InterVlan Routing and an ASA5520

GattsuTaicho — Tue, 12 Mar 2019 03:06:57 GMT

Hey Guys,

I'm having problems getting something to work. First off, let me give you the topology and the configs:

Config R1

Vlan Database:

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/1, Fa1/2, Fa1/3, Fa1/4

Fa1/5, Fa1/6, Fa1/7, Fa1/8

Fa1/9, Fa1/10

10 SERVER active Fa1/14

30 CLIENTS active Fa1/13

100 Inside active

101 LIFESIZE active Fa1/12

250 Mgmt active Fa1/11

1000 Outside active Fa1/15

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

Trunks:

Port Mode Encapsulation Status Native vlan

Fa1/0 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa1/0 1-1005

Port Vlans allowed and active in management domain

Fa1/0 1,10,30,100-101,250,1000

Port Vlans in spanning tree forwarding state and not pruned

Fa1/0 1,10,30,100-101,250,1000

Running Config:

interface FastEthernet1/0

switchport mode trunk

interface FastEthernet1/11

switchport access vlan 250

duplex full

speed 100

spanning-tree portfast

interface FastEthernet1/12

switchport access vlan 101

duplex full

speed 100

spanning-tree portfast

interface FastEthernet1/13

switchport access vlan 30

duplex full

speed 100

spanning-tree portfast

interface FastEthernet1/14

switchport access vlan 10

duplex full

speed 100

spanning-tree portfast

interface FastEthernet1/15

switchport access vlan 1000

interface Vlan1

no ip address

interface Vlan10

description SERVER

no ip address

interface Vlan20

description DRUCKER

ip address 10.11.20.254 255.255.255.0

interface Vlan30

description CLIENTS

ip address 10.11.30.254 255.255.255.0

interface Vlan101

description LifeSize

no ip address

interface Vlan250

description Management

ip address 10.11.250.254 255.255.255.0

ip default-gateway 10.11.250.251

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.11.250.251

ip route 10.0.0.0 255.0.0.0 10.11.250.251

Config ASA:

ASA Version 8.4(2)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0

nameif Outside

security-level 0

ip address 186.89.54.20 255.255.255.248

interface GigabitEthernet1

description Trunk to SW

no nameif

no security-level

no ip address

interface GigabitEthernet1.10

vlan 10

nameif Server

security-level 100

ip address 10.11.10.251 255.255.255.0

interface GigabitEthernet1.30

vlan 30

nameif Clients

security-level 100

ip address 10.11.30.251 255.255.255.0

interface GigabitEthernet1.101

vlan 101

nameif DMZ

security-level 50

ip address 10.11.101.251 255.255.255.0

interface GigabitEthernet1.250

vlan 250

nameif Mgmt

security-level 100

ip address 10.11.250.251 255.255.255.0

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet5

nameif Martin

security-level 100

ip address 10.11.15.254 255.255.255.0

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list global_access extended permit ip any any

access-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactive

access-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactive

access-list Server_access_in extended permit ip any any

access-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactive

access-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactive

access-list Mgmt_access_in extended permit ip any any inactive

pager lines 24

logging enable

logging buffered debugging

mtu Outside 1500

mtu Server 1500

mtu Clients 1500

mtu DMZ 1500

mtu Mgmt 1500

mtu Martin 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

access-group Server_access_in in interface Server

access-group Clients_access_in in interface Clients

access-group Mgmt_access_in in interface Mgmt

access-group global_access global

route Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.0.0.0 255.0.0.0 Martin

http 10.11.250.0 255.255.255.0 Mgmt

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

management-access Mgmt

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map global-class

match default-inspection-traffic

policy-map global-policy

class global-class

inspect dns

inspect ftp

inspect http

inspect icmp

inspect icmp error

inspect rtsp

inspect sip

inspect snmp

inspect tftp

service-policy global-policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63

: end

Problem:

What I'm planning is, having an InterVlan routed network that is done by the switch and only certain Networks should be protected by the ASA.

The Networks that should not be protected will have the GW of the L3 SVI
The protected hosts will have the GW of the ASA and send their traffic there first
The ASA has a Trunk to the Switch receiving all L2 Vlans from there (E1)
The ASA has an Interface called Mgmt to which it can send all the traffic back (Asymmetric Routing problem?)
The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the Switch R1
Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
I'm stuck with the basics

What won't work:

From R1 i can ping Mgmt and Client Network but not Server and DMZ
Pinging from R1 (10.11.250.254) to ASA Server (10.11.10.251) Interface gives me this Teardown but i have a global permit any any?

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0

%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03

%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03

R2 (Server Host) has the ASA Gateway for its interface and it can ping it. But when i'm trying to ping another interface on the ASA that i can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.

Can somebody tell me what what i'm doing wrong and why? I'm kinda getting a little bit frustrated since i've been working on this from quite some time but i fail to get it working properly.

Cheers

Re: InterVlan Routing and an ASA5520

GattsuTaicho — Fri, 22 Nov 2013 08:04:31 GMT

I'm sorry very sorry i'm responding so late i've been very busy lately.

This forum doesn't show the topology diagram i posted so let me try that again first:

Now, as you can see, R2 has the GW of the ASA which is 10.11.10.251/24. R1 is the L3-Switch and doesn't have an Interface IP for the Server and DMZ but a default-gateway and default-network pointing to 10.11.250.251/24 which is the Mgmt Interface of the ASA. Additionally, it has has a Trunk Port to the ASA to pass all L2-Vlans.

The ASA can ping all L3-Vlans of the Switch R1 e.g. 10.11.30.254/24 and the host 10.11.30.5/24
The L3-Switch can only ping the Mgmt to which it is directly connected and in the same Network 10.11.250.0/24 but not all other Interfaces
Pinging fom 10.11.250.254/24 (L3 Interface of R1) to 10.11.10.251/24 (Server Interface ASA) gives me this logging output:

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0

%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05

%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05

And that is the major problem for me right now. I don't know what i'm doing wrong.

Thx

Re: InterVlan Routing and an ASA5520

GattsuTaicho — Fri, 22 Nov 2013 10:30:32 GMT

Solved it!

I did everything right. The problem was, i was trying to ping an interface that was too far to reach and that is actually a security feature of the ASA existing since the PIX era.

Example:

From R1 which is directly connected through the Mgmt Interface 10.11.250.0/254, i was able to ping the ASA because it is on the same network. But reaching a "too far" interface like 10.11.10.251/24 which is also on the ASA but not "directly connected" or directly adjecent won't work by design.
Beginner Mistake

But thank you for looking into my problem! Appreaciate that.

topic Re: InterVlan Routing and an ASA5520 in Network Security

InterVlan Routing and an ASA5520

InterVlan Routing and an ASA5520

InterVlan Routing and an ASA5520

InterVlan Routing and an ASA5520

Re: InterVlan Routing and an ASA5520

Re: InterVlan Routing and an ASA5520

InterVlan Routing and an ASA5520