ip connectivity through firewall segments

Answered Question
Dec 8th, 2013

Hi,


We have an ASA that attaches to 6500-Core. The rough network diagram is attached here.

IP Segments B & C have SVIs on the core, whereas Segment A is on the ASA (Segment A is new and needs to be created).


The leg connecting the ASA to the Core is on security level 100 with the name Internal; the other leg of the ASA, connecting upwards to the routers, is on security level 0 with the name External.


If we need to add Segment A on the ASA, can we assign it a security level of 50? The requirement is:


1. Segment A needs to talk to Segment B, but it shouldn't be talking to Segment C (this includes ping responses as well).


How can we achieve this? Appreciate all help.

Correct Answer
Jouni Forss Sun, 12/08/2013 - 23:35

Hi,


The use of "security-level" alone as a means to control which traffic is allowed is not advisable unless your network is a very simple home/small office network. Judging by your information, you have a setup that won't really work well with this kind of simple setting.


The problem with "security-level" is that it makes no distinction between the networks behind an interface. So if a source interface's "security-level" is higher than the destination interface's "security-level", then all networks behind the source interface can access any network behind the destination interface. This makes it impossible to control the traffic on a per-network basis.


I would suggest that you use an interface ACL to control the traffic on your interfaces, at least on this new one that you are creating.


You would have to create an ACL that first blocks traffic from Segment A to Segment C and then allows all other traffic from Segment A (which would mean Internet access and connections to Segment B would be allowed).


At its simplest, the interface ACL would look like this:


access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any

access-group SEGMENT-A-IN in interface


This would not block the ICMP Echo Reply from Segment A to Segment C. You would either have to block ICMP Echo from Segment C to Segment A, or you would perhaps need to disable ICMP inspection if you have it enabled, and then the above ACL would also block the ICMP Echo Reply.


Hope this helps


- Jouni
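The ACL above as a complete, applied configuration, together with the ICMP caveat, as an added example that is not part of Jouni's answer or the asker's config. It assumes the new interface is GigabitEthernet0/2 with nameif subs-1 (the name the asker uses later in the thread), that the core-facing interface is named Internal at security level 100 (as the question states), and the thread's addressing: Segment A 10.80.10.0/24, Segment B 10.50.10.0/24, Segment C 10.60.10.0/24. The host addresses 10.80.10.10, 10.60.10.10 and 10.50.10.10 used in the packet-tracer checks are made up. NAT towards the WAN is not shown.

```cisco
! Added example (not the thread's config). Assumes: Segment A = 10.80.10.0/24 on
! GigabitEthernet0/2 (nameif subs-1, level 50), Segment B = 10.50.10.0/24,
! Segment C = 10.60.10.0/24, core-facing interface nameif Internal (level 100).

interface GigabitEthernet0/2
 nameif subs-1
 security-level 50
 ip address 10.80.10.1 255.255.255.0
 no shutdown
!
! Inbound ACL on the new interface. ASA ACLs are first-match, so the deny must
! precede the permit. The source is pinned to 10.80.10.0/24 instead of "any" so
! that packets with spoofed sources fall through to the implicit deny.
access-list SEGMENT-A-IN remark Deny Segment A -> Segment C (all IP, ICMP included)
access-list SEGMENT-A-IN extended deny ip 10.80.10.0 255.255.255.0 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow Segment A -> everything else (Segment B, WAN)
access-list SEGMENT-A-IN extended permit ip 10.80.10.0 255.255.255.0 any
access-group SEGMENT-A-IN in interface subs-1
!
! Caveat: if "inspect icmp" is enabled in the global policy (check with
! "show service-policy global"), an echo from Segment C (level 100) to Segment A
! (level 50) is allowed by security level and creates a connection; the echo
! reply from A rides that connection and is never evaluated against SEGMENT-A-IN.
! To keep C from pinging A, deny the echo where it enters: on Internal.
! Applying any ACL to Internal replaces the security-level permit for that
! interface, so the final "permit ip any any" keeps existing behaviour. If
! Internal already has an ACL, merge this deny into it instead.
access-list INTERNAL-IN remark Deny Segment C -> Segment A echo, so no reply is ever generated
access-list INTERNAL-IN extended deny icmp 10.60.10.0 255.255.255.0 10.80.10.0 255.255.255.0 echo
access-list INTERNAL-IN remark Re-allow everything the security level allowed before
access-list INTERNAL-IN extended permit ip any any
access-group INTERNAL-IN in interface Internal
!
! Verification (exec mode): packet-tracer walks a simulated packet through the
! ACLs, NAT and inspection and reports an Action line.
! ICMP type 8 code 0 = echo request; host addresses are constructed for the test.
packet-tracer input subs-1 icmp 10.80.10.10 8 0 10.60.10.10
packet-tracer input Internal icmp 10.60.10.10 8 0 10.80.10.10
packet-tracer input subs-1 tcp 10.80.10.10 40000 10.50.10.10 443
show access-list SEGMENT-A-IN
show access-list INTERNAL-IN
```

The first two packet-tracer runs should end in an acl-drop, the third in an allow; the hit counts in the two show access-list outputs confirm which entry matched. Turning off `inspect icmp` instead of adding INTERNAL-IN also works, as Jouni says, but then ICMP replies for every other flow through the ASA must be permitted explicitly by the inbound ACLs, so the Internal-side deny is the smaller change.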

suthomas1 Mon, 12/09/2013 - 02:19

Thanks Jouni.

On the same piece, if we create the new segment A (10.10.10.1, Vlan 10) on one of the ASA interfaces and connect it physically to the core switch, will the users connecting on the core switch (assigned to this vlan above) be able to reach their gateway, which is the segment A interface IP?


On ASA:-


interface GigabitEthernet0/2
 nameif subs-1
 security-level 50
 ip address 10.10.10.1 255.255.255.0


On Core Switch:-


interface GigabitEthernet0/5
 switchport
 switchport mode access
 switchport access vlan 30


(Here gig0/5 on the core connects to interface gig0/2 on the ASA.)


If we put a user on vlan 10 on a core switch access port, will this user be able to access the gateway?


Thanks in advance.

Jouni Forss Mon, 12/09/2013 - 02:50

Hi,


I am not quite sure how your setup is.


Your switch port mentions Vlan 30 and you talk about Vlan 10. Traffic between these Vlans has to go through some L3 hop.


Also the network here is 10.10.10.1/24 and the picture has network 10.80.10.0/24?


A lot of this setup depends on your core configuration also. I am not sure how it's done at the moment. Is the core acting only as L2 for the user Vlans, or is it perhaps acting as the L3 gateway for some of the networks? Are you using VRFs to separate different Vlans into their own routing tables?


- Jouni

suthomas1 Mon, 12/09/2013 - 04:49

Thanks Jouni.

Apologies for the typo, I'll re-phrase this.


172.16.30.0/30 is used for routing between the ASA and the Core towards the various segments.

The 10.50.10.0 (Vlan5) and 10.60.10.0 (Vlan6) networks have to have their gateways on the core, whereas 10.80.10.0 (Vlan10) should have its gateway on the ASA.


The configuration stub below is for having Vlan8 (10.80.10.0) configured on the ASA and linked to the Core.

Vlan 30 is used for the switchport connecting the Core to the ASA for the new interface/vlan (10.80.10.0).




On ASA:-


interface GigabitEthernet0/2
 nameif subs-1
 security-level 50
 ip address 10.80.10.1 255.255.255.0


On Core Switch:-


interface GigabitEthernet0/5
 switchport
 switchport mode access
 switchport access vlan 30


(Here gig0/5 on the core connects to interface gig0/2 on the ASA.)


The basic requirement here is:-


1. Configure a new interface, Vlan8, on gig0/2 of the ASA to represent the 10.80.10.0 network.

2. Configure users on the Core to use this network, i.e. any user connected to this network on the ASA should be physically connected to any of the core switchports, but should have its gateway as 10.80.10.1 on the ASA.

3. 10.80.10.0 should communicate with 10.50.10.0 but not with 10.60.10.0.

4. Users using 10.80.10.1 as their gateway should be able to ping the gateway.


Appreciate all help & sorry for any confusion.

Jouni Forss Mon, 12/09/2013 - 05:58

Hi,


Still a bit confused. Look below.

172.16.30.0/30 is used for routing between the ASA and the Core towards the various segments.

The 10.50.10.0 (Vlan5) and 10.60.10.0 (Vlan6) networks have to have their gateways on the core, whereas 10.80.10.0 (Vlan10) should have its gateway on the ASA.


Above you refer to network 10.80.10.0/24 as Vlan10

The configuration stub below is for having Vlan8 (10.80.10.0) configured on the ASA and linked to the Core.

Vlan 30 is used for the switchport connecting the Core to the ASA for the new interface/vlan (10.80.10.0).


Above you refer to network 10.80.10.0/24 as Vlan8


interface GigabitEthernet0/5
 switchport
 switchport mode access
 switchport access vlan 30


Above, the access port belongs to Vlan 30. It will not provide the Vlan8 (or 10?) hosts on network 10.80.10.0/24 with connectivity to the ASA port. The switchport connected to the ASA physical port should be in the same Vlan as the users if you want the Vlan10/8 hosts connected to the core to be able to use the new ASA port as their gateway.


I think that on its default settings the new ASA interface should reply to ICMP Echoes without separate configuration.


The earlier interface ACL should block traffic to network 10.60.10.0/24 but allow other traffic (traffic to other LANs and the WAN).


- Jouni

suthomas1 Mon, 12/09/2013 - 08:14

Sorry Jouni, a typo error. I am re-writing this for clear reading.


10.50.10.0 - Vlan5 (this gateway is to be on the Core)
10.60.10.0 - Vlan6 (this gateway is to be on the Core)
10.80.10.0 - Vlan8 (this gateway is to be on the ASA)


Here is the routing on both devices (please ignore the syntax, it is only for understanding):


ASA:


route External 0.0.0.0 0.0.0.0 1.1.1.1 (towards the WAN link)
route Internal 10.50.10.0 255.255.255.0 172.16.30.2
route Internal 10.60.10.0 255.255.255.0 172.16.30.2


Core:


ip route 0.0.0.0 0.0.0.0 172.16.30.1


With this brief configuration, if we were to configure 10.80.10.1/24 on the ASA, will the requirement work?

And as you mentioned, if I understand correctly, the Core interface (gig0/5) connecting to the ASA (gig0/2) should be in access vlan 8 for the users to reach their gateway?


Please do input any other things that may be incorrect here.


Thanks in advance.
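The core-switch side of the design Jouni describes (the port towards the ASA in the same VLAN as the users, the core not acting as a router for that VLAN) and the routing from the last post, as an added example that is not from the thread. It assumes the 6500 runs IOS, that the routed link to the ASA Internal interface is a routed port named GigabitEthernet0/1 with 172.16.30.2 facing the ASA's 172.16.30.1, that GigabitEthernet0/10 is a user port, and that a test host is 10.80.10.10; only gig0/5 on the core, gig0/2 on the ASA and the addresses come from the thread.

```cisco
! Added example (not the thread's config). Core = Catalyst 6500 running IOS.
! The core stays the L3 gateway for Segments B (Vlan5) and C (Vlan6) only.
! Segment A (10.80.10.0/24) exists on the core as Vlan 8 at layer 2 only; its
! gateway 10.80.10.1 is the ASA's GigabitEthernet0/2 (nameif subs-1).
! Gi0/1 and Gi0/10 on the core and the host 10.80.10.10 are assumptions.

vlan 8
 name SEGMENT-A
!
! Deliberately no "interface Vlan8": an SVI here would make the core a second
! router for 10.80.10.0/24 and let A -> C traffic bypass the ASA ACL.
!
! Port to the ASA: must be in the users' VLAN (8), not Vlan 30, so hosts and the
! ASA interface share one broadcast domain and ARP for 10.80.10.1 can succeed.
interface GigabitEthernet0/5
 description to ASA Gi0/2 (Segment A gateway 10.80.10.1)
 switchport
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
!
! A Segment A user port: same VLAN, default gateway on the host = 10.80.10.1
interface GigabitEthernet0/10
 description Segment A user
 switchport
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
!
! Gateways the core keeps for Segments B and C
interface Vlan5
 ip address 10.50.10.1 255.255.255.0
interface Vlan6
 ip address 10.60.10.1 255.255.255.0
!
! Routed /30 to the ASA Internal interface (172.16.30.1), as in the thread
interface GigabitEthernet0/1
 description to ASA Internal
 no switchport
 ip address 172.16.30.2 255.255.255.252
!
! Default route to the ASA. This also covers 10.80.10.0/24, so B -> A traffic
! goes to the ASA, which delivers it out subs-1 (level 100 -> 50 is allowed).
ip route 0.0.0.0 0.0.0.0 172.16.30.1
!
! --- ASA side (the thread's routes; 10.80.10.0/24 needs none, it is connected) ---
! route External 0.0.0.0 0.0.0.0 1.1.1.1
! route Internal 10.50.10.0 255.255.255.0 172.16.30.2
! route Internal 10.60.10.0 255.255.255.0 172.16.30.2
!
! Ping to the gateway: with no "icmp" rules the ASA answers pings to its own
! interfaces by default. If any icmp rule is added there is an implicit deny at
! the end of that list, so then permit echo explicitly for every interface that
! must stay pingable, for example:
! icmp permit 10.80.10.0 255.255.255.0 echo subs-1
!
! --- Verification on the core (exec mode) ---
! Gi0/5 and Gi0/10 both listed under VLAN 8, no Vlan8 SVI, ASA MAC learned on Gi0/5
show vlan id 8
show interfaces GigabitEthernet0/5 switchport
show ip interface brief | include Vlan
show mac address-table vlan 8
! --- Verification on the ASA (exec mode) ---
show arp
show interface GigabitEthernet0/2
```

From a host on Gi0/10 with address 10.80.10.10/24 and gateway 10.80.10.1, `ping 10.80.10.1` exercises the L2 path (VLAN 8 across Gi0/10 and Gi0/5), and `ping 10.50.10.10` exercises the L3 path ASA subs-1 to Internal to core Vlan5 and back via the core's default route. If the ASA interface ACL from the earlier answer is applied, the same ping towards a 10.60.10.0/24 host should fail, and `show access-list` on the ASA should show the deny entry's hit count increasing.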
