP addressing scheme, or there is some other best practices?Firepower, Cisco Adaptive Security Appliance (ASA), Other Network Security Topics
c) How I can use Ethernet ports (3 - 😎 as LAN ports, same vLAN (but different from what Ethernet 2 belongs to) and IP address assignment etc.?

Thanks!

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Mon, 28 Mar 2022 18:31:58 GMT

@amh4y0001 as default the ASA interfaces are unconfigured. Generally you assign the inside interface of the ASA with a dedicated /30 or /29 routed link to the connected core switch. You then define static routes on the ASA for the local networks.

So you could continue to use eth2, just define static routes via the core switch for the connected vlans.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Mon, 28 Mar 2022 18:46:16 GMT

It's OK for me to leave Eth2 as it is and continue to use eth3 -eth8 as LAN configuration.
Can't I have /8 /16 or /24 network?
How to achieve it using GUI and CLI, suggested guide?

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Mon, 28 Mar 2022 18:52:14 GMT

@amh4y0001 the ASA is a firewall, not a switch. I wouldn't use such a large network. Use a dedicated vlan between the ASA and the switch, just to route the traffic. Use multiple vlans on the switch, let the switch do the intervlan routing, with a default route via the ASA.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Mon, 28 Mar 2022 19:19:19 GMT

@Rob Ingram thanks for reply. Agree, that a L2 switch should exist for best practice.

Have mix scenarios, one of them requires only 2 LAN ports at the same time number of devices should not increase i.e. no L2 switch should be added, rather have to use 2 LAN ports from the ASA ... is it possible?

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Mon, 28 Mar 2022 19:35:56 GMT

@amh4y0001 ok understand you may not have a switch. Perhaps you could use a BVI, this was supported on the older ASA 5506 hardware, not sure if it works on your firepower 1120 hardware though. Here is an example.

Alternatively you could just define 2 routed interfaces on the ASA.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Mon, 28 Mar 2022 20:00:57 GMT

@Rob Ingram Do you recommend any guide or example how to define 2 routed interfaces on the ASA?
As I think in my situation it looks promising (so far at least).

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Mon, 28 Mar 2022 20:05:09 GMT

@amh4y0001 they are just normal interfaces, here is an example:-

interface gigabitethernet 0/3 nameif INSIDE_1 ip address 192.168.11.1 255.255.255.0 no shut security-level 100interface gigabitethernet 0/4
 nameif INSIDE_2
 ip address 192.168.12.1 255.255.255.0
 no shut
 security-level 100
!
object network INSIDE-1 subnet 192.168.11.0 255.255.255.0 nat (inside_1,outside) dynamic interfaceobject network INSIDE-2
 subnet 192.168.12.0 255.255.255.0
 nat (inside_2,outside) dynamic interface

Just plug in the endpoints to the interfaces, assign an IP address in the correct network range.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Mon, 28 Mar 2022 20:14:46 GMT

@Rob Ingram I think that would be sufficient for my current task, thanks again for prompt reply and suggestions.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 12:50:14 GMT

@Rob Ingram In FP1200 ASA, is it NOT possible to have two ports in the same network (without having L2 switch).

In the above configuration, I am able to configure the interfaces as per your suggestion but:

1. Internet is not available when I connect end-point to Ethernet 3 and Eth 4.

2. I cannot ping from 192.168.11.x network to 192.168.12.x network (this is why I asked if it's possible to have two interface belonging to same network ...).

Note: Ethernet1 is connected to WAN and have assigned static IP address with security level 100, see screenshot, if that could explain why Internet is not available on LAN.

Any thoughts would be appreciated.

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Tue, 29 Mar 2022 12:51:03 GMT

@amh4y0001 well ideally you'd use a switch but you can configure the command same-security-traffic permit inter-interface. This command allows traffic to enter an interface of certain security level and then exit from another interface of the same security level. Therefore ensure both interfaces are configured with the same security level.

You'd have to provide your nat configuration to determine why you cannot access the internet.

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 12:58:20 GMT

@Rob Ingram
Thanks, I have not configured NAT configuration other than you provided as below:

nat (inside_2,outside)

dynamic interface

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Tue, 29 Mar 2022 12:58:31 GMT

@amh4y0001 please provide the output of "show nat detail" and "show run interfaces"

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 13:07:41 GMT

@Rob Ingram , thanks

ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.11.0/24, Translated: X.Y.Z.40/28

2 (Site-A_LAN-P4) to (outside) source dynamic Site-A_LAN-P4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.12.0/24, Translated: X.Y.Z.40/28

3 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: X.Y.Z.40/28

-------------------------------

ciscoasa# sh run interface
!
interface Ethernet1/1
nameif outside
security-level 100
ip address X.Y.Z.40 255.255.255.240
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
nameif Site-A_LAN-P3
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet1/4
nameif Site-A_LAN-P4
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address dhcp setroute

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Tue, 29 Mar 2022 13:11:02 GMT

@amh4y0001 you've got zero hits on all the of that nat rules, how are you testing?

Run packet-tracer from the CLI and provide the output for review. Example:

packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 13:29:59 GMT

@Rob Ingram Thanks, see below. I was trying to ping 8.8.8.8 and even open a browser to see if I have internet access.
Have enabled ICMP Echo requests for IPv4 on both end-points.

ciscoasa# packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80

Result:
input-interface: Site-A_LAN-P3
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000562d87f3ff8e flow (NA)/NA

------------------------------------------------------------------------------------------------

ciscoasa# packet-tracer input Site-A_LAN-P4 tcp 192.168.12.10 3000 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: Site-A_LAN-P4
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000562d87f3ff8e flow (NA)/NA

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Tue, 29 Mar 2022 13:31:24 GMT

@amh4y0001 Drop-reason: (no-route) No route to host - do you have a default route configured?

route outside 0 0 <next hop ip address>

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 13:57:47 GMT

@Rob Ingram my bad, I have not configured the default route. However, I have configured now, but still no internet access.

ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.11.0/24, Translated: X.Y.Z.40/28
2 (Site-A_LAN-P4) to (outside) source dynamic Site-A_LAN-P4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.12.0/24, Translated: X.Y.Z.40/28
3 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: X.Y.Z.40/28
ciscoasa# packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.y.z.33 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Site-A_LAN-P3
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562d87f37680 flow (NA)/NA
ciscoasa# packet-tracer input Site-A_LAN-P4 tcp 192.168.12.10 3000 8.8.8.8 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.y.z.33 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Site-A_LAN-P4
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562d87f37680 flow (NA)/NA

Re: IP Address assignment on LAN Interface ASDM /CLI

Rob Ingram — Tue, 29 Mar 2022 13:59:44 GMT

@amh4y0001 can you provide your full configuration, remove confidential information (change public IP addresses etc).

Re: IP Address assignment on LAN Interface ASDM /CLI

amh4y0001 — Tue, 29 Mar 2022 14:07:57 GMT

@Rob Ingram do you mean contents of "show running-config"?