08-28-2015 04:42 AM - edited 03-11-2019 11:30 PM
Hi all,
Hope you can help me figure out an issue I am struggling to fix with my firewalls. To give you an overview of the current setup, I have ASAs between an internet router and a Layer 3 switch:
Internet ==ASA==Layer3Switch-LAN(multiple subnets)
I have two networks, 10.0.0.0/24 & 10.0.2.0/24, connected to the inside interface, and there is a static route for the LAN network on the firewall pointing to the VIP address of the Layer 3 switch. This static route covers both networks, and the interface I have chosen to route traffic through is the inside interface: 10.0.0.0/22 via inside to 10.0.0.245. All works well for the 10.0.0.0 and 10.0.2.0 networks.
What I want to do now is create a few environments and protect access to them using the firewall. The idea is to use the firewall as the gateway address and have access lists protect the networks. For that to work, I have created a new VLAN (10.10.1.0/24) on my core switches (VLAN100); the switch has an interface IP address of 10.10.1.1, and the firewall also has a subinterface E0/1.100 with VLAN id 100 and interface IP address 10.10.1.254.
A client with IP address 10.10.1.10 and a default gateway of 10.10.1.1 can communicate with every single subnet on my LAN, as the Layer 3 switch is doing the routing for me. With this setup, however, I am unable to access the internet.
Traceroute to 8.8.8.8 is below
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 4 ms 5 ms 2 ms 10.10.1.1 - This is the interface IP address of the switch VIP on the new VLAN (100)
2 <1 ms <1 ms <1 ms 10.0.0.254 - This is the default route on the core switch (interface is on the inside VLAN)
3 <1 ms <1 ms <1 ms xxx.xxx.xxx.xxx
4 2 ms 2 ms 2 ms port-40-199.xxxxxxx
5 2 ms 2 ms 2 ms port-98-199.xxxxxxx
Traceroute does go out but ping or browsing does not work.
When I change the client's (10.10.1.10) default gateway to the firewall (10.10.1.254), internet access works and my external static NATting works, but I am unable to access the internal network anymore or connect from the internal network to the client.
Traceroute to the core switch VIP on a different VLAN is below
C:\Users\syedr>tracert 10.0.0.245
Tracing route to 10.0.0.245 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.10.1.254 - VLAN100 interface IP address of the firewall
2 <1 ms <1 ms <1 ms xxx.xxx.xxx.xxx - Internet Gateway router ??
3 250 ms 2 ms 2 ms
For some reason traffic to all my internal networks is being forced out of the firewall using the gateway of last resort 0.0.0.0/0.0.0.0 -> internet gateway router. There are static routes on the firewall, albeit all of the routes defined use the inside interface to route traffic into the core network, but that shouldn't stop traffic traversing the firewall, should it?
For the remote VLANs, traffic gets to the new network via the core switch VIP. So all switches internally have static routes pointing to 10.10.1.0/2 with gateway address 10.0.0.245 (VIP for the core switch). For the firewall to talk to these remote networks, they all have 10.0.0.245 as the gateway address.
Can anyone advise what the issue really is?
Thanks,
08-28-2015 11:40 PM
To me it looks like you need a static route to the Internet.
The gateway for the 10.10.1.0/24 subnet will be 10.10.1.1, but on the 10.10.1.1 switch/router you need to add:
ip route 0.0.0.0 0.0.0.0 10.10.1.254
08-30-2015 07:28 AM
Hi,
It seems to be asymmetric routing causing this issue when you are using the switch as the default gateway.
Can you provide the following outputs from the ASA device:
show route
show int ip b
show nameif
show run nat
Client IP that does not work with the ASA device interface as default gateway:
Thanks and Regards,
Vibhor Amrodia
09-01-2015 02:12 AM
Hi Vibhor,
I suspect it to be an asymmetric routing issue as well.
Show route:
S* 0.0.0.0 0.0.0.0 [1/0] via 154.59.***.***, INTERNET-WAN
S 10.0.0.0 255.255.252.0 [1/0] via 10.0.0.245, DEFAULT
C 10.0.0.0 255.255.255.0 is directly connected, DEFAULT
L 10.0.0.254 255.255.255.255 is directly connected, DEFAULT
C 10.0.2.0 255.255.255.0 is directly connected, HARDWARE
L 10.0.2.254 255.255.255.255 is directly connected, HARDWARE
S 10.0.4.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.5.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.8.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.9.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.10.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.11.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.12.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.13.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.14.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.15.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.17.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.18.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.20.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.30.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.40.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.50.0 255.255.254.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.60.0 255.255.254.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.100.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.101.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.111.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.150.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.155.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.200.0 255.255.248.0 [1/0] via 10.0.0.245, DEFAULT
S 10.0.208.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
C 10.0.254.0 255.255.255.0 is directly connected, MGMT
L 10.0.254.254 255.255.255.255 is directly connected, MGMT
C 10.0.255.16 255.255.255.248 is directly connected, FAILOVER-LAN
L 10.0.255.17 255.255.255.255 is directly connected, FAILOVER-LAN
C 10.0.255.24 255.255.255.248 is directly connected, STATEFULL-FAILOVER
L 10.0.255.25 255.255.255.255 is directly connected, STATEFULL-FAILOVER
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
C 10.10.1.0 255.255.255.0 is directly connected, PROD-INF-SRVRS
L 10.10.1.254 255.255.255.255 is directly connected, PROD-INF-SRVRS
Show IP Int Br:
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 154.59.137.108 YES CONFIG up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/1.1 10.0.0.254 YES manual up up
GigabitEthernet0/1.2 10.0.2.254 YES manual up up
GigabitEthernet0/1.100 10.10.1.254 YES manual up up
GigabitEthernet0/1.254 10.0.254.254 YES manual up up
GigabitEthernet0/2 192.168.200.10 YES manual up up
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 10.0.255.17 YES unset up up
GigabitEthernet0/7 10.0.255.25 YES unset up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset down down
Internal-Data0/1 unassigned YES unset down down
Internal-Data0/2 unassigned YES unset up up
Management0/0 unassigned YES unset administratively down down
Show NameIf:
Interface Name Security
GigabitEthernet0/0 INTERNET-WAN 0
GigabitEthernet0/1 LAN-WAN 0
GigabitEthernet0/1.1 DEFAULT 100
GigabitEthernet0/1.2 HARDWARE 100
GigabitEthernet0/1.100 PROD-INF-SRVRS 100
GigabitEthernet0/2 P2P-COLODC 100
Management0/0 management 100
Show Run Nat:
nat (INTERNET-WAN,DEFAULT) source static any any destination static repo-1-PUBLIC repo-1-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static perc-01-PUBLIC perc-01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static OWL-PUBLIC OWL-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static stg-PUBLIC stg-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static mon-01-PUBLIC mon-01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static test-PUBLIC test-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static uat-PUBLIC uat-PRIVATE no-proxy-arp
nat (INTERNET-WAN,PROD-INF-SRVRS) source static any any destination static HO-Loadtest01-PUBLIC HO-Loadtest01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static HO-1-PUBLIC HO-1-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static HO-3-PUBLIC HO-3-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static test2-PUBLIC test2-PRIVATE unidirectional no-proxy-arp
nat (DEFAULT,INTERNET-WAN) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_10.0.16.0_24 NETWORK_OBJ_10.0.16.0_24 no-proxy-arp route-lookup
The IP address of the client is 10.10.1.10, gateway address 10.10.1.254.
Internet access works ok
External Natting works ok
Access from internal networks does not work !
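As an added illustration of the asymmetric-routing diagnosis above (not part of the thread, and a simplified model rather than the ASA's actual forwarding code), the following Python parses an excerpt of the posted show route output and replays the client's connection to 8.8.8.8 with each gateway choice. The masked WAN next hop is replaced by the placeholder 192.0.2.1.

```python
import ipaddress
# Constructed excerpt of the posted "show route"; the masked WAN next hop is the placeholder 192.0.2.1
SHOW_ROUTE = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, INTERNET-WAN
S 10.0.0.0 255.255.252.0 [1/0] via 10.0.0.245, DEFAULT
C 10.0.0.0 255.255.255.0 is directly connected, DEFAULT
C 10.10.1.0 255.255.255.0 is directly connected, PROD-INF-SRVRS
"""

def parse_show_route(text):
    """Return [(prefix, egress interface)] from ASA 'show route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.replace(",", " ").split()
        if len(parts) < 4:
            continue
        prefix = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
        routes.append((prefix, parts[-1]))  # interface name is the last token
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: the interface a plain route lookup selects."""
    dst = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

class StatefulFirewall:
    """Simplified stateful-firewall model: a flow remembers the interface its first packet
    entered on; a reply is accepted only if routing sends it back out that same interface."""
    def __init__(self, routes):
        self.routes = routes
        self.conns = {}  # (src, dst) -> ingress interface of the flow's first packet

    def packet(self, src, dst, ingress):
        if (dst, src) in self.conns:  # reply to an existing flow
            orig_in = self.conns[(dst, src)]
            back = egress_interface(self.routes, dst)
            if back != orig_in:
                return f"drop: asymmetric, reply routed out {back}, flow entered on {orig_in}"
            return f"forward out {orig_in}"
        self.conns[(src, dst)] = ingress
        return f"forward out {egress_interface(self.routes, dst)}"

def simulate(client_gateway_is_switch):
    """Client 10.10.1.10 opens a flow to 8.8.8.8; returns what happens to the reply."""
    fw = StatefulFirewall(parse_show_route(SHOW_ROUTE))
    # via the core switch the SYN reaches the ASA on DEFAULT, otherwise on PROD-INF-SRVRS
    ingress = "DEFAULT" if client_gateway_is_switch else "PROD-INF-SRVRS"
    fw.packet("10.10.1.10", "8.8.8.8", ingress)
    return fw.packet("8.8.8.8", "10.10.1.10", "INTERNET-WAN")
```

With the switch as gateway the reply is routed to the directly connected PROD-INF-SRVRS interface while the flow entered on DEFAULT, which is the asymmetry that breaks ping and browsing even though the outbound traceroute leaves the firewall.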
09-04-2015 04:14 AM
Apparently you haven't read the design principles in my article (-:
09-04-2015 04:14 AM
Thanks Peter. So the obvious question here is whether there is anything that can be done to address the problem I am having without redesigning the environment?
I would like to ensure that new clients on the 10.10.1.0/24 use Firewall as the gateway but the existing clients on 10.0.0/24, 10.0.2/24 etc all have their gateway as the core switch.
09-06-2015 12:54 PM
The later you fix the topology, the more it hurts.
The quick and dirty fix is to add static routes to all hosts:
route 10.0.0.0/8 via 10.10.1.1
default gateway: 10.10.1.254