Adding Subnets to ASA 5505

ken.hoover1
Level 1

I am very new to configuring firewalls. I will be adding virtual servers to our network that attach to a Layer 3 HP 2920 switch.  There are also subnets configured on the switch (for the virtual cluster). I need to know how to configure my ASA 5505 firewall to allow these subnets to talk to the domain and be protected.  I have attached a network diagram of sorts.  I would prefer to perform the configuration via the ASDM, if possible, as I have never been good at CLI.

I have had some answers to previous posts, but still am having no communication through the firewall.

Any help would be greatly appreciated.  I inherited this task and have never configured a firewall before.  Can this be done with a basic license?

I have attached a diagram of what I am trying to accomplish.

29 Replies

I can see that on the jn_switch you were able to add a default route, and on the cg_switch you were not able to. Also, for testing purposes, can you do this on the switch:

- no ip routing
- ip routing

After that, try to test the InterVLAN routing and also try once again to add the default route provided before to the switch:

ip route 0.0.0.0 0.0.0.0 10.10.0.3

On the ASA you will need to set up a capture to see if that traffic is hitting the firewall if the InterVLAN routing does not work, such as:

access-list CAP permit ip 10.10.X0.0 255.255.255.0 10.10.0.0 255.255.255.0

access-list CAP permit ip 10.10.0.0 255.255.255.0 10.10.X0.0 255.255.255.0

Define the VLAN from where you are sending the traffic:

capture CAP interface Inside access-list CAP

then deploy the capture:

show cap CAP

Copy the traffic captured, put it in a notepad and have it attached, please.

Then a capture to monitor the traffic being dropped due to something blocking it in the ASA:

capture ASP type asp-drop all

Then deploy the capture and filter it, copy the dropped traffic and send it out on a notepad:

show cap asp | in 10.10.X.X

Please proceed to rate and mark as correct this post if it helped you, keep me posted!

David Castro,

I did not set the JN switch up. That was done by our software company, but they do not do setups anymore, so I am attempting this all for the first time.

The switch will not take the command you gave to add the default route.

On the ASA, I set up the capture, but it won't let me put the results into notepad from the ASDM interface.

Attached please find the results of the show cap CAP in notepad.

On the next one - show cap asp | in 10.10.x.x, what should be in place of the x's? Should it be the ip address I am trying to reach?

According to this capture, clearly you may see the packets reaching the ASA, but there is no returning traffic. How did you set up the capture?

 786: 02:12:24.867051 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 787: 02:12:29.868409 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 788: 02:12:34.869080 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 789: 02:17:44.912962 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 790: 02:17:49.913420 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 791: 02:17:54.913816 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 792: 02:23:04.954418 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 793: 02:23:09.953945 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 794: 02:23:14.954326 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48

On the asp capture, do a: show cap asp | in 10.10.0.254
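The one-way pattern pointed out above (packets from 10.10.0.254 to 10.10.30.11 with nothing coming back) can be checked mechanically over a saved `show cap` output instead of by eye. The following Python script is an added example, not part of the original post or of any Cisco tooling: it parses ASA capture lines in the format shown above, groups them into unidirectional flows, and lists the flows whose reverse direction never appears. The sample text is constructed; the three udp lines mirror the capture in the thread, and the two ICMP lines are made up to show what a flow with a reply looks like, assuming the ASA renders ICMP as `icmp: echo request` / `icmp: echo reply`.

```python
import re
from collections import defaultdict

# One line of ASA `show capture <name>` output, e.g.
#   786: 02:12:24.867051 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
# Ports are optional so that ICMP lines (no ports; rendering assumed to be
# "10.10.0.217 > 10.10.30.11: icmp: echo request") parse as well.
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<time>\S+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<proto>\w+)"
)

# Constructed sample: the udp lines mirror the thread's capture, the ICMP
# echo request/reply pair is made up to show a flow that does get an answer.
SAMPLE_CAPTURE = """\
 786: 02:12:24.867051 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 787: 02:12:29.868409 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 788: 02:12:34.869080 802.1Q vlan#1 P0 10.10.0.254.123 > 10.10.30.11.123:  udp 48
 789: 02:13:01.100000 802.1Q vlan#1 P0 10.10.0.217 > 10.10.30.11: icmp: echo request
 790: 02:13:01.100400 802.1Q vlan#1 P0 10.10.30.11 > 10.10.0.217: icmp: echo reply
"""


def parse_capture(text):
    """Return one dict per parsable packet line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "seq": int(d["seq"]),
            "time": d["time"],
            "vlan": int(d["vlan"]) if d["vlan"] else None,
            "src": d["src"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"].lower(),
        })
    return packets


def flow_summary(packets):
    """Count packets per unidirectional flow keyed by (proto, src, sport, dst, dport)."""
    counts = defaultdict(int)
    for p in packets:
        counts[(p["proto"], p["src"], p["sport"], p["dst"], p["dport"])] += 1
    return dict(counts)


def one_way_flows(packets):
    """Flows for which the mirrored flow (dst->src, ports swapped) never shows up."""
    flows = flow_summary(packets)
    result = []
    # sort on a string view of the key so None ports and int ports compare safely
    for key, n in sorted(flows.items(), key=lambda kv: tuple(str(x) for x in kv[0])):
        proto, src, sport, dst, dport = key
        if (proto, dst, dport, src, sport) not in flows:
            result.append({"proto": proto, "src": src, "sport": sport,
                           "dst": dst, "dport": dport, "packets": n})
    return result


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(f"{len(pkts)} packets parsed")
    for f in one_way_flows(pkts):
        print(f"no return traffic: {f['proto']} {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']} ({f['packets']} packets)")
```

To use it on a real capture, paste the `show cap CAP` output into a file and call `parse_capture(open(path).read())`; a flow reported by `one_way_flows` is one whose reply either never reached the interface the capture is attached to or was dropped on the way back, which is exactly the case to check against the `asp-drop` capture.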

I set up the capture following the commands that you sent. Also, when I do a show cap asp | in 10.10.0.254, I get no results displayed.

Alright, so far it seems that the traffic is coming from the switch to the firewall but it is not coming back, so I need to know what the desired flow is, because I told you about InterVLAN routing, so the traffic should be routed within the same L3 switch and not necessarily go to the firewall, though it seems that it is not working that way so far. On the ASA, we have the U-turn and routes properly configured. I see on the switch the VLANs are configured differently: one VLAN tags and the other does not tag. So can you try, for testing purposes, ICMP from VLAN10 to VLAN20 or VLAN1? You may find the differences here:

vlan 10
   name "Oasis360"
   tagged 1/7-1/12,2/7-2/12
   ip address 10.10.10.1 255.255.255.0
   exit
vlan 20
   name "Poller1"
   tagged 1/7-1/12,2/7-2/12
   ip address 10.10.20.1 255.255.252.0
   exit
vlan 30
   name "iLo"
   untagged 1/21-1/22,2/21-2/22
   ip address 10.10.30.1 255.255.255.0
   exit
vlan 40
   name "Switch_Management"
   ip address 10.10.40.1 255.255.255.0
   exit

Keep me posted!

David Castro,

I am still at a loss on this.  I have attached the results of a packet trace on the ASA from my office computer to the iLO on the server. It says the packet is being dropped in NAT( NAT Rule attached). I have also attached the running configs for the L3 switch and the ASA. I hope this helps.

Add a static NAT as follow:

static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Let me know how it works out!

I added this static NAT and was able to access the iLO on the server. However, with this NAT rule in place, my Poller started crashing. It kept saying that it could not create files on the SQL server (where it stores the data) and would shut down.

When I removed this static NAT rule, everything on the network returned to working normally.  The packet tracer shows that the traffic is being dropped due to a dynamic rule (packet tracer results are attached). I have also attached the running configs for the ASA and the switch.

Adding a static route should not cause this to happen, should it?

Hello Ken,

I saw you marked as correct the previous answer, I was wondering about the SQL server, how is that going?

Thanks,

David Castro,

I don't remember a problem with SQL Server, but the problem that I had seems to be solved at this point. I was experiencing intermittent problems accessing the servers themselves, but it appears to have been a bad NIC. I will know for sure when I get the replacement.

Well, as soon as you get it replaced, please keep me posted if something else is required.

Have a great day :)

David Castro,

I tried a packet trace from my office computer (10.10.0.217) to the iLO (10.10.30.11) and have attached the result. It looks like everything is OK until it hits a NAT rule, which I have also attached.

Am I missing something, or do I just have to add something to the pool?

I also have attached the ip route for the switch I am trying to get working (CG) and the one at our other casino that was already set up (JN).

I have added a super route. How would I go about the NAT?  Also the super route still does not allow me to access the iLO, would the NAT solve this?