topic Re:Nat/Firewalling in ver 8.4 in Network Security

Nat/Firewalling in ver 8.4

sandevsingh — Mon, 11 Mar 2019 23:53:28 GMT

Hi, i have a use-case in which we need to firewall some of the security-sensitive-vlans to the ASA. In other words, there are few vlans that have their SVIs on the N5k (Layer-3 enabled) which talk to each other and there are some which have the layer-3 on the ASA. The ASA has sub-interfaces for those vlans. The N5k-sw and the ASA are interconnected on the same 1 physical link with a sub-interface on both ( /30) and the ASA is injecting default route to it in OSPF. They are advertising all of their networks in OSPF. I see all the routes in them. (Attached pic)

My issue is: I am unable to ping the other sub-interface on the ASA from the N5k. (If you check the attached diagram, i cannot ping 20.1.1.1 from the N5k, although i can reach my next-hop 10.1.1.2) I have made the security-level to 100 for the subinterfaces and the physical interface on the ASA, also have allowed ip,icmps in the ACLs on the sub-interfaces of vlan 10 and 20 in both directions , BUT still no luck.

IF I REPLICATE THIS SAME SETUP BY REPLACING THE ASA WITH ANOTHER L-3 ROUTER, IT ALL WORKS FOR ME.

So i am suspecting something NAT rule on the ASA, as i know a lot has changed in ver 8.4 for natting.

Nat/Firewalling in ver 8.4

Julio Carvajal — Wed, 12 Sep 2012 21:04:13 GMT

Hello Sandevsingh,

Before getting into the configuration file just for you to know the ASA was built in order to deny traffic to a far end ( distant) interface.

What is a far end interface:

If you are on the inside you will be able to ping the inside interface, you will be able to access outside users but you will NOT be able to ping, ssh, telnet,etc,etc,etc the outside interface Ip address of the ASA...

So in your case if you are on a specific vlan and try to ping the ASA sub-interface IP on another vlan you will be denied no matter what.

Any other question.. Let me know.. Just remember to rate all of my answers.

Julio

Nat/Firewalling in ver 8.4

lcambron — Thu, 13 Sep 2012 17:43:35 GMT

Hello,

Complitely agree with Julio, this is not possible on an ASA firewall.

See the Pinging Security Appliance Interfaces document:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645

Regards,

Felipe.

Nat/Firewalling in ver 8.4

sandevsingh — Fri, 14 Sep 2012 20:03:11 GMT

Thanks for your replies guys, agreed the far-end interface will never ping.

BUT i cannot reach the GW on vlan 20 if i attach a laptop to the n5k-sw in same vlan. (Ps refer my previous visio).

Here is my firewall relevant config -

poc-asa1/actNoFailover# sh run interface | begin 0/9

interface TenGigabitEthernet0/9

description Nexus-Lab2

nameif lab1

security-level 100

no ip address

interface TenGigabitEthernet0/9.10

vlan 10

nameif lab2

security-level 100

ip address 10.1.1.2 255.255.255.252

interface TenGigabitEthernet0/9.20

vlan 20

nameif lab3

security-level 100

ip address 20.1.1.1 255.255.255.0

poc-asa1/actNoFailover(config)# sh run access-list

access-list lab2-in extended permit ip any any

access-list lab2-in extended permit icmp any any

access-list lab3-in extended permit ip any any

access-list lab3-in extended permit icmp any any

access-list lab2-out extended permit ip any any

access-list lab2-out extended permit icmp any any

access-list lab3-out extended permit ip any any

access-list lab3-out extended permit icmp any any

poc-asa1/actNoFailover(config)#

poc-asa1/actNoFailover(config)# sh run access-gro

access-group lab2-in in interface lab2

access-group lab2-out out interface lab2

access-group lab3-in in interface lab3

access-group lab3-out out interface lab3

any clues or i am being nuts !!

Nat/Firewalling in ver 8.4

Julio Carvajal — Fri, 14 Sep 2012 20:43:32 GMT

hello,

Do the following

cap capin interface lab3 match icmp client_ip host 20.1.1.1

cap asp type asp-drop all circular-buffer

Then try to ping the 20.1.1.1

Provide me the following information

-show cap capin

-show cap asp | include 20.1.1.1

Any other question.. Let me know.. Just remember to rate all of my answers.

Regards

Nat/Firewalling in ver 8.4

lcambron — Fri, 14 Sep 2012 20:47:32 GMT

Are you able to ping the ASA from the switch?

If you try to ping the PC from the ASA do you see an arp entry?

Can you share the configuration on the switch interface that connects to TenGigabitEthernet0/9

Regards,

Felipe.

Nat/Firewalling in ver 8.4

sandevsingh — Fri, 14 Sep 2012 21:57:53 GMT

Sorry, will post all this info on moday as these poc subnets are not enabled over the vpn.

Nat/Firewalling in ver 8.4

sandevsingh — Mon, 17 Sep 2012 14:42:34 GMT

Folks, here is the int config on the n5k swich -

poc-sw#

interface Ethernet1/17

no switchport

speed 1000

interface Ethernet1/17.10

encapsulation dot1q 10

ip address 10.1.1.1/30

ip router ospf 100 area 0.0.0.0

interface Ethernet1/17.20

encapsulation dot1q 20

I cannot ping the laptop (20.1.1.100) from the ASA, no arp entry. There are no results in the capture filters and the above acls do not show any hit-counts. -

poc-asa1/actNoFailover# show cap

capture capin type raw-data interface lab3 [Capturing - 0 bytes]

match icmp host 20.1.1.100 any

capture asp type asp-drop all circular-buffer [Capturing - 6956 bytes]

poc-asa1/actNoFailover#

poc-asa1/actNoFailover# show cap asp | in

poc-asa1/actNoFailover# show cap asp | include 20.1.1

Looks like the traffic is not reaching the ASA sub-interface when exiting out of the switch`s sub-intf, so ...WTH??

Nat/Firewalling in ver 8.4

lcambron — Mon, 17 Sep 2012 18:18:18 GMT

I think you are trying to use a L3 switch as L2.

On interface E1/17.10 you configured an IP address with mask /30

On interface E1/17.20 you also need an IP address and this switch will do routing from the LAN network to the ASA.

Regards,

Felipe.

Nat/Firewalling in ver 8.4

sandevsingh — Mon, 17 Sep 2012 20:01:43 GMT

Did that, no luck..... Can ping b/w the ASA and the N5k-sw now..BUT the laptop still does not ping either of them... I am stumped !!

Nat/Firewalling in ver 8.4

Julio Carvajal — Mon, 17 Sep 2012 20:17:20 GMT

Post the configuration of the Nexus port connecting to the Laptop!

Nat/Firewalling in ver 8.4

sandevsingh — Mon, 17 Sep 2012 20:29:13 GMT

interface Ethernet1/9

switchport access vlan 20

speed 1000

Nat/Firewalling in ver 8.4

Julio Carvajal — Mon, 17 Sep 2012 20:55:35 GMT

Hello Sandevsingh,

From what I understood at the description of the problem you will use the ASA as the default gateway for vlan 20. So on the nexus side this interface ( the one connecting to the ASA) Should stay as a layer 2 trunk.

Now my question is witch interfaces are going to use the ASA as the default gateway? Can I have the vlans that will do that?

Regards

Re:Nat/Firewalling in ver 8.4

sandevsingh — Mon, 17 Sep 2012 21:58:56 GMT

Vlan 20 is goin to use the ASA as the gateway. I wanted to use the same physical interface on which the n5k recieves the def-route from the ASA (vlan 10 in my case) and all the other vlans have their respective sub-intf as gateway on the ASA. Could have achieved this by 2 seperate phy links, one as a layer3 link for ospf adjacency to recieve a def-route on the sw and other just a pure layer2 trunk-link to carry all the vlans tagged to the ASA's sub-intfes.

Sent from Cisco Technical Support Android App

Re:Nat/Firewalling in ver 8.4

Julio Carvajal — Mon, 17 Sep 2012 22:06:00 GMT

Indeed that is what needs to be done!

You must use one port as a dedicated layer 2 trunk.

You should create the vlan on the nexus switch

vlan 20

name test

Then just use x port to the asa

interface giga x/x

switchport mode trunk

switchport trunk allow vlan 20

Regards,