topic Hi; in Network Security

HSRP and ASA 5510

coolmon1981 — Tue, 12 Mar 2019 08:04:46 GMT

Hi Everyone,

This is my first post here and i hope you can help me or point me into the right direction. Please be gentle i'm a newbe

I'm trying to configure 2 x 3560 8 Ports as my distribution layer and 1 x 2960 8port as access layer, with ether channel between all links,
and configured HSRP. HSRP is working fine at this point, then i wanted to add a ASA firewall. but i can only get internet connectivity if i use the gateway of the vlan 10 i configured on the asa box. is it not possible to add that address to HSRP redundant default gateway functionality.
so i would be able to use example 10.1.10.1 af default gateway.

For the DHSW1 i have configured HSRP like this

vlan 10
name OFFICE
interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
standby 10 priority 110
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!

and DHSW2

interface vlan 10
ip address 10.1.10.2 255.255.255.0
ip helper-address 10.1.50.20
standby 10 ip 10.1.10.5
standby 10 preempt
no shutdown
exit
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4094
switchport mode trunk
switchport nonegotiate
exit
!

and AHSW1

interface vlan 10
ip address 10.1.10.3 255.255.255.0
ip helper-address 10.1.50.20
no shutdown
exit
!
interface gi0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!

The ASA box is configured this way.

interface Ethernet 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
!
interface Ethernet 0/1
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!
interface Ethernet 0/2
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
exit
!

interface redundant 1
description Redundant LAN Interface
member-interface ethernet 0/1
member-interface ethernet 0/2
no nameif
no security-level
no ip address
no shutdown
exit
!
interface redundant 1.10
vlan 10
description VLAN10
nameif inside
security-level 100
ip address 10.1.10.4 standby 10.1.10.5
no shutdown
exit.

http enable server
http 10.1.10.0 255.255.255.0 inside

object network VLAN10
subnet 10.1.10.0 255.255.255.0
nat (inside,outside) dynamic interface

then when i access my laptop that is connected to AHSW1 i get my ip address from my DHCP server with the default gateway of 10.1.10.1 and i can access the asa asdm on the ip address 10.1.10.4 but internet is not working. but if i change the default gateway to 10.1.10.4 internet is working perfectly.

So i guess my question are is this the way it supposed to work or am i missing some configuration some where.

Hope some one would help me.

Thank You.

Hi;

ahmedshoaib — Sat, 30 Jul 2016 10:12:03 GMT

Hi;

The reason you not access the internet is due to routing issue remaining your configuration is OK. You need to decide whether your user gateway will be on Firewall (10.1.10.4) or 3560 (10.1.10.5 VIP) switch and modify the default gateway config on DHCP server.

If you set as a firewall gateway and you already verify the internet is accessible.

If you want to configure Switch as a gateway then you need to divert the traffic from Switch to Firewall by configuring default route:

ip routing

ip route 0.0.0.0 0.0.0.0 10.1.10.4.

In addition there is a IP Address conflict is also there between Switch VIP (10.1.10.5) and Firewall Secondary IP (10.1.10.5). If you have only 1 Firewall then no need to configure standby IP on firewall, if you have 2 firewall then change the standby ip to (10.1.10.6 or else).

Thanks & Best regards;

Hi,

coolmon1981 — Sat, 30 Jul 2016 13:43:32 GMT

Hi,

Thanks ahmedshoaib,

I did try to make what you suggest but it did not work it give the same result. i did forget to mention that i run OSP.

router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.10.0 0.0.0.255 area 0
network 10.1.20.0 0.0.0.255 area 0
network 10.1.30.0 0.0.0.255 area 0
network 10.1.50.0 0.0.0.255 area 0
network 10.1.99.0 0.0.0.255 area 0

Thanks

Hi again,

coolmon1981 — Sat, 30 Jul 2016 14:05:04 GMT

Hi again,

I tried just to set the DHCP server to use the gw of the FW but if i do that my clients wont receive any ip address.

Thanks

Hi;

ahmedshoaib — Sun, 31 Jul 2016 02:26:35 GMT

Hi;

As per recommendation, your client/user gateway should be VIP (in your case 10.1.10.5) on your Distribution layer switch. Switch should have the route to reach outside network it’s either via static route or dynamic routing.

By default OSPF will exchange the route which is advertise in OSPF, It will not advertise default route (which is required to access the internet).

Now you have 2 options either configure the static default route on switch:

ip route 0.0.0.0 0.0.0.0 10.1.10.4

(OR)

Inject the default route in OSPF from ASA firewall.

Thanks & Best regards;

Hi;

coolmon1981 — Sun, 31 Jul 2016 22:39:35 GMT

Hi;

Im a little pusled about how to inject the default route from all vlans into ospf fra ASA Firewall,

i have tried to use ip route 0.0.0.0 0.0.0.0 10.1.10.4 but then it will only allow internet access for host on that vlan all other vlans are not allowed.

my head is twisting when it comes to routing, but i guess it will come to me in time.

i have desperately tried to add ip route like this
0.0.0.0.0 0.0.0.0 10.1.10.4
0.0.0.0.0 0.0.0.0 10.1.20.4
not working at all or only one of them.

I have tried to use this instead just for trying.

10.1.10.0 255.255.255.0 10.1.10.4
10.1.20.0 255.255.255.0 10.1.20.4

Not working also.

Thanks

Hi;

ahmedshoaib — Sun, 31 Jul 2016 22:52:34 GMT

Hi;

Can you confirm me that all the SVI are created on Cisco 3560 Switch? If yes then it should work, if there are other devices also then you can redistribute the default route into ospf so all other vlan also know the route toward firewall.

ip route 0.0.0.0 0.0.0.0 10.1.10.4

router ospf 1
network static subnets

Thanks & Best regards;

Hi;

coolmon1981 — Mon, 01 Aug 2016 09:59:48 GMT

Hi;

All the SVI are created on the cisco 3560 switch, and i have added all the subnet to ospf.

i will post my config file so you can see if its not to much trouble.

Thanks,

Hi;

ahmedshoaib — Mon, 01 Aug 2016 21:14:25 GMT

Hi;

Now you network topology is cleared after review the configuration and found the below are my recommendation:

First remove all the SVI from Access switch

no int vlan 10

no int vlan 20

no int vlan 30

no int vlan 40

no int vlan 60

Second native vlan don’t required any IP add (on all the switches, if you are using vlan 666 for some other purpose then no need to remove from 3560).

no int vlan 666

Third you need to decide whether you want to use DS Switches (3560) as a user’s default gateway (vlan 10 - 10.1.10.5) or Firewall will be default gateway (vlan 10 – 10.1.10.4).

Once you decide you need to remove all other SVI (Vlan 10 till Vlan 50) you need to remove.

Example 1: if you decide Firewall will be users gateway (vlan 10 – 10.1.10.4) then you need to remove all the SVI from your DS Switches (3560) and on DNS you need to modify the default gateway field to be Firewall IP Address:

no int vlan 10

no int vlan 20

no int vlan 30

no int vlan 40

no int vlan 60

Example 2: You decide DS (3560) will be user’s gateway (vlan 10 – 10.1.10.5) then you need modify the following configuration: And also need to create a separate vlan b/w DS switches and Firewall for back and forth traffic.

i.e. create new vlan 100 b/w distribution switch & Firewall.

DS1:

vlan 100

int vlan 100

ip address 10.1.100.1 255.255.255.0

standby 100 ip 10.1.100.5

standby 100 preempt

standby 100 priority 110

no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.100.4

router ospf 1

redistribute static subnets metric 10

DS2:

vlan 100

int vlan 100

ip address 10.1.100.2 255.255.255.0

standby 100 ip 10.1.100.5

standby 100 preempt

no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.100.4

router ospf 1

redistribute static subnets metric 100

Firewall:

no interface redundant 2.10

no interface redundant 2.20

no interface redundant 2.30

no interface redundant 2.40

no interface redundant 2.50

no interface redundant 2.99

interface redundant 2

description LAN

nameif LAN

security-level 100

ip address 10.1.100.4 255.255.255.0

no shutdown

exit

route inside 10.1.0.0 255.255.0.0 10.1.100.5

object network VLAN10

subnet 10.1.10.0 255.255.255.0