topic Re: Routing between interfaces on ASA 5520 in Network Security

Routing between interfaces on ASA 5520

birdy1982 — Mon, 11 Mar 2019 23:29:49 GMT

Hi,

We have an ASA 5520 which is in multiple context mode.

We are trying to pass traffic from the outside interface to the dmz interface.

I may be fundamentally wrong in the way i'm configuring this, but this is one ting im hoping someone may be able to help with. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.

So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28

Inside Interface GigabitEthernet0/2 with 192.168.20.0/24

DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29

So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.

I hope this makes sense? Im sure im doing something stupid, im just stuck, and hoping someone can help.

I can provide more info if required.

Thanks

Birdy

Routing between interfaces on ASA 5520

Karsten Iwen — Wed, 11 Jul 2012 16:03:03 GMT

That really should work. There are some things you should be aware of:

- If your g0/0 is a shared interface you should enable individual MAC-addresses per context so that the ASA can classify the traffic.

- Using a native VLAN on an interface that is also handling subinterfaces is not seen as a best practice. Better use only subinterfaces and the major interfaces should not be configured with any firewalling-settings.

- Your ACLs allow the traffic from outside to DMZ?

- If you still have nat-control enabled (you didn't write which version you are using), then you need a nat-config (nat-exemption) also for the communication between interfaces with public IP addresses.

Routing between interfaces on ASA 5520

birdy1982 — Wed, 11 Jul 2012 16:25:17 GMT

Hi,

Thanks for your reply.

g0/0 isnt a shared interface.

I'll look into the sub-interfaces, thanks for the tip.

Yes i have ACL's allowing traffic outside to DMZ

Im not sure how to configure the NAT exemption rules? Version 8.2

Im sure i disabled nat-control. Do you know how i can check? I cant find in my config.

Thanks again

Re: Routing between interfaces on ASA 5520

Karsten Iwen — Wed, 11 Jul 2012 17:01:37 GMT

what is the output of:

show run nat

show run nat-control

show run static

Routing between interfaces on ASA 5520

birdy1982 — Thu, 12 Jul 2012 09:15:15 GMT

Hi,

sh run nat:

nat (outside) 0 access-list outside_nat0_outbound outside

sh run nat-control:

no nat-control

sh run static:

Has static NAT definitions, none of which map to DMZ, only to management interfaces currently. There are static routes which are:

0.0.0.0 0.0.0.0 1.2.3.193

192.168.20.0 255.255.255.0 192.168.20.254

Thanks

Re: Routing between interfaces on ASA 5520

Karsten Iwen — Thu, 12 Jul 2012 13:23:37 GMT

what is your NAT-exemption on your outside-interface for? There could be something involved that drops your traffic.

Try the packet-tracer to simulate your traffic.

Routing between interfaces on ASA 5520

birdy1982 — Thu, 12 Jul 2012 14:06:54 GMT

Apologies. I had not considered that i was sharing an interface between the admin context and the main context. submitted the mac-address auto command in the system context which has resolved this particular issue, although it does lock me out of the admin context!

Apologies again for missing the interface sharing, i know you pointed that out at the beginning and i just missed it.

Thank you for your time and help

Chris

Routing between interfaces on ASA 5520

Karsten Iwen — Thu, 12 Jul 2012 14:22:24 GMT

No problem. But your admin-context should of course still work after that change. Any nearby devices with static arp-entries or L2-security enabled?

Routing between interfaces on ASA 5520

birdy1982 — Tue, 17 Jul 2012 14:47:38 GMT

Hi,

Sorry, i was away on another project.

Im still having the problem where i cant connect to the admin context if i enable mac-address auto to solve the previous problem.

I do have a Cisco 1921 in front, i havent added any L2 security unless it is on by default. I do notice that the mac address for the admin context changes when i do a sh arp on the 1921, so the address for .194 (admin context ip address) is a different mac-address to .195 (which is the other context). Both go to the g0/0

Im sure im missing something obvious again, but im just not sure what it is.

Thanks

Chris

Routing between interfaces on ASA 5520

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 15:27:17 GMT

Hi Bro

This is how I would do it, if I were you. In your Cisco ASA (multi-context mode), you will have 3 contexts namely ADMIN CONTEXT, C1 CONTEXT and C2 CONTEXT. I would then allocate Management0/0 to ADMIN CONTEXT, GE0/0 and GE 0/1 to C1 CONTEXT and GE 0/2 and GE0/3 to C2 CONTEXT.

C1 CONTEXT = Catered for INSIDE LAN users

C2 CONTEXT – Catered for DMZ Servers

In C1 CONTEXT, GE0/0 will hold the Public IP for example 202.188.1.2/27 (default gateway is 202.188.1.1 i.e. Cisco Router 1921 LAN interface) and GE0/1 will hold the Private IP Address 192.168.20.1/24.

Meanwhile in C2 CONTEXT, GE0/2 will hold the Public IP for example 202.188.1.3/27 (default gateway is 202.188.1.1 i.e. Cisco Router 1921 LAN interface) and GE0/3 will hold the Private IP Address 192.168.30.1/24.

Next, in the C2 context, for all network traffic coming from the Internet to the DMZ Servers, you’ll need to enable static NAT e.g. 202.188.1.30 ••à 192.168.30.30. Please do ensure your Cisco Router has a host route for this entry.

Finally, for outbound traffic in C1 and C2, you could apply dynamic NAT instead, translate to the respective context’s OUTSIDE interface.

There are other factors to look into as well, e.g. ACL, routing etc. If you’d like, you could paste your configuration here, and I could advice further.

You’re in safe hands, as I’ve carried out many such deployments in the past.

Re: Routing between interfaces on ASA 5520

Karsten Iwen — Tue, 17 Jul 2012 15:35:31 GMT

so from the standpoint of the adjacent router it looks fine with the different MAC-addresses. Please explain what you mean with "locked out of the admin context". What exactly desn't work?

Routing between interfaces on ASA 5520

birdy1982 — Tue, 17 Jul 2012 15:51:17 GMT

Hi,

Thanks for the replies.

I cannot connect on ASDM, SSH or telnet to the .194 address. Nor can i ping etc. So i cant manage the ASA when mac-address auto is applied. (I schedule a reload before i apply this).

So even though the router is showing a different mac-address in it's arp table, the ASA wont accept connections on the admin context and that IP address. I cant thknk of anything in the ASA that i've configured that would block/filter on L2.

Thanks

Chris

Routing between interfaces on ASA 5520

birdy1982 — Tue, 17 Jul 2012 15:53:07 GMT

Hi,

Unfortunately we cannot use NAT, we run OpenSIP/Asterisk servers from the DMZ and NAT causes too many problems with SIP we've found.

I see what saying about the contexts though.

Thanks

Routing between interfaces on ASA 5520

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 16:04:18 GMT

Hi Bro

If you want to have Public IP Address in your DMZ LAN, that's fine too 🙂 This means you'll need to breakdown the /27 to 2 /28. 1 /28 will be used on the OUTSIDE interface and the other /28 will be used in DMZ.

In C1 CONTEXT, GE0/0 will hold the Public IP for example 202.188.1.2/28 (default gateway is 202.188.1.1 i.e. Cisco Router 1921 LAN interface) and GE0/1 will hold the Private IP Address 192.168.20.1/24.

Meanwhile in C2 CONTEXT, GE0/2 will hold the Public IP for example 202.188.1.3/28 (default gateway is 202.188.1.1 i.e. Cisco Router 1921 LAN interface) and GE0/3 will hold the Private IP Address 202.188.1.17/28.

Next, in the C2 context, for all network traffic coming from the Internet to the DMZ Servers, you’ll need to either enable no nat-control or static(dmz,outside) 202.188.1.16 202.188.1.16 netmask 255.255.255.240 . Please do ensure your Cisco Router has the proper route for this entry i.e. ip route 202.188.1.16 255.255.255.240 202.188.1.3 name DMZ_SERVERS

Finally, for outbound traffic C2, you can just forward them either via nat (dmz) 0 access-list nonat or the same way as done in C1.

Good luck bro! May the force be with you 🙂

P/S: If you think this comment is helpful, please do rate it nicely 🙂

You’re in safe hands, as I’ve carried out many such deployments in the past.

Routing between interfaces on ASA 5520

birdy1982 — Tue, 17 Jul 2012 16:18:00 GMT

Thanks again.

Only issue is that the 1921 has only 2 interfaces. One is for the internet connection and the other connects to the ASA.

Thanks

Chris

Routing between interfaces on ASA 5520

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 16:28:28 GMT

Hi Bro

Your Cisco Router 1921 has 2 interfaces, that's fine. In fact, that's all we need. The LAN interface will hold the IP Address 202.188.1.1/28 and the C1 OUTSIDE CONTEXT IP Address will be 202.188.1.2/28 and C2 OUTSIDE CONTEXT IP Address will be 202.188.1.3/28 🙂

Routing between interfaces on ASA 5520

birdy1982 — Tue, 17 Jul 2012 16:31:26 GMT

Ahhh sorry, i see now.

Ok i'll have a look.

I'll let you know how i get on.

Thanks!

Chris

Routing between interfaces on ASA 5520

Karsten Iwen — Tue, 17 Jul 2012 18:06:13 GMT

personally, I wouldn't change my infrastructure just because one feature doesn't work as expected. Better look for the couse of the problem. After changing the MAC-addresses on the ASA, have you tried to clear the arp-cache on the router?

Routing between interfaces on ASA 5520

birdy1982 — Wed, 18 Jul 2012 08:18:36 GMT

Hi,

Having had a look, my configuration doesnt differ much from what was suggested anyway.

Yes i have cleared the arp cache on the router after changing the mac-addresses.

Thanks

Chris

Routing between interfaces on ASA 5520

Karsten Iwen — Thu, 19 Jul 2012 16:58:33 GMT

Anything on the Switch between the ASA and the Router?