cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
886
Views
0
Helpful
6
Replies

ASA 5525-X Logical Interface

itops
Level 1
Level 1

Hi all,

Hope you can help me figure out an issue I am struggling to fix with my Firewalls. To give you and overview of what the current setup is like, I have ASAs between internet router and a Layer3 switch

 

Internet ==ASA==Layer3Switch-LAN(multiple subnets)

 

  • Gigabit0/0 is the outside Interface
  • Gigabit0/1 is inside interface 

I have two networks on 10.0.0.0/24 & 10.0.2.0/24 connected to the inside interface and there is a static route for the LAN network on the firewall pointing to the VIP address of the Layer3switch. This static route covers both networks and the interface I have chosen to route traffic is the inside interface. 10.0.0.0/22 via inside to 10.0.0.245. All works well for the 10.0.0.0 and 10.0.2.0 networks. 

What I want to do now is create a few environments and protect access by using the firewall. The idea is to use firewall as the gateway address and have access lists to protect the networks. For that to work, I have create a new VLAN (10.10.1.0/24) on my core switches (VLAN100), the switch has an interface IP address 10.10.1.1, firewall also has a subinterface E0/1.100, VLAN id is 100 & interface IP address is 10.10.1.254

A client with IP address 10.10.1.10, with a default gateway of 10.10.1.1, can communicate to every single subnet on my LAN as the Layer3 switch is doing the routing for me. With this setup however, I am unable to access the internet. 

Traceroute to 8.8.8.8 is below

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     4 ms     5 ms     2 ms  10.10.1.1 - The is the interface IP address of switch VIP on new VLAN (100)
  2    <1 ms    <1 ms    <1 ms  10.0.0.254 - This is the default route on the core switch (interface is on the inside VLAN)
  3    <1 ms    <1 ms    <1 ms  xxx.xxx.xxx.xxx
  4     2 ms     2 ms     2 ms  port-40-199.xxxxxxx
  5     2 ms     2 ms     2 ms  port-98-199.xxxxxxx

Traceroute does go out but ping or browsing does not work.

 

When I change the clients (10.10.1.10) default gateway to the firewall (10.10.1.254), internet access works, my external static natting works but I am unable to access internal network anymore or connect from the internal network to the client.

Traceroute to the core switch VIP on a different VLAN is below

 

C:\Users\syedr>tracert 10.0.0.245

Tracing route to 10.0.0.245 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.10.1.254 0 VLAN100 Interface IP address of the Firewall
  2    <1 ms    <1 ms    <1 ms  xxx.xxx.xxx.xxx - Internet Gateway router ??
  3   250 ms     2 ms     2 ms

For some reason traffic to all my internal networks is being forced out of the firewall using the  gateway of last resort 0.0.0.0/0.0.0.0 -> Internet gateway router. There are static routes on the firewall, albeit all of the routes defined are using interface inside to route traffic into the core network but that shouldn't stop traffic traversing the firewall should it ?

 

 

 

For the remote VLANs, traffic gets to the new network via the coreswitch VIP. So all switches internally have static routes pointing to 10.10.1.0/2 gateway address 10.0.0.245 (VIP for core switch). For the Firewall to talk to these remote networks, they all have gateway address as 10.0.0.245.

 

Can anyone advise what the issue is really ?

 

Thanks,

 

 

6 Replies 6

to me it looks like you need a static route to the Internet

the gateway for the 10.10.1.0/24 subnet will be 10.10.1.1 but on the 10.10.1.1 switch/router  need to add 

IP route 0.0.0.0 0.0.0.0 10.10.1.254

Hi,

It seems to be Asymmetric routing causing this issue when you are using the Switch as the default Gateway.

Can you provide the outputs from the ASA device:-

show route

show int ip b

show nameif

show run nat

Client Ip that does not work with the ASA device interface as Default Gateway:-

Thanks and Regards,

Vibhor Amrodia

 

Hi Vibhour,

I suspect it to be an asymetric routing issue as well.

 

Show route:

S*       0.0.0.0 0.0.0.0 [1/0] via 154.59.***.***, INTERNET-WAN
S        10.0.0.0 255.255.252.0 [1/0] via 10.0.0.245, DEFAULT
C        10.0.0.0 255.255.255.0 is directly connected, DEFAULT
L        10.0.0.254 255.255.255.255 is directly connected, DEFAULT
C        10.0.2.0 255.255.255.0 is directly connected, HARDWARE
L        10.0.2.254 255.255.255.255 is directly connected, HARDWARE
S        10.0.4.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.5.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.8.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.9.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.10.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.11.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.12.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.13.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.14.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.15.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.17.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.18.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.20.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.30.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.40.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.50.0 255.255.254.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.60.0 255.255.254.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.100.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.101.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.111.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.150.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.155.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.200.0 255.255.248.0 [1/0] via 10.0.0.245, DEFAULT
S        10.0.208.0 255.255.255.0 [1/0] via 10.0.0.245, DEFAULT
C        10.0.254.0 255.255.255.0 is directly connected, MGMT
L        10.0.254.254 255.255.255.255 is directly connected, MGMT
C        10.0.255.16 255.255.255.248 is directly connected, FAILOVER-LAN
L        10.0.255.17 255.255.255.255 is directly connected, FAILOVER-LAN
C        10.0.255.24 255.255.255.248 is directly connected, STATEFULL-FAILOVER
L        10.0.255.25 255.255.255.255 is directly connected, STATEFULL-FAILOVER
S        10.2.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
S        10.3.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
S        10.4.0.0 255.255.0.0 [1/0] via 10.0.0.245, DEFAULT
C        10.10.1.0 255.255.255.0 is directly connected, PROD-INF-SRVRS
L        10.10.1.254 255.255.255.255 is directly connected, PROD-INF-SRVRS

 

Show IP Int Br:

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         154.59.137.108  YES CONFIG up                    up
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/1.1       10.0.0.254      YES manual up                    up
GigabitEthernet0/1.2       10.0.2.254      YES manual up                    up
GigabitEthernet0/1.100     10.10.1.254     YES manual up                    up
GigabitEthernet0/1.254     10.0.254.254    YES manual up                    up
GigabitEthernet0/2         192.168.200.10  YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         10.0.255.17     YES unset  up                    up
GigabitEthernet0/7         10.0.255.25     YES unset  up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  down                  down
Internal-Data0/1           unassigned      YES unset  down                  down
Internal-Data0/2           unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down down

 

Show NameIf:

 

Interface                Name                                  Security
GigabitEthernet0/0       INTERNET-WAN               0
GigabitEthernet0/1       LAN-WAN                    0
GigabitEthernet0/1.1     DEFAULT                  100
GigabitEthernet0/1.2     HARDWARE                 100
GigabitEthernet0/1.100   PROD-INF-SRVRS           100
GigabitEthernet0/2       P2P-COLODC               100
Management0/0            management               100

 

Show Run Nat:

 

nat (INTERNET-WAN,DEFAULT) source static any any destination static repo-1-PUBLIC repo-1-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static perc-01-PUBLIC perc-01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static OWL-PUBLIC OWL-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static stg-PUBLIC stg-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static mon-01-PUBLIC mon-01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static test-PUBLIC test-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static uat-PUBLIC uat-PRIVATE no-proxy-arp
nat (INTERNET-WAN,PROD-INF-SRVRS) source static any any destination static HO-Loadtest01-PUBLIC HO-Loadtest01-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static HO-1-PUBLIC HO-1-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static HO-3-PUBLIC HO-3-PRIVATE no-proxy-arp
nat (INTERNET-WAN,DEFAULT) source static any any destination static test2-PUBLIC test2-PRIVATE unidirectional no-proxy-arp
nat (DEFAULT,INTERNET-WAN) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_10.0.16.0_24 NETWORK_OBJ_10.0.16.0_24 no-proxy-arp route-lookup

 

The IP address of the client is 10.10.1.10, gateway address 10.10.1.254.

Internet access works ok

External Natting works ok

Access from internal networks does not work !

 

Apparently you haven't read the design principles in my article (-:

Management network topology and asymmetric routing

Thanks Peter. So the obvious question here is if there is anything that can be done to address the problem I am having without doing a redesign of the environment ?

I would like to ensure that new clients on the 10.10.1.0/24 use Firewall as the gateway but the existing clients on 10.0.0/24, 10.0.2/24 etc all have their gateway as the core switch.

the later you fix the topology the more it hurts

 

 

the quick and dirty fix is to add static routes to all hosts

route 10.0.0.0/8 via 10.10.1.1

default gateway: 10.10.1.254

Review Cisco Networking for a $25 gift card