04-04-2007 05:38 AM - edited 03-11-2019 02:55 AM
I have a 24-port Cisco 2950 on my ASA 5520 DMZ interface. It is segregated into 23 vlans:
interface FastEthernet0/1
switchport access vlan 101
!
interface FastEthernet0/2
switchport access vlan 102
!
...
interface FastEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 101-123
!
interface Vlan101
ip address 192.168.101.1 255.255.255.0
!
interface Vlan102
ip address 192.168.102.1 255.255.255.0
Then there are 23 subinterfaces on my ASA dmz interface:
interface GigabitEthernet0/2
no nameif
!
interface GigabitEthernet0/2.101
nameif dmz-101
vlan 101
security-level 50
ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0/2.102
nameif dmz-102
vlan 102
security-level 50
ip address 192.168.102.2 255.255.255.0
...
route outside 0 0
global (outside) 1 <PUBLIC_IP>
nat (dmz-101) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz-102) 1 0.0.0.0 0.0.0.0 0 0
...
The ASDM Packet Tracer reports that a client on vlan 109 (192.168.109.101) hitting interface dmz-109 will pass to an outside ip:80 (www). However, when I try to hit ip:80, no joy.
When I scrape off all the subinterfaces and put the switch to a default configuration (every port on vlan 1), it works fine.
What should the switch config look like to actually communicate correctly with the ASA?
04-04-2007 07:04 AM
Perhaps a more specific question is in order:
Everything I read says the default gateway set up on the switch must correspond to the interface of the ASA. But the switch can have only one default-gateway while the interface on the ASA has 23 different addresses.
What is the default gateway for the switch?
04-04-2007 09:47 AM
The 'default-gateway' on the switch you are referring to is for the switch's management traffic (i.e. telnet, SNMP, etc.). It does not affect through traffic (i.e. routed traffic).
The default-gateway should be the interface on the ASA which corresponds to the interface VLAN you are using for management of the switch. By default, that is VLAN 1, but can be changed.
Sincerely,
David.
04-04-2007 10:31 AM
Thank you David. That explains the configurations I see on some of our other devices. I have a management VLAN which is the native vlan on our trunks and all point to the same gateway on our core router. Now I understand how to make the DMZ switch report to the NOC as well.
So the default-gateway is not the problem here. What is preventing the communications? Let me recap:
I can ping the client on the DMZ switch from the ASA. I can ping the ASA from the DMZ client. I can ping outside from the ASA. ASDM Packet Tracer reports that packets will route from the dmz client to a web site outside. But the dmz client cannot hit the web site outside (by IP without DNS).
Does anyone have a vlan/subinterface configuration between a switch and the ASA that is working?
04-04-2007 05:26 PM
If the client (I assume located off the switch somewhere) can ping the ASA's IP (which should obviously be on the same VLAN as the client), then you correctly configured trunking on the switch and ASA, and that is not your problem.
Did you set the client's default gateway to be that of the ASA? If so, then the next step is to check the syslogs on the ASA to see if the connection is getting built.
The config you pasted in looks fine. Try pinging from the client to the ASA's default router, and enable "debug icmp trace" on the ASA and see if you see the ICMP Echo and ICMP Echo-reply packets. That will also help narrow down where the issue is.
Sincerely,
David.
04-05-2007 03:55 AM
When I ping the ASA from the client, I can see the connection being built and torn down on the ASA as expected. I can ping the client from the ASA without a problem.
The client gateway is set to the ip address of the vlan on the switch (.1), not the ASA interface (.2). As I think about it though, that can't be right: packets can't have the switch as a destination, since as an L2 device it can't route them (and a default-gateway on the switch can't work because of the multiple interface problem). I will change this and try again.
04-05-2007 04:22 AM
David is now my favorite person.
Much joy. Each port on the switch is a separate VLAN with no inter-VLAN routing. If a DMZ server is compromised, it cannot attack other DMZ servers (at least it'll be harder). Each vlan on the switch has an ip on a subnet, which is on the same subnet as the subinterface on the ASA. Then the client gets a (static) ip on that subnet, but the default gateway for that client must be the ASA subinterface.
Works like a charm! Thanks again, David.
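The lesson of the thread is that each DMZ client must sit in the subnet of its VLAN's ASA subinterface and use that subinterface, not the 2950's SVI, as its gateway. The following Python check is an added example, not part of the original thread or any Cisco tool: it parses a constructed ASA subinterface config modelled on the one above (VLANs 101 and 102 only) and reports why a given client's addressing would or would not work.

```python
import ipaddress

# Constructed ASA subinterface config, modelled on the thread (not the poster's full config).
ASA_CONFIG = """
interface GigabitEthernet0/2.101
 nameif dmz-101
 vlan 101
 security-level 50
 ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0/2.102
 nameif dmz-102
 vlan 102
 security-level 50
 ip address 192.168.102.2 255.255.255.0
!
"""

def parse_asa_subinterfaces(config):
    """Return {vlan_id: (nameif, IPv4Interface)} for each ASA subinterface in config."""
    subifs, block = {}, {}
    def flush():
        if "vlan" in block and "ip" in block:
            subifs[block["vlan"]] = (block.get("nameif"), block["ip"])
        block.clear()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            flush()                      # block boundary: save the previous subinterface
        elif line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith("vlan "):
            block["vlan"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            block["ip"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    flush()                              # handle a final block with no trailing "!"
    return subifs

def check_client(vlan, client_ip, gateway, subifs):
    """Explain whether a DMZ client on the given VLAN can route through the ASA."""
    if vlan not in subifs:
        return f"no ASA subinterface carries vlan {vlan}"
    nameif, asa_if = subifs[vlan]
    if ipaddress.IPv4Address(client_ip) not in asa_if.network:
        return f"client {client_ip} is not in {asa_if.network} ({nameif})"
    if ipaddress.IPv4Address(gateway) != asa_if.ip:
        # The 2950 SVI (.1 in the thread) is L2-only and cannot forward off-subnet traffic.
        return f"gateway {gateway} is not the ASA subinterface {asa_if.ip} ({nameif})"
    return "ok"
```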
04-05-2007 05:53 AM
Glad to hear it professorguy. Thanks for letting us know!
Sincerely,
David.