topic Re: Connecting a second subnet to dmz in Network Security

Connecting a second subnet to dmz

mayanquetza — Mon, 11 Mar 2019 19:04:28 GMT

We just dropped a SAN into our dmz and I've created a new network for it for it using a different subnet. The LAN itself works independently without a problem but as I try to connect the new network to our ASA 5520's I'm running into connectivity issue. I can't seem to get traffic from the dmz subnet to the san subnet. The DMZ and SAN interfaces are set to the same security level on the ASA and I have allowed same-security traffic to pass.

Can someone give me a sanity check here? I think I need an appropriate NAT entry for this to work but all of my attempts at that have yielded no progress. I've left out unrelated ACL and NAT entries and VPN config.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xxx.xxx.xxx 255.255.255.224 standby xx.xxx.xxx.xxx
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254
!
interface GigabitEthernet0/2
nameif SAN
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu SAN 1500
ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
monitor-interface outside
monitor-interface inside
monitor-interface management
monitor-interface SAN
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xx.xxx.xxx.xxx

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.150.232.161 1
route inside 10.0.5.0 255.255.255.0 10.0.0.1 1

Re: Connecting a second subnet to dmz

Maykol Rojas — Wed, 03 Nov 2010 19:02:15 GMT

Hello,

My name is Mike and I will try to help you out, I dont see the DMZ anywhere I can see the SAN interface only. Are the DMZ and SAN on the same interface? Would the ASA do the routing for this subnets? Would you please draw us a topology for this?

Let me know.

Mike

Re: Connecting a second subnet to dmz

mayanquetza — Wed, 03 Nov 2010 19:15:23 GMT

Will a visio diagram suffice? I've attached our layout. I've added the lighter weigted lines to the diagram indicating what I'm trying to do.

The background colors take the place of physical connections to the appropriate LAN switch.

The DMZ, as of right now, is signified by the "inside" and "san" interfaces on the ASA config I pasted. The ASA will be doing the routing for these subnets, that's not what I wanted but it also isn't my call.

Re: Connecting a second subnet to dmz

Maykol Rojas — Wed, 03 Nov 2010 19:21:51 GMT

Hello,

Ok so the Inside will be the DMZ and the SAN will be... well.... the SAN network, I dont see any NAT configuration, woulc you please do a packet tracer command from the DMZ to the SAN network? I will be like this

packet-tracer input inside tcp 1025 80

With this we will be able to see what is the reason for the drop.

Thanks!

Mike.

Re: Connecting a second subnet to dmz

mayanquetza — Thu, 04 Nov 2010 16:18:00 GMT

Is the packet-tracer command valid on ASA 7.0(X) software?

IOS isn't recognizing it.

Re: Connecting a second subnet to dmz

Panos Kampanakis — Thu, 04 Nov 2010 18:08:39 GMT

Unfortunately, it was introduced in 7.2, so you will not have it in 7.0.

Re: Connecting a second subnet to dmz

mayanquetza — Fri, 05 Nov 2010 13:13:53 GMT

My apologies, the devices are fairly new and I haven't had the downtime to upgrade them. This isn't a showstopper is it?