Introduction of Cisco ASA into Environment

Jinesh Patel
Level 1

Hey, 

I have just introduced a Cisco ASA into my environment but am having major issues working out how to fit it in. I have tried to configure it as per the proposed solution below, but it is not really working.

 

Currently

2960 trunk port to > 1921 (10.10.1-11.1) (for inter-VLAN routing)

2960 access port (VLAN 101) to > 887VA (10.10.1.2) > ISP

Proposed

2960 trunk port to > 1921 (10.10.1-11.1) (for inter-VLAN routing)

2960 access port (VLAN 101) to > ASA 5505 (10.10.1.3 (VLAN 101) outside / 10.10.2.2 (VLAN 102) inside) (for packet inspection)

2960 access port (VLAN 101) to > 887VA (10.10.1.2) > ISP

Essentially, all three devices are connected independently to the switch.

 

In an attempt to get this to work, I changed the default route on the 1921 to point at the ASA and the ASA's default route to point at the 887, but when tracerouting it seems to bypass the ASA altogether. However, when doing this, it does appear that the ASA is doing something, as the ip any any ACL on the ASA received a number of hits.

 

I have the following VLANs:

VLAN 101 (10.10.1.0), 102 (10.10.2.0), 105, 106, 107, 108, 109, 110, 111

I'm running OSPF on all devices: the 1921 advertises all VLAN interfaces, the 887 advertises 10.10.1.0 and the ASA also advertises 10.10.1.0.

Neighbours are forming and routes are exchanged OK.

 

NAT is done on the 887.

 

Your thoughts and ideas would be gratefully received; I'm obviously going wrong somewhere.

Many thanks

Jay


4 Replies

Jon Marshall
Hall of Fame

Jay

access port (VLAN 101) to > ASA 5505 (10.10.1.3 (VLAN 101) outside / 10.10.2.2 (VLAN 102) inside) (for packet inspection)

Is the above a typo, i.e. should the inside be 10.10.1.3 and not the outside?

I am assuming you want traffic from the 1921 to go through the ASA to the 887?

If so, you cannot have the outside interface in the same subnet as the 1921 WAN interface, i.e. something will need readdressing. Probably the link between the ASA and the 887, although it's up to you.

If you are running OSPF and the 887 is in the same subnet as the 1921 then it will simply bypass the ASA for return traffic.

I am also unclear why you are running OSPF and then using default routes.

Perhaps I have misunderstood what you are trying to achieve.

If so then please clarify.

Jon

 

Hi Jon,

Thanks for your prompt response, it is very much appreciated.

It's not a typo, I'm afraid, although I think I see your point. My thinking here is/was that I wanted separation between the 'internal' and 'external' elements of my network, and creating an inside and outside zone would do this: 10.10.1 would be the 'outside' and all other VLANs would be the inside. (I was halfway through zoning off my 887 before the introduction of the ASA and thought I could apply the same principles here.)

You are correct re "I am assuming you want traffic from the 1921 to go through the ASA to the 887?", and therefore could you explain the reasoning behind your comment "If so, you cannot have the outside interface in the same subnet as the 1921 WAN interface"? What is the outside interface on the ASA for then?

Also, could you confirm the reasoning behind this one too, please?

"If you are running OSPF and the 887 is in the same subnet as the 1921 then it will simply bypass the ASA for return traffic." I'm assuming it is because the routing table points to the 1921 and not the ASA? (Just clarifying.)

Finally, I'm using a default route for internet access. I previously used the default-information originate command on the 887 connected to my ISP to redistribute the default route to the 1921, but removed that when testing the ASA as I wanted to manually manipulate traffic flow.

 

Excuse the questions.

Many thanks again,

Jay

Jay

Ask as many questions as you like :-)

The outside interface of the ASA should be facing the external network you are protecting yourself from (usually the internet) and the inside faces your internal network, but because of the way you have addressed it, your outside interface is actually facing your internal network.

Which means you are not forcing traffic through the ASA, or at least not the return traffic. The 887 cannot be on the same subnet as the 1921, as the return traffic will simply go direct and bypass your ASA because, as you say, the routing on the 887 points to the 1921.

So, assuming you have all your internal VLANs as subinterfaces on the LAN interface of the 1921, the WAN interface, i.e. the one connecting to the ASA, can stay in the 10.10.1.x subnet.

The ASA inside would then also be in the same subnet.

Note I'm assuming this subnet is not one of your internal user VLANs. If it is, then it would probably be a good idea to have a new VLAN/IP subnet just for connectivity between the 1921 and the ASA.

Then you need to create a new VLAN/IP subnet on your switch and use this for the ASA outside interface and the 887 inside interface. So the 887 inside interface would need readdressing, i.e.

internal vlans -> (LAN ) 1921 (WAN 10.10.1.x) -> (inside 10.10.1.x) ASA (outside) -> (inside) 887

Then all traffic has to go through the ASA both ways.

You can still use OSPF if you want, although many people do not like using OSPF on the outside. It depends on your addressing, i.e. can you summarise all the internal subnets used for your VLANs?

If you can summarise, then on the 887 you could have a single static route for all the internal subnets pointing to the ASA outside interface.

On the ASA you could either run OSPF with the 1921 or use the same static route.

So -

a) Is the 10.10.1.x subnet purely for the 1921-to-ASA connectivity, i.e. it is not a user VLAN?

b) What are the user VLAN subnets, as we may be able to summarise them?

c) The default route you originate on the 887: do you receive a default route from the ISP, or do you just inject your own on the 887?

Hope all the above makes sense.

Please feel free to ask more questions if you need more clarification.

Jon

Jon, once again, much appreciated.

To answer your questions:

a) It's not; your 'note' was actually correct. I had an inkling this might be the case but wasn't actually sure why; you have helped confirm that.

b) 10.10.1 - 10.10.11 are the VLANs that I use, with the user/server VLANs being 10.10.5-11. 10.10.1 is purely what I call 'routing' and management, as I haven't yet split them up. This will be the perfect opportunity.

c) The default route is injected by us rather than received from the ISP.

So, to action: I'm going to keep the ASA, 1921 and 887 directly connected to the 2960 switch, but will create another VLAN (254 - 10.10.254.0) between the ASA outside (.2) and the 887 inside (.1). I'll remove the VLAN 101 interface on the 887 and create a VLAN 254 interface.

That would leave the 1921 WAN/outside and the ASA inside on the 10.10.1 range as per your suggestion: "internal vlans -> (LAN ) 1921 (WAN 10.10.1.x) -> (inside 10.10.1.x) ASA (outside) -> (inside) 887".

It's in use currently, but I will try this tomorrow and report back. For now, I think I have the answers and confirmations I was looking for. I'll take you up on your kind offer if I run into any complications.

If I have misconstrued anything you've said, would you mind pointing it out? But for now, very much obliged.

Jay
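The readdressed design from Jon's accepted answer, as Jay plans to build it in the post above (ASA inside in 10.10.1.0/24 with the 1921, a new VLAN 254 / 10.10.254.0/24 carrying only the ASA outside and the 887 inside), written out as configuration. This is an added example, not configuration posted in the thread. The 2960 port numbers, the ASA-side VLAN numbers, the ASA inside address 10.10.1.3, the 887 switchport and the 10.10.0.0/20 summary are assumptions; 10.10.0.0/20 covers 10.10.0.0 through 10.10.15.255, so it takes in the 10.10.1 to 10.10.11 VLANs and excludes the 10.10.254.0 transit. Only the ASA and 887 sections are new; the rest is the same routing Jay already had, restated so the whole path is visible.

```cisco
! Added example, not from the thread. Port numbers, ASA VLAN numbers, the ASA
! inside address 10.10.1.3 and the 10.10.0.0/20 summary are assumptions.

! ===== 2960: add the transit VLAN; the ASA now needs two access ports =====
vlan 254
 name asa-outside-to-887
!
interface FastEthernet0/10
 description to ASA Ethernet0/1 (inside)     ! assumed port
 switchport mode access
 switchport access vlan 101
!
interface FastEthernet0/11
 description to ASA Ethernet0/0 (outside)    ! assumed port
 switchport mode access
 switchport access vlan 254
!
interface FastEthernet0/12
 description to 887VA (was VLAN 101)         ! assumed port
 switchport mode access
 switchport access vlan 254

! ===== ASA 5505: inside in 10.10.1.0/24, outside in 10.10.254.0/24 =====
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.254.2 255.255.255.0
!
! Static routes instead of OSPF on the outside: one summary back to the 1921
! for every internal VLAN, default route to the 887. No NAT here, the 887 NATs.
route inside  10.10.0.0 255.255.240.0 10.10.1.1
route outside 0.0.0.0   0.0.0.0       10.10.254.1
! With these security levels inside->outside is permitted and outside->inside
! is dropped unless an access-list on the outside interface allows it.

! ===== 887VA: inside SVI moves from VLAN 101 to VLAN 254 =====
no interface Vlan101
!
vlan 254                     ! or via "vlan database" on older IOS
!
interface Vlan254
 description inside, towards ASA outside
 ip address 10.10.254.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0
 description to 2960         ! assumed switchport
 switchport access vlan 254
!
! The only path back to the internal VLANs is now the ASA outside interface.
ip route 10.10.0.0 255.255.240.0 10.10.254.2

! ===== 1921: default route to the ASA inside interface =====
ip route 0.0.0.0 0.0.0.0 10.10.1.3
```

Two checks before trusting it. On the 887, `show ip route 10.10.5.1` must resolve to 10.10.254.2 via Vlan254 and the old 10.10.1.0/24 connected route must be gone; as long as the 887 still has an interface in 10.10.1.0/24 it will hand return traffic straight to the 1921, which is the bypass Jon describes. The 887 NAT source ACL has to cover the whole 10.10.0.0/20, not just what was reachable on VLAN 101, and the 887's OSPF process should be removed or have Vlan254 made passive, since nothing on that VLAN needs to peer with it. Do not use traceroute as the proof that the ASA is in path: by default the ASA does not decrement TTL, so it never shows up as a hop even when every packet crosses it (which matches the "seems to bypass the ASA" but "ACL received hits" symptom in the opening post). `show conn` on the ASA, or enabling `set connection decrement-ttl` under `class class-default` in `policy-map global_policy`, is the reliable check.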
