Multiple context transparent firewall issue - urgent, please advise

philipplant
Level 1

Hi folks,

If you could please advise me on this problem urgently, I'd be extremely grateful.  I am trying to get an ASA5510 to work in multiple context transparent mode, and I keep coming up against the following issue.

I have one logical network, 10.1.11.0/24 divided into two parts by the firewall.  Pinging from the firewall, when I first configure the inside interface, I can ping hosts on the inside network.  However when I also configure the outside interface, I can no longer ping the hosts on the inside although I can ping hosts on the outside.

Here are some highlights from my very simple configuration.  First of all the system context:

ASA Version 8.2(1) <system>
firewall transparent
!
interface Ethernet0/1
 description Trunk to sw1 gi0/22
!
interface Ethernet0/1.21
 vlan 21
!
interface Ethernet0/2
 description Backhaul
!
admin-context backhaul
context backhaul
  allocate-interface Ethernet0/1.21
  allocate-interface Ethernet0/2
  config-url disk0:/backhaul.cfg

And now the backhaul context:

firewall transparent
hostname backhaul
!
interface Ethernet0/1.21
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif outside
 security-level 0
!
ip address 10.1.11.20 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.11.16 1

Hosts on the inside network (e0/1.21) are reachable:

asa5510/backhaul# ping 10.1.11.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

asa5510/backhaul# ping 10.1.11.125
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.125, timeout is 2 seconds:
!!!!!

But hosts on the outside network are not:

asa5510/backhaul# ping 10.1.11.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.16, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

However when I disable the inside interface:

asa5510/backhaul# conf t
asa5510/backhaul(config)# int e0/1.21
asa5510/backhaul(config-if)# no nameif
! ... wait a few moments
asa5510/backhaul# ping 10.1.11.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Then I can ping hosts on the outside interface!

Please help, I don't understand!

I've also tried 8.2(2) with the same results.

Thanks,

Philip

7 Replies

Panos Kampanakis
Cisco Employee

It seems you are trying to bridge vlan 21 and the native vlan. The host probably resides in the native vlan on the switch.

Can you check if the spanning tree on the switch blocks the port connected to the ASA?

PK

Hi PK,

Thank you for taking time to look at this.

The host doesn't reside on the native VLAN, and the e0/1 port is in trunked mode.  The 'backhaul' network is a LAN extension service which bridges the 10.1.11.0/24 network off-site.

interface GigabitEthernet0/2
 description server1 GB1
 switchport access vlan 21
 switchport mode access
end

interface GigabitEthernet0/22
 description asa5510 e0/1
 switchport mode trunk
end

VLAN0021
  Spanning tree enabled protocol ieee
  Root ID    Priority    32789
             Address     0025.x.7100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32789  (priority 32768 sys-id-ext 21)
             Address     0025.x.7100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/22              Desg FWD 4         128.22   P2p
Gi0/24              Desg FWD 4         128.24   P2p

Do you have any other thoughts on what might be going on please?

Thanks,

Philip

Previous reply edited to give more detail.

Thanks,

Philip

Hi guys,

I could really do with some help on this one - the problem seems so odd.  The setup is pretty simple though, I have a handful of servers on a switch, they're on VLAN 21.  Then a trunked port goes from the switch to the ASA5510 which is connected directly to the 'backhaul' LAN extension service which is connected to the remote servers.

When I remove the nameif statement on the inside interface which has VLAN 21 on the backhaul context, I can ping the remote hosts at the far end of the LES, but I can't ping the local servers.  When I put the nameif statement back, I can ping the local servers but not the remote ones.

It's driving me nuts, any advice would be greatly appreciated!

Thanks,

Philip

Try to traceroute from the ASA to see the path it takes.

Check if the ASA is sending the pings out and where they are going with a packet capture on the ASA interfaces using the capture command.

PK

Thanks again PK, I finally solved this.

I hadn't considered all the implications of connecting an ASA in layer 2 mode to a trunked port, and it was leaking BPDUs across the firewall from the switch to the third-party backhaul network, which consequently blocked the port until they stopped.

I hope this proves useful to any future readers, it may even save a grey hair or two :-)

Thanks again,

Philip
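Since the cause turned out to be the switch's BPDUs leaking through the transparent firewall into the third-party backhaul, the standard ASA mitigation is an EtherType access list that drops BPDUs on the bridged interfaces. The following is an added example and not the configuration Philip actually applied (he did not post it); the ACL name BLOCK-BPDU is an assumption, and the interface names match the backhaul context above.

```text
! Added example, not from this thread. EtherType ACL that keeps BPDUs on
! their own side of the transparent firewall; the name BLOCK-BPDU is assumed.
access-list BLOCK-BPDU ethertype deny bpdu
access-list BLOCK-BPDU ethertype permit any
!
! EtherType ACLs are applied inbound, so apply on both bridged interfaces:
! inside stops the switch's BPDUs reaching the backhaul, outside stops any
! BPDUs from the backhaul reaching the switch.
access-group BLOCK-BPDU in interface inside
access-group BLOCK-BPDU in interface outside
!
! Verify: the deny line's hit count should keep rising every hello interval
! (2 s on the switch above) while the inside ping to 10.1.11.16 now succeeds.
show access-list BLOCK-BPDU
```

The trade-off is that spanning tree can no longer detect a loop that passes through the firewall, so this is only safe when the two sides have no second path between them.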

Ha! It had to be a spanning tree issue.

Rate helpful posts.

Take care,

PK
