Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1318
Views
0
Helpful
11
Replies

Traditional Inter-Vlan routing setup confusion

Go to solution
LandonM
Level 1
Level 1

‎02-08-2024 05:42 AM

I am currently studying cybersecurity but came to realize I liked networking as well and I wanted to create a simulated air-gapped network to practice cybersecurity concepts on (whatever it may be), I figured a Traditional Inter-Vlan network setup would be simple enough to replicate, and the way I decided to go about it is by splitting a 48 port switch into two Vlans (say Vlan 10 and Vlan 20), I also used a asa firewall due to its various cybersecurity functions and its routing capabilities. With this hardware, I figured I could nat to get traffic outbound from the Vlan 10 network to the Vlan 20 network and vice versa. Since the switch I am using is L3 capable I decided it could handle DHCP, I want a DHCP server per Vlan because, in the overview of this project, It is simply simulating a network connected to the web where possibly attackers from outside, say Vlan 10, try to attack the inside, Vlan 20. So DHCP would help remove static IP assignments forcing attackers to use some sort of reconnaissance like port scanning. When I get to using the ASDM configuration in the firewall to set nat rules I figured I could start by using the feature of allowing traffic between interfaces of the same security level and just giving the interfaces standard gateway ips (on Vlan 10 for example the gateway is 10.0.10.1). I then plugged the ports into relating to the same subnet as they are on the switch and figured I try to ping another computer on the opposing network. DHCP works fine I can ping the gateway but not the other gateway or another computer on the other subnet. I was told by someone to move the DHCP servers to the firewall and have the switches just L2 and have the firewall handle DHCP by placing the servers on the interfaces. I also figured I would create a nat rule to allow traffic from the Vlan 10 int to go to the Vlan 20 int and block DHCP traffic from between them. When I plugged everything in I had no ips anymore, DHCP is not working, and forget ping since I had no ips. I figured I would look at the packets being sent and used wireshark on the network and it seems there are a lot of ARP requests being sent out and gratuitous ARP packets also being sent it also says there are duplicate ips and the ip that was duplicate was the gateway ip and it was the only ip that is statically assigned in the network and the other gateway ip is not in the same subnet so it can't be them interfering with each other. I feel as if I am missing a few crucial steps and misunderstanding what to do. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to LandonM

‎02-08-2024 09:17 AM

then both VLAN 10 and VLAN 20 inter-VLAN in SW (here the SW need to have ip routing command )
and the traffic not reach the FW (the inter-vlan not happened in FW)
MHM

View solution in original post

0 Helpful
11 Replies 11

Go to solution
MHM Cisco World
VIP
VIP

‎02-08-2024 05:48 AM

All steps are correct for me' the Q is are you use two link to interconnect SW to FW or you using trunk?

Are this trunk tag both vlan or use one of them as native vlan?

From here we start troubleshooting.

MHM

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to MHM Cisco World

‎02-08-2024 06:23 AM

Two links, they come from one interface on the switch and go to the configured int on the FW.

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to LandonM

‎02-08-2024 06:25 AM

Correction* two links, one coming from each Vlan on the switch to FW.

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to LandonM

‎02-08-2024 06:30 AM

i.e. you use port1 in SW (this port assign with vlan10) and port2 in SW (this port assign with vlan20)
connect to FW that NOT use VLAN interface but use router interface with same security level for example 100
so you need 
same-security-traffic permit inter-interface 
for NAT, you dont need NAT between these two VLAN if both use private IP
MHM

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to MHM Cisco World

‎02-08-2024 06:37 AM

So if I'm correct don't worry about NAT, double-check the same security level, and keeping DHCP on the switch is ok? 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to LandonM

‎02-08-2024 06:45 AM - edited ‎02-08-2024 07:09 AM

Keep DHCP in SW.

This other issue'

If the SW is l2 it can not assign any IP to host' the dhcp need l3 interface to assign IP to client and this can not be done in l2 sw' and if we make SW l3 SW then we need to check which gw the dhcp push to clients is it IP of ASA or IP of vlan SVI of SW

MHM

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to MHM Cisco World

‎02-08-2024 09:10 AM

I am getting the gw from the SW.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to LandonM

‎02-08-2024 09:17 AM

then both VLAN 10 and VLAN 20 inter-VLAN in SW (here the SW need to have ip routing command )
and the traffic not reach the FW (the inter-vlan not happened in FW)
MHM

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to MHM Cisco World

‎02-08-2024 09:29 AM

so I need to run the ip routing command on the switch and connect the two Vlans together and ignore the FW?

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to LandonM

‎02-08-2024 09:30 AM

If you want traffic to flow without inspect by fw  then YES you need that.

MHM

0 Helpful

Go to solution
LandonM
Level 1
Level 1
In response to MHM Cisco World

‎02-08-2024 09:51 AM

Ok its working, turns out I needed to enable the ports connected to the FW to be trunked, I can see the incoming packets on one of the clients and I was not seeing replies because the clients firewalls were blocking icmp echo replies. 

0 Helpful
Customers Also Viewed These Support Documents