Unanswered Question
Jan 15th, 2010

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}


I am looking to set up an IN-Band Virtual Gateway in Central Deployment where my CAS in the DMZ and my CAM is in the LAN. Here is a drawing of the setup:

http:[email protected]/4274326599/sizes/o/

Right now I only have eth0 of the CAS plugged into DMZ switch 1.  Eth0 has its default gateway set to the SVI of VLAN 710.

All I want to do at this point is add the CAS to the CAM but I am unable to do this. During the perfigo setup I assigned both interfaces the same IP and did not enable anything else like Management VLAN or VLAN tagging. My TAC guy tells me I cant add the second NIC until I have it in the CAM.

I created ACLs for CAS CAM communication as well.

But something is wrong. When I do a TCPdump on the eth0 interface while I try to add the CAS to the CAM I don’t even see packets getting there.

What am I doing wrong? Doesnt the FW need to see the CAS as a L2 device before we can get anywhere with this? Because right now the CAS is not even in the ARP table of the ASA.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Faisal Sehbai Fri, 01/15/2010 - 21:20


From the CAS console, can you ping the default gateway? If yes, can you ping the ASA? If yes, the CAM?

If no to any of these, where's the traffic blocked? If no to the first question, then you have basic connectivity issues to resolve first.



pener1963 Mon, 01/18/2010 - 09:35

Hey Faisal,

From the CAS I can ping the SVI of the L3 VLAN for the trusted interface (vlan710 in the picture), but I cannot ping the ASA. The subinterface on the ASA is on VLAN 709 which is what the documentation calls for i.e. that the untrusted interface of the CAS and the FW need to be on the same L2 vlan.

Is that correct?

Here is some routing information:

From the DMZ switch where the CAS is dual homed:

Gateway of last resort is to network is subnetted, 1 subnets
C is directly connected, Vlan1 is subnetted, 1 subnets
C is directly connected, Vlan710
S* [1/0] via

I want to mention that this switch has a trunked port to the failover FW.

From the other DMZ switch (in the picture you can see that there are two DMZ switches that are trunked together and running VTP transparent).

Gateway of last resort is to network is subnetted, 1 subnets
C is directly connected, Vlan1
S* [1/0] via

I will also mention that this switch has a trunked port to the active FW.

Now from the FW:

sh route | inclu 10.1.7

C is directly connected, NAC_homeagents_vlan702

C is directly connected, NAC_homeagents_vlan709

I dont know if this is a L3 problem or not, because it seems to me that the FW needs to see the CAS as a L2 device no?



Faisal Sehbai Sat, 02/06/2010 - 21:58

Documenting the solution for this issue for other potential designs.

If you're doing VPN with CAS in-line in a VGW setup, you have to make sure that the CAS's trusted side through which CAS/CAM communication flows doesn't go through the same ASA. If they are going through the same ASA, it will have problems identifying which VLAN to send the manamgement traffic through and cause an unnecessarily complex  and potentially impossible design. You might be able to make it work with RIP, but that again would be a pretty complex design with possible PBRs involved.




This Discussion