In-Band in DMZ

Unanswered Question
Aug 18th, 2009

Hello,


I am trying to deploy an in-band solution for VPN users. There have been a few surprises since starting this project.

1. Because users are coming in over a VPN, the topology must be in-band.

2. If you want redundant CAS servers, they cannot be separated from the CAM by a NAT firewall. That is the reason we have the CAM in the DMZ with the CAS.

I have a diagram here:

http:[email protected]/3833723810/sizes/o/

My problem now is that the ASA does not see the CAS as an L2 device, as it should, and the DMZ switch does not see the ASA as an L2 device. In other words, on the ASA I don't see an ARP entry for 192.168.48.3, and on the switch I don't see an ARP entry for 192.168.48.1.

What am I doing wrong?


Yudong Wu Tue, 08/18/2009 - 08:32

1. In your implementation, the CAS should be in Layer 3 mode, since it will use the IP address of the VPN client to identify them.

2. On your ASA, you need to add a default route with the "tunnel" keyword pointing to the CAS's IP address, so that all VPN traffic from the AnyConnect client is forwarded to the CAS.

3. You should be able to ping the CAS's IP from the ASA.

pener1963 Tue, 08/18/2009 - 10:53

Thanks for getting back to me. Here is the latest setup. I changed a few things.

http:[email protected]/3833721237/sizes/o/

The CAS is set for L3 support, but I am still having the same problem. The DMZ switch has no ARP entries for the ASA, and the ASA has no ARP entries for the untrusted CAS interface.

Here is the entry for the ASA interface:

interface GigabitEthernet0/3.48
 description NAC Home Agent DMZ to DMZ Switch
 vlan 48
 nameif dmz_NAC_homeagents_vlan48
 security-level 51

I made the management VLAN of the untrusted interface of the CAS VLAN 48, because I assume this would make it able to talk to the L2 VLAN 48 on the ASA. Do I assume correctly?

Everything else is OK. I have both interfaces of the CAS with the same IP, and I can add the CAS to the CAM and manage the CAS.

Smoking head,

Pedro

Yudong Wu Tue, 08/18/2009 - 11:04

Just for testing purposes.

Can you configure a VLAN 48 interface with an IP in the 192.168.4.8.x network on your DMZ switch? Then try to ping the CAS's IP and the ASA inside IP.

By the way, I did not see an IP address configured under interface Gig0/3.48 on the ASA. Not sure if you just did not paste it here.

pener1963 Tue, 08/18/2009 - 11:40

Hey,


The documentation I have says the untrusted management VLAN of the CAS must be an L2 VLAN, but I can try what you say.



pener1963 Tue, 08/18/2009 - 12:25

I get a loop when I create the L3 VLAN for the 192.168.48.x network.

Now it is back to what it was and I am thinking....

Here is the ARP table of the DMZ switch, and I will explain what is what:

dmzcab3sw1-2fl-3550#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.3.49                -  0017.9580.7700  ARPA   Vlan308
Internet  10.1.3.50              126  000d.60cb.eaa4  ARPA   Vlan308
Internet  192.168.48.2             -  0017.9580.7700  ARPA   Vlan702
Internet  192.168.48.3             0  001f.2971.8f84  ARPA   Vlan702
Internet  192.168.10.2            91  0019.e8d9.5245  ARPA   Vlan1
Internet  192.168.10.1            29  001f.ca87.18f1  ARPA   Vlan1

10.1.3.49     VLAN interface vlan 308
10.1.3.50     CAM interface
192.168.48.2  VLAN interface vlan 702
192.168.3.3   CAS trusted interface
192.168.10.2  ASA standby
192.168.10.1  ASA Gi0/3

The subinterface Gi0/3.48 has the same MAC address as Gi0/3. Makes sense. So the question is: can there be two ARP entries with two different IPs?? I don't think so. No wonder there isn't an ARP entry for the subinterface.

Right?? Do I need to prune something here???

Yudong Wu Tue, 08/18/2009 - 13:05

The DMZ switch should not have any ARP entry in VLAN 48 if it does not have a Layer 3 interface in VLAN 48. It will be pure Layer 2 for VLAN 48 and will only use the destination MAC address to forward the packet.

But the ASA should have an ARP entry for the CAS's IP 192.168.48.3.

Can you try to ping 192.168.48.3 from the ASA and then check its ARP table with "show arp"? Please make sure ping is permitted on the Gig0/3.48 interface before doing the ping test.

Can you confirm that the IP address is configured under the Gig0/3.48 interface on the ASA?



pener1963 Tue, 08/18/2009 - 13:41

OK, here is more information:

edgefw-2fl-asa5520-primary# sh int dmz_NAC_homeagents_vlan48
Interface GigabitEthernet0/3.48 "dmz_NAC_homeagents_vlan48", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 48
        Description: NAC Home Agent DMZ to DMZ Switch
        MAC address 001f.ca87.18f1, MTU 1500
        IP address 192.168.48.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz_NAC_homeagents_vlan48":
        0 packets input, 0 bytes
        172 packets output, 5176 bytes
        0 packets dropped

I can't ping 192.168.48.3 from this interface, and there is still no ARP entry for it either.

Yudong Wu Tue, 08/18/2009 - 13:54

You need to check the config on the DMZ switch. It looks like no packet was received on the gig0/3.48 interface.

0 packets input, 0 bytes <<<<<<<<<<<



pener1963 Wed, 08/19/2009 - 04:13

Config from the DMZ switch:

vtp domain DMZ
vtp mode transparent
vlan internal allocation policy ascending
!
vlan 40
 name DMZ_DNS
!
vlan 46
 name DMZ_term
!
vlan 47
 name DMZ_Corporate
!
vlan 48
 name management_VLAN_CAS_untrust
!
vlan 300
!
vlan 308
 name CAM_vlan
!
vlan 400,500,600,700
!
vlan 702
 name Trusted_CAS_VLAN
!
vlan 800
!
vlan 996
 name DummyVlan_Trusted_Int_CAS
!
vlan 997
 name DummyVlan_Untrusted_Int_CAS
!
clock timezone ES -1
clock summer-time EDT recurring
ip subnet-zero
ip routing
!
interface FastEthernet0/1
 description ns01.megacorp.net: eth0
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 shutdown
!
interface FastEthernet0/3
 description description eth0 (Trusted) on CAS
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 996
 switchport trunk allowed vlan 702
 switchport mode trunk
!
interface FastEthernet0/4
 description description eth1 (Untrusted) CAS NAC Appliance
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 997
 switchport trunk allowed vlan 48
 switchport mode trunk
!
interface FastEthernet0/5
 description eth0 on CAM NAC appliance
 switchport access vlan 308
 switchport mode dynamic desirable
!
!
!
!
interface FastEthernet0/24
 description DMZ trunk to Edge Firewall Failover Ge0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description DMZ trunk to DMZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
!
!
interface Vlan1
 description DMZ Network Switch
 ip address 192.168.10.11 255.255.255.128
!
interface Vlan308
 description CAM VLAN
 ip address 10.1.3.49 255.255.255.240
!
interface Vlan702
 description trusted_CAS_VLAN
 ip address 192.168.48.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
ip http secure-server
!
logging 172.16.3.55
access-list 15 permit 172.16.3.32
access-list 50 permit 172.16.3.55
access-list 50 permit 172.16.5.0 0.0.0.255
snmp-server community cacti RO 15
radius-server host 10.1.3.2 auth-port 1645 acct-port 1646
radius-server key 7 yourmomma

And that's it ......

Yudong Wu Wed, 08/19/2009 - 06:38

Output of the following show commands?

show interface trunk
show interface f0/24
show interface f0/4

pener1963 Wed, 08/19/2009 - 09:04

Hey kwu2!!

Here is the info you asked for:

dmzcab3sw1-2fl-3550#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/3       on           802.1q         trunking      996
Fa0/4       on           802.1q         trunking      997
Fa0/24      on           802.1q         trunking      1
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/3       702
Fa0/4       48
Fa0/24      1-4094
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/3       702
Fa0/4       48
Fa0/24      1,40,46-48,300,308,400,500,600,700,702,800,996-997
Gi0/1       1,40,46-48,300,308,400,500,600,700,702,800,996-997

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/3       702
Fa0/4       48
Fa0/24      1,40,46-48,300,308,400,500,600,700,702,800,996-997

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,40,46-48,300,308,400,500,600,700,702,800,996-997

dmzcab3sw1-2fl-3550#sh int fa 0/24
FastEthernet0/24 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0017.9580.7718 (bia 0017.9580.7718)
  Description: DMZ trunk to Edge Firewall Failover Ge0/3
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 5000 bits/sec, 9 packets/sec
     2745673 packets input, 347199174 bytes, 0 no buffer
     Received 969 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     81752053 packets output, 1748117988 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

dmzcab3sw1-2fl-3550#sh int fa 0/4
FastEthernet0/4 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0017.9580.7704 (bia 0017.9580.7704)
  Description: description eth1 (Untrusted) CAS NAC Appliance
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     92 packets input, 6256 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     58100 packets output, 4567498 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Yudong Wu Wed, 08/19/2009 - 09:34

It looks like the trunk/ports are OK.

Can you check spanning tree to see if ports f0/4 and f0/24 are forwarding in VLAN 48? - show spann vlan 48

If yes, I think something is wrong with your CAS config. You can open a TAC case for further investigation.

If you would like to do a test, you can remove interface vlan 702 and configure an interface vlan 48 with an IP in 192.168.48.x. Then do a ping test from the switch to the CAS and the firewall to see which one does not work. This is just for testing purposes.

pener1963 Wed, 08/19/2009 - 09:42

Here you go mate.....

dmzcab3sw1-2fl-3550#sh spanning-tree vlan 48

VLAN0048
  Spanning tree enabled protocol ieee
  Root ID    Priority    32816
             Address     0017.9580.7700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32816  (priority 32768 sys-id-ext 48)
             Address     0017.9580.7700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Desg FWD 19        128.4    P2p
Fa0/24              Desg FWD 19        128.24   P2p
Gi0/1               Desg FWD 4         128.25   P2p

Yudong Wu Wed, 08/19/2009 - 09:46

The ports are in forwarding state. So I think your CAS might not be configured correctly. Can you open a TAC case to investigate it?

pener1963 Wed, 08/19/2009 - 13:05

I rebuilt the CAS from scratch, and I still can't ping the ASA from the CAS, and the ASA doesn't even have an ARP entry for the CAS.

When I run the Perfigo config, my gut tells me to assign the ASA as the GW for both the untrusted and trusted interfaces. In fact, in my test lab I got it to work this way.

However, I can only get the CAS and CAM to talk to each other when I use the VLAN interface as the GW for both interfaces. If I don't do it that way, I can't add the CAS to the CAM.

I have tried assigning the ASA as the GW for laughs, and still no pings, no ARP entries, etc.

I have a question. When I assign VLAN 48 to the subinterface of the ASA, it tags its outgoing packets with VLAN 48, right? And my DMZ switch will send them out any trunk with VLAN 48 allowed, right?



Yudong Wu Wed, 08/19/2009 - 13:15

Yes, the ASA should tag the outgoing packet with VLAN ID 48. You can do a SPAN on your DMZ switch to capture the packets to confirm it.

When you ping from the ASA to the CAS's IP, the ASA should send out an ARP request in VLAN 48. The DMZ switch should send it out on every port in VLAN 48.

You can set up a SPAN on the DMZ switch to capture the traffic to/from the CAS, and then do a ping from the ASA to the CAS's IP. Check the packet sniffer file to see if the DMZ switch forwards the traffic to the CAS and if the CAS responds to it.

