ASA5525-X and Cisco 3850 Traffic routing

Hi,

 

I apologise if this question has been answered already, I tried searching but found nothing.

I have a Cisco 3850X and an ASA5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.

I am using VLAN 15, which is intended for wireless access only.

 

I want to:

Route all wireless hosts traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group

Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces.)

Allow filtered traffic to communicate with other VLANs via their gateways

 

If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.

 

Thank you.

20 Replies

Collin Clark
VIP Alumni

Take your EtherChannel and make it trunk. Put VLAN15 on the trunk and build the SVI for that VLAN on the ASA. You would also trunk your 'inside' VLAN back to the switch.

 

Hi Collin,

 

Thanks for your reply.

 

Unfortunately the 5525-X only allows me to create an etherchannel; I can't make a trunk. I've made a trunk on the switch side, using two link-aggregated ports, which includes VLAN 15.

 

I created port-channel 1 on the firewall, with an address of 10.196.15.1, however I am unable to ping this from a host sitting on VLAN 15 connected to the switch.

 

I know I could probably create a trunk up to the firewall using one cable, and then use the other cable for the downlink back to the switch, only allowing the downlink port to access the gateway to talk to other VLANs. So basically, any .15 VLAN hosts are forced to go via the firewall and back into the switch.

 

But I would prefer to try and do this logically, so have a 2GbE uplink to the firewall, where only traffic that has been filtered can travel back down the 2GbE uplink and access the gateway, giving 2GbE throughput and 1+1 redundancy.

 

Sorry, I'm stuck on this one. I tried doing what you said but I'm still not sure. I've attached a screenshot of the ASDM interface config if it helps.

 

If you could help clarify a bit further I'd really appreciate it.

Thanks

Let's first address why you can't trunk. Are you getting an error somewhere?

The firewall just isn't accepting any of the commands I would normally use to build a trunk.

For example:

--------------------------------------------------
ciscoasa(config)# int gi0/3
ciscoasa(config-if)# switchport mode trunk
                       ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-if)# vlan 15
                      ^
ERROR: % Invalid input detected at '^' marker.


ciscoasa(config)# int gi0/2.15
ciscoasa(config-subif)# switchport mode trunk
                          ^
ERROR: % Invalid input detected at '^' marker.

--------------------------------------------------

 

Even when configuring sub-interfaces the CLI just will not accept any form of switchport command.

Is there a separate set of commands for building trunks on ASA5525s? I've googled around a lot and all the examples I have seen show people using the standard trunk commands.

I restored the firewall back to factory defaults, but still no joy.

I've attached a copy of the running config if that reveals any config issues?

 

Thanks

Here's an example of creating a port-channel and then trunking the port-channel in the CLI. 

interface GigabitEthernet0/0
 speed 1000
 duplex full
 channel-group 10 mode on
 no nameif    
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 channel-group 10 mode on
 no nameif    
 no security-level
 no ip address
 
interface Port-channel10
 speed 1000
 duplex full
 no nameif    
 no security-level
 no ip address
!
interface Port-channel10.225
 vlan 225
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface Port-channel10.226
 vlan 226
 nameif dmz
 security-level 50
 ip address 192.168.99.254 255.255.255.0 standby 192.168.99.253
!

 
  

Hi Collin,

Thanks, I've now managed to create the trunk following your instructions.

I have set the switch up so that the trunk's native VLAN is 15, but VLANs 10-15 are allowed. As follows:

------------------------------------------

Switch:

------------------------------------------
interface GigabitEthernet1/0/1
 switchport access vlan 15
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10-15
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode active
!
interface GigabitEthernet1/0/2
 switchport access vlan 15
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10-15
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode active

------------------------------------------

Firewall

------------------------------------------
interface Port-channel10.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.196.10.1 255.255.255.0
!
interface Port-channel10.15
 vlan 15
 nameif dmz
 security-level 50
 ip address 10.196.15.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
-------------------------------------------------------

I am able to ping the .15 gateway from a host sitting on VLAN 15 on the switch; however, even with the 'same-security' configuration I am still unable to ping across to the .10 gateway.

I tried creating a route, 'route inside 10.196.15.0 255.255.255.0 10.196.10.0', however I was returned the error message 'Cannot add route connected route exists'. However, when I looked at sh route, no such route exists:

-------------------------

C    10.196.15.0 255.255.255.0 is directly connected, dmz
C    10.196.10.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, management

-------------------------

I should note that I have only used the gateway addresses 10.196.10.1 and 10.196.15.1 in the firewall's configuration. I have removed these gateway addresses from the switch, as I assumed the firewall should be used as the gateway, and didn't want the switch to route between the VLANs internally, bypassing the firewall.

 

I'm obviously still missing something. Might I have to set up NAT to translate the two addresses?

Thanks again for your help

Have you tried configuring the Port Channel interface on the switch with the trunk configurations? 

Hi Andre,

For the port channel config on the switch I have:

------------------------------------
interface Port-channel2
 switchport trunk allowed vlan 10-15
 switchport mode trunk
 switchport nonegotiate
 duplex full

------------------------------------

I assumed this would be ok?

Thanks

 

UPDATE:

I tried setting the security levels for both interfaces to 100, however still no joy, which leads me to think it may be something to do with the trunk itself?

I've uploaded the configs for both the switch and the firewall in case it helps.

ICMP is not inspected by default on the ASA. Try a different protocol, other than ping.

I tried pinging a host that was on the switch on VLAN 11, however that did not work either. However, the ping does work to the VLAN 15 gateway set up on the firewall.

 

I tried some other things like tracert, but I just can't get connectivity outside of VLAN 15 through the firewall.

 

Ping and traceroute both use ICMP. Try RDP or any other TCP protocol. Also try to ping devices on both networks from the ASA.

Hi Andre,

I've tried pinging hosts on both the .15 and .10 networks from the firewall and both hosts are responding. Both hosts are also able to ping their native gateways, i.e. 10.196.10.21 can successfully ping 10.196.10.1 and 10.196.15.21 can ping 10.196.15.1.

However, 10.196.10.21 cannot ping 10.196.15.21.

I tried issuing an RDP command through telnet however it was not successful.

 

On the basis that both hosts can ping their gateways, which only exist in the firewall, and the firewall can ping back, it looks as though the trunk may be working fine but the inter-VLAN route between .10 and .15 is still not working.

I have tried some basic routing commands from googling around but to no avail. I may try restoring factory defaults and setting the firewall up again in case I've issued a command that's stopping it somehow, though I can't see anything obvious.

You will never be able to ping the far side IP of the firewall (security feature). Please add these lines for ICMP:

icmp permit any inside
icmp permit any dmz

For DMZ to inside traffic, like Andre stated, you will need to either NAT from DMZ to inside or set the security levels of both interfaces to 100 and turn on same-security.

From a server on the inside you should be able to telnet to a server running RDP in the DMZ with the following command:

telnet 10.196.15.x 3389

Hi Collin and Andre,

Thanks, I can now ping across both VLANs after permitting ICMP.

I do, however, need to change the security levels back to DMZ 50 and inside 100. I've been trying NAT configurations that I've found online all morning, but I'm really struggling to get anything working.

Hosts on the .15 VLAN are issued IPs from a DHCP pool by the switch; I want to translate these into the .10 subnet range.

Do you have an example configuration I could look at?

Apologies I know I should read a bit more and work this out however I'm struggling and running out of time, if anybody could share an example config I'd really appreciate it.

Thanks
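An example of the configuration asked for in the last two posts, added here as an illustration and not taken from the thread or from any poster's configuration. It assumes the ASA 9.x (8.3+ NAT syntax) that ships on a 5525-X and the Port-channel10.10 (inside, security-level 100) and Port-channel10.15 (dmz, security-level 50) subinterfaces shown earlier in the thread; the object, object-group and access-list names are made up. It keeps the original security levels and, instead of relying on same-security, permits only the specific services the wireless VLAN needs on the inside, which is the filtering the original poster wanted from the firewall. The PAT statement at the end is optional: the ASA routes between its two directly connected subnets without any NAT, so it is only needed if inside hosts must see a 10.196.10.x source address.

```cisco
! Added example (not from the thread). ASA 9.x syntax; names are hypothetical.
!
! 1. Inspect ICMP so echo replies are matched to their requests statefully,
!    instead of opening ICMP with "icmp permit any" on both interfaces.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2. Define the two connected subnets from the thread.
object network INSIDE-NET
 subnet 10.196.10.0 255.255.255.0
object network DMZ-WIRELESS-NET
 subnet 10.196.15.0 255.255.255.0
!
! 3. Only the services the wireless DMZ is allowed to reach on the inside.
!    Adjust the port list to the real requirement; RDP (3389) is the example
!    service used in the thread.
object-group service WIRELESS-TO-INSIDE-SVC
 service-object tcp destination eq 3389
 service-object tcp destination eq 443
 service-object icmp echo
!
! 4. Lower-to-higher security traffic (dmz 50 -> inside 100) is dropped unless
!    an inbound ACL on the dmz interface permits it. Log what gets dropped.
access-list DMZ_IN extended permit object-group WIRELESS-TO-INSIDE-SVC object DMZ-WIRELESS-NET object INSIDE-NET
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! 5. Optional: hide wireless hosts behind the inside interface address
!    (10.196.10.1) with dynamic PAT. Omit this if plain routing is acceptable.
object network DMZ-WIRELESS-NET
 nat (dmz,inside) dynamic interface
```

To verify the policy without a host on either side, run packet-tracer on the ASA for a wireless host reaching an inside RDP server, e.g. `packet-tracer input dmz tcp 10.196.15.21 12345 10.196.10.21 3389`, and check that the ACL and NAT phases both show ALLOW; then repeat with a port that is not in the object-group to confirm it is dropped by the final deny and logged. `show nat` and `show access-list DMZ_IN` show hit counts for the translation and each ACE. Because the DMZ hosts get their addresses from the switch's DHCP pool, the ACL and PAT are written against the whole 10.196.15.0/24 subnet rather than individual leases.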
