Help with VLAN, Layer 3 switch, DMZ routing madness.

May 6th, 2009

I have an ASA 5510 with 3 interfaces (inside, outside, DMZ)

Internal routing is done by a layer 3 switch

We utilize VLANs (5 = guest, 6 = staff, 29 = DMZ)

ASA Interfaces are as follows:

Inside: 10.5.8.1

Outside: 164.105.34.45

DMZ: 10.5.29.1

Host A (10.5.5.100) wants to ping Host B (10.5.29.100) in the DMZ.

The layer 3 switch has a static route of 0.0.0.0 0.0.0.0 10.5.8.1 (inside ASA interface), but no sub-interface for VLAN 29.

Since the layer 3 switch has no route to 10.5.29.0, doesn't it forward the packet to the 10.5.8.1 interface (inside interface on the ASA) based on the default route 0.0.0.0 0.0.0.0 10.5.8.1? At this point 10.5.8.1 (inside interface) knows about the 10.5.29.0 network (DMZ) and should forward it based on the ACEs, correct?


John Blakley Wed, 05/06/2009 - 06:12

As far as the default route in the switch goes, it should be okay as long as you have a route in the ASA that tells it how to get back to the 10.5.5.0 network.

route inside 10.5.5.0 255.255.255.0 10.5.8.

How do you have your NAT statements on the ASA? You can either use NAT exemption or identity NAT.

NAT exemption:

access-list DMZ permit ip 10.5.5.0 255.255.255.0 10.5.29.0 255.255.255.0
nat (inside) 0 access-list DMZ

OR

Identity NAT:

static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0

HTH,

John

oneirishpollack Wed, 05/06/2009 - 08:01

John,


Here are the NAT statements:


static (DMZ,outside) 164.106.71.29 10.4.29.29 netmask 255.255.255.255


static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0


Here is the route inside statement:


route inside 10.5.0.0 255.255.0.0 10.5.8.3 1


I CAN ping 10.5.29.100 from the ASA's DMZ interface (10.5.29.1), but cannot from the outside (164.105.34.45) or inside interface (10.5.8.1).


I cannot ping the 10.5.29.100 from the access switch or from the layer 3 switch.


Again, I do not have a subinterface for VLAN 29 on the layer 3 switch. I was assuming the ASA would do the routing to and from the inside to the outside, but I can see where the VLAN routing may be the problem. The DMZ interface and the access switch interface are the only ports assigned to VLAN 29. So can I assume that the layer 2 VLAN assignments are killing this?

John Blakley Wed, 05/06/2009 - 08:05

You'll need to add:


static (inside,DMZ) 10.5.0.0 10.5.0.0 netmask 255.255.0.0


Let's take things one step at a time :)


Your 10.4.4.0 static mapping is only allowing 10.4.4.0 across into the DMZ untranslated, so the 10.5.x.x subnets are still trying to translate.


What do your nat and global statements look like?

oneirishpollack Wed, 05/06/2009 - 09:51

I tried to substitute my ip addresses with aliases and made this too confusing. Below are my actual VLAN and private local addressing:


Staff subnet 10.4.4.0/24 (vlan 4)

Guest subnet 10.4.3.0/24 (vlan 3)

Outside subnet: 164.105.34.0/24 (vlan 34)

DMZ subnet: 10.4.29.0/24 (vlan 29)




ASA interfaces:

Inside: 10.4.2.1 (vlan 2)

Outside: 164.105.34.45 (vlan 34)

DMZ: 10.4.29.1 (vlan 29)


host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)


Below are the statements from the ASA again:


static (DMZ,outside) 164.105.34.29 10.4.29.29 netmask 255.255.255.255


static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0


static (inside,DMZ) 10.4.0.0 10.4.0.0 netmask 255.255.0.0


Sorry for the confusion.

John Blakley Wed, 05/06/2009 - 10:05

You should be able to remove:


static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0


It's covered in the line below it.


What's the original problem again? You can ping across the dmz from the inside, right? What's not working now?


John

oneirishpollack Wed, 05/06/2009 - 10:31

I am trying to set up the DMZ for the first time.


I can ping the DMZ interface and a DMZ server from the outside.


I can ping the DMZ server from the DMZ interface.


I cannot ping the DMZ interface or server from the inside.


We utilize intra-vlan routing on our layer 3 switch.


I am thinking the inside routing process goes...

Host A (10.4.4.100) pings Host B (10.4.29.29).

Host A determines Host B is not on the local network and forwards it to the default gateway (10.4.4.1).

Layer 3 switch 10.4.4.1 checks its routing table and determines it does not have a route for 10.4.29.0 (no subinterface set up for VLAN 29), so it sends it to the default gateway 10.4.2.1 (inside interface on the ASA).

The ASA checks its routing table and sees a route to network 10.4.29.0 (DMZ) via 10.4.29.1 (DMZ interface). It forwards the packet to this interface to be passed to server 10.4.29.29.

Is this how the routing process in this scenario will work?


John Blakley Wed, 05/06/2009 - 10:37

That's the way routing would work. Once it leaves the host into the switch, if the switch can't route it, it will go to its default gateway. The default route points to the inside of the ASA, which will look at its routing table and forward to the DMZ.


Above you said that you can't ping a server in the DMZ, but in another post you said that you could:


host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)


If you try to ping 10.4.29.29 and you get timeouts, make sure that you have inspect icmp under your default inspection policy on the ASA.


It will look something like:


policy-map inspection_default
 class default_inspection
  inspect icmp
!
service-policy inspection_default global


Instead of just pinging, can you get to anything else on that server? Do you run a web server on it? Something else that you can test? Check the policy and see if the inspect is listed and we'll go from there.


John

oneirishpollack Thu, 05/07/2009 - 07:08

Sorry for the confusion, when I said:


host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)


I meant that it tried to ping it, but it is not getting a reply back.


I tested several scenarios and this is what I found:


10.4.4.211 (vlan 29) pings 10.4.4.29 (vlan 29) = no reply


10.4.4.211 (vlan 4) pings 10.4.4.29 (vlan 29) = no reply


10.4.29.211 (vlan 29) pings 10.4.4.29 (vlan 29) = 1 reply....and then "request times out"


10.4.29.211 (vlan 4) pings 10.4.4.29 (vlan 29) = no reply


75.199.18.37 (outside machine) pings 164.105.34.29 (NAT'd IP of server) = replies received


******************


Here is what I see on the firewall log:

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

oneirishpollack Fri, 05/08/2009 - 07:28

OK, using the ping tool in ASDM, I cannot ping the DMZ interface (10.4.29.1) from the inside interface (10.4.2.1).



oneirishpollack Fri, 05/08/2009 - 11:46

I attached the diagram.


********************


I included two comments above the layer 3 switch. One shows the subinterface for VLAN 4, and the other is the sh ip route off the layer 3 switch.

John Blakley Fri, 05/08/2009 - 12:02

You show that you have a L3 switch. Is this set up as a L3 or L2 (is ip routing enabled)? Is it a Cisco switch?


My first thought is that if it's L3, then your pings shouldn't get to the ASA. They should go through the switch and be routed.


Looking at your routing table, you don't have an SVI configured for the 10.4.29.0 subnet. So, what *should* happen is the L3 switch will send its traffic to the next switch on vlan29. I think what's happening, and others may chime in, is this:


The traffic from 10.4.29.29 is getting to the firewall, and it's sending it back, but because there's no route on the L3 switch to the 10.4.29.0 subnet, the switch is dropping the traffic.


I would try the following:


At minimum, add an svi to support your 10.4.29.0 subnet. (What gateway do you have on that host??)


Then your trunks will carry all the way to the firewall. You should be able to ping the 10.4.4.100 host from the 10.4.29.29 without going to the firewall.


John

John Blakley Fri, 05/08/2009 - 12:15

I think another thing that *might* be happening is that you have vlan29 on the ASA, but do you have vlan29 on the trunk on both ends of the link? If not, it's going to go out of your native vlan and return on the native vlan. In order to use vlan 29, you're going to have to have vlan29 trunked all the way to the destination.


HTH,

John

oneirishpollack Mon, 05/11/2009 - 08:29

John, you are correct in that I do have a L3 (routing enabled) Cisco 3750 that handles my internal routing, and I do not have an SVI for the 29 VLAN.

I didn't know if creating an SVI for the 10.4.29.0 subnet would create a security issue in that the 29 subnet (DMZ) would then potentially be able to be routed internally, separate from the firewall. I was assuming if I:


1. Created the 29 Vlan on VTP server

2. Created a static route of 0.0.0.0 0.0.0.0 10.4.2.1 (Inside interface) on L3 switch

3. Addressed the DMZ interface as 10.4.29.1/24


I assumed that since 10.4.2.1 (inside interface, vlan4) and 10.4.29.1 (DMZ interface, vlan 29) were directly connected interfaces on the firewall, that the firewall (based on ACLs) would then route the traffic accordingly. I thought the flow would look like this:


10.4.4.100 (vlan 4) pings 10.4.29.29 (vlan 29)


10.4.4.100 --> 10.4.4.1 --> 10.4.2.1 --> 10.4.29.1 --> 10.4.29.29


Here again are my ping results:


10.4.29.211 (vlan 29) ping 10.4.29.29 (vlan 29) - replies!


10.4.29.211 (vlan 4) ping 10.4.29.29 (vlan 29) -


10.4.4.100 (vlan 4) ping 10.4.29.29 (vlan 29) - request timed out.


10.4.4.100 (vlan 29) ping 10.4.29.29 (vlan 29) - request timed out.



John Blakley Mon, 05/11/2009 - 08:50

Did you create your svi for vlan 29 on the L3 switch like I stated in a previous post?


Do you have your vlan 29 trunked at the exit point that the ASA is connected to?


I think the problem lies in the fact that once your L3 switch forwards out the frame to the ASA, if you DON'T have vlan 29 allowed on the trunk, the switch will forward it out as its native vlan.

oneirishpollack Mon, 05/11/2009 - 18:11

The 'DMZ' port on the ASA is connected to a switch port that belongs to vlan 29.


The 'Inside' port on the ASA is connected to a switch port that belongs to vlan 4.


The 'Outside' port on the ASA is connected to a port that belongs to vlan 71.


The host machine (10.4.4.4) pinging is connected to a port assigned to vlan 4.


The machine (10.4.29.29) being pinged belongs to a port assigned to vlan 29.


The firewall however does see it, as I see this on the firewall syslog:



Here is the succession:


IDS:2004 ICMP echo request from 10.4.4.4 to 10.4.29.29 on interface inside


IDS:2000 ICMP echo reply from 10.4.29.29 to 10.4.4.4 on interface DMZ


Deny inbound icmp src DMZ:10.4.29.29 dst inside:10.4.4.4 (type 0, code 0)


So it seems like it is getting dropped at the inside interface.

I can add the SVI, but won't this just skip the firewall inspection altogether and route it internally through the L3 switch?
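
The deny logged above (type 0 is an echo reply) lines up with the 'inspect icmp' suggestion earlier in the thread: without ICMP inspection the ASA keeps no state for the outbound echo request, so the reply arriving on the lower-security DMZ interface is treated as new inbound traffic and dropped. The following Python model is added here as an illustration; it is not code from the thread or from Cisco. The security levels (inside 100, DMZ 50, outside 0), the routing table and the log text are assumptions modelled on the posts. It goes slightly beyond the thread by showing that an inspected reply is matched to exactly one outstanding request, so a reply with no request behind it is still denied.

```python
"""Toy model of ICMP echo traffic through an ASA with and without
'inspect icmp'.  Constructed for this thread, not ASA code.  Security
levels, the routing table and the log format are assumptions based on
the posts (inside=100, DMZ=50; replies denied as %ASA-3-106014)."""
import ipaddress
from dataclasses import dataclass, field

SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}   # assumed levels
# Assumed ASA routing table: DMZ directly connected, 10.4.0.0/16 via inside,
# everything else out the outside interface.
ROUTES = {ipaddress.ip_network("10.4.29.0/24"): "DMZ",
          ipaddress.ip_network("10.4.0.0/16"): "inside",
          ipaddress.ip_network("0.0.0.0/0"): "outside"}
ECHO_REQUEST, ECHO_REPLY = 8, 0


def egress_interface(ip: str) -> str:
    """Longest-prefix match over ROUTES (a plain scan is fine for a toy)."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


@dataclass(frozen=True)
class Icmp:
    in_if: str       # interface the packet arrived on
    src: str
    dst: str
    icmp_type: int
    ident: int       # ICMP identifier, one per ping process
    seq: int


@dataclass
class Asa:
    inspect_icmp: bool
    pending: set = field(default_factory=set)   # echo requests awaiting a reply
    log: list = field(default_factory=list)

    def forward(self, pkt: Icmp) -> bool:
        """Apply the interface-security rule, then ICMP inspection if enabled.
        Returns True when the packet is forwarded, False when it is dropped."""
        out_if = egress_interface(pkt.dst)
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY:
            # A reply passes only if it answers a request the ASA saw
            # (src/dst swapped, same id/seq), and each request gets one reply.
            want = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if want in self.pending:
                self.pending.discard(want)
                return True
        if SECURITY_LEVEL[pkt.in_if] > SECURITY_LEVEL[out_if]:
            # Higher to lower security is permitted by default; with
            # inspection on, remember the request so its reply can return.
            if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        # Lower to higher security with no matching session: drop and log.
        self.log.append(
            f"%ASA-3-106014: Deny inbound icmp src {pkt.in_if}:{pkt.src} "
            f"dst {out_if}:{pkt.dst} (type {pkt.icmp_type}, code 0)")
        return False


def ping(asa: Asa, src: str, dst: str, ident: int = 1, seq: int = 1) -> bool:
    """Send one echo request through the ASA and report whether the echo
    reply makes it back to the sender."""
    request = Icmp(egress_interface(src), src, dst, ECHO_REQUEST, ident, seq)
    if not asa.forward(request):
        return False
    reply = Icmp(egress_interface(dst), dst, src, ECHO_REPLY, ident, seq)
    return asa.forward(reply)


if __name__ == "__main__":
    for enabled in (False, True):
        asa = Asa(inspect_icmp=enabled)
        ok = ping(asa, "10.4.4.4", "10.4.29.29")
        print(f"inspect icmp={enabled}: reply received={ok}", *asa.log, sep="\n  ")
```

With inspection off the model produces the same deny line as the syslog quoted in the post (src DMZ:10.4.29.29, dst inside:10.4.4.4, type 0); with it on, the request is remembered and the single matching reply is let through, while a DMZ host pinging inward is still blocked because nothing on the inside opened that session.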



oneirishpollack Mon, 05/11/2009 - 19:54

I disabled the DMZ interface on the ASA (10.4.29.1) and added the svi as follows:


interface Vlan29
 description DMZ
 ip address 10.4.29.1 255.255.255.0
 no ip redirects
 ip pim sparse-dense-mode


I can now ping the 10.4.29.29 machine.
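
The last post makes the ping work, but it also answers the question raised earlier about skipping firewall inspection: with the Vlan29 SVI on the 3750 and the ASA's DMZ interface disabled, inside-to-DMZ traffic is routed entirely on the switch and never reaches the ASA. The following Python path model is added here as an illustration and is not output from either device. Addresses and gateways follow the thread; the switch's inside-side address (10.4.2.3), the switch's default route to 10.4.2.1 and the ASA's route back toward the switch are assumptions.

```python
"""Hop-by-hop path model of the thread's topology: hosts on VLAN 4 and
VLAN 29, a Cisco 3750 doing inter-VLAN routing, and an ASA with inside and
DMZ interfaces.  Constructed for this thread, not device output.  Addresses
follow the posts; 10.4.2.3 for the switch's inside-side interface and the
per-device tables are assumptions."""
import ipaddress

Net = ipaddress.ip_network

# Hosts and their default gateways, as given in the thread.
HOSTS = {"10.4.4.100": "10.4.4.1", "10.4.29.29": "10.4.29.1"}


def build(switch_has_svi29: bool) -> dict:
    """Return {device: (owned addresses, routing table)} for one variant.
    Table values are 'connected' or a next-hop address."""
    switch_ips = {"10.4.4.1", "10.4.2.3"}            # SVI Vlan4, uplink toward ASA inside
    switch_table = {Net("10.4.4.0/24"): "connected",
                    Net("10.4.2.0/24"): "connected",
                    Net("0.0.0.0/0"): "10.4.2.1"}    # default route to the ASA inside
    asa_ips = {"10.4.2.1", "10.4.29.1"}
    asa_table = {Net("10.4.2.0/24"): "connected",
                 Net("10.4.29.0/24"): "connected",
                 Net("10.4.0.0/16"): "10.4.2.3"}     # 'route inside' back to the switch
    if switch_has_svi29:
        # Last post: DMZ interface disabled on the ASA, 'interface Vlan29'
        # with 10.4.29.1 added on the switch.
        switch_ips.add("10.4.29.1")
        switch_table[Net("10.4.29.0/24")] = "connected"
        asa_ips.discard("10.4.29.1")
        del asa_table[Net("10.4.29.0/24")]
    return {"L3 switch": (switch_ips, switch_table), "ASA": (asa_ips, asa_table)}


def lookup(table: dict, ip: str):
    """Longest-prefix match; None when no route covers ip."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen,
               default=None)
    return None if best is None else table[best]


def trace(devices: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Return the hops a packet from src to dst traverses (hosts assume /24)."""
    path = [src]
    if ipaddress.ip_address(dst) in Net(src + "/24", strict=False):
        return path + [dst]            # same VLAN: switched, no router involved
    next_hop = HOSTS[src]
    for _ in range(max_hops):
        owner = next((name for name, (addrs, _table) in devices.items()
                      if next_hop in addrs), None)
        if owner is None:
            return path + ["DROP: no device owns " + next_hop]
        path.append(owner)
        route = lookup(devices[owner][1], dst)
        if route is None:
            return path + ["DROP: no route"]
        if route == "connected":
            return path + [dst]
        next_hop = route
    return path + ["DROP: hop limit"]


def firewalled(path: list) -> bool:
    """True when the ASA is on the path, i.e. the flow is subject to its policy."""
    return "ASA" in path


if __name__ == "__main__":
    for label, devices in (("no SVI", build(False)), ("SVI on 3750", build(True))):
        for a, b in (("10.4.4.100", "10.4.29.29"), ("10.4.29.29", "10.4.4.100")):
            p = trace(devices, a, b)
            print(f"{label:12} {' -> '.join(p)}   firewalled={firewalled(p)}")
```

In the no-SVI variant both directions pass through the ASA, which is why the deny in the earlier syslog came from the firewall rather than from the switch. In the SVI variant the DMZ becomes just another VLAN routed on the 3750: the ping succeeds, but firewalled() is False for the inside-to-DMZ path, which is exactly the bypass the earlier post asked about.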


