ACL and multiple default routes?

kpulford123
Level 1

Hi all,

I think I have painted myself into a corner.  I have multiple vlans routed on my 3750 core router.  All of these can talk to all the others by design; that's the way it was intended on our end.  Now I have a new vlan that I have an ACL on to limit access to other vlans.  The acl permits DHCP, DNS and access to two specific servers on the other vlans, but due to the implied deny all at the end it prevents any other access.  So this is a good thing too, sort of.

Now my 3750 connects to an asa firewall.  So I have created a sub interface on the asa for this semi-private vlan (Vlan 110).  When I connect to the vlan with a PC, I can get an IP address from my DHCP server and I can get to the 2 internal servers.  I can even retrieve ip addresses from the DNS servers internally.  What I can't do is get the traffic to the asa and out to the Internet.

I suspect the problem is that my 3750 has a default route pointing to the asa for all traffic it doesn't know about.  But since my new Vlan 110 can't really see that vlan it can't complete the default route statement.  So the traffic doesn't go out to the asa.  I can ping the asa from the PC on vlan 110, by that I mean I can ping the sub interface on vlan 110 of the asa.

So the question here is this.  Can I have a route within my vlan that tells this vlan 110 traffic that it doesn't know what to do with to send that data to the asa sub interface?

Ip addresses might help here so here they are:

Vlan 100 - 10.131.0.0 - default routes to 10.131.251.253 (ASA)

vlan 200 - 10.141.0.0 - default routes to 10.131.251.253 (ASA) - we have a static return route for this on the asa as well.

vlan 110 - 192.168.191.0 - Presumably default routes currently to 10.131.251.253 since that is the 3750s route of last resort.

The acl I have applied to the vlan 110 on the 3750 looks like this:

access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any eq domain any
access-list 103 permit udp any eq domain host 10.131.10.1
access-list 103 permit tcp any eq domain host 10.131.10.1
access-list 103 permit udp any eq domain host 10.131.10.14
access-list 103 permit tcp any eq domain host 10.131.10.14
access-list 103 permit ip any host 10.131.10.3
access-list 103 permit ip host 10.131.10.3 any
access-list 103 permit ip any host 10.131.10.202
access-list 103 permit ip host 10.131.10.202 any

And it is applied on the Vlan 110 sub interface of the 3750 like this:

ip access-group 103 in

So what I have been hoping to do with this vlan is allow very specific access to internal servers (there are 100-plus servers internally), but I only need to provide access to 2 servers plus the DHCP and DNS.  I also want to provide full Internet connectivity through my inside interface of the ASA to the outside interface of the asa.  Now I think, barring the vlan 110 interface on my asa, if I can get the unknown traffic to the asa it will get me to the Internet and back.

So if I have painted myself into a corner so to speak I am open to some other configuration, or I am hoping some suggestions on how to get my current config to work if possible.

Thank you all so much for taking a look at this.  I appreciate all of your comments.

Sincerely,

Kevin Pulford

4 Replies

mikearama
Level 1

I believe the issue is your ACL... you've gone with PERMITS in the statements, and the implicit DENY at the end.

Reverse this.  Create specific DENIES to the vlans/subnets that you do not want 110 devices to get to... satisfying your security posture.  Once the DENIES are specified, finish with an ALLOW IP ANY ANY, which will grant your 110 devices access to anything not specifically DENIED.  Hello internet.

Thank you for your reply.  That just absolutely gave me a new way of looking at this.  So thank you for that, for sure.  I was sort of mentally locked into the permit specifically and deny all others.

Now the question is, if I do as you suggest, I believe that will attempt to route my 192.168.191.0 traffic out my default route to the asa, which I believe will allow me to get at least to the asa.  (I will have to add a static route back on the asa for this subnet.)

But if I wanted it to go out the sub interface on the asa that was in the 192.168.191.0 subnet and the same vlan would there be a way to do that as well?  Or should I just route it all through my default vlan to the internet?

If I do end up just going through my default vlan for internet traffic, then I would be able to drop the sub interface / vlan from my asa I suppose.

I will give it a go.

Thanks so much for your time and help.

Sincerely,

Kevin Pulford

"I will have to add a static route back on the asa for this subnet."

Only if they're not directly connected.  But as you say:

" if I wanted it to go out the sub interface on the asa that was in the 192.168.191.0 subnet "

... in this case, the ASA knows all about your 192.168.191.0 subnet... no routes on the ASA required.  They're directly connected.

In our situation, we hang a dozen vlans on a central core router... a pair of 6506's.  Gateways for all vlans is on the core.  It has the typical default gateway pointing at our pair of ASA's.  The path to the ASA's is a completely unique subnet, not shared with any vlan.  So we don't have sub-ints on our ASA's.

If, however, you don't have a core housing your vlan gateways, and each vlan points to the ASA as its gateway, then you have no choice but to use sub-ints.

Hope that helped.

Mike

Thanks Mike,

Well our core is the 3750 switch / router.  The port on the switch that is directly connected to the asa is trunked to the asa with a native vlan.  I did this for a separate issue a while back involving a private vlan that does use a subinterface on the asa and uses the asa as the gateway.

In all other cases the default route on our vlans all point to the 3750.  And you are right, even without the subinterface on the asa it seems to find its way back to me when I ping it from the more restricted vlan 110.

So I have what I think you were talking about with the ACL setup, but I must be missing something.  I have 2 problems.

1) I can't ping the vlan int on the 3750 for my secured vlan.  In other words I can't ping 192.168.191.254, which is the assigned ip of the vlan 110 sub interface on the 3750 (when the acl is applied).

2) I can ping the asa using the 10.131.251.253.

So when I do a tracert from my PC connected to the vlan 100 and I tracert www.yahoo.com, it resolves the ip but then in one hop comes back and reports that 192.168.191.254 (my vlan default gateway) reports: destination net unreachable.

I also don't see any sort of traffic on the asa for this vlan's ip address.  I would expect it to at least show an attempt was made and no rule to allow it is present.

Now if I remove the acl from vlan 110 I can get to the internet with the 192.168.191.0 subnet of the vlan 110 with no problem.

Here is the new acl I have put together..

access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any eq domain any
access-list 103 permit udp any eq domain host 10.131.10.1
access-list 103 permit tcp any eq domain host 10.131.10.1
access-list 103 permit udp any eq domain host 10.131.10.14
access-list 103 permit tcp any eq domain host 10.131.10.14
access-list 103 permit ip any host 10.131.10.3
access-list 103 permit ip host 10.131.10.3 any
access-list 103 permit ip any host 10.131.10.202
access-list 103 permit ip host 10.131.10.202 any
access-list 103 permit ip any 10.131.251.0 0.0.0.255
access-list 103 permit ip 10.131.251.0 0.0.0.255 any
access-list 103 deny   ip any 10.0.0.0 0.255.255.255
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any

So from what I have tested, the following still appear to work: DHCP, DNS and access to the specific servers I need, and also the vlan 251 subnet, with everything else denied.  So I can ping 10.131.251.253 (ASA in the 251 vlan) and the 2 servers explicitly allowed.

I would have expected to be able to ping the vlan 110 sub interface of the 3750 (ip 192.168.191.254) but it comes back destination unreachable.

My default route in the 3750 looks like:

D*EX 0.0.0.0/0 [170/3072] via 10.131.251.253, 5d21h, Vlan251

But this is through a routing protocol (EIGRP).  But 10.131.251.253 I can ping from the 192.168.191.2 workstation with the ACL applied.

As you may have guessed I am not terribly familiar with acls to begin with and only a novice route guy.

I appreciate your time and any help you can offer.

Sincerely,

Kevin Pulford
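The following is an added worked example for this thread, not the poster's configuration or Cisco code. It evaluates the second ACL 103 exactly as posted above (applied "in" on the VLAN 110 SVI) against a handful of constructed sample packets, using the two rules an IOS access list actually follows: the first matching entry wins, and anything that matches no entry hits the implicit "deny ip any any" at the end. It then re-runs the same packets with the closing "permit ip any any" that the first reply describes. The evaluator only understands the ACE syntax that appears in the posted list (any, host A, A WILDCARD, and an optional "eq PORT" on either side); the packet sources, ports and the Internet destination 203.0.113.10 (a documentation address) are all assumptions made for the demonstration.

```python
"""Evaluate a numbered extended IOS ACL the way the switch does: first match
wins, and a packet that matches nothing falls to the implicit "deny ip any any".
Added example for this thread; not the poster's config or Cisco's code."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # names used in the list

# The second ACL 103 exactly as posted in the thread (applied "in" on the VLAN 110 SVI).
ACL_AS_POSTED = """
access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any eq domain any
access-list 103 permit udp any eq domain host 10.131.10.1
access-list 103 permit tcp any eq domain host 10.131.10.1
access-list 103 permit udp any eq domain host 10.131.10.14
access-list 103 permit tcp any eq domain host 10.131.10.14
access-list 103 permit ip any host 10.131.10.3
access-list 103 permit ip host 10.131.10.3 any
access-list 103 permit ip any host 10.131.10.202
access-list 103 permit ip host 10.131.10.202 any
access-list 103 permit ip any 10.131.251.0 0.0.0.255
access-list 103 permit ip 10.131.251.0 0.0.0.255 any
access-list 103 deny   ip any 10.0.0.0 0.255.255.255
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
"""
# The same list with the closing "permit ip any any" the first reply describes.
ACL_WITH_FINAL_PERMIT = ACL_AS_POSTED + "access-list 103 permit ip any any\n"


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq NAME|NUMBER' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' -> dict of match fields."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """'ip' matches every protocol; a port test applies only when the ACE has one."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl_text, pkt):
    """Return (verdict, matching ACE text); no match falls through to the implicit deny."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.split()[2] == "remark":
            continue
        if ace_matches(parse_ace(line), pkt):
            return line.split()[2], line
    return "deny", "<implicit deny ip any any>"


# Constructed samples entering the VLAN 110 SVI; 203.0.113.10 stands in for an Internet host.
SAMPLES = {
    "DNS query to 10.131.10.1": Packet("udp", "192.168.191.2", "10.131.10.1", 40000, 53),
    "ping ASA 10.131.251.253": Packet("icmp", "192.168.191.2", "10.131.251.253"),
    "ping own gateway .191.254": Packet("icmp", "192.168.191.2", "192.168.191.254"),
    "HTTPS to Internet host": Packet("tcp", "192.168.191.2", "203.0.113.10", 51000, 443),
    "SMB to other 10.x server": Packet("tcp", "192.168.191.2", "10.131.10.50", 51001, 445),
    "spoofed src 10.131.10.3": Packet("tcp", "10.131.10.3", "10.131.10.50", 51002, 445),
}


def verdicts(acl_text):
    """Map each sample name to its permit/deny verdict under the given ACL."""
    return {name: evaluate(acl_text, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("with final permit", ACL_WITH_FINAL_PERMIT)):
        print(f"--- ACL 103 {label} ---")
        for name, pkt in SAMPLES.items():
            verdict, by = evaluate(acl, pkt)
            print(f"{name:28} {verdict:6} {by}")
```

Run as posted, the DNS query and the ping to the ASA's 10.131.251.253 are permitted by explicit entries, while the HTTPS packet to the Internet host and the ping to the SVI's own 192.168.191.254 match no entry at all and fall to the implicit deny; with the closing "permit ip any any" both are permitted and the packet to the unlisted 10.131.10.50 is still stopped by the explicit "deny ip any 10.0.0.0 0.255.255.255". Two caveats the evaluator also makes visible: the return-direction entries (source 10.x) never match legitimate inbound traffic on this SVI, whose sources are 192.168.191.x, but they do match a packet with a spoofed 10.131.10.3 source, so an inbound ACL on the SVI is tighter when its permit entries name 192.168.191.0 0.0.0.255 as the source; and explicit denies only cover the ranges they name, so any other internal range (172.16.0.0/12, other RFC 1918 space) reachable from the core is exposed by the final permit unless it is denied too.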
