I am trying to get some general information about a topic I know very little about. First I'd like to give some background info on my setup:
We have a small Cisco 1800 series workgroup router that separates our network from the outside world. The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0. fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3). These sub-interfaces correspond to a desktop and server vlan on our network. The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2).
Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network. The firewall was set up between the router and switch 1 in transparent, multi-context mode. There are 2 security contexts, 1 for the desktop vlan and 1 for the server. Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.
The issue I'm seeing is this. When the firewall wasn't connected, I could pass the management vlan traffic through the switches just fine, but now with the firewall in place I can no longer ping switch 1 from the router. This is a problem because we use Solarwinds to manage all our network devices and I'm afraid it will no longer be able to "see" the switches from the remote location where we need to manage it.
I had a co-worker who had a similar problem and he got around it by using the management interface for the management vlan, but I was informed I couldn't do this when in multi-context mode. I also thought of creating a 3rd sub-interface on the router and also a 3rd context to handle it, but the license we purchased was only for 2 security contexts. Since it is a management vlan and doesn't need any security applied, is there still a way I can tell it to just pass this info through?
I'm just trying to get my head around the problem and see if anyone can offer a solution to resolve it. The only thing I can think of now is to move the firewall down a level so it's hanging off switch 1 and using vlan magic to force all traffic through it, but I'd rather keep the firewall physically between the router and switch if at all possible. As far as the authentication and all that working... it works beautifully... no issue at all there... the only issue is no management vlan traffic is getting through. I'm attaching a crude MS Paint diagram of my setup. The 2 smaller lines are just logical, there is only a single physical cable between all the devices (router to firewall, firewall to switch 1).
I'm not sure how much of the config I can post so I'm trying to get any suggestions to try first. I am reeeally trying to get this set up in our lab and shipped off in a couple days if at all possible! Thanks for your help in advance!
Which vlan were you using for management traffic between the devices? If this was the default untagged Vlan 1, then you don't have an ASA context configured for this traffic to pass. One option would be to configure another context for that (providing you have enough context licences), or pull a cable from the router to the switch, bypassing the ASA, if you have enough physical ports.
Sent from Cisco Technical Support iPad App
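To make the reply's point concrete, here is a small Python model (an added example, not code from the thread or from Cisco) of how a transparent, multi-context firewall hands each frame to a context based on the 802.1Q tag it arrives with. The context names, VLAN numbers and the two-context licence limit are taken from the thread; the classification logic is a constructed simplification that only models the behaviour described here, not the ASA's real classifier.

```python
"""Constructed model: VLAN-based context classification on a transparent,
multi-context firewall sitting on a single 802.1Q trunk.

Assumptions (not from the thread): one bridged VLAN per context, and any
frame whose VLAN is not allocated to a context is dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NATIVE_VLAN = 1  # frames with no 802.1Q tag belong to the trunk's native VLAN


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]  # None means the frame left the trunk untagged

    def effective_vlan(self) -> int:
        """Untagged frames are treated as native VLAN (VLAN 1 by default)."""
        return NATIVE_VLAN if self.vlan is None else self.vlan


@dataclass(frozen=True)
class Context:
    name: str
    vlan: int  # the tagged sub-interface allocated to this context


class TransparentMultiContextFirewall:
    """Owns at most `max_contexts` contexts, each bridging exactly one VLAN."""

    def __init__(self, max_contexts: int) -> None:
        self.max_contexts = max_contexts
        self._by_vlan: Dict[int, Context] = {}

    def add_context(self, ctx: Context) -> None:
        if len(self._by_vlan) >= self.max_contexts:
            raise RuntimeError(
                f"licence allows only {self.max_contexts} security contexts"
            )
        if ctx.vlan in self._by_vlan:
            raise ValueError(f"VLAN {ctx.vlan} is already allocated")
        self._by_vlan[ctx.vlan] = ctx

    def classify(self, frame: Frame) -> Optional[Context]:
        """A frame belongs to whichever context owns its VLAN, if any."""
        return self._by_vlan.get(frame.effective_vlan())

    def forward(self, frame: Frame) -> Tuple[str, str]:
        ctx = self.classify(frame)
        if ctx is None:
            # No context owns this VLAN, so nothing bridges the frame through.
            return ("DROP", f"no context owns VLAN {frame.effective_vlan()}")
        return ("FORWARD", ctx.name)


def build_firewall() -> TransparentMultiContextFirewall:
    """Two contexts, as in the thread: desktop on VLAN 2, server on VLAN 3."""
    fw = TransparentMultiContextFirewall(max_contexts=2)
    fw.add_context(Context("desktop", vlan=2))
    fw.add_context(Context("server", vlan=3))
    return fw


def simulate() -> Dict[str, Tuple[str, str]]:
    """Push constructed frames through the model and report the outcome."""
    fw = build_firewall()
    frames = {
        "router -> desktop vlan": Frame("router", "pc1", vlan=2),
        "router -> server vlan": Frame("router", "srv1", vlan=3),
        "router -> switch1 mgmt (untagged)": Frame("router", "switch1", vlan=None),
    }
    return {label: fw.forward(f) for label, f in frames.items()}


def third_context_is_refused() -> bool:
    """Adding a management context beyond the licence limit fails."""
    fw = build_firewall()
    try:
        fw.add_context(Context("management", vlan=NATIVE_VLAN))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(f"{label:40s} {outcome[0]:8s} {outcome[1]}")
    print("third context refused:", third_context_is_refused())
```

Running the block shows the two tagged VLANs forwarding through their contexts while the untagged management ping from the router to switch 1 is dropped, and that a third context for VLAN 1 is refused by the licence limit, which is exactly the corner the thread describes.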
Hello Stojanr, thanks for your reply.
Yes unfortunately the license we have is only for 2 security contexts. Also, the Cisco 1841 router is a small workgroup router with only 2 physical interfaces so there is no extra one to use.
I just wanted to get some confirmation on this. It looks like my only option is to connect the firewall to 2 interfaces on the switch and force all desktop/server vlan traffic through those ports before they can get to any of the access ports.
I had done that before using vlans (setting the inbound vlans as something different than the access port vlans and having the firewall "translate" so that traffic coming out was on the vlans the access ports were expecting). I was just wondering if there was a better way to do it.