Intervlan in ASA 5510

Zargham Haider
Level 1

I have two ASA 5510s. All my traffic is passing through one, which is the Primary. Three LANs are configured behind it: 81.x (Inside), 83.x (winside) and 88.x (DMZ). I have one Outside directly connected to the ISP. Now I have deployed another ASA 5510, got another ISP and connected it to the new ASA 5510. Here on the 2nd ASA 5510 I configured Intervlan and assigned e0/1.1 to 81.x, e0/1.2 to 83.x and e0/3 to 88.x. I use ASDM to configure the ASA 5510 and I use NAT exemption for inter-traffic communication within all networks. Now my inside traffic can ping winside and DMZ and vice versa...... The problem is that all my printers are installed in network 81.x, which is inside, and my winside 83.x users can ping the printer IP but cannot send print jobs. Even when I ping from winside 83.x to any server in the inside 81.x network it pings well, but from winside 83.x I can't access shared resources and can't send print. I created some rules to allow all necessary ports for printing and file sharing but still have the same issue. Please help me in this regard.

Thanks and Regards

Zargham


7 Replies

Jouni Forss
VIP Alumni

Hi,

The whole setup sounds a bit strange.

Are you saying that you have both of the ASAs connected to the same switched network with Trunks that contain the same Vlan IDs on both ASAs?

From your description it also seems that these ASAs are NOT configured as a Failover pair?

Is the second ASA being used for anything at the moment? I would presume that if both of the ASAs are connected to the same LAN networks, the first ASA is acting as the gateway for all those Vlan IDs for the users? If this is true, then is any traffic really forwarded to the second ASA? I am just trying to get a picture of the actual setup.

If some Vlans are using the first ASA as the gateway and some networks are using the second ASA as the gateway, then I would presume that your problem is with asymmetric routing. In that situation traffic would be flowing from one host to its gateway ASA and from there to the target host. From that host the reply would go to its gateway ASA, which would drop the traffic IF the initial connection from the source host didn't use this same firewall.

I think we really need some additional information about the actual setup. But it sounds like you have both ASAs connected to the same LAN directly and traffic might be forwarded incorrectly, which results in the ASA blocking connection attempts.

I am also not sure what the actual purpose of the second ASA is? Is it there just for the second ISP link?

- Jouni

Thanks Jouni for the reply... let me make it clear.....

The Primary ASA 5510 has no Intervlan....... I simply use its ports, and when I got the new ISP link then, due to less port availability in the Primary ASA 5510, I used a new ASA 5510 and configured Intervlan in it.... Yes, both ASAs share a common switched LAN, but the default gateway for 81.x, 83.x and 88.x is the respective LAN interface on the Primary ASA 5510. But since I deployed the new ASA 5510 in the same LAN, I configured inside 81.x, winside 83.x and DMZ 88.x on it and moved the winside 83.x LAN traffic onto the new ASA 5510 by just changing the gateway through the DHCP scope. Since it was the same LAN, there was no need for any further routing on the LAN side.

In future I will shut down the primary ASA and would make it failover. But at this stage I can't take any risk as it is a live network. I want to shift all traffic onto the new ASA 5510 step-by-step.

Now in the new ASA 5510 I put these commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

and through ASDM I configured NAT exemption from inside to winside and DMZ, from winside to inside and DMZ, and from DMZ to inside and winside.

Now ping is fine but I can't send print and can't share network folders.......

I think I have to delete the NAT exemption and manually configure STATIC NAT in the new ASA 5510.

I need help with it....... I have been at it for 24 hours and can't think any more.

 

Hi,

So if I understood correctly, both ASAs are connected to the same network. One with actual physical ports, while the other one has a trunk interface that has links for all 3 mentioned networks.

It still seems to me that your problem is simply asymmetric routing, which will cause at least TCP connections to fail as the WHOLE connection doesn't pass through the same ASA.

As I said before, the setup is not really ideal and the flow of traffic is the problem.

So let's say you have those "inside" and "winside" interfaces, and for the "inside" network the gateway ASA is ASA1 and for the "winside" network the gateway ASA is ASA2. Then a TCP connection from "winside" to "inside" would flow in the following way:

  • A host in the "winside" network attempts to form a TCP connection to a server on the "inside" network by sending a TCP SYN to the target host.
  • The TCP SYN arrives at ASA2, which is the default gateway ASA for the users in network "winside".
  • ASA2 allows the connection through and passes it to the target host through the "inside" interface that it has.
  • The TCP SYN message arrives at the target host in the "inside" network, and the host replies with a TCP SYN ACK and sends it to its default gateway ASA1. (This ASA has seen nothing related to this connection attempt until it sees this TCP SYN ACK reply from the host replying to the connection attempt.)
  • Since there is no existing connection between these hosts, ASA1 expects to see a TCP SYN message, which is used to start the TCP connection negotiation. Since it is now seeing the TCP SYN ACK reply (it has not seen the TCP SYN, as it went through the other ASA2), it will drop those packets as it has no knowledge of the initial TCP SYN that was sent through the other ASA.
  • The connection times out on the host in the "winside" network, as it doesn't receive the TCP SYN ACK reply that ASA1 keeps dropping because of asymmetric routing.

So as you can see, the current network topology is causing problems since the TCP connections are flowing (or are trying to) through 2 different ASA firewalls.

The way to avoid this behaviour is to configure TCP State Bypass on the ASA firewalls, but this is not really suggested, as the core problem is the network setup.

As I don't know the whole environment and network setup, I can't really say what the best solution would be. Perhaps you could consider using totally new network ranges/Vlan IDs on ASA2 while leaving the existing networks behind ASA1. You could then configure a link network between ASA1 and ASA2 to pass traffic between the old and new networks so that the users have access to all the resources they need. As users are migrated behind the new firewall they would start using its ISP link, while the users in the original networks would keep using their ISP link.

Hope this helps :)

- Jouni
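The handshake Jouni walks through above, modelled as an added example (not code from this thread or from Cisco): two toy stateful firewalls with constructed 83.x/81.x host addresses, showing ASA1 dropping the SYN-ACK it never saw a SYN for, the handshake completing once both hosts use the same gateway, and what TCP State Bypass changes. ICMP is not modelled, which is also why ping worked in the original setup while TCP did not.

```python
# Added example (not from the thread): a toy model of two stateful
# firewalls to show why the TCP handshake fails under asymmetric routing.
# Host addresses, firewall names and the gateway mapping are constructed.
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Minimal ASA-like inspector: a non-SYN TCP packet needs a known flow."""
    name: str
    tcp_state_bypass: bool = False
    flows: set = field(default_factory=set)

    def inspect(self, src, dst, flags):
        key = frozenset({src, dst})          # same flow in either direction
        if self.tcp_state_bypass:
            return "ALLOW"                   # bypass: no connection check
        if flags == "SYN":
            self.flows.add(key)              # new connection, record it
            return "ALLOW"
        return "ALLOW" if key in self.flows else "DROP"


def handshake(gateways, firewalls):
    """Run SYN / SYN-ACK / ACK; each host sends via its own gateway ASA.
    gateways maps host -> firewall name. Returns (firewall, flags, verdict)
    per packet and stops at the first drop, since the peer never sees it."""
    winside, inside = "83.0.0.10", "81.0.0.20"   # constructed addresses
    steps = [(winside, inside, "SYN"), (inside, winside, "SYN-ACK"),
             (winside, inside, "ACK")]
    verdicts = []
    for src, dst, flags in steps:
        fw = firewalls[gateways[src]]
        verdict = fw.inspect(src, dst, flags)
        verdicts.append((fw.name, flags, verdict))
        if verdict == "DROP":
            break
    return verdicts


def simulate(inside_gateway="ASA1", bypass=False):
    """winside hosts always use ASA2; inside hosts use inside_gateway."""
    firewalls = {n: StatefulFirewall(n, bypass) for n in ("ASA1", "ASA2")}
    gateways = {"83.0.0.10": "ASA2", "81.0.0.20": inside_gateway}
    return handshake(gateways, firewalls)


if __name__ == "__main__":
    print(simulate())              # asymmetric: ASA1 drops the SYN-ACK
    print(simulate("ASA2"))        # both hosts use ASA2: handshake completes
    print(simulate(bypass=True))   # TCP State Bypass: ASA1 stops checking
```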

Thanks for the reply...

You are right about the complexity of the network.... That is why I am trying to eliminate one ASA, and after making this network smooth I will change the status of one ASA to failover. But I will keep Intervlan. So you said I have to configure "a link network between" both ASAs.

Can you explain a little bit more... I would be really thankful to you.

regards

Hi,

So from what I understood, you have at least 3 Vlans in your current network and both ASAs are connected to those 3 Vlans.

What I suggested is that if you are migrating users behind the new ASA, they would be moved to a completely new Vlan/subnet that would only be taken to the new ASA.

You would then choose a second new Vlan ID, which you would configure between the old and new ASA, and choose a link network for that. On the old ASA you would configure a static route telling it that the new user Vlan/subnet can be found through the new link you have just configured between the ASAs. In the same way, on the new ASA you would tell it that all the old/original subnets can be found through the existing link between the ASAs.

I would imagine that migrating the users behind the new firewall and changing their subnet/IP address should be no problem, as they could still access any servers in the old network through the link between the 2 ASAs. If you still wanted to use a separate DHCP server (that is located in the old subnets) for the hosts in the new Vlan, then this could be achieved by configuring DHCP Relay on the new ASA's LAN interface. This is essentially the same as the "ip helper-address" configuration on Cisco IOS devices. It would relay the DHCP messages from the hosts as unicast through the link between the ASAs all the way to the DHCP server in the old subnets.

When you eventually would have only servers left on the old/original Vlan IDs, you could either leave them behind the old/original ASA and its ISP link, or you could migrate those Vlans to the new ASA and at the same time remove the link between the ASAs (as the subnets would now be local to the new ASA).

Naturally this raises some new questions, like what you will do with the old/original ISP? Will you move it to the new ASA also, and how will you handle using both ISPs on a single ASA? All outbound connections would probably use the ISP holding the default route, while the other ISP could probably only be used for incoming connections (unless we resorted to some unusual NAT configurations to manipulate the traffic flow).

- Jouni

Thanks Jouni.....

You were right... due to the complex scenario, something went wrong and I figured it out... It was a routing issue, as you told me before...... I only changed the gateway for the inside LAN traffic... Now everything is working...

Thanks again for your cooperation.

regards

Zargham

Hi,

Glad to hear it's working now. :)

If you feel that some reply answered your question/solved your problem, please do remember to mark that reply as the correct answer.

- Jouni
