topic VLAN inter communication - almost there! in Network Security

VLAN inter communication - almost there!

clintonplubliclibrary2013 — Tue, 12 Mar 2019 01:21:35 GMT

I have been working on this for a few days. Im almost there!

I want my Management Vlan to be able to ping Computers in the DMZ vlan. Im not sure if its NAT issue or ACL issue.

Specifically im ping from 192.168.0.5(management comp) to 10.10.10.5(DMZ comp)

Packet tracer shows no errors and says it should be working.

I pick up a weird error in the log that says: Routing failed to locate next hop for ICMP from Management:192.168.0.5/256 to inside:10.10.10.5/0

Why is it saying the 10.10.10.5 is on the inside, when its on the DMZ?

name 10.10.10.0 DMZ description Public Computers

name 192.168.10.0 Inside description CPL Staff Network

name 192.168.0.0 Management description Cisco equipment Access only

name 192.168.1.0 default description Not in use

name 192.168.10.2 CPLServer description win3k server

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport trunk allowed vlan 11-13

switchport mode trunk

interface Ethernet0/2

switchport access vlan 11

interface Ethernet0/3

switchport access vlan 12

interface Ethernet0/4

switchport access vlan 13

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

shutdown

nameif default

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan11

description Inside

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

interface Vlan12

description DMZ

nameif DMZ

security-level 100

ip address 10.10.10.1 255.255.255.0

interface Vlan13

description Management

nameif Management

security-level 100

ip address 192.168.0.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name CPL

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network obj-10.0.1.0

object-group network obj-10.0.2.0

access-list DMZtoInside extended permit ip host DMZ host CPLServer

access-list InsidetoDMZ extended permit ip Inside 255.255.255.0 host DMZ

access-list ManagementtoDMZ extended permit ip Management 255.255.255.0 DMZ 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging buffered debugging

logging asdm debugging

mtu default 1500

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu Management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any DMZ

icmp permit any Management

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (inside) 1 interface

global (DMZ) 1 interface

global (Management) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Management 255.255.255.240 Management

http Management 255.255.255.0 Management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

VLAN inter communication - almost there!

Jouni Forss — Fri, 29 Mar 2013 19:42:17 GMT

Hi,

I think the problem most likely is the NAT configuration.

Is there a specific reason you are using Dynamic PAT from one interface to another ("nat" and "global" between local interfaces)? If this is not required I would suggest a different type of configuration for the whole NAT if you want to try it out. This would involve removing some of the existing configurations and will naturally effect the network operation while you do it.

Removing old ones

no global (inside) 1 interface

no global (DMZ) 1 interface

no global (Management) 1 interface

no static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

no static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

Adding new configurations

Existing ones

!global (outside) 1 interface

!nat (inside) 1 0.0.0.0 0.0.0.0

access-list INSIDE-NAT0 remark NO NAT between Local Networks

access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

access-list DMZ-NAT0 remark NO NAT between Local Networks

access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (DMZ) 0 access-list DMZ-NAT0

access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks

access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (Management) 0 access-list MANAGEMENT-NAT0

And naturally attach ACLs to interfaces to control traffic if needed

Hope this helps

- Jouni

VLAN inter communication - almost there!

Jouni Forss — Fri, 29 Mar 2013 19:50:36 GMT

Also,

I notice that your original NAT configuration has no "nat" statement for your DMZ and Management interfaces to be able to access the "outside" and networks behind it.

Wether if this is the intention I dont know.

For those the NAT configurations needed would naturally be

nat (DMZ) 1 10.10.10.0 255.255.255.0

nat (Management) 1 192.168.0.0 255.255.255.0

- Jouni

VLAN inter communication - almost there!

clintonplubliclibrary2013 — Fri, 29 Mar 2013 19:57:00 GMT

Wow Absolutly fixed what I was doing, and showed me another way to aproach the problem! Thanks!