Re: Connecting a second subnet to dmz

mayanquetza · ‎11-03-2010

We just dropped a SAN into our dmz and I've created a new network for it for it using a different subnet. The LAN itself works independently without a problem but as I try to connect the new network to our ASA 5520's I'm running into connectivity issue. I can't seem to get traffic from the dmz subnet to the san subnet. The DMZ and SAN interfaces are set to the same security level on the ASA and I have allowed same-security traffic to pass.

Can someone give me a sanity check here? I think I need an appropriate NAT entry for this to work but all of my attempts at that have yielded no progress. I've left out unrelated ACL and NAT entries and VPN config.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xxx.xxx.xxx 255.255.255.224 standby xx.xxx.xxx.xxx
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254
!
interface GigabitEthernet0/2
nameif SAN
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu SAN 1500
ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
monitor-interface outside
monitor-interface inside
monitor-interface management
monitor-interface SAN
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xx.xxx.xxx.xxx

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.150.232.161 1
route inside 10.0.5.0 255.255.255.0 10.0.0.1 1

Maykol Rojas · ‎11-03-2010

Hello,

My name is Mike and I will try to help you out, I dont see the DMZ anywhere I can see the SAN interface only. Are the DMZ and SAN on the same interface? Would the ASA do the routing for this subnets? Would you please draw us a topology for this?

Let me know.

Mike

mayanquetza · ‎11-03-2010

Will a visio diagram suffice? I've attached our layout. I've added the lighter weigted lines to the diagram indicating what I'm trying to do.

The background colors take the place of physical connections to the appropriate LAN switch.

The DMZ, as of right now, is signified by the "inside" and "san" interfaces on the ASA config I pasted. The ASA will be doing the routing for these subnets, that's not what I wanted but it also isn't my call.

Maykol Rojas · ‎11-03-2010

Hello,

Ok so the Inside will be the DMZ and the SAN will be... well.... the SAN network, I dont see any NAT configuration, woulc you please do a packet tracer command from the DMZ to the SAN network? I will be like this

packet-tracer input inside tcp 1025 80

With this we will be able to see what is the reason for the drop.

Thanks!

Mike.

Mike

mayanquetza · ‎11-04-2010

Is the packet-tracer command valid on ASA 7.0(X) software?

IOS isn't recognizing it.

Panos Kampanakis · ‎11-04-2010

Unfortunately, it was introduced in 7.2, so you will not have it in 7.0.

PK

mayanquetza · ‎11-05-2010

My apologies, the devices are fairly new and I haven't had the downtime to upgrade them. This isn't a showstopper is it?