topic Take your EtherChannel and in Network Security

ASA5525-X and Cisco 3850 Traffiic routing

danielashleysmith — Tue, 12 Mar 2019 05:22:01 GMT

Hi,

I apologise if this question has been answered already, I tried searching but found nothing.

I have a Cisco 3850X and an ASA5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.

I am using VLAN 15, which is intended for wireless access only.

I want to;

Route all wireless hosts traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group

Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces.)

Allow filtered traffic to communicate with other VLANs via their gateways

If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.

Thank you.

Take your EtherChannel and

Collin Clark — Mon, 19 Jan 2015 18:08:06 GMT

Take your EtherChannel and make it trunk. Put VLAN15 on the trunk and build the SVI for that VLAN on the ASA. You would also trunk your 'inside' VLAN back to the switch.

Unfortunately the 5525-x only

danielashleysmith — Tue, 20 Jan 2015 12:43:40 GMT

Hi Collin,

Thank for your reply.

Unfortunately the 5525-x only allows me to create an etherchannel, I can't make trunk. I've made a trunk on the switch side, using two link aggregated ports which includes VLAN 15.

I created port-channel 1 on the firewall, with an address of 10.196.15.1, however I am unable to ping this from a host sitting on VLAN 15 connected to the switch.

I know I could probably create a trunk up to the firewall using one cable, and then use the other cable for the downlink back to the switch. Only allowing the downlink port access the gateway to talk to other VLANS. So basically, for any .15 vlan hosts, they are forced to go via the firewall and back into the switch.

But I would prefer to try and do this logically, so have a 2GbE uplink to the firewall, where only traffic that has been filtered can travel back down the 2GbE uplink and access the gateway. Giving 2GbE throughput and 1+1 redundancy.

Sorry, I'm stuck on this one. I tried doing what you said but I'm still not sure. I've attached a screenshot of the ASDM interface config if it helps.

If you could help clarify a bit further I'd really appreciate it.

Thanks

Lets first address why you

Collin Clark — Tue, 20 Jan 2015 14:17:23 GMT

Lets first address why you can't trunk. Are you getting an error somewhere?

The firewall just isn't

danielashleysmith — Tue, 20 Jan 2015 16:13:58 GMT

The firewall just isn't accepting any of the commands I would normally use to build a trunk.

For example:

--------------------------------------------------
ciscoasa(config)# int gi0/3
ciscoasa(config-if)# switchport mode trunk
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-if)# vlan 15
^
ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)# int gi0/2.15
ciscoasa(config-subif)# switchport mode trunk
^
ERROR: % Invalid input detected at '^' marker.

--------------------------------------------------

Even when configuring sub-interfaces the CLI just will not accept any form of switchport command.

Is there a separate set of commands for building trunks in ASA5525's? I've googled around a lot and all the examples I have seen show people using the standard trunk commands.

I restored the firewall back to factory defaults, but still no joy.

I've attached a copy of the running config if that reveals any config issues?

Thanks

Here's an example of creating

Collin Clark — Tue, 20 Jan 2015 17:17:55 GMT

Here's an example of creating a port-channel and then trunking the port-channel in the CLI.

interface GigabitEthernet0/0
speed 1000
duplex full
channel-group 10 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 10 mode on
no nameif
no security-level
no ip address

interface Port-channel10
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface Port-channel10.225
vlan 225
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface Port-channel10.226
vlan 226
nameif dmz
security-level 50
ip address 192.168.99.254 255.255.255.0 standby 192.168.99.253
!

Hi Collin, Thanks, I've now

danielashleysmith — Wed, 21 Jan 2015 10:05:40 GMT

Hi Collin,

Thanks, I've now managed to create the trunk following your instructions.

I have set the switch up so that the trunks native vlan is 15, but vlans 10-15 are allowed. As follows:

------------------------------------------

Switch:

------------------------------------------
interface GigabitEthernet1/0/1
switchport access vlan 15
switchport trunk native vlan 10
switchport trunk allowed vlan 10-15
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode active
!
interface GigabitEthernet1/0/2
switchport access vlan 15
switchport trunk native vlan 10
switchport trunk allowed vlan 10-15
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode active

------------------------------------------

Firewall

------------------------------------------
interface Port-channel10.10
vlan 10
nameif inside
security-level 100
ip address 10.196.10.1 255.255.255.0
!
interface Port-channel10.15
vlan 15
nameif dmz
security-level 50
ip address 10.196.15.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
-------------------------------------------------------

I am able to ping the .15 gateway from a host sitting on VLAN15 on the switch, however, even with the 'same-security' configuration I am still unable to ping across to the .10 gateway.

I tried creating a route, 'route inside 10.196.15.0 255.255.255.0 10.196.10.0' however was returned an error message 'Cannot add route connected route exists'. However when I looked at sh route, no such route exists:

-------------------------

C 10.196.15.0 255.255.255.0 is directly connected, dmz
C 10.196.10.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, management

-------------------------

I should not that I have only used the gateway addresses 10.196.10.1 and 10.196.15.1 in the firewalls configuration, I have removed these gateway addresses from the switch, as I assumed the firewall should be used as the gateway, and didn't want the switch to route between the vlans internally bypassing the firewall.

I'm obviously still missing something, might I have to setup NAT to translate the two addresses?

Thanks again for your help

Have you tried configuring

Andre Neethling — Wed, 21 Jan 2015 11:02:40 GMT

Have you tried configuring the Port Channel interface on the switch with the trunk configurations?

Hi Andre,For the port channel

danielashleysmith — Wed, 21 Jan 2015 13:04:49 GMT

Hi Andre,

For the port channel config on the switch I have:

------------------------------------
interface Port-channel2
switchport trunk allowed vlan 10-15
switchport mode trunk
switchport nonegotiate
duplex full

------------------------------------

I assumed this would be ok?

Thanks

UPDATE:

I tried setting the security levels for both interfaces to 100, however still no joy. Which leads to think it may be something to do with the trunk itself?

I've uploaded the configs for both the switch and the firewall in case in helps.

Hi Daniel.The 2 interfaces do

Andre Neethling — Wed, 21 Jan 2015 13:18:35 GMT

Hi Daniel.

The 2 interfaces do not have the same security level. If you are trying to connect from a host on the .15 subnet to a host on the .10 subnet, by default the flow will not be allowed, because you are trying to connect from an interface with a lower security level, to an interface with a higher security level. You may need an access rule to permit the traffic from lower to higher security level. Alternatively, you can set both security levels to 100, then the "Same-security" statements will take effect.

You do not need a route because both the routes are connected so the ASA will know how to route traffic between the 2 interfaces.

HTH

ICMP is not inspected by

Andre Neethling — Wed, 21 Jan 2015 13:33:47 GMT

ICMP is not inspected by default on the ASA. Try a different protocol, other than ping.

I tried pinging a host that

danielashleysmith — Wed, 21 Jan 2015 13:43:15 GMT

I tried pinging a host that was on the switch on vlan 11 however that did not work either. However the ping does work to vlan 15 gateway, setup on the firewall.

I tried some other things like tracert but I just can't get connectivity outside of vlan 15 through the firewall.

Ping and traceroute both use

Andre Neethling — Wed, 21 Jan 2015 14:56:51 GMT

Ping and traceroute both use ICMP. Try RDP or any other TCP protocol. Also try to ping devices on both networks from the Asa.

Hi Andre,I've tried pinging

danielashleysmith — Wed, 21 Jan 2015 15:14:32 GMT

Hi Andre,

I've tried pinging hosts on both the .15 and .10 network from the firewall and both hosts are responding. Both hosts are also able to ping their native gateways, ie. 10.196.10.21 can successfully ping 10.196.10.1 and 10.196.15.21 can ping 10.196.15.1.

However, 10.196.10.21 cannot ping 10.196.15.21.

I tried issuing an RDP command through telnet however it was not successful.

On the basis that both hosts can ping their gateways which only exist in the firewall and the firewall can ping back it looks as though the trunk may be working fine but the intervlan route between .10 and .15 is still not working.

I have tried some basic routing commands form googling around but to no avail. I may try restoring factory defaults and re-setting the firewall up again in case I've issued a command that's stopping it somehow, though I can't see anything obvious.

You will never be able to

Collin Clark — Wed, 21 Jan 2015 17:50:26 GMT

You will never be able to ping the far side IP of the firewall (security feature). Please add these lines for ICMP:

icmp permit any inside
icmp permit any dmz

For DMZ to Inside traffic, like Andre stated, you will need to either NAT from DMZ to inside or set the security levels of bother interfaces to 100 and turn on same-security.

From a server on the inside you should be able to telnet to a server running RDP in the DMZ with the following command-

telnet 10.196.15.x 3389

Hi Collin and Andre,Thanks, I

danielashleysmith — Thu, 22 Jan 2015 11:34:21 GMT

Hi Collin and Andre,

Thanks, I can now ping across both vlans after permitting icmp.

I do however need to change the security levels back to DMZ 50 inside 100 however. I've been trying NAT configurations that I've found online all morning however I'm really struggling to get anything working.

Hosts on .15 vlan are issued IP's from a DHCP pool by the switch, I want to translate these into the .10 subnet range.

Do you have an example configuration I could look at?

Apologies I know I should read a bit more and work this out however I'm struggling and running out of time, if anybody could share an example config I'd really appreciate it.

Thanks

Do you need to NAT? Or do you

Andre Neethling — Thu, 22 Jan 2015 12:24:29 GMT

Do you need to NAT? Or do you need to allow access? If both are internal address ranges, than you may just route the 2 subnets/VLANS in your internal network without changing the addressing.

If you are not comfortable with the CLI on the ASA, maybe you should use ASDM or Prime Security Manager to manage your policies. It will be much easier.

If you just need access from the DMZ (Security level 50) interface, to the INSIDE (security level 100) interface, you can achieve this by Access Rules. Which services/protocols do you want to allow between the DMZ and INSIDE interfaces?

Hi Andre,I managed to get RDP

danielashleysmith — Fri, 23 Jan 2015 15:17:08 GMT

Hi Andre,

I managed to get RDP working across the two vlans, I tried ASDM and created an access rule as suggested and it works fine.

The only real remaining issue I'm having is communicating back to the gateways on the switch and their related hosts.

When I setup gateways 10 and 15 on the firewall and remove them from the switch, it works fine, hosts on vlan 15 can talk to hosts on vlan 10. However, hosts on vlan 15 cannot talk to hosts on vlan 11, even though a rule is in place. The gateway for vlan 11 resides in the switch, if I remove the gateway IP address from the switch and configure it inside the firewall instead it works. But that means that all vlan 11 traffic then has to use the gateway within the firewall, even if it's to communicate with adjacent trusted vlans, which isn't what I want.

What I want is for vlan 15 traffic to communicate back to the switch via the gateways on the switch.

I've attached a drawing of what I mean, apologies for its crudeness.

Thanks again.

UPDATE: I tried pinging the gateways on the switch form the firewalls CLI but had no success. So that explains why traffic routed via the firewall coming back down the trunk cannot access gateways on the switch.

If I understand your problem

Collin Clark — Fri, 23 Jan 2015 15:26:45 GMT

If I understand your problem correctly, you will need to put an IP for vlan 15 on the switch (not the gateway IP). Then on the ASA you will need to add a route to the other networks.

Example-
route inside 10.196.11.0 255.255.255.0 10.196.15.254
route inside 10.196.12.0 255.255.255.0 10.196.15.254
route inside 10.196.13.0 255.255.255.0 10.196.15.254

10.196.15.254 is the IP you would put on the switch for vlan 15.

Hi Collin,But surely if the

danielashleysmith — Fri, 23 Jan 2015 17:09:49 GMT

Hi Collin,

But surely if the .15.1 (DMZ) IP address is allocated to vlan 15 on the switch, with IP routing turned on won't traffic bypass the firewall altogether?

That's why I wondered if the address 10.196.15.1 should be allocated to vlan 15 in the firewall instead, so to access other vlans traffic has no choice but to go via the firewall first.