01-19-2015 07:27 AM - edited 03-11-2019 10:22 PM
Hi,
I apologise if this question has been answered already, I tried searching but found nothing.
I have a Cisco 3850X and an ASA5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.
I am using VLAN 15, which is intended for wireless access only.
I want to:
Route all wireless hosts' traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group
Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces).
Allow filtered traffic to communicate with other VLANs via their gateways
If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.
Thank you.
01-22-2015 04:24 AM
Do you need to NAT? Or do you need to allow access? If both are internal address ranges, then you may just route the 2 subnets/VLANs in your internal network without changing the addressing.
If you are not comfortable with the CLI on the ASA, maybe you should use ASDM or Prime Security Manager to manage your policies. It will be much easier.
If you just need access from the DMZ (Security level 50) interface, to the INSIDE (security level 100) interface, you can achieve this by Access Rules. Which services/protocols do you want to allow between the DMZ and INSIDE interfaces?
01-23-2015 07:17 AM
Hi Andre,
I managed to get RDP working across the two vlans, I tried ASDM and created an access rule as suggested and it works fine.
The only real remaining issue I'm having is communicating back to the gateways on the switch and their related hosts.
When I set up gateways 10 and 15 on the firewall and remove them from the switch, it works fine, hosts on vlan 15 can talk to hosts on vlan 10. However, hosts on vlan 15 cannot talk to hosts on vlan 11, even though a rule is in place. The gateway for vlan 11 resides in the switch; if I remove the gateway IP address from the switch and configure it inside the firewall instead, it works. But that means that all vlan 11 traffic then has to use the gateway within the firewall, even if it's to communicate with adjacent trusted vlans, which isn't what I want.
What I want is for vlan 15 traffic to communicate back to the switch via the gateways on the switch.
I've attached a drawing of what I mean, apologies for its crudeness.
Thanks again.
UPDATE: I tried pinging the gateways on the switch from the firewall's CLI but had no success. So that explains why traffic routed via the firewall coming back down the trunk cannot access gateways on the switch.
01-23-2015 07:26 AM
If I understand your problem correctly, you will need to put an IP for vlan 15 on the switch (not the gateway IP). Then on the ASA you will need to add a route to the other networks.
Example-
route inside 10.196.11.0 255.255.255.0 10.196.15.254
route inside 10.196.12.0 255.255.255.0 10.196.15.254
route inside 10.196.13.0 255.255.255.0 10.196.15.254
10.196.15.254 is the IP you would put on the switch for vlan 15.
01-23-2015 09:09 AM
Hi Collin,
But surely if the .15.1 (DMZ) IP address is allocated to vlan 15 on the switch, with IP routing turned on won't traffic bypass the firewall altogether?
That's why I wondered if the address 10.196.15.1 should be allocated to vlan 15 in the firewall instead, so to access other vlans traffic has no choice but to go via the firewall first.
01-23-2015 10:05 AM
Hi Daniel. Good to hear you are making progress.
What Colin is suggesting is that you change the VLAN interface's IP to .254 on the switch, and leave the gateway on the ASA as .1. This could work for you. You must also add the routes that Colin recommended.
Something else you can do is remove the VLAN interface 15 from your switch, because the ASA will route for VLAN15 and VLAN10. If it doesn't work immediately try adding a route to the ASA for subnet .15 & .10, if it isn't in the routing table of the switch after you remove the VLAN15 interface. Your access rule will take care of your network flow from the DMZ interface, and the inside interface will allow flows from a higher to a lower security level interface.
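As an added illustration (not configuration from any poster in this thread), here is a minimal pairing of ASA and switch configuration that follows Andre's second suggestion: the ASA owns the gateways for VLAN 15 (dmz) and VLAN 10 (inside), the switch keeps the VLAN 11 gateway and has no VLAN 15 interface, and both boxes get a route pointing at each other so the ASA can reach the switch (the ping failure in the update above) and the return path from VLAN 11 also crosses the firewall. Interface names, the 10.196.10.254 transit address on the switch, the ACL name and the RDP-only policy are all assumptions for the example.

```cisco
! --- ASA 5525-X (constructed example; interface names assumed) ---
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.196.10.1 255.255.255.0
!
interface Port-channel1.15
 vlan 15
 nameif dmz
 security-level 50
 ip address 10.196.15.1 255.255.255.0
!
! VLAN 11 sits behind the switch: next hop is the switch's transit IP on the inside subnet
route inside 10.196.11.0 255.255.255.0 10.196.10.254
!
! Needed for VLAN 10 -> VLAN 11 flows, which enter and leave the inside interface
same-security-traffic permit intra-interface
!
! Lower (dmz) to higher (inside) security needs an explicit permit; only RDP here
access-list DMZ_IN extended permit tcp 10.196.15.0 255.255.255.0 10.196.10.0 255.255.255.0 eq 3389
access-list DMZ_IN extended permit tcp 10.196.15.0 255.255.255.0 10.196.11.0 255.255.255.0 eq 3389
access-group DMZ_IN in interface dmz

! --- Catalyst 3850 (constructed example) ---
ip routing
!
interface Port-channel1
 description trunk to ASA (two physical members in the channel-group)
 switchport mode trunk
 switchport trunk allowed vlan 10,15
!
interface Vlan10
 description transit to ASA inside; hosts on VLAN 10 keep 10.196.10.1 as gateway
 ip address 10.196.10.254 255.255.255.0
!
interface Vlan11
 description trusted VLAN gateway stays on the switch
 ip address 10.196.11.1 255.255.255.0
!
! No "interface Vlan15": the switch must send 10.196.15.0/24 back through the ASA,
! otherwise replies from VLAN 11 bypass the firewall and the ASA sees only one direction
ip route 10.196.15.0 255.255.255.0 10.196.10.1
```

From the ASA, `ping 10.196.10.254` should now succeed because the switch address is on a directly connected subnet, and `show route` should list 10.196.11.0/24 via 10.196.10.254.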
01-21-2015 05:18 AM
Hi Daniel.
The 2 interfaces do not have the same security level. If you are trying to connect from a host on the .15 subnet to a host on the .10 subnet, by default the flow will not be allowed, because you are trying to connect from an interface with a lower security level, to an interface with a higher security level. You may need an access rule to permit the traffic from lower to higher security level. Alternatively, you can set both security levels to 100, then the "Same-security" statements will take effect.
You do not need a route because both the routes are connected so the ASA will know how to route traffic between the 2 interfaces.
HTH