topic Re: Management Vlan configuration! in Network Security

Management Vlan configuration!

Imma — Fri, 21 Feb 2020 17:26:44 GMT

Hello all,

I want to configure management vlan for all the devices on network: router, FW and SW.

The topology ist as below:

Internet---Router---ASA--subint,10,12,13,30--2960SW---PC(on access port vlan10)

I did the below configuration:

1. create subinterface MGT, Projektet, ... on ASA:

interface GigabitEthernet1/1
description LAN
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.10
vlan 10
nameif Projektet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/1.12
vlan 12
nameif MGT
security-level 100
ip address 192.168.12.1 255.255.255.0
!...

2. create interface vlan and default-GW on switch:
interface Vlan12
ip address 192.168.12.12 255.255.255.0
!
ip default-gateway 192.168.12.1

interface vlan12 native is up/up:

Vlan12 192.168.12.12 YES manual up up

show vlan brief
12 MGT active Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/25, Gi1/0/26
Gi1/0/27, Gi1/0/28

3.interface trunk configuration
interface GigabitEthernet1/0/24
switchport trunk native vlan 12
switchport mode trunk

#show inter trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/24 on 802.1q trunking 12

4. SSH config on switch:
#hostname coreswitch
#ip domain-name xxx.al
#username xxxx password yyyy
#crypto key generate rsa
#ip ssh version 2
#line vty 0 15
# transport input ssh telnet

from the PC I cant ping default gateway of the native vlan 192.168.12.1. Any idea please? What I am missing or doing wrong?

Thank you in advanced,

Denisa

Re: Management Vlan configuration!

balaji.bandi — Fri, 30 Aug 2019 16:02:16 GMT

Try on Switch port

3.interface trunk configuration
interface GigabitEthernet1/0/24
switchport trunk native vlan 12

switchport trunk allowed vlan 1,12 <<- example to test
switchport mode trunk

Make sure PC connected port belong to Access port vlan as example :

interface GigabitEthernet1/0/2

description PC connected
switchport access vlan 12

Re: Management Vlan configuration!

Imma — Sat, 31 Aug 2019 08:27:25 GMT

hi,

thank you for your reply.

#show inter trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/24 on 802.1q trunking 12

Port Vlans allowed on trunk
Gi1/0/24 1-4094

Port Vlans allowed and active in management domain
Gi1/0/24 1,10,12-13,20,30

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/24 1,10,12-13,20,30

I want the PC to be on a vlan that is different from the MGT-vlan (12vlan in this case-192.168.12.0/24).

So I have the PC 192.168.10.11 (vlan10) and I cannot ping vlan12 (sub-int:192.168.12.1), neither the inter-vlan on switch (192.168.12.12).

I am able to open ping the router also ssh,http it. But can't ping the subinterfaces on the ASA.

not able to ping from one vlan to another. for example from vlan 13 to vlan 10.

thank you,

Denisa

Re: Management Vlan configuration!

balaji.bandi — Sat, 31 Aug 2019 20:41:54 GMT

by default ASA not allowed to ping each other subinterface, you need to have access rules to allow.

have a look at the ASA logs while pinging, you will understand better.

like example : icmp permit any or same-security-traffic permit inter-interface

Re: Management Vlan configuration!

Imma — Mon, 02 Sep 2019 06:27:52 GMT

Hello Balaji,

Yes, you are right.

The problem is that I have configured:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

and it is not allowed inter-vlan communication.

Also:

policy-map global_policy
class inspection_default
...
inspect icmp

I am going to add also "icmp permit any". to see what changes.

Any other idea?

Thank you,

Denisa

Re: Management Vlan configuration!

balaji.bandi — Mon, 02 Sep 2019 07:18:21 GMT

How are you managing this ASA, using ASDM ? you can do log analysis for this to understand where the packet dropping,

or post complete config of ASA to look.

Re: Management Vlan configuration!

Imma — Mon, 02 Sep 2019 10:58:55 GMT

Hi Balaji,

in the ASDM syslog messages I cannot see any blocking.

I have connected two laptops (one on vlan10 and one on vlan20). I am able to ssh and telnet the switch. But I am not able to ping from one laptop to another. I removed both the laptops from Bitdiffender. The ASA configuration as below:

ASA Version 9.8(2)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
description LAN
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.10
vlan 10
nameif Projektet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/1.12
vlan 12
nameif MGT
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet1/1.13
vlan 13
nameif Services
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface GigabitEthernet1/1.20
vlan 20
nameif Dyqani
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/1.30
vlan 30
nameif Servisi
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif LAN-B
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif ConnToMikrotik
security-level 0
ip address 172.30.30.2 255.255.255.0
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup ConnToMikrotik
forward-reference enable
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 172.30.30.1
host 172.30.30.1
object network 192.168.10.1
host 192.168.10.1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu Services 1500
mtu Projektet 1500
mtu Dyqani 1500
mtu Servisi 1500
mtu MGT 1500
mtu management 1500
mtu ConnToMikrotik 1500
mtu LAN-B 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Services
icmp permit any Projektet
icmp permit any Dyqani
icmp permit any Servisi
icmp permit any MGT
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Dyqani,ConnToMikrotik) source static any interface
nat (Servisi,ConnToMikrotik) source static any interface
nat (Services,ConnToMikrotik) source static any interface
nat (Projektet,ConnToMikrotik) source static any interface
nat (MGT,ConnToMikrotik) source static any interface
route ConnToMikrotik 0.0.0.0 0.0.0.0 172.30.30.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 LAN-B
http 192.168.12.0 255.255.255.0 MGT
http 192.168.10.0 255.255.255.0 Projektet
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Projektet
ssh 192.168.12.0 255.255.255.0 MGT
ssh 192.168.5.0 255.255.255.0 LAN-B
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.10.10-192.168.10.200 Projektet
dhcpd dns 8.8.8.8 8.8.4.4 interface Projektet
dhcpd enable Projektet
!
dhcpd address 192.168.20.10-192.168.20.200 Dyqani
dhcpd dns 8.8.8.8 8.8.4.4 interface Dyqani
dhcpd enable Dyqani
!
dhcpd address 192.168.12.10-192.168.12.200 MGT
dhcpd dns 8.8.8.8 8.8.4.4 interface MGT
dhcpd enable MGT
!
dhcpd address 192.168.5.130-192.168.5.200 LAN-B
dhcpd dns 8.8.8.8 8.8.4.4 interface LAN-B
dhcpd domain pcstore.al interface LAN-B
dhcpd enable LAN-B
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username yyyyyyyyyyyy password xxxxxxxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxx
: end

Thank you,

Denisa

Re: Management Vlan configuration!

Imma — Mon, 02 Sep 2019 14:33:49 GMT

Hi,

Balaji, no need to investigate further. Thank you for your help.

Ping was being blocked by the windows Defender firewall.

Kind Regards,

Denisa

Re: Management Vlan configuration!

balaji.bandi — Mon, 02 Sep 2019 14:50:42 GMT

glad to to know all resolved and working, can we mark as solution here.

Re: Management Vlan configuration!

rashidrahman911 — Mon, 17 Oct 2022 17:30:09 GMT

How to Management vlan create & vary easy learning click this link

https://www.youtube.com/watch?v=EniF2PQuR7U&t=2s