ASA and default gateway on the outside

Unanswered Question

Hi,

My ASA 5520 is used in transparent mode behind a router used as gateway (ex. 91.123.30.1) for all my hosts. Recently I have changed my topology from:

ASA -- ROUTER -- SW -- HOSTS

to :

ROUTER -- ASA -- SW -- HOSTS

In the new topology I have some issues with the gateway on the outside interface. Cisco in this document (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml) indicates to use the IP address of the ASA as default gateway and to use another address (ex. 91.123.30.254) for the router. Some questions:

1. Is this the correct way?

2. How to configure the ASA with multiple subnets on the same/different VLANs? Multi-context?

Thanks

Jerome

Nagaraja Thanthry Mon, 09/20/2010 - 08:52

Hello,

For your first question, I am not sure which line you are referring to that states that you need to configure the ASA as the default gateway. Here is an excerpt from the document:

"Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway."

So, the router will be the default gateway and you need to specify an IP for the ASA in the same subnet as the router and the clients so you can manage it. If you want to manage it via the management interface (out-of-band option), then you do not need to worry about it.

For your second question, if you have all hosts on the same VLAN and have different IP subnets (flat network with multiple subnets within the same vlan), and you are using secondary IP on the router, then you do not need to make any changes. The firewall will just forward the traffic. But if you have multiple internal VLANs, then either you need to configure multiple context or you need to configure a routed solution between the inside switch and the router.

Hope this helps.

Regards,

NT

Hello NT,

In fact I understood "must" instead of "avoid", a mistake in reading.

My router configuration:

! parent physical interface (Gi0/0, the port connected to the ASA); it carries no IP itself
interface GigabitEthernet0/0
no ip address
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 100.100.100.1 255.255.255.0

And my ASA configuration (Gi0/1 of the ASA is connected to the Gi0/0 port of the router):

firewall transparent

interface GigabitEthernet0/0
nameif Inside
security-level 100
!
interface GigabitEthernet0/1
nameif Outside
security-level 0

access-list Acl_Inside extended permit icmp any any echo-reply
access-list Acl_Inside extended permit ip any any

access-list Acl_Outside extended permit tcp any any eq www
access-list Acl_Outside extended permit icmp any any

access-group Acl_Inside in interface Inside
access-group Acl_Outside in interface Outside

ip address 100.100.100.2 255.255.255.0

route Inside 100.100.100.0 255.255.255.0 100.100.100.1 1
route Outside 0.0.0.0 0.0.0.0 100.100.100.1 1

With this configuration:

- Any host from the outside or from the inside can connect to the http port on any server.

- But a host on the inside can't open a port (ex. 25) on a machine on the same interface; that doesn't work. It's the correct behaviour, because the IP packet uses the gateway above the outside interface to return to a host on the inside interface, and the firewall blocks each port not authorized by an ACL.

To solve this issue, I have added an ACL to permit tcp/udp ports:

access-list Acl_Outside extended permit tcp 100.100.100.0 255.255.255.0 any
access-list Acl_Outside extended permit udp 100.100.100.0 255.255.255.0 any

- Is this the only/best way to permit traffic on the inside interface? I have 10 subnets; I don't think it's a rigorous config.

- In transparent mode, are route inside/route outside mandatory?

Jerome
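As an added example (not code from this thread or from Cisco), the following Python models the first-match ACL evaluation the ASA applies on the two legs of the hairpin described above: a host whose traffic to a same-subnet server goes to the router's MAC instead of the server's enters the ASA on Inside (Acl_Inside), comes back from the router and enters again on Outside (Acl_Outside), so the second leg is judged by Acl_Outside with its implicit deny. The ACL and access-group lines are the ones posted in this thread; the host, server and external addresses 100.100.100.10, 100.100.100.20 and 91.123.30.7 are constructed for the example, and the parser covers only the ACE shapes used here (any/host/addr-mask, eq port, ICMP type).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASA well-known port names that appear in the thread's ACLs, plus smtp for the port-25 test.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25}


@dataclass(frozen=True)
class Flow:
    """One packet as the ASA classifies it: protocol, addresses, destination port or ICMP type."""
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    name: str
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA ACLs use real subnet masks, not wildcards)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq PORT] DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    if i < len(t) and t[i] == "eq":   # source port: accepted and ignored, the flows here carry none
        i += 2
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    elif i < len(t) and proto == "icmp":
        icmp_type = t[i]
    return Ace(name, action, proto, src, dst, dport, icmp_type)


def parse_config(lines: List[str]) -> Tuple[List[Ace], Dict[str, str]]:
    """Collect ACEs in order and map each interface nameif to the ACL bound inbound on it."""
    aces, groups = [], {}
    for line in lines:
        t = line.split()
        if t and t[0] == "access-list":
            aces.append(parse_ace(line))
        elif t and t[0] == "access-group" and t[2] == "in":   # access-group NAME in interface IFNAME
            groups[t[4]] = t[1]
    return aces, groups


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src or ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return ace.icmp_type is None or ace.icmp_type == flow.icmp_type


def evaluate(config: List[str], interface: str, flow: Flow) -> str:
    """First-match verdict of the inbound ACL on `interface`, with the ASA's implicit deny at the end."""
    aces, groups = parse_config(config)
    acl = groups[interface]
    for ace in aces:
        if ace.name == acl and _matches(ace, flow):
            return ace.action
    return "deny"


def hairpin_verdict(config: List[str], flow: Flow) -> str:
    """Inside-to-inside flow sent to the router's MAC: leg 1 enters on Inside, leg 2 returns and enters on Outside."""
    return "permit" if all(evaluate(config, ifc, flow) == "permit" for ifc in ("Inside", "Outside")) else "deny"


# ACL and access-group lines as posted in the thread (before the tcp/udp additions).
ASA_CONFIG = [
    "access-list Acl_Inside extended permit icmp any any echo-reply",
    "access-list Acl_Inside extended permit ip any any",
    "access-list Acl_Outside extended permit tcp any any eq www",
    "access-list Acl_Outside extended permit icmp any any",
    "access-group Acl_Inside in interface Inside",
    "access-group Acl_Outside in interface Outside",
]
# The two ACEs added to work around the hairpin.
ASA_CONFIG_AFTER = ASA_CONFIG + [
    "access-list Acl_Outside extended permit tcp 100.100.100.0 255.255.255.0 any",
    "access-list Acl_Outside extended permit udp 100.100.100.0 255.255.255.0 any",
]

# Constructed sample flows: an inside host, an inside server, and an external host.
SMTP_INSIDE = Flow("tcp", "100.100.100.10", "100.100.100.20", dport=25)
WEB_INSIDE = Flow("tcp", "100.100.100.10", "100.100.100.20", dport=80)
SMTP_EXTERNAL = Flow("tcp", "91.123.30.7", "100.100.100.20", dport=25)

if __name__ == "__main__":
    for label, cfg in (("before", ASA_CONFIG), ("after", ASA_CONFIG_AFTER)):
        print(label, "smtp hairpin:", hairpin_verdict(cfg, SMTP_INSIDE),
              "| web hairpin:", hairpin_verdict(cfg, WEB_INSIDE),
              "| external smtp on Outside:", evaluate(cfg, "Outside", SMTP_EXTERNAL))
```

The run shows why only port 80 worked before the change and that the added ACEs open every tcp/udp port on the Outside leg only for sources in 100.100.100.0/24, so an external source to port 25 is still denied; with ten subnets that becomes ten pairs of lines per ACL, which is the maintainability concern raised above, and if the router stops answering ARP for inside hosts the second leg never exists and Acl_Outside is not consulted at all.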

Nagaraja Thanthry Mon, 09/20/2010 - 10:32

Hello,

The reason the packets are going across the firewall could be because the router is doing proxy-arp for the server IP. Can you disable proxy-arp on the router interface?

interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 100.100.100.1 255.255.255.0
no ip proxy-arp

If you have multiple such subnets, you can go for multiple context and configure each context in transparent mode. Since the router will be taking care of the routing between subnets, you need to allow traffic to your servers exclusively through the access-lists (sourced from other subnets to your internal servers on a different VLAN).

Regards,

NT
