topic Re: Inter vlan port forwarding in Network Security

Inter vlan port forwarding

mark.stewart1 — Fri, 21 Feb 2020 17:15:52 GMT

Hi,

I currently have a vlan setup as below on a ASA5516, other ports are unconnected, this is connected to a Cat3650 switch with the vlans setup.

interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
vlan 10
nameif A
security-level 0
ip address 10.50.0.30 255.255.255.224
!
interface GigabitEthernet1/2.12
vlan 12
nameif B
security-level 0
ip address 10.50.0.62 255.255.255.224
!
interface GigabitEthernet1/2.20
vlan 20
nameif C
security-level 0
ip address 10.50.0.126 255.255.255.192

my issue is, i can ping and access within the same vlan, but am unsure how to go across vlans, but this has to be restricted, so for example only port 80 access between vlans A and B as an example.

I have atried a few things but with no luck up to now, as you can probably guss I am an absolute beginner with CISCO's, only ever used fortinets before.

please can somebody give me a starting point???

many thanks,

mark.

Re: Inter vlan port forwarding

Rob Ingram — Mon, 01 Jul 2019 20:06:46 GMT

Hi,

Do you have the command same-security-traffic permit inter-interface configured?

This command is used to allow communication between 2 interfaces with the same security level.

HTH

Re: Inter vlan port forwarding

mark.stewart1 — Mon, 01 Jul 2019 20:36:17 GMT

Hi, yes I tried inter and intra but no luck.
Mark.

Re: Inter vlan port forwarding

GRANT3779 — Mon, 01 Jul 2019 20:39:15 GMT

I think in this case it may require the following command -

same-security-traffic permit intra-interface (rather than inter)

Do you any ACLs currently in place? I'd try the above command first and then test going between vlans. Once that's good, focus on restricting with ACL.

Re: Inter vlan port forwarding

mark.stewart1 — Mon, 01 Jul 2019 20:47:42 GMT

Hi, I have no ACLS set yet, I'm sure I tried both ways but I'll have ago tomorrow morning when I'm in front of the ASA.

Thanks,

Mark.

Re: Inter vlan port forwarding

mark.stewart1 — Mon, 01 Jul 2019 20:54:03 GMT

I had read on one post on another site, that just enabling intra on a port won't allow inter clan access as you had to do something else?

Re: Inter vlan port forwarding

GRANT3779 — Tue, 02 Jul 2019 07:37:47 GMT

Hi Mark,

The switchport on the 3650 you have connected to physical ASA port GigabitEthernet1/2. What is the config from that switchport?

What is the native VLAN on the trunk? Let us know Output from -

show int trunk

On the ASA, do you have ACL applied?

show us output from

show run access-group

One last thing - How are you testing this? Via Pinging between hosts? If so, have you enabled ICMP Inspection? Have a look at the output from -
show run policy-map

If you do not see inspect icmp under the policy then please add it using the following commands.

policy-map global_policy
class inspection_default
inspect icmp

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 07:44:59 GMT

, I have added the inter setting, but still no inter vlan comms?

mark.

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 08:35:55 GMT

Hi GRANT3779,

Switchport from the ASA:-

interface GigabitEthernet1/0/2
switchport trunk native vlan 10
switchport mode trunk
!

Switch#show int trunk

Port Mode Encapsulation Status Native vlan
Gi1/0/2 on 802.1q trunking 10
Po1 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi1/0/2 1-4094
Po1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/2 1-2,10,12,20-21,501-503,665-668,901-902

below gives no output as shown

FW01(config)# show run access-group
FW01(config)#

FW01# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
FW01#

many thanks,

mark.

Re: Inter vlan port forwarding

GRANT3779 — Tue, 02 Jul 2019 08:55:05 GMT

Thanks Mark,

I would create a "dummy" vlan, e.g 666 and set this as the native VLAN. Bring the port down/up.

interface GigabitEthernet1/0/2
switchport trunk native vlan 666
switchport mode trunk

Also, on the ASA did you enter the "INTRA" command rather than "INTER"?

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 09:24:08 GMT

Hi, below is the full config, obvious things changed.....

like i said, I can now ping all the devices from the ASA, but still no from within the vlans.

FW01# show run
: Saved

:
: Serial Number: ---------------
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname FW01
domain-name LOCAL.local
enable password -----------------------------------------
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/2.2
vlan 2
nameif A
security-level 100
ip address 10.50.0.222 255.255.255.224
!
interface GigabitEthernet1/2.10
vlan 10
nameif B
security-level 100
ip address 10.50.0.30 255.255.255.224
!
interface GigabitEthernet1/2.12
vlan 12
nameif C
security-level 100
ip address 10.50.0.62 255.255.255.224
!
interface GigabitEthernet1/2.20
vlan 20
nameif D
security-level 100
ip address 10.50.0.126 255.255.255.192
!
interface GigabitEthernet1/2.21
vlan 21
nameif E
security-level 100
ip address 10.50.0.190 255.255.255.192
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name SCADA.local
same-security-traffic permit intra-interface
pager lines 24
mtu management 1500
mtu System_Device 1500
mtu Network_Device 1500
mtu Scada 1500
mtu Server 1500
mtu Control 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:-----------------------------
: end

Re: Inter vlan port forwarding

GRANT3779 — Tue, 02 Jul 2019 09:25:52 GMT

Hi,

Can you provide output from "show arp" on the ASA. Did you say you can ping your end hosts from the ASA directly?

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 09:29:32 GMT

Hi,

Show arp below:-

FW01# show arp
B 10.50.0.2 2004.0ff7.4c58 2
B 10.50.0.21 2004.0ff7.8728 25
B 10.50.0.9 1065.3080.8e24 136
D 10.50.0.70 6c2b.59d7.6afa 282
D 10.50.0.71 e4e7.49aa.3380 651
E 10.50.0.136 dc44.2780.4461 2712

Ye i can ping all teh devices shown above from the ASA directly, if I select the correct vlan interface.

Re: Inter vlan port forwarding

GRANT3779 — Tue, 02 Jul 2019 09:55:51 GMT

Is the ASA the GW for these hosts or are you running L3 with SVIs on your switch?

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 09:58:22 GMT

ok, just tried something ive seen on a video using packet-tracer , and i get the following:-

FW01# packet-tracer input D tcp 10.50.0.70 80 10.50.0.2 80 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbd661aea80, priority=1, domain=permit, deny=false
hits=2453, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Scada, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.50.0.2 using egress ifc B

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fbd663c9d60, priority=110, domain=permit, deny=true
hits=2143, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Scada, output_ifc=any

Result:
input-interface: D
input-status: up
input-line-status: up
output-interface: B
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

so it looks like access list is automatically blocking any inter vlan traffic?

mark.

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 09:59:01 GMT

the ASA is the gateway for the hosts.

mark.

Re: Inter vlan port forwarding

mark.stewart1 — Tue, 02 Jul 2019 10:10:27 GMT

Hi,

Many thanks, it looks like it was a combination of things, it looks like the native vlan was causing issues on the port as now with no native vlan and Inter (yes i know, i would of thought intra???) specified I can now access all vlans from each other.

many thanks for you help GRANT3779.

I'll mark you down as the answer.

thanks,

mark.