topic Could you run a packet in Network Security

Splitting network into two VLANs, while keeping one active directory

Kjetil Fleten — Tue, 12 Mar 2019 04:58:39 GMT

I'm splitting up the network on a small school, separating the teachers from the pupils. Until now, both teachers and pupils have been domainusers on the same AD server. We want to keep it that way. I have created a new VLAN for the teachers. The AD servers are in the pupils VLAN.

I have set the ASA as DHCP server in the teachers VLAN, but I still want to use the AD DNS server and AD login. The new DHCP settings for teachers VLAN, looks like this:

dhcpd address 172.16.1.100-172.16.1.200 Teacher
dhcpd dns 10.10.1.30 10.10.1.31 interface Teacher
dhcpd domain [mydomain] interface Teacher
dhcpd auto_config Pupil interface Teacher
dhcpd enable Teacher

Teacher VLAN has a higher security level than pupils. I can ping 10.10.1.30 and 10.10.1.31 in VLAN pupil from VLAN teacher, so I guess NAT and ACL's should be fine ?

Anyway, DNS lookup does not work.

I don't know if this is an ASA or a Windows server problem. We have added 172.16.1.0/24 as a new subnet in AD "Sites and services", but still no success.

Any suggestions ?

regards

Kjetil

Do you have a drawing of the

david-swope — Wed, 22 Oct 2014 22:59:38 GMT

Do you have a drawing of the topology? Do you not have a L3 switch in place for segmentation? I would highly recommend leaving that to a L3 switch and the firewall for securing the edge.

As it is now, it looks like you are leveraging the ASA for DHCP and also using the ASA to do your inter-vlan routing eh?

Is there a reason why you have different security levels on the Pupil and Teacher interfaces? I would keep this as simple as possible is why I ask, this can get extremely convoluted quickly otherwise and hard to troubleshoot.

So at the least you should have say a L2 switch with ports configured on their respective access vlans.

Does your end client receive an IP from the ASA? If so, can it ping it's default gateway (ASA Interface)?

I have attached a drawing of

Kjetil Fleten — Thu, 23 Oct 2014 08:33:08 GMT

I have attached a drawing of the topology. I have no L3 switch.

I'm leveraging the ASA for DHCP in the new teachers network. Pupils DHCP server is the AD server. The ASA does the inter-vlan routning, yes.

The only reason why I have different security levels, is because I thaught that was an easy way to create ACL's. Traffic is allowed from higher security levels to lower (teacher to pupils), but not vice versa. I have created a rule that allows IP from AD servers to teacher VLAN though. If that's not the simplest way, I'll be happy to change it.

L2 switches are in place in separate VLAN's, see drawing.

Clients in Teacher VLAN receives IP from the ASA. They can ping the GW, which is the ASA interface at 172.16.1.1. They can also go on the Internet, as long as they use another DNS than 10.10.1.30 or 10.10.1.31

Well I can see now why you

david-swope — Fri, 24 Oct 2014 05:13:12 GMT

Well I can see now why you are leveraging the ASA in the manner you are. You only have two unmanaged switches

If you have a L3 switch we could clean this up rather simply. Just in case you have one I would recommend something like this

hostname Core-SW1

int vlan 4

description Pupils

ip address 10.0.0.254 255.255.255.0

int vlan 5

description Teachers

ip address 172.16.1.254 255.255.255.0

int vlan 10

description Management

ip address 10.0.1.254 255.255.255.0

*** Of course create your L2 vlans as well to match the above L3 SVI's:

vlan 4

name Pupils

vlan 5

name Teachers

vlan 10

Management

exit

***

interface G0/1

description To ASA Eth0/1

switchport mode access

switchport access vlan 10

spanning-tree portfast

interface G0/2

description Pupil PC1

switchport mode access

switchport access vlan 4

spanning-tree portfast

interface G0/3

description To Pupil PC2

switchport mode access

switchport access vlan 4

spanning-tree portfast

interface G0/4

description To Teacher PC1

switchport mode access

switchport access vlan 5

spanning-tree portfast

interface G0/5

description To Teacher PC2

switchport mode access

switchport access vlan 5

spanning-tree portfast

ip route 0.0.0.0 0.0.0.0 10.0.1.253 (ASA Inside Interface IP)

So as you see above we let the L3 switch handle our inter-vlan routing and forward traffic to the ASA for inspection etc. This is a typical configuration and way easier to troubleshoot and grow the network as time goes on. If you need the switch to handle DHCP we can do that as well

ip dhcp pool Pupils

network 10.0.0.0 255.255.255.0

default-router 10.0.0.254

domain-name abc.com

dns-server 4.2.2.2 8.8.8.8

Now any pupil patched into an access port on vlan 4 will receive an IP from our pool above. Also, any reason why you have selected an entire /16 for the Teachers segment?

Again, this is just an example, if you don't have the luxury of this option lets look more at what you have now. You can use AD for DHCP for the Teachers if you like, and if you want to do that you need to remove the dhcpd statements from the ASA.

As it is now, can you ping the AD servers and machines on that from the Teachers/Pupils vlans and vice versa? We need to verify basic routing between these segments first.

Could you run a packet

Marius Gunnerud — Fri, 24 Oct 2014 10:25:07 GMT

Could you run a packet tracer

packet-tracer input Teacher udp 172.16.1.x 12345 10.10.1.30 53 detail

if that is successful / allowed, please do a packet capture on the ASA between the two IPs

access-list cap extended permit ip host 172.16.1.x host 10.10.1.30
access-list cap extended permit ip host 172.16.1.x host 10.10.1.31
access-list cap extended permit ip host 10.10.1.30 host 172.16.1.x
access-list cap extended permit ip host 10.10.1.30 host 172.16.1.x

capture capTeach interface Teacher access-list cap
capture capPup interface Pupils access-list cap

show capture capTeach
show capture capPup

remember to send som DNS traffic before you do the show commands.

Idealy you should see traffic entering and leaving both interfaces. If you see traffic entering the Teacher interface and leaving the Pupils interface, but you do not see the return traffic entering the Puplis interface, then I would suggest taking a closer look at the DNS servers and/or the network between the ASA and the DNS servers.

If you see return traffic entering the Pupils interface but never leaving the Teachers interface then there is something going on with the rule base on the ASA.

Would help to see the running configuration of the ASA for further troubleshooting. Remember to remove any public IP addresses and passwords.

Please remember to select a correct answer and rate helpful posts

Thanks Marius. The packet

Kjetil Fleten — Sat, 25 Oct 2014 22:05:29 GMT

Thanks Marius. The packet tracer showed that I missed one outgoing rule on the pupils network. Now the packet tracer is successfull, and I guess the DNS will work as well. I'll let you know in a few days when we have tested...

Test ok :-)

Kjetil Fleten — Wed, 05 Nov 2014 09:34:27 GMT

Test ok 🙂