Beginner

ASA - Routing Outside with Sub-Interfaces

Greetings

I'm attempting to use an ASA to route two VLANs to an outside interface that uses NAT/Port Forwarding on the outside IP to access several servers within one of the aforementioned VLANs. The following diagram shows the topology.

 

 

[Image: Untitled Diagram-Page-2.jpg]

 

 

The router is only here for testing purposes. On deployment, I'll simply have a gateway IP. I realise it adds some complexity, but the router is already configured for the test and works.

The ASA is where I'm stumped. From the gi1/1 interface, I can ping the router on the gi0/0 interface. However, if I attempt to ping either of the sub-interfaces, or the server below the firewall, I can't access it. The ASA logs are showing that the ICMP packets are coming in, but it's as if they disappear afterward. I ultimately need traffic other than ICMP to flow, but for now I can't manage to get this through.

It's unclear if the problem is with NAT, ACLs or I'm just doing something stupid that I shouldn't be doing. Here's a portion of the config on the ASA:

 

int gi1/1
 nameif outside
 security-level 0
 ip address 10.170.2.89 255.255.255.0 standby 10.170.2.90
int gi1/2.400
 vlan 400
 nameif goofy_400
 security-level 100
 ip address 172.16.101.3 255.255.255.0 standby 172.16.101.4
int gi1/2.401
 vlan 401
 nameif goofy_401
 security-level 100
 ip address 172.16.102.3 255.255.255.0 standby 172.16.102.4
object network servers_subnet
 subnet 172.16.102.0 255.255.255.0
 nat (goofy_401,outside) dynamic interface
object network netmgmt_subnet
 subnet 172.16.101.0 255.255.255.0
 nat (goofy_400,outside) dynamic interface
access-list to-server extended permit icmp any any
access-list to-server extended deny ip any any
access-group to-server in interface goofy_400
access-group to-server in interface goofy_401
nat (goofy_400,outside) after-auto source dynamic any interface
nat (goofy_401,outside) after-auto source dynamic any interface

Any advice here would be greatly appreciated.

Frequent Contributor

Re: ASA - Routing Outside with Sub-Interfaces

Hi There,
When you say you can't ping either of the ASA sub interfaces or the server behind the ASA, where are you sourcing / initiating the ping from?
Also, the server, what ip / vlan is its GW?
Beginner

Re: ASA - Routing Outside with Sub-Interfaces

I had a laptop that was parked on the other end of R1 in the 10.170.2.X/24 subnet that I was attempting to use to hit SRV1 (I believe I set a static IP of 10.170.2.50). I forgot to mention that the gi0/1 IP is the gateway of the 10.170.2.X subnet with an IP of 10.170.2.1. The pings were sent from that laptop. When those failed, I moved to R1 and tried the pings from it, and while I could see the 10.170.240.89 address, I wasn't able to ping beyond it to any of the directly connected VLAN interfaces on F1.
The server is running ESXi, and the VMs on it are intended to communicate through multiple port groups targeting different VLANs, so it gets a trunk. However, its management IP is 10.170.101.10 on the 400 VLAN.
Frequent Contributor

Re: ASA - Routing Outside with Sub-Interfaces

Let's take the issues one at a time.

When you have the laptop hanging off R1, I'm assuming you can hit the R1 interface / GW and that the path up to the ASA outside interface is OK from the perspective of the laptop.

 

On the firewall itself, to be able to ping through it you need to first ensure you are inspecting icmp. Do you have the following configured on the ASA? If not, add the inspect icmp command under global policy, like below. 

policy-map global_policy
 class inspection_default
  inspect icmp

If you now send icmp traffic from laptop to server, the ASA will keep track of that traffic. That should be the path from laptop to server sorted; however, now focus on the return path from the server. The return traffic will hit the ASA, but it looks like it is going to get NAT'd to the ASA Outside interface before being sent out. Is this what you want? For testing you may want to remove those NATs and then maybe look at adding a static NAT for the server once you prove connectivity.

As for not being able to ping the sub interfaces. If you were trying to do this whilst coming in from the Outside then this is not possible by design. You cannot ping another ASA interface IP whilst coming in via a different interface.

Frequent Contributor

Re: ASA - Routing Outside with Sub-Interfaces

Also, since your icmp traffic is coming from the Outside you will need an ACL allowing the traffic on the outside interface. This is because you cannot go from a lower security level to higher security level interface unless permitted via ACL.
Frequent Contributor

Re: ASA - Routing Outside with Sub-Interfaces

One last thing: does the ASA have a route back to the 10.170.2.x/24 network, pointing up to the router?
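
The checks suggested in the replies, gathered into one ASA sketch. This is an added example, not a configuration posted by anyone in the thread. The ACL name outside_in and the server address 172.16.101.10 are assumptions; 10.170.2.50 is the laptop address mentioned above.

```cisco
! --- Configuration mode ---------------------------------------------------
! Inspect ICMP so each echo reply is matched to the request that opened it.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Traffic entering the outside interface (security-level 0) toward the
! security-level 100 sub-interfaces needs an explicit permit. This permits
! only echo requests from the test subnet to the two inside subnets, rather
! than "icmp any any"; everything else hits the implicit deny.
! (outside_in is an assumed ACL name.)
access-list outside_in extended permit icmp 10.170.2.0 255.255.255.0 172.16.101.0 255.255.255.0 echo
access-list outside_in extended permit icmp 10.170.2.0 255.255.255.0 172.16.102.0 255.255.255.0 echo
access-group outside_in in interface outside
!
! --- Privileged EXEC: verification -----------------------------------------
! Confirm the ASA has a path back toward the source network.
show route
! List the NAT rules in evaluation order, with hit counts.
show nat detail
! Simulate an echo request (ICMP type 8, code 0) arriving on outside.
! 172.16.101.10 is an assumed server address in the goofy_400 subnet.
! The output walks each phase (ACL, NAT, route lookup) and names the one
! that drops the packet.
packet-tracer input outside icmp 10.170.2.50 8 0 172.16.101.10 detailed
! Counters for packets dropped in the accelerated security path.
show asp drop
```

The packet-tracer result shows whether the drop comes from the ACL, the NAT rules or routing, which is the question the original post leaves open.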