05-03-2017 09:23 AM - edited 03-08-2019 10:25 AM
Hey guys I'm looking for some ASA advice
I just started working at a new company and they are using an ASA 5512x to route between subnets...or so they thought. As you suspected, it's not really set up to do that, and I know ASAs aren't really meant for that.
I've never used an ASA in this manner and buying a router or layer 3 switch/es isn't an option at the moment.
Each VLAN has a subinterface on the ASA. I'm pretty sure the way I got it "working" isn't correct, but traffic can now flow from 10.13.0.0/16 to 10.12.16.0/20 and vice versa. My research showed that I have to set up static NATs to each other VLAN [(Vlans-1)*Vlans], but that didn't seem to do anything and I was getting blocked by the implicit deny rule, so off to the ACLs I went. Now this part doesn't make sense either...I need to allow traffic in both directions to get it to work? And that's what I did; I have inbound and outbound ACLs for each VLAN/subinterface to allow traffic to flow.
Here's some of the configuration:
interface GigabitEthernet0/1.10
vlan 10
nameif inside
security-level 100
ip address 10.13.0.1 255.255.0.0
interface GigabitEthernet0/1.25
vlan 25
nameif servers
security-level 100
ip address 10.12.16.1 255.255.240.0
access-group inside_access_in in interface inside
access-group servers_access_in in interface servers
access-group servers_access_out out interface servers
access-list servers_access_in extended permit ip object SERVERS-NETWORK any
access-list servers_access_out extended permit ip any object SERVERS-NETWORK
Taking out either of the ACLs or access-groups stops traffic.
05-03-2017 09:43 AM
Hi
I think this line can be removed:
access-group servers_access_out out interface servers
The ASA works as a stateful firewall. The directly connected subnets on the firewall will be able to communicate with each other, so you only need to reach the external routes using static routing (easy way).
Now, if you want to enable communication between the local interfaces with security-level 100 on the firewall, you only need to create the ACL in the outbound way:
Example for the servers:
access-list SERVERS-IN extended permit ip <servers source> <destination>
You don't need:
access-list SERVERS-OUT extended permit ip <destination> <servers source>
Unless the firewall does not support stateful behavior.
05-03-2017 10:51 AM
Right on Julio!
When I was testing I wasn't taking out 'access-group servers_access_out out interface servers' but just the ACL in that group, and that's what I was tripping on. I knew 2 lines weren't right, so thanks on that.
Is this the correct way of routing between vlans? What should the NAT rules look like?
05-03-2017 09:59 AM
On a side note, make sure that you have 'same-security-traffic permit inter-interface' configured to allow communication between interfaces with the same security level.
05-03-2017 10:47 AM
Thanks for the reply.
Yes, I forgot to add that in the description. Every sub-interface has a security level of 100 and same-security-traffic permit inter-interface was already in there.
That alone wasn't enough. When using the packet-tracer command I was getting implicitly blocked.
05-03-2017 11:05 AM
The original post asks a high level question about whether using an ASA to route between subnets is a BAD idea and then provides a partial config. So let us begin by trying to answer the high level question of whether using an ASA to route between subnets is a bad idea. I would suggest that most network devices have certain things for which they are optimized and other things that they can do, but perhaps are not optimal solutions. An ASA is optimized for implementing security policies. It is not optimized for routing between subnets but can do that function. If purchasing a router or layer 3 switch is not an option at this point then using the ASA to route will work but not be an optimum solution.
In terms of the few details given of the configuration I would suggest this approach:
- the original post suggests that they need to configure nat. Given the few details that we have I see no need to configure any nat.
- the original post shows attempts to use access lists to enable traffic. As long as the interfaces are at the same security level, and as long as same-security-traffic inter-interface is enabled, then I see no need for access lists or access groups.
Note that so far we are only dealing with two subnets communicating with each other. There is no indication of any need to communicate with outside/Internet or with any other networks. If those are needed then the configuration will become more complex to handle that communication.
HTH
Rick
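Pulling Julio's and Rick's advice together, here is an added example (not configuration posted by anyone in this thread) of a minimal ASA configuration for routing between the two VLANs in the original post. The subinterface names, VLAN IDs, addresses and the SERVERS-NETWORK object come from the post; the INSIDE-NETWORK object and the inside ACL contents are assumptions.

```cisco
! Added example based on this thread; not the poster's running config.
! Subinterfaces as in the original post, both at security-level 100.
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.13.0.1 255.255.0.0
!
interface GigabitEthernet0/1.25
 vlan 25
 nameif servers
 security-level 100
 ip address 10.12.16.1 255.255.240.0
!
! Required because both subinterfaces share security-level 100.
same-security-traffic permit inter-interface
!
! No NAT statements: the ASA already holds connected routes for
! 10.13.0.0/16 and 10.12.16.0/20, so the two subnets route directly.
! NAT only becomes relevant once an outside/Internet interface is added.
!
! Optional ACLs. If you bind an ACL to an interface, one inbound ACL per
! interface is enough: the ASA is stateful, so return traffic matches the
! existing connection and needs no reverse (outbound) ACL.
! INSIDE-NETWORK is an assumed object name; SERVERS-NETWORK is from the post.
object network INSIDE-NETWORK
 subnet 10.13.0.0 255.255.0.0
object network SERVERS-NETWORK
 subnet 10.12.16.0 255.255.240.0
!
access-list servers_access_in extended permit ip object SERVERS-NETWORK object INSIDE-NETWORK
access-group servers_access_in in interface servers
!
access-list inside_access_in extended permit ip object INSIDE-NETWORK object SERVERS-NETWORK
access-group inside_access_in in interface inside
!
! Deliberately absent (the line Julio suggested removing):
!   access-group servers_access_out out interface servers
```

Two caveats worth keeping in mind. First, as soon as any ACL is bound to an interface the implicit deny at its end applies to all traffic entering that interface, so if inside hosts must also reach other destinations later, those permits have to be added to inside_access_in as well. Second, verify the result with the same tool the poster used, for example packet-tracer input inside tcp 10.13.0.10 12345 10.12.16.10 80, and check that the trace passes the ACL and route phases without hitting an implicit deny.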