07-11-2012 08:15 AM - edited 03-11-2019 04:29 PM
Hi,
We have an ASA 5520 which is in multiple context mode.
We are trying to pass traffic from the outside interface to the dmz interface.
I may be fundamentally wrong in the way I'm configuring this, but this is one thing I'm hoping someone may be able to help with. We have a /27 public IP range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.
So I created the outside interface GigabitEthernet0/0 with 1.2.3.192/28
Inside Interface GigabitEthernet0/2 with 192.168.20.0/24
DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29
So all I want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214, which is the DMZ interface address on the ASA.
I hope this makes sense? I'm sure I'm doing something stupid, I'm just stuck, and hoping someone can help.
I can provide more info if required.
Thanks
Birdy
07-17-2012 11:06 AM
Personally, I wouldn't change my infrastructure just because one feature doesn't work as expected. Better look for the cause of the problem. After changing the MAC addresses on the ASA, have you tried to clear the ARP cache on the router?
07-18-2012 01:18 AM
Hi,
Having had a look, my configuration doesn't differ much from what was suggested anyway.
Yes, I have cleared the ARP cache on the router after changing the MAC addresses.
Thanks
Chris
07-17-2012 08:35 AM
So from the standpoint of the adjacent router it looks fine with the different MAC addresses. Please explain what you mean by "locked out of the admin context". What exactly doesn't work?
07-17-2012 08:51 AM
Hi,
Thanks for the replies.
I cannot connect on ASDM, SSH or telnet to the .194 address. Nor can I ping etc. So I can't manage the ASA when mac-address auto is applied. (I schedule a reload before I apply this.)
So even though the router is showing a different MAC address in its ARP table, the ASA won't accept connections on the admin context and that IP address. I can't think of anything in the ASA that I've configured that would block/filter on L2.
Thanks
Chris
07-19-2012 09:58 AM
Anything on the Switch between the ASA and the Router?
07-20-2012 03:01 AM
Hi,
There's no switch between the router and the firewall. If I explain the topology a bit more that might help.
Internet > Cisco 1921 > ASA 5520 > Dell Blade, Poweredge Switch M6348.
The switch has 2 VLANs, one for the 192.168.20.0/24 network. The other is the DMZ, 1.2.3.208/29
The ASA has 2 contexts, admin, interface Gi0/0 1.2.3.194/29
ctx1 interface Gi0/0 1.2.3.195/28 - nameif outside
Interface G0/1 10.10.10.1/25 - nameif CMC (Management for blades)
Interface Gi0/2 192.168.20.254/24 nameif inside
Interface Gi0/2.1 1.2.3.208/29 nameif DMZ
I was primarily using NAT to reach various servers/management interfaces on the inside and CMC interfaces, which worked fine. However, we needed a publicly addressable space to run a SIP server and possibly some more things to come, which is where the DMZ came from. However, as the admin context and ctx1 share interface Gi0/0 and I need to route part of the public subnet to the DMZ, I found I needed to turn on mac-address auto in the system context. This allows the NAT and the DMZ to work, however I can't access the admin context. The ARP cache updates immediately on the router so it sees the change, but I just wonder if it's something on the ASA that cannot accept traffic on that MAC address?
Sorry for the long-winded explanation, I hope this makes sense.
Thanks
Chris
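As an added illustration (not the poster's running configuration or Cisco's documentation), this is the shape of the multiple-context setup described above: the system execution space with mac-address auto and the shared GigabitEthernet0/0 allocated to both contexts, plus the per-context interface addressing. The VLAN ID on the DMZ subinterface, the config-url paths, the security levels and the /28 mask on the admin interface are assumptions.

```text
! --- System execution space (assumed layout) ---
! "mode multiple" is entered from the system exec, not stored here.
mac-address auto
admin-context admin
interface GigabitEthernet0/2.1
 vlan 30
! vlan 30 is an assumed DMZ VLAN ID
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/2.1
 config-url disk0:/ctx1.cfg
! config-url paths above are assumed

! --- Inside context admin (changeto context admin) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.194 255.255.255.240

! --- Inside context ctx1 (changeto context ctx1) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.195 255.255.255.240
interface GigabitEthernet0/1
 nameif CMC
 security-level 100
 ip address 10.10.10.1 255.255.255.128
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.20.254 255.255.255.0
interface GigabitEthernet0/2.1
 nameif DMZ
 security-level 50
 ip address 1.2.3.214 255.255.255.248
```

With mac-address auto enabled, each context's copy of GigabitEthernet0/0 gets its own MAC address so the classifier can tell admin and ctx1 traffic apart on the shared wire; `show interface GigabitEthernet0/0` run inside each context shows the MAC that context is using, which can be compared against the router's ARP entries for .194 and .195.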