ASA 5505 Vlan configuration issue

jgharrison
Level 1

Hi all

I have an ASA 5505 configured with 2 WAN interfaces and 2 VLANs. Up until now we have only used VLAN1, with no trouble at all. We have recently purchased a new company and have had to install their server in our offices, so the installation now has 2 servers, both Small Business Servers, one SBS2003 and one SBS2003. Initially, when we bring up the second SBS2003 server on VLAN2, all seems OK and everything is routing and working fine; then for some reason the next morning nothing will work. The problem is that the SBS2008 server finds that there is the other SBS2003 machine and stops its DHCP server, causing the network to fail. I therefore need to make sure there is no crosstalk between the 2 VLANs. Is this possible, and if so any assistance would be greatly appreciated!!

Thanks

John Harrison

6 Replies

Jennifer Halim
Cisco Employee

How are the 2 VLANs connected? Directly to the ASA or via a switch?

If it's connected via a switch, how is your switch configured? Do you have VLAN interfaces on your switch that possibly do inter-VLAN routing?

If it's connected to the ASA, can you share the config please?

Hi Jennifer, thanks for the quick response.

The 2 VLANs have separate switches connected to the ASA ports, so in effect they are directly connected, and the switches are dumb, not managed.

The running config is below:

: Saved
:
ASA Version 8.2(3) 
!
hostname BrightASA
domain-name brightstaraccounting.co.uk
enable password rb8qtrJ81Mlzd5pX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.50.1 SBS01 description SBS Server
name 81.143.54.51 Citrix-MIP
name 81.143.54.50 SBS-MIP
name 192.168.50.2 Citrix-Server
name 192.168.0.1 TAXSERVER description Easytax SBS Server
name 81.143.54.53 EASYTAX-MIP
!
interface Ethernet0/0
 switchport access vlan 101
!
interface Ethernet0/1
 switchport access vlan 102
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description Brightstar Internal LAN
 nameif BRIGHTSTAR
 security-level 100
 ip address 192.168.50.254 255.255.255.0 
!
interface Vlan2
 description A4B Legacy LAN
 nameif EasyTax
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
interface Vlan3
 description QFS LAN
 nameif QFS
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan101
 description Internet Traffic
 nameif WAN1
 security-level 0
 ip address 81.143.54.49 255.255.255.248 
!
interface Vlan102
 description Phones ADSL
 nameif WAN2
 security-level 0
 ip address 81.142.40.201 255.255.255.248 
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup WAN1
dns domain-lookup WAN2
dns server-group DefaultDNS
 name-server 65.39.139.63
 name-server 8.8.8.8
 domain-name brightstaraccounting.co.uk
object-group service MS-RWW tcp
 port-object eq 987
object-group service DM_INLINE_TCP_1 tcp
 group-object MS-RWW
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object icmp traceroute
object-group service Netsupport tcp
 description Netsupport Manager
 port-object eq 3085
object-group service DM_INLINE_TCP_0 tcp
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq pptp
 port-object eq smtp
 group-object Netsupport
access-list BRIGHTSTAR_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list BRIGHTSTAR_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list BRIGHTSTAR_access_in extended permit ip 192.168.50.0 255.255.255.0 any 
access-list WAN1_access_in extended permit tcp any host EASYTAX-MIP object-group DM_INLINE_TCP_0 
access-list WAN1_access_in extended permit tcp any host SBS-MIP object-group DM_INLINE_TCP_1 
access-list WAN1_access_in extended permit tcp any host Citrix-MIP object-group DM_INLINE_TCP_2 
access-list WAN1_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list QFS_access_in extended deny ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list QFS_access_in extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list QFS_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list EasyTax_access_in extended deny ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list EasyTax_access_in extended deny ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list EasyTax_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm notifications
mtu BRIGHTSTAR 1500
mtu EasyTax 1500
mtu QFS 1500
mtu WAN1 1500
mtu WAN2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (WAN1) 1 interface
global (WAN2) 1 interface
nat (BRIGHTSTAR) 1 192.168.50.0 255.255.255.0
nat (EasyTax) 1 192.168.0.0 255.255.255.0
nat (QFS) 1 192.168.1.0 255.255.255.0
static (BRIGHTSTAR,WAN1) SBS-MIP SBS01 netmask 255.255.255.255 
static (BRIGHTSTAR,WAN1) Citrix-MIP Citrix-Server netmask 255.255.255.255 
static (EasyTax,WAN1) EASYTAX-MIP TAXSERVER netmask 255.255.255.255 
access-group BRIGHTSTAR_access_in in interface BRIGHTSTAR
access-group EasyTax_access_in in interface EasyTax
access-group QFS_access_in in interface QFS
access-group WAN1_access_in in interface WAN1
route WAN1 0.0.0.0 0.0.0.0 81.143.54.54 2
route WAN2 85.119.0.0 255.255.0.0 81.142.40.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.50.0 255.255.255.0 BRIGHTSTAR
http 0.0.0.0 0.0.0.0 WAN1
snmp-server host BRIGHTSTAR SBS01 community ***** version 2c
snmp-server location Comms Cabinet
snmp-server contact Duncan Strike
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.100 QFS
dhcpd dns 208.67.222.222 208.67.220.220 interface QFS
dhcpd lease 604800 interface QFS
dhcpd enable QFS
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username bluechip password CbyOYdFUr8kIBYY/ encrypted privilege 15
!
!
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3cc4a2a31281430bec5ceece1835971c
: end
asdm image disk0:/asdm-633.bin
asdm location TAXSERVER 255.255.255.255 BRIGHTSTAR
asdm location EASYTAX-MIP 255.255.255.255 BRIGHTSTAR
no asdm history enable


I have at present got the second VLAN unplugged so at least the main server and business can continue working as normal.

Thanks Again

John

Based on the configuration, VLAN 1 (BRIGHTSTAR) and VLAN 2 (EasyTax) will not be able to communicate with each other because you have configured access-lists to prevent communication between the 2 subnets (192.168.50.0/24 and 192.168.0.0/24).

At this stage, I don't believe the ASA is causing the issue nor allowing communication between the 2 subnets.
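To make the point above checkable rather than read off by eye, here is an added example (not from the thread or from Cisco) that parses the relevant lines of the posted running config and walks each inbound ACL the way the ASA does (first match wins, implicit deny at the end) for every ordered pair of internal interfaces. The CONFIG string is an excerpt of the config posted above; the "leak"/"isolated"/"no-acl" verdict names are this script's own. It only understands `extended permit|deny ip` entries with `any`, `host`, or `addr mask` operands, which is all the isolation rules in this config use.

```python
"""Check that an ASA 8.2-style config isolates its internal VLAN subnets from each other."""
import ipaddress
from dataclasses import dataclass

# Excerpt of the running config posted in this thread: only the lines this check reads.
CONFIG = """\
interface Vlan1
 nameif BRIGHTSTAR
 security-level 100
 ip address 192.168.50.254 255.255.255.0
!
interface Vlan2
 nameif EasyTax
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan3
 nameif QFS
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan101
 nameif WAN1
 security-level 0
 ip address 81.143.54.49 255.255.255.248
!
access-list BRIGHTSTAR_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BRIGHTSTAR_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list BRIGHTSTAR_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list QFS_access_in extended deny ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list QFS_access_in extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list QFS_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list EasyTax_access_in extended deny ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list EasyTax_access_in extended deny ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list EasyTax_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group BRIGHTSTAR_access_in in interface BRIGHTSTAR
access-group EasyTax_access_in in interface EasyTax
access-group QFS_access_in in interface QFS
"""


@dataclass
class Iface:
    nameif: str
    level: int
    subnet: ipaddress.IPv4Network


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # 0.0.0.0/0 stands for "any"
    dst: ipaddress.IPv4Network


def _net(tokens, i):
    """Parse an ACE operand at tokens[i]; return (network, number of tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), 2


def parse_config(text):
    """Return (interfaces by nameif, ACEs by ACL name, ACL name by inbound interface)."""
    ifaces, acls, groups, cur = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}
        elif cur is not None and t[0] == "nameif":
            cur["nameif"] = t[1]
        elif cur is not None and t[0] == "security-level":
            cur["level"] = int(t[1])
        elif cur is not None and t[:2] == ["ip", "address"]:
            net = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
            ifaces[cur["nameif"]] = Iface(cur["nameif"], cur["level"], net)
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended" and t[4] == "ip":
            src, used = _net(t, 5)
            dst, _ = _net(t, 5 + used)
            acls.setdefault(t[1], []).append(Ace(t[3], src, dst))
        elif t[0] == "access-group" and t[2] == "in":
            groups[t[4]] = t[1]
    return ifaces, acls, groups


def isolation_report(text):
    """For each ordered pair of internal interfaces, say whether a->b traffic is
    'isolated' (denied before any permit), 'leak' (some permit matches first),
    or 'no-acl' (no inbound ACL bound, so the ASA's default policy decides)."""
    ifaces, acls, groups = parse_config(text)
    internal = [i for i in ifaces.values() if i.level > 0]
    report = {}
    for a in internal:
        for b in internal:
            if a is b:
                continue
            acl = acls.get(groups.get(a.nameif))
            if acl is None:
                report[(a.nameif, b.nameif)] = "no-acl"
                continue
            verdict = "isolated"  # implicit deny at the end of an applied ACL
            for ace in acl:
                if not (ace.src.overlaps(a.subnet) and ace.dst.overlaps(b.subnet)):
                    continue
                if ace.action == "permit":
                    verdict = "leak"  # at least part of a->b would pass
                    break
                if a.subnet.subnet_of(ace.src) and b.subnet.subnet_of(ace.dst):
                    break  # deny covers the whole pair; later permits never match
            report[(a.nameif, b.nameif)] = verdict
    return report


if __name__ == "__main__":
    for pair, verdict in isolation_report(CONFIG).items():
        print(f"{pair[0]:>10} -> {pair[1]:<10} {verdict}")
```

Run against the excerpt, all six internal pairs come back "isolated", which matches the reading above that the ASA itself is not passing unicast traffic between 192.168.50.0/24 and 192.168.0.0/24. Deleting one of the deny lines makes the trailing `permit ... any` match first and the verdict for that pair flips to "leak", so the same script can be run again after any ACL change.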

I could not find any configuration issue myself on the ASA 5505; however, I am not that experienced with it. The strange thing is that if I plug the second switch into the ASA, the second SBS box does not see the SBS2008 box and all seems fine through till close of business; then the next morning it is the SBS2008 box that sees the 2003 box, not the other way round. The only physical link between them is the ASA box, hence my feeling that it is allowing some traffic between them, or at least it is publishing the fact that there is a DHCP server on VLAN1. I am completely stumped by this one.

Is there any way that, because we are using the 2 WAN ports as failover, the DHCP traffic is moving between them and coming back in?

A long shot I know, but just trying to come up with some ideas on this!

Regards

John

How do you identify that the SBS2008 box sees the 2003 box?

You might want to run a packet capture on both boxes to see what has happened overnight that might trigger the SBS2008 box to see the 2003 box.

As a DHCP request is a broadcast and they are in 2 different VLANs, I don't see how it will see that, and as I said earlier, the ASA rules would have prevented access between the 2 subnets as you already have "deny" statements, and broadcast traffic is contained within its own broadcast domain.

How many NICs do the SBS2008 and 2003 boxes have? A single NIC, or dual or multiple NICs?

The reason I can tell is that once the DHCP Server fails on the SBS2008 box, I check the logs and it reads that another DHCP Server exists on 192.168.0.1. If I then try and run the Internet Connection Wizard on the SBS2008 box, it also tells me that there is another DHCP server present on 192.168.0.1, and then all I can do is unplug the second VLAN, restart the firewall, switches and server, and then everything comes back to normal.

Something is publishing the DHCP server, and also to note it only seems to go one way, in that the SBS2003 box never seems to get affected and can never see the SBS2008 box.

Thanks for your help
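Jennifer's suggestion of a packet capture on both servers is the right next step, and the SBS2008 log message gives the thing to look for: a DHCP OFFER or ACK whose server identifier is not the server that is supposed to serve that VLAN. The following is an added example, not code from the thread or from Microsoft/Cisco, that parses raw DHCP payloads (UDP 67/68 data, as a capture tool would hand them over) and reports any DHCP server address that is not on the approved list for the VLAN. The packets it checks are constructed inline for the purpose; the approved-server list and the `build_dhcp_reply` helper are this example's own.

```python
"""Flag DHCP OFFER/ACK packets whose server identifier is not an approved server for this VLAN."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options field
OFFER, ACK = 2, 5                   # DHCP message types (option 53) that announce a server


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp_reply(server_ip, yiaddr="0.0.0.0", msg_type=OFFER, op=2):
    """Construct a minimal BOOTP/DHCP payload for testing; this is not captured traffic."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x12345678, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
        _ip_bytes("0.0.0.0"), _ip_bytes(yiaddr),     # ciaddr, yiaddr
        _ip_bytes(server_ip), _ip_bytes("0.0.0.0"),  # siaddr, giaddr
        b"\x00" * 16, b"", b"")                      # chaddr, sname, file (zero padded)
    options = bytes([53, 1, msg_type]) + bytes([54, 4]) + _ip_bytes(server_ip) + b"\xff"
    return header + DHCP_MAGIC + options


def parse_dhcp(payload):
    """Return op, siaddr, message type and server identifier, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],
        "siaddr": _dotted(payload[20:24]),
        "msg_type": opts[53][0] if 53 in opts else None,
        "server_id": _dotted(opts[54]) if 54 in opts else None,
    }


def find_rogue_servers(payloads, approved):
    """Return the sorted set of server addresses seen in OFFER/ACK replies that are not approved."""
    rogue = set()
    for p in payloads:
        d = parse_dhcp(p)
        if d is None or d["op"] != 2 or d["msg_type"] not in (OFFER, ACK):
            continue               # ignore client DISCOVER/REQUEST and non-DHCP data
        server = d["server_id"] or d["siaddr"]
        if server not in approved:
            rogue.add(server)
    return sorted(rogue)


# Constructed sample "capture" from the BRIGHTSTAR VLAN: the expected SBS01 offer,
# a client DISCOVER, and an offer carrying the EasyTax server's address.
APPROVED_VLAN1 = {"192.168.50.1"}
SAMPLE_PAYLOADS = [
    build_dhcp_reply("192.168.50.1", yiaddr="192.168.50.30"),
    build_dhcp_reply("0.0.0.0", msg_type=1, op=1),
    build_dhcp_reply("192.168.0.1", yiaddr="192.168.0.30"),
]

if __name__ == "__main__":
    print("unexpected DHCP servers:", find_rogue_servers(SAMPLE_PAYLOADS, APPROVED_VLAN1))
```

On the sample data the only address reported is 192.168.0.1, which is exactly what the SBS2008 event log above complains about; run over a real overnight capture from the SBS2008 box, a non-empty result tells you which address is answering on that segment, and an empty one says the complaint is coming from something other than a DHCP reply on the wire.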
