ip connectivity through firewall segments

suthomas1
Level 6

Hi,

We have an ASA that attaches to 6500-Core. The rough network diagram is attached here.

IP Segments B & C have their SVIs on the core, whereas Segment A is on the ASA (Segment A is new and needs to be created).

The leg connecting the ASA to the Core is on security level 100 with the name Internal; the other leg of the ASA, connecting upwards to the routers, is on security level 0 with the name External.

If we need to add Segment A on ASA, can we assign it a security level of 50 ? The requirement is:

1. Segment A needs to talk to Segment B, but it shouldn't be talking to Segment C (this includes ping responses).

How can we achieve this? Appreciate all help.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The use of "security-level" alone as a means to control which traffic is allowed is not advisable unless your network is a very simple home/small office network. Judging by your information you have a setup that won't really work well with this kind of simple setting.

The problem with "security-level" is that it makes no distinction between the networks behind an interface. So if a source interface's "security-level" is higher than the destination interface's "security-level", then all networks behind the source interface can access any network behind the destination interface. This makes it impossible to control the traffic on a per-network basis.

I would suggest that you use an interface ACL to control the traffic on your interfaces. At least on this new one that you are creating.

You would have to create an ACL that first blocks traffic from Segment A to Segment C and then allows all other traffic from Segment A (which would mean Internet access and connections to Segment B would be allowed).

At its simplest the interface ACL would look like this:

access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
access-group SEGMENT-A-IN in interface

This would not block the ICMP Echo reply from Segment A to Segment C. You would either have to block ICMP Echo from Segment C to Segment A or you would perhaps need to disable ICMP Inspection if you have it enabled and then the above ACL would also block ICMP Echo Reply.

Hope this helps

- Jouni
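As an added illustration (not code from the thread or from Cisco), here is a small Python model of the decision order the answer relies on: an existing connection is matched first, then the inbound interface ACL, and only an interface without an ACL falls back to the security-level comparison. It uses the addressing from the later posts (10.80.10.0/24 for Segment A, 10.50.10.0/24 for B, 10.60.10.0/24 for C), an assumed interface name subs-1 for the new ASA port, and constructed host addresses for the test flows.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA's decision order (not ASA code): existing
# connection first, then the inbound interface ACL, else security levels.
ANY = ip_network("0.0.0.0/0")
SEG_A = ip_network("10.80.10.0/24")   # new ASA interface "subs-1", level 50
SEG_B = ip_network("10.50.10.0/24")   # SVI on the core, behind "Internal" (100)
SEG_C = ip_network("10.60.10.0/24")   # SVI on the core, behind "Internal" (100)
# SEGMENT-A-IN from the accepted answer, as (action, protocol, src, dst).
SEGMENT_A_IN = [("deny", "ip", ANY, SEG_C), ("permit", "ip", SEG_A, ANY)]
# Interface name -> (security level, inbound ACL or None); assumed layout.
IFACES = {"subs-1": (50, SEGMENT_A_IN), "Internal": (100, None),
          "External": (0, None)}

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False

class Asa:
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp   # models "inspect icmp" being enabled
        self.conns = set()                 # connection table: (proto, src, dst)

    def forward(self, in_iface, out_iface, proto, src, dst):
        """True if a packet arriving on in_iface is forwarded to out_iface."""
        if (proto, dst, src) in self.conns:          # reply to a known flow
            return True
        level, acl = IFACES[in_iface]
        if acl is not None:                          # ACL replaces level check
            allowed = acl_permits(acl, proto, src, dst)
        else:
            allowed = level > IFACES[out_iface][0]   # higher -> lower only
        # TCP/UDP always build state; ICMP only when it is inspected.
        if allowed and (proto != "icmp" or self.inspect_icmp):
            self.conns.add((proto, src, dst))
        return allowed

def segment_a_reaches(dst, out_iface):
    """New TCP flow from a constructed Segment A host toward dst."""
    return Asa(False).forward("subs-1", out_iface, "tcp", "10.80.10.5", dst)

def ping_reply_from_a_passes(inspect_icmp):
    """A Segment C host pings a Segment A host: does the echo reply get back?"""
    asa = Asa(inspect_icmp)
    req = asa.forward("Internal", "subs-1", "icmp", "10.60.10.5", "10.80.10.5")
    rep = asa.forward("subs-1", "Internal", "icmp", "10.80.10.5", "10.60.10.5")
    return req and rep
```

With ICMP inspection the echo reply is matched against the connection built by the request and never reaches SEGMENT-A-IN, which is why the answer says you must either block the echo from Segment C on the way in or disable ICMP inspection.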


Thanks Jouni.

On the same topic, if we create the new Segment A (10.10.10.1, Vlan 10) on one of the ASA interfaces and connect it physically to the core switch, will the users connecting on the core switch (assigned to this Vlan) be able to reach their gateway, which is the Segment A interface IP?

On ASA:

interface GigabitEthernet0/2
 nameif subs-1
 security-level 50
 ip address 10.10.10.1 255.255.255.0

On Core Switch:

interface GigabitEthernet0/5
 switchport
 switchport access vlan 30

(here gig0/5 from the core connects to interface gig0/2 on the ASA).

If we put a user on vlan 10 on the core switch access port, will this user be able to access the gateway?

Thanks in advance.

Hi,

I am not quite sure how your setup is.

Your switch port mentions Vlan 30 and you talk about Vlan 10. Traffic between these Vlans has to go through some L3 hop.

Also the network here is 10.10.10.1/24 and the picture has network 10.80.10.0/24?

A lot of this setup depends on your core configuration as well. I am not sure how it's done at the moment. Is the core acting only as L2 for the user Vlans, or is it perhaps acting as L3 gateway for some of the networks? Are you using VRFs to separate different Vlans into their own routing tables?

- Jouni

Thanks Jouni.

Apologies for the typo, I'll re-phrase this.

172.16.30.0/30 is used for routing purposes between the ASA and the Core towards the various segments.

The 10.50.10.0 (Vlan5) and 10.60.10.0 (Vlan6) networks have to have their gateway on the core, whereas 10.80.10.0 (Vlan10) should have its gateway on the ASA.

The configuration stub below is for having Vlan8 (10.80.10.0) configured on the ASA and linked to the Core.

Vlan 30 is used for switchport connecting the Core to the ASA for the new interface/vlan (10.80.10.0).

On ASA:

interface GigabitEthernet0/2
 nameif subs-1
 security-level 50
 ip address 10.80.10.1 255.255.255.0

On Core Switch:

interface GigabitEthernet0/5
 switchport
 switchport access vlan 30

(here gig0/5 from the core connects to interface gig0/2 on the ASA).

The basic requirement here is:

1. Configure a new interface Vlan8 on gig0/2 of the ASA to represent the 10.80.10.0 network.

2. Configure users on the Core to use this network, i.e. any user connected to this network on the ASA should be physically connected to any of the core switchports, but should have its gateway as 10.80.10.1 on the ASA.

3. 10.80.10.0 should communicate with 10.50.10.0 but not with 10.60.10.0.

4. Users using 10.80.10.1 as their gateway should be able to ping the gateway.

Appreciate all help & sorry for any confusion.

Hi,

Still a bit confused. Look below.

172.16.30.0/30 is used for routing purposes between the ASA and the Core towards the various segments.

The 10.50.10.0 (Vlan5) and 10.60.10.0 (Vlan6) networks have to have their gateway on the core, whereas 10.80.10.0 (Vlan10) should have its gateway on the ASA.

Above you refer to network 10.80.10.0/24 as Vlan10.

The configuration stub below is for having Vlan8 (10.80.10.0) configured on the ASA and linked to the Core.

Vlan 30 is used for the switchport connecting the Core to the ASA for the new interface/vlan (10.80.10.0).

Above you refer to network 10.80.10.0/24 as Vlan8.

interface GigabitEthernet0/5
 switchport
 switchport access vlan 30

Above, the access port belongs to Vlan 30. It will not provide the Vlan8 (or 10?) hosts on network 10.80.10.0/24 connectivity to the ASA port. The switchport connected to the ASA physical port should be in the same Vlan as the users if you want the Vlan10/8 hosts connected to the core to be able to use the new ASA port as their gateway.

I think on its default settings the new ASA interface should reply to ICMP Echos without separate configuration.

The earlier interface ACL should block traffic to network 10.60.10.0/24 but allow other traffic (traffic to other LANs and the WAN).

- Jouni

Sorry Jouni, typo error. I am re-writing this for clearer reading.

10.50.10.0 - Vlan5 (this gateway to be on the Core)
10.60.10.0 - Vlan6 (this gateway to be on the Core)
10.80.10.0 - Vlan8 (this gateway to be on the ASA)

Here is the routing on both devices (please ignore the syntax; it is only for understanding):

ASA:

route External 0.0.0.0 0.0.0.0 1.1.1.1 (towards the WAN link)
route Internal 10.50.10.0 255.255.255.0 172.16.30.2
route Internal 10.60.10.0 255.255.255.0 172.16.30.2

Core:

ip route 0.0.0.0 0.0.0.0 172.16.30.1

With this brief configuration, if we were to configure 10.80.10.1/24 on the ASA, will the requirement work?

And as you mentioned, if I understand correctly, the Core interface (gig0/5) connecting to the ASA (gig0/2) should be in access vlan 8 for the users to reach their gateway?

Please do input any other things that may be incorrect here.

Thanks in advance.
