topic Hi Depo, in Network Security

ASA 5510: dmz Interface segregation from one switch to another

dapo dimeji — Tue, 12 Mar 2019 06:58:28 GMT

I am using a Cisco ASA 5510 which has 4 interfaces: Inside, Outside, Failover and the DMZ. The
DMZ interface has two subinterfaces.
The Inside interface is setup as a Physical trunk with a subinterface having a Vlan (example: Vlan 10)
The Outside interface is setup as a stand alone interface
The DMZ interface is a physical trunk which has two subinterface (example: Vlan 20 & 30)

At the Moment all these interfaces from the ASA are connected to a Pair of stacked 3750-x switch. The
challenge i am having is moving the DMZ physical trunk (int0/2) with the two subinterfaces to a New DMZ switch.
The current interfaces on the ASA are below:

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 321.456.25.253 255.255.255.0 standby 321.456.25.254

interface Ethernet0/1
speed 100
duplex full
no nameif
security-level 100
no ip address

interface Ethernet0/1.10
vlan 10
nameif inside
security-level 100
ip address 123.456.10.254 255.255.255.0 standby 123.456.10.253

interface Ethernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address

interface Ethernet0/2.20
vlan 20
nameif section 1
security-level 45
ip address 15.150.20.1 255.255.255.0 standby 15.150.20.2

interface Ethernet0/2.30
vlan 30
nameif section 2
security-level 50
ip address 123.456.30.254 255.255.255.0 standby 123.456.30.254

I currently have a Vlan interface setup on the stacked switch which it's default gateway is the inside interface
on the ASA.

interface Vlan10
description ASA Vlan
ip address 123.456.10.2 255.255.255.0
standby 10 ip 123.456.10.1
standby 10 priority 120
standby 10 preempt

ip default-gateway 123.456.10.254
ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 123.456.10.254

At this stage i have now created another subinterface on the ASA-DMZ interface (int0/2) to manage traffic to the
new DMZ switch and also a Vlan interface on the New DMZ switch which is below.

interface Ethernet0/2.40
description DMZ
vlan 40
nameif DMZ
security-level 50
ip address 123.456.40.254 255.255.255.0 standby 123.456.40.254

I have now configured a Vlan interface on the DMZ(New) switch to segregate the network. Which is below.

interface Vlan40
ip address 123.456.40.6 255.255.255.0
standby 40 ip 123.456.40.1
standby 40 priority 120
standby 40 preempt

ip default-gateway 123.456.40.254
ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 123.456.40.254

I have tried moving the physical DMZ interface (with the two subinterfaces : (Ethernet0/2.20 & Ethernet0/2.30) of
the ASA from the stacked switch to the new DMZ switch however i was unable to get things working as expected.
Is there something obvious i am not doing right? Can anyone please help

Many Thanks

Dapo

Hi Depo,

Akshay Rastogi — Wed, 02 Dec 2015 06:18:26 GMT

Hi Depo,

When you say things not working as expected, could you please mention what communication are you trying to establish?

Also from the configuration, i could see that you have two sub-interfaces with the same Security-level(.30 and .40 with sec level of 50). Please configure 'Same-security-traffic permit intra-interface' if traffic needs to be established between them.

Also check if you are able to ping vlan 40 interface ip from new switch or from hosts behind it. Also check if port on switch is made as trunk and all the required vlans are allowed on that trunk.

Also check the access-list on ASA vlan 40 interface if traffic is allowed(as it would go from low security to high security).

Regards,

Akshay Rastogi

Hi Akshay,

dapo dimeji — Thu, 03 Dec 2015 21:32:48 GMT

Hi Akshay,

Thank you for your response. I am trying to get devices on Vlan 20 & 30 (DMZ Interface) to communicate with devices
on Vlan 10 (Inside Interface).

I have a trunk port setup on the new DMZ switch to allow vlans 20,30 & 40 from the DMZ interface of the ASA.
I dont have same-security-traffic configured on the ASA, would apply and test. I will try the below config.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

I have this subnet connected to the stacked switch ( i.e: Vlan 50) which is on the inside interface.
Network address (example) 150.120.78.0 with two host address 150.120.78.26 & 150.120.78.27 and another
Network address 132.15.15.0 with a host 132.15.15.228 . See Static nat and routing on the ASA below:

static (inside,outside) 150.120.78.0 50.120.78.0 netmask 255.255.255.0
static (inside,outside) 132.15.15.0 132.15.15.0 netmask 255.255.255.0
static (inside,section2) 150.120.78.26 150.120.78.26 netmask 255.255.255.255
static (inside,section2) 150.120.78.27 150.120.78.27 netmask 255.255.255.255
static (inside,section1) 20.150.16.203 132.15.15.228 netmask 255.255.255.255
static (section2,outside) 123.456.30.33 123.456.30.33 netmask 255.255.255.255
access-group outside-in in interface outside
access-group inside-out in interface inside
access-group section1-in in interface section1
access-group section2-in in interface section2
route outside 0.0.0.0 0.0.0.0 10.10.10.4 1 (this is the router out of the network)
route section2 20.150.190.199 255.255.255.255 123.456.30.1 1
route inside 132.15.15.0 255.255.255.0 123.456.10.1 1
route inside 150.120.78.0 255.255.255.0 123.456.10.1 1

route section1 183.103.131.40 255.255.255.255 20.150.16.246 1

At this stage i have not added a static NAT rule or setup an access-group for the new DMZ interface on the ASA,
can you please advise?

Hi Akshay,

dapo dimeji — Thu, 03 Dec 2015 21:43:18 GMT

Hi Akshay,

I have got things working to a good level. I applied the same traffic config below:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

I mainly had to create an interface for Vlan 50 with in IP Address on the DMZ switch which then got traffic moving from the INSIDE to the DMZ interface.

Thanks for your support.

Hi Depo,

Akshay Rastogi — Fri, 04 Dec 2015 01:48:39 GMT

Hi Depo,

It is nice to hear that.

Regards,

Akshay Rastogi

Remember to rate helpful posts.