Advice please on moving external network onto internal LAN

Hello all,

currently we have a DSL line connecting through a Cisco 1800 router thence into an ISA server. The router address and external address on the ISA belong to a C class network range that we own but which is not used for the internal network, which is a NAT network. We are about to upgrade our internet connection to a fibre connection. However, because of the physical layout of our campus, the 1800 router will be located several hundred metres away from the ISA server rather than physically adjacent to it, as it is now.

So currently:      INTERNAL --> ISA --> 1840 Router --> DSL --> Internet

Shortly: INTERNAL ( INTERNAL --> ISA --> 5550 --> 2950G -> 2960G ) --> 1840 Router --> fibre --> Internet

We have several internal VLANs already, several address ranges using several 10.0.0.0 subnets for our campuses and a 192.168.240.0 address range for our student guest network. When we connect the fibre, I basically want to keep the networking the same as it is now, but obviously I'm going to have to route the traffic through the internal network via the 5550 (which does our VLAN routing) and the 2960.

Can someone advise me as the best way of doing this? I figure that I'm going to have to create a VLAN for the external network to traverse the internal switches, but then also create some access control lists and change the static routes. I don't want to accidentally expose the internal network to the outside, nor bypass the ISA for all outgoing traffic. Quite possibly there is some other better method that I'm not aware of.


Jon Marshall

andrew_e_chapman wrote:

Hello all,

currently we have a DSL line connecting through a Cisco 1800 router thence into an ISA server. The router address and external address on the ISA belong to a C class network range that we own but which is not used for the internal network, which is a NAT network. We are about to upgrade our internet connection to a fibre connection. However, because of the physical layout of our campus, the 1800 router will be located several hundred metres away from the ISA server rather than physically adjacent to it, as it is now.

So currently:      INTERNAL --> ISA --> 1840 Router --> DSL --> Internet

Shortly: INTERNAL ( INTERNAL --> ISA --> 5550 --> 2950G -> 2960G ) --> 1840 Router --> fibre --> Internet

We have several internal VLANs already, several address ranges using several 10.0.0.0 subnets for our campuses and a 192.168.240.0 address range for our student guest network. When we connect the fibre, I basically want to keep the networking the same as it is now, but obviously I'm going to have to route the traffic through the internal network via the 5550 (which does our VLAN routing) and the 2960.

Can someone advise me as the best way of doing this? I figure that I'm going to have to create a VLAN for the external network to traverse the internal switches, but then also create some access control lists and change the static routes. I don't want to accidentally expose the internal network to the outside, nor bypass the ISA for all outgoing traffic. Quite possibly there is some other better method that I'm not aware of.

Andrew

There are a few things that need clarifying.

You say the ISA and the 1841 are on the same subnet. Do you mean the internal interface of the 1841 or the external? If external, are you bridging through the 1841?

Secondly, your new diagram shows ASA -> 2950G to 2960G. Why are you using 2 switches and not one? Is it because of the distance between the 1841 and the ASA?

Thirdly, where are you currently routing your vlans? Is it done on the 1841?

Finally, the ASA is not really a good device for inter-vlan routing, it wasn't designed for this. If that is all you have then okay but a L3 switch for routing your internal vlans would be a much better option.

Jon

The external interface of the ISA and the ethernet port on the 1841 are on the same VLAN. This VLAN is not routed and uses our external C class network addressing. The routing of the other VLANs is performed by the 3550G (I mistyped it above as a 5550). And yes, the reason that the internal route goes through so many switches in the second diagram is because of the distance. The 3550 is in the building with the ISA; the route then goes via fibre to another building and switch cabinet (the 2950), then via fibre to another building (the 2960), then out to our new fibre connection to the internet.

In thinking and reading about this more yesterday, I realised that I could just make a non-routable VLAN for the ISA -> 3550 -> 2950 -> 2960 -> 1841 leg. This would seem to be the most straightforward method. I don't think it presents any particular security vulnerabilities (or does it? That's what I'm worried about most).

andrew_e_chapman wrote:

The external interface of the ISA and the ethernet port on the 1841 are on the same VLAN. This VLAN is not routed and uses our external C class network addressing. The routing of the other VLANs is performed by the 3550G (I mistyped it above as a 5550). And yes, the reason that the internal route goes through so many switches in the second diagram is because of the distance. The 3550 is in the building with the ISA; the route then goes via fibre to another building and switch cabinet (the 2950), then via fibre to another building (the 2960), then out to our new fibre connection to the internet.

In thinking and reading about this more yesterday, I realised that I could just make a non-routable VLAN for the ISA -> 3550 -> 2950 -> 2960 -> 1841 leg. This would seem to be the most straightforward method. I don't think it presents any particular security vulnerabilities (or does it? That's what I'm worried about most).

Andrew

A non-routable vlan generally doesn't have security issues simply because you can't get to it from any other vlan. Still not entirely clear how this will work. You show in this thread ISA -> 3550, so does this mean all clients need to go through the ISA?

If it is just the diagram that is a bit misleading, i.e. the clients go to the 3550 for routing and the ISA shares a vlan with the 1841 and is not routed on the 3550, then what is the ISA used for, and do the clients need to get to it? If you do the above, the clients have no way of getting to the ISA unless they route via the 1841, because there is no routed interface on the 3550 for the ISA subnet.

Jon

Yes, the internal interface of the ISA is the default gateway for the entire site. All internet traffic from inside goes out through this port on the ISA. The routing for the internal site is managed by the same 3550 that I am proposing will also manage the non-routed connection between the ISA's external port and the 1841. Let's see if I can draw it here:

( many switches) ---> 3550 ->  (internal) ISA (external) -> 3550 -> 2950 -> 2960 -> 1841 --> Internet --->

[---- routed A CLASS internal VLANs----]        [------non-routed C CLASS external VLAN------]

The 3550 on both sides of the ISA is the same device. The external side of the ISA would connect to the non-routed public C class VLAN; the internal side connects the routed internal private A class VLAN(s). Note, though, that the 2950 and 2960 also serve the internal network VLANs. The non-routed C class will just be trunked through them. Does that seem clear (and plausible)?

andrew_e_chapman wrote:

Yes, the internal interface of the ISA is the default gateway for the entire site. All internet traffic from inside goes out through this port on the ISA. The routing for the internal site is managed by the same 3550 that I am proposing will also manage the non-routed connection between the ISA's external port and the 1841. Let's see if I can draw it here:

( many switches) ---> 3550 ->  (internal) ISA (external) -> 3550 -> 2950 -> 2960 -> 1841 --> Internet --->

[---- routed A CLASS internal VLANs----]        [------non-routed C CLASS external VLAN------]

The 3550 on both sides of the ISA is the same device. The external side of the ISA would connect to the non-routed public C class VLAN; the internal side connects the routed internal private A class VLAN(s). Note, though, that the 2950 and 2960 also serve the internal network VLANs. The non-routed C class will just be trunked through them. Does that seem clear (and plausible)?

Andrew

A lot clearer now, thanks for the updated diagram. So you actually have clients connected to the 2950 and 2960 that route off the 3550? So they need to route to the 3550 to be sent to the internal ISA interface, then to the external interface and then to the 1841?

That aside, which isn't a problem by the way, yes, what you propose is perfectly plausible and will be secure because the vlan is only routed off the 1841. What I would recommend though, if you are using the same switches and trunking between them, is to implement the following standards (if you haven't already):

1) Do not use vlan 1 for anything, i.e. not for clients, not servers and not for managing the switches.

2) Have a dedicated vlan for managing the switches and make sure no clients are in this vlan.

3) The native vlan. Create another vlan for the native vlan and don't allocate any ports to this vlan. Make sure there is not a L3 vlan interface on the 3550 for the native vlan, as it never needs to be routed. You can clear the native vlan off the trunks as well.

4) Only allow the vlans that need to be allowed on the trunk links.

Edit - one thing I forgot to ask - is there a firewall anywhere in the setup, or are you running the firewall feature set on your 1841 router?

Edit 2 - is the ISA acting as your firewall?

Jon
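The four standards in the reply above, together with the earlier point that the non-routed external transit vlan must have no routed interface on the 3550, can be checked mechanically against a saved `show running-config` rather than by eye. The following is an added example and not code from the thread or from Cisco: a small Python audit that parses a constructed IOS config fragment (the hostname, vlan numbers, port names and addresses are assumptions, not values from the thread) and reports vlan 1 in use, an SVI on the native or external vlan, trunks that allow every vlan or still carry the native vlan, and client ports placed in the management vlan. The sample config deliberately contains an SVI on the external vlan and an unpruned uplink so that the checks have something to find.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IOS running-config fragment for an L3 switch like the 3550 in the thread.
# Hostname, vlan numbers, ports and addresses are assumptions, not taken from the thread.
SAMPLE_CONFIG = """\
hostname core-3550
!
interface Vlan99
 ip address 10.1.99.1 255.255.255.0
!
interface Vlan200
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99,200
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
!
"""

Finding = Tuple[str, str, str]  # (code, interface, explanation)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented lines; '!' or any top-level line ends it."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS vlan list such as '10,20-22,99' into {10, 20, 21, 22, 99}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_config(config: str, external_vlan: int, mgmt_vlan: int, native_vlan: int) -> List[Finding]:
    """Return hygiene findings: vlan 1 in use, SVIs on vlans that must stay unrouted, unpruned trunks."""
    findings: List[Finding] = []
    stanzas = parse_interfaces(config)

    # Every 'interface VlanN' is a routed interface, so vlan N is reachable from the other routed vlans.
    svis = {int(m.group(1)) for name in stanzas if (m := re.fullmatch(r"Vlan(\d+)", name))}
    for vlan, code, why in (
        (1, "SVI_ON_VLAN1", "vlan 1 should not be used for anything (point 1)"),
        (native_vlan, "SVI_ON_NATIVE", "the native vlan never needs to be routed (point 3)"),
        (external_vlan, "SVI_ON_EXTERNAL", "the external transit vlan must not be routed on the L3 switch"),
    ):
        if vlan in svis:
            findings.append((code, f"Vlan{vlan}", why))

    for name, lines in stanzas.items():
        if name.startswith("Vlan"):
            continue
        if "switchport mode trunk" in lines:
            native, allowed = 1, None  # IOS defaults: native vlan 1, all vlans allowed
            for line in lines:
                if m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                    native = int(m.group(1))
                elif m := re.fullmatch(r"switchport trunk allowed vlan (.+)", line):
                    allowed = m.group(1).strip()
            if native == 1:
                findings.append(("TRUNK_NATIVE_VLAN1", name, "native vlan left at the default of 1 (points 1 and 3)"))
            if allowed is None or allowed == "all":
                findings.append(("TRUNK_ALLOWS_ALL", name, "trunk carries every vlan; prune the allowed list (point 4)"))
            elif allowed[0].isdigit() and native_vlan in expand_vlan_list(allowed):
                findings.append(("TRUNK_CARRIES_NATIVE", name, "native vlan can be cleared off the trunk (point 3)"))
        elif "switchport mode access" in lines or any(l.startswith("switchport access vlan ") for l in lines):
            access = 1  # IOS default access vlan when none is configured
            for line in lines:
                if m := re.fullmatch(r"switchport access vlan (\d+)", line):
                    access = int(m.group(1))
            if access == 1:
                findings.append(("ACCESS_VLAN1", name, "client port in vlan 1 (point 1)"))
            elif access == mgmt_vlan:
                findings.append(("ACCESS_IN_MGMT", name, "client port in the management vlan (point 2)"))
    return findings


if __name__ == "__main__":
    for code, where, why in audit_config(SAMPLE_CONFIG, external_vlan=200, mgmt_vlan=99, native_vlan=999):
        print(f"{code:22} {where:22} {why}")
```

Run against the sample it reports the SVI on Vlan200 (the external transit vlan being routed on the switch, which is exactly what would let internal vlans reach the outside leg without going through the ISA), the second uplink with native vlan 1 and no pruned allowed list, and the client port sitting in vlan 1; the first uplink passes because its native vlan is the unused 999 and that vlan is not in its allowed list. The same function can be pointed at the 2950 and 2960 configs, since the trunk and access-port checks apply to L2 switches as well.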

Thanks for that. We already have points 1 and 2 implemented.

And yes, the ISA is our firewall. We are not using the security set on the 1841 (mainly because the people we bought it from couldn't get the security set to work without cutting off the internet, and they were the 'experts', but that is another story).

Thanks for your help.