1658 Views, 3 Helpful, 17 Replies

Internal Firewall ASA

bkyuksel, Level 1

Hello Dear Colleagues,

 

I have 4 vlans and all of them are communicating on a Cisco Core L3 switch. Right now, I want to put a firewall in front of VLAN 40 to prohibit some access to other vlans. I also have an external firewall for internet access. What I want to do is to put an internal firewall to prohibit some clients from accessing some other hosts on other vlans. I know I can do this with ACLs but this is how it is supposed to be.

I deleted the vlan 40 SVI on the core switch and created it on the ASA, and created an access port on the ASA to enable it to communicate with the switch. All the traffic and interfaces should stay on the core switch except vlan 40. I tried to route the traffic to the ASA with a trunk port and created the vlan names on the ASA but couldn't do it. Also checked all necessary things like ICMP inspection enabled. Routing is done like "vlan40 0.0.0.0 0.0.0.0 192.168.30.1" (vlan 30 SVI on the switch).

I couldn't do it, tried everything. Also created vlan 2 to create a connection between SW and ASA but it didn't work.

I really appreciate any kind of help. (I was successful when I moved all the vlan interfaces to the ASA but this is not wanted.)

I need your step-by-step instructions, even with port types and routing commands etc.

External firewall is OK, no need to configure it. All my problem is this internal firewall for this specific VLAN 40. IP routing is enabled on L3 core switch.

Thank you so much in advance.

 

The firewall is a Cisco Firepower 1010 and the switch is a Cisco Layer 3 switch.

vlan 10 - 192.168.10.1/24

vlan 20 - 192.168.20.1/24

vlan 30 - 192.168.30.1/24

vlan 40 - 192.168.40.1/24

Accepted Solution

Result:
R1 has 10.0.0.10 and R2 has 20.0.0.20.
R1 connects to NSK VLAN 100 and R2 connects to NSK VLAN 200.
You can see the VLAN ID changes when the frame enters and exits the FW interface.

17 Replies

Hi

If you want to filter traffic between vlans using the firewall, all vlans need to be extended to the firewall.

Create a trunk between switch and firewall. Create the vlans as layer 2 on the switch and layer 3 on the firewall. And use the firewall as the gateway for the PCs.

You don't need routing as long as the firewall is the gateway for all vlans.

Hello again Flavio, isn't there any other solution rather than moving all the SVIs to the firewall? Isn't it possible with a routing method? Otherwise, you remember my post, I did it. I can move all the SVIs to the firewall and filter the traffic, then I can route it to the internet. But my concern is not to touch the current SVIs on the core switch but just to move 1 vlan to the internal firewall.

I remember.

Well, the way I proposed is, I think, the easier way, but it is not the only way for sure.

If you want to extend only one vlan to the firewall, keep vlan 40 as layer 2 on the switch and create a trunk between firewall and switch. This trunk must be connected to one interface on the firewall, like inside1, for example.

The gateway for the PCs on vlan 40 must be the firewall.

Then, you create another interface on the firewall, for example inside2, and connect it to an interface on the core. It can be a layer 3 interface (like a transit vlan).

Then you can use routing.

On the firewall:

Ip route "vlan40" "vlan30" "core"

Do this for the other vlans also.

Then on the core:

Ip routing "vlan30" "vlan40" firewall.

(When I say vlan 40 I mean the network, ok?)

This way the traffic will cross the firewall from vlan 40 and to vlan 40.

The transit vlan between firewall and core can be a new vlan or a layer 3 interface on the core.
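The design above written out as a constructed config example (not Flavio's or the OP's own configuration). Assumptions: a /30 transit link 192.168.99.0/30, core ports Gi1/0/47-48, FPR1010 ports Ethernet1/1-2, and one example client 192.168.40.50 to be kept away from VLAN 30.

```cisco
! Constructed example of the design above (not Flavio's or the OP's config).
! Assumed: transit link 192.168.99.0/30, core ports Gi1/0/47-48, FPR1010 ports Ethernet1/1-2.
!
! --- Core L3 switch (IOS) ---
ip routing
vlan 40
! VLAN 40 stays Layer 2 only: leave "interface Vlan40" deleted so the ASA is its gateway.
interface GigabitEthernet1/0/47
 description trunk carrying VLAN 40 to ASA inside1
 switchport mode trunk
 switchport trunk allowed vlan 40
interface GigabitEthernet1/0/48
 description routed transit link to ASA inside2
 no switchport
 ip address 192.168.99.2 255.255.255.252
! Hand everything destined for VLAN 40 to the ASA over the transit link.
ip route 192.168.40.0 255.255.255.0 192.168.99.1
!
! --- Firepower 1010 running ASA software ---
interface Ethernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 40
 no shutdown
interface Vlan40
 nameif inside1
 security-level 100
 ip address 192.168.40.1 255.255.255.0
interface Ethernet1/1
 nameif inside2
 security-level 50
 ip address 192.168.99.1 255.255.255.252
 no shutdown
! VLANs 10/20/30 and the internet (via the external firewall) are all behind the core,
! so one default route over the transit link replaces per-VLAN routes.
route inside2 0.0.0.0 0.0.0.0 192.168.99.2
!
! Policy applied where VLAN 40 enters the ASA (assumed host): one client is kept away
! from VLAN 30 and logged, the rest of VLAN 40 is allowed; return traffic is stateful.
access-list VLAN40_IN extended deny ip host 192.168.40.50 192.168.30.0 255.255.255.0 log
access-list VLAN40_IN extended permit ip 192.168.40.0 255.255.255.0 any
access-group VLAN40_IN in interface inside1
! ICMP is not stateful unless inspected; without this, ping replies from other VLANs are dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Connections started from VLANs 10-30 toward VLAN 40 arrive on inside2 (security-level 50) and are dropped until an access-group on inside2 permits them; the ACL above only governs what VLAN 40 hosts start.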

I suggest, before the transit vlan, check your previous post.

Now for this case, use a transit vlan and use PBR in the L3SW; you can forward traffic to the FW and from there return it to any other destination.

bkyuksel, Level 1

None of these methods are working. I did exactly the same thing, tried with different routing rules, tried with switchport, no switchport vlans etc.

bkyuksel, Level 1

Hello again, I tried everything but it is not working. I created the vlans on the switch and created that specific vlan on the ASA. Then I created an uplink between switch & ASA, added vlan interfaces, added trunk ports. Also created a new vlan for transit and enabled them as access ports on both devices. I did the routing but it is not working. Also checked ICMP, it is chosen, and all rules are any to any.

Hello

Can you share the config from switch and ASA? Show running-config would be great.

 

Hello

I did a small lab in Packet Tracer; I believe you have it right, as your picture looks like Packet Tracer.

And on this Lab, I simulated what I believe is what you are trying to do.

The switch has one Layer2 vlan (40) and it is connected to the Firewall. The firewall has 2 interfaces INSIDE1 and INSIDE2

Then, I created a transit interface in L3 between firewall and switch. And created 3 other vlans, 10, 20 and 30, on the switch with L3.

As you can see the PC on vlan 40 (192.168.1.10) can ping a PC on vlan 10 through the Firewall.

I did not finish everything, this is just an example. You can finish it up if you want.

You just need to add an access list on the firewall and routes to the other vlans.

I tried it as you sent, but couldn't do it. I had already applied access rules as Any for all subnets.

VLAN40 should have an SVI, otherwise this is just VLAN1 as default (192.168.1.10).

I will run a lab in GNS3 and check if the inter-vlan happened in the L3SW or in the internal FW.
By the way, the traffic does not hit any FW from first view;
all traffic is inter-vlan in the L3SW, so you need to make some change.
I checked both posts you shared;
the internal FW must be configured as a transparent FW and the other FW (internet) must be configured in routed mode for internet.
This lab will be done tonight,
thanks
MHM

I thought to do it as transparent but I think it doesn't fit my needs. But if you could share some details with me I will happily apply and try it as well.

bkyuksel, Level 1

You guys are great !! @Flavio Miranda  @MHM Cisco World  I will also try it as you said. I will also wait for GNS3.

NSK

! Needed on NX-OS before SVIs can be created (added here; not in the original paste).
feature interface-vlan
! Default route toward the route-mode (internet) firewall, reached over Ethernet1/2.
ip route 0.0.0.0/0 100.0.0.30
vlan 1,10,20,100,200

! Gateways for R1 (10.0.0.10) and R2 (20.0.0.20). The hosts sit in VLANs 100/200;
! their frames reach these SVIs only after the transparent FW rewrites the tag to 10/20.
interface Vlan10
  no shutdown
  ip address 10.0.0.1/24

interface Vlan20
  no shutdown
  ip address 20.0.0.1/24

! Trunk from the FW carrying the gateway-side VLANs 10 and 20.
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 1,10,20

! Routed link to the internet firewall.
interface Ethernet1/2
  no switchport
  ip address 100.0.0.1/24
  no shutdown

! R1 and R2 access ports. VLANs 100 and 200 have no SVI on the switch,
! so the only path out of them is through the FW.
interface Ethernet1/4
  switchport access vlan 100

interface Ethernet1/6
  switchport access vlan 200

! Trunk to the FW carrying the host-side VLANs 100 and 200.
interface Ethernet1/9
  switchport mode trunk
  switchport trunk allowed vlan 1,100,200
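The firewall half of the accepted solution (the NSK config above and the "VLAN ID changes" result), as a constructed example of an ASA in transparent mode; this is not MHM's lab config. Assumptions: Gi0/0 trunks to NSK Ethernet1/9, Gi0/1 trunks to NSK Ethernet1/1, the BVI management addresses .254 are unused in each subnet, and the TCP/443 policy is an example.

```cisco
! ASA in transparent mode, bridging the NSK host VLANs to the NSK gateway VLANs.
! Constructed example, not MHM's lab config. Assumed: Gi0/0 trunks to NSK
! Ethernet1/9 (VLANs 100,200), Gi0/1 trunks to NSK Ethernet1/1 (VLANs 10,20).
firewall transparent
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
!
! Bridge group 1: R1 (10.0.0.10, VLAN 100) <-> SVI Vlan10 (10.0.0.1, VLAN 10).
! A frame that arrives tagged 100 on Gi0/0 leaves Gi0/1 tagged 10; only the tag changes.
interface GigabitEthernet0/0.100
 vlan 100
 nameif r1-side
 security-level 100
 bridge-group 1
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10-side
 security-level 0
 bridge-group 1
interface BVI1
 ip address 10.0.0.254 255.255.255.0
!
! Bridge group 2: R2 (20.0.0.20, VLAN 200) <-> SVI Vlan20 (20.0.0.1, VLAN 20).
interface GigabitEthernet0/0.200
 vlan 200
 nameif r2-side
 security-level 100
 bridge-group 2
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20-side
 security-level 0
 bridge-group 2
interface BVI2
 ip address 20.0.0.254 255.255.255.0
!
! Policy (assumed): R1 may reach R2's subnet only on TCP/443; other attempts toward
! 20.0.0.0/24 are dropped and logged, everything else (internet via 100.0.0.30) passes.
access-list R1_OUT extended permit tcp host 10.0.0.10 20.0.0.0 255.255.255.0 eq 443
access-list R1_OUT extended deny ip any 20.0.0.0 255.255.255.0 log
access-list R1_OUT extended permit ip any any
access-group R1_OUT in interface r1-side
```

Connections started from the gateway side (other VLANs or the internet) toward R1 enter on vlan10-side (security-level 0) and need their own access-group there; the ACL above governs only what R1 starts.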