08-18-2009 05:33 AM - edited 03-09-2019 10:31 PM
Hello,
I am trying to deploy an in-band solution for VPN users. There have been a few surprises after having started this project.
1. Because users are coming in over a VPN the topology must be in-band.
2. If you want to have redundant CAS servers they cannot be separated by a NAT firewall from the CAM. Thus the reason why we have the CAM in the DMZ with the CAS.
I have a diagram here:
http://www.flickr.com/photos/31154535@N07/3833723810/sizes/o/
My problem now is the ASA does not see the CAS as an L2 device as it should. And the DMZ switch does not see the ASA as an L2 device. In other words, on the ASA I don't see an arp entry for 192.168.48.3 and on the switch I don't see an arp entry for 192.168.48.1.
What am I doing wrong?
08-18-2009 08:32 AM
1. In your implementation, CAS should be in Layer 3 mode since it will use the IP address of the VPN client to identify them.
2. On your ASA, you need to add a default route with the "tunnel" keyword to point to the CAS's IP address, so that all VPN traffic from the AnyConnect client will be forwarded to the CAS.
3. You should be able to ping CAS's IP from ASA.
08-18-2009 10:53 AM
Thanks for getting back to me. Here is the latest setup. I changed a few things.
http://www.flickr.com/photos/31154535@N07/3833721237/sizes/o/
CAS is set for L3 support, but I am still having the same problem. The DMZ switch has no arp entries for the ASA, and the ASA has no arp entries of the untrusted CAS interface.
Here is the entry for the ASA interface:
interface GigabitEthernet0/3.48
description NAC Home Agent DMZ to DMZ Switch
vlan 48
nameif dmz_NAC_homeagents_vlan48
security-level 51
I made the management VLAN of the untrusted interface of the CAS VLAN 48 because I assume that this would make it able to talk to the L2 vlan 48 on the ASA. Do I assume correctly?
Everything else is OK. I have both interfaces of the CAS with the same IP and I can add the CAS to the CAM and manage the CAS.
Smoking head,
Pedro
08-18-2009 11:04 AM
Just for testing purposes.
Can you configure a vlan 48 interface with an IP in the 192.168.48.x network on your DMZ switch? Then try to ping the CAS's IP and the ASA inside IP.
By the way, I did not see an IP address configured under interface Gig0/3.48 on the ASA. Not sure if you just did not paste it here.
08-18-2009 11:40 AM
Hey,
The documentation I have says the untrusted management VLAN of the CAS must be an L2 VLAN, but I can try what you say.
08-18-2009 12:25 PM
I get a loop when I create the L3 vlan for 192.168.48.x network.
Now it is back to what it was and I am thinking....
Here is the arp table of the dmz switch and I will explain what is what:
dmzcab3sw1-2fl-3550#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.3.49 - 0017.9580.7700 ARPA Vlan308
Internet 10.1.3.50 126 000d.60cb.eaa4 ARPA Vlan308
Internet 192.168.48.2 - 0017.9580.7700 ARPA Vlan702
Internet 192.168.48.3 0 001f.2971.8f84 ARPA Vlan702
Internet 192.168.10.2 91 0019.e8d9.5245 ARPA Vlan1
Internet 192.168.10.1 29 001f.ca87.18f1 ARPA Vlan1
10.1.3.49 vlan interface vlan 308
10.1.3.50 CAM interface
192.168.48.2 vlan interface vlan 702
192.168.3.3 CAS trusted interface
192.168.10.2 ASA Standby
192.168.10.1 ASA Gi0/3
The subinterface gi0/3.48 has the same MAC address as Gi0/3. Makes sense. So the question is: can there be two arp entries with two different IPs?? I don't think so. No wonder there isn't an arp entry for the subinterface.
Right?? Do I need to prune something here???
08-18-2009 01:05 PM
The DMZ switch should not have any arp entry in vlan 48 if it does not have a layer 3 interface in vlan 48. It will be pure layer 2 for vlan 48 and will only use the destination MAC address to forward the packet.
But the ASA should have an arp entry for the CAS' IP 192.168.48.3.
Can you try to ping 192.168.48.3 from the ASA and then check its arp table ("show arp")? Please make sure ping is permitted on the gig 0/3.48 interface before doing the ping test.
Can you confirm if the ip address is configured under Gig0/3.48 interface on ASA?
08-18-2009 01:41 PM
OK here is more information:
edgefw-2fl-asa5520-primary# sh int dmz_NAC_homeagents_vlan48
Interface GigabitEthernet0/3.48 "dmz_NAC_homeagents_vlan48", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 48
Description: NAC Home Agent DMZ to DMZ Switch
MAC address 001f.ca87.18f1, MTU 1500
IP address 192.168.48.1, subnet mask 255.255.255.0
Traffic Statistics for "dmz_NAC_homeagents_vlan48":
0 packets input, 0 bytes
172 packets output, 5176 bytes
0 packets dropped
I can't ping 192.168.48.3 from this interface, and there is still no arp entry for it either.
08-18-2009 01:54 PM
You need to check the config on the DMZ switch. It looks like no packet was received on the gig0/3.48 interface.
0 packets input, 0 bytes <<<<<<<<<<<
08-19-2009 04:13 AM
Config from dmz switch:
vtp domain DMZ
vtp mode transparent
vlan internal allocation policy ascending
vlan 40
name DMZ_DNS
!
vlan 46
name DMZ_term
!
vlan 47
name DMZ_Corporate
!
vlan 48
name management_VLAN_CAS_untrust
!
vlan 300
!
vlan 308
name CAM_vlan
!
vlan 400,500,600,700
!
vlan 702
name Trusted_CAS_VLAN
!
vlan 800
!
vlan 996
name DummyVlan_Trusted_Int_CAS
!
vlan 997
name DummyVlan_Untrusted_Int_CAS
clock timezone ES -1
clock summer-time EDT recurring
ip subnet-zero
ip routing
interface FastEthernet0/1
description ns01.megacorp.net: eth0
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/2
switchport mode access
shutdown
!
interface FastEthernet0/3
description description eth0 (Trusted) on CAS
switchport trunk encapsulation dot1q
switchport trunk native vlan 996
switchport trunk allowed vlan 702
switchport mode trunk
!
interface FastEthernet0/4
description description eth1 (Untrusted) CAS NAC Appliance
switchport trunk encapsulation dot1q
switchport trunk native vlan 997
switchport trunk allowed vlan 48
switchport mode trunk
!
interface FastEthernet0/5
description eth0 on CAM NAC appliance
switchport access vlan 308
switchport mode dynamic desirable
!
!
!
!
interface FastEthernet0/24
description DMZ trunk to Edge Firewall Failover Ge0/3
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet0/1
description DMZ trunk to DMZ
switchport trunk encapsulation dot1q
switchport mode trunk
!
!
!
interface Vlan1
description DMZ Network Switch
ip address 192.168.10.11 255.255.255.128
!
interface Vlan308
description CAM VLAN
ip address 10.1.3.49 255.255.255.240
!
interface Vlan702
description trusted_CAS_VLAN
ip address 192.168.48.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
ip http secure-server
!
logging 172.16.3.55
access-list 15 permit 172.16.3.32
access-list 50 permit 172.16.3.55
access-list 50 permit 172.16.5.0 0.0.0.255
snmp-server community cacti RO 15
radius-server host 10.1.3.2 auth-port 1645 acct-port 1646
radius-server key 7 yourmomma
And that's it ......
08-19-2009 06:38 AM
Output of the following show commands?
show interface trunk
show interface f0/24
show interface f0/4
08-19-2009 09:04 AM
Hey kwu2!!
Here is the info you asked for:
dmzcab3sw1-2fl-3550#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/3 on 802.1q trunking 996
Fa0/4 on 802.1q trunking 997
Fa0/24 on 802.1q trunking 1
Gi0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/3 702
Fa0/4 48
Fa0/24 1-4094
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Fa0/3 702
Fa0/4 48
Fa0/24 1,40,46-48,300,308,400,500,600,700,702,800,996-997
Gi0/1 1,40,46-48,300,308,400,500,600,700,702,800,996-997
Port Vlans in spanning tree forwarding state and not pruned
Fa0/3 702
Fa0/4 48
Fa0/24 1,40,46-48,300,308,400,500,600,700,702,800,996-997
Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,40,46-48,300,308,400,500,600,700,702,800,996-997
dmzcab3sw1-2fl-3550#sh int fa 0/24
FastEthernet0/24 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0017.9580.7718 (bia 0017.9580.7718)
Description: DMZ trunk to Edge Firewall Failover Ge0/3
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 5000 bits/sec, 9 packets/sec
2745673 packets input, 347199174 bytes, 0 no buffer
Received 969 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
81752053 packets output, 1748117988 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
dmzcab3sw1-2fl-3550#sh int fa 0/4
FastEthernet0/4 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0017.9580.7704 (bia 0017.9580.7704)
Description: description eth1 (Untrusted) CAS NAC Appliance
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
92 packets input, 6256 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
58100 packets output, 4567498 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
08-19-2009 09:34 AM
It looks like the trunk/port are OK.
Can you check spanning-tree to see if the ports f0/4 and f0/24 are in forwarding state in vlan 48? - show spann vlan 48
If yes, I think something is wrong with your CAS config. You can open a TAC case for further investigation.
If you would like to do a test, you can remove interface vlan 702 and configure an interface vlan 48 with an IP in 192.168.48.x. Then do a ping test from the switch to the CAS and the firewall to see which one does not work. This is just for testing purposes.
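As an added illustration (not from the thread, not Cisco's code), here is a Python parser for the switch's "show interfaces trunk" output that walks the same three checks kwu2 applied for one VLAN on the ports in its path (allowed, then active, then forwarding) and, when all three pass, reports whether the device on that port must 802.1Q-tag its frames for that VLAN or may send them untagged as the native VLAN. The Fa0/4 and Fa0/24 rows are copied from the output posted above; the other ports are omitted for space.

```python
from collections import defaultdict

# "show interfaces trunk" from the DMZ switch, copied from the thread (only Fa0/4 and Fa0/24 rows kept).
SHOW_TRUNK = """\
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 997
Fa0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/4 48
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/4 48
Fa0/24 1,40,46-48,300,308,400,500,600,700,702,800,996-997
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 48
Fa0/24 1,40,46-48,300,308,400,500,600,700,702,800,996-997
"""

STAGES = ("allowed", "active", "forwarding")        # the order the checks in the thread walk through
HEADERS = {"Mode Encapsulation Status Native vlan": "native", "Vlans allowed on trunk": "allowed",
           "Vlans allowed and active in management domain": "active",
           "Vlans in spanning tree forwarding state and not pruned": "forwarding"}

def expand_vlans(spec):              # '1,40,46-48' -> {1, 40, 46, 47, 48}; IOS prints 'none' for an empty list
    vlans = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",") if p.lower() != "none"):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):          # port -> {'native': int, 'allowed'/'active'/'forwarding': set of VLAN ids}
    ports = defaultdict(lambda: {"native": None, **{s: set() for s in STAGES}})
    stage = None
    for fields in (ln.split() for ln in text.splitlines() if ln.strip()):
        if fields[0] == "Port":      # section header (IOS may repeat one, as in the thread; it just re-selects)
            stage = HEADERS.get(" ".join(fields[1:]))
        elif stage == "native":
            ports[fields[0]]["native"] = int(fields[-1])
        elif stage:
            ports[fields[0]][stage] |= expand_vlans(fields[1])
    return dict(ports)

def vlan_path(text, vlan, path):
    """Per port on the expected L2 path: first stage where the VLAN is missing, else
    'native' (device may send untagged) or 'tagged' (device must 802.1Q-tag the frames)."""
    ports, out = parse_show_trunk(text), {}
    for p in path:
        gap = next((s for s in STAGES if vlan not in ports[p][s]), None) if p in ports else "a trunk"
        out[p] = f"not {gap}" if gap else ("native" if ports[p]["native"] == vlan else "tagged")
    return out
```

For the thread's setup, vlan_path(SHOW_TRUNK, 48, ["Fa0/4", "Fa0/24"]) reports "tagged" on both ports, which is why the CAS untrusted interface has to carry VLAN 48 as a tagged management VLAN rather than untagged.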
08-19-2009 09:42 AM
Here you go mate.....
dmzcab3sw1-2fl-3550#sh spanning-tree vlan 48
VLAN0048
Spanning tree enabled protocol ieee
Root ID Priority 32816
Address 0017.9580.7700
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32816 (priority 32768 sys-id-ext 48)
Address 0017.9580.7700
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/24 Desg FWD 19 128.24 P2p
Gi0/1 Desg FWD 4 128.25 P2p
08-19-2009 09:46 AM
The ports are in forwarding state. So I think your CAS might not be configured correctly. Can you open a TAC case to investigate it?