Solved: Re: Managing switches behind the firewall?

m.samouka · ‎09-16-2008

Hi All,

I have an ASA 5520, it's outside interface is connected to the internet, and it's inside interface is configured to sub-interfaces, each sub-interface has a different security level.

the ASA is connected to a switch which has a management ip in vlan 2.

my case is that i need to enable network to manage the switches behind that firewall.

Are there any ideas???

maltuna · ‎09-16-2008

Example for public internet:

You have a switch with management ip of 172.16.1.2, and a host on the internet at 10.2.1.1 that is going to "manage" your switch.

The PIX/ASA will be NATing the switch so that the public host can reach it (NATing to 10.1.1.2), and it will only allow that host to reach it.

Here's the example config...

interface Ethernet0/0.2

vlan 2

description Inside Data Network

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/0.3

vlan 3

description Management Network

nameif management

security-level 20

ip address 172.16.1.1 255.255.0.0

interface Ethernet0/1

description Outside (Public) Network

nameif outside

security-level 0

ip address 10.1.1.1 255.0.0.0

(general snmp)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 161

(snmp traps)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 162

(ssh)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 22

access-group inbound in interface outside

static (management,outside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255

(or if you are more paranoid about security, only forward the ports you are going to use)

static (management,outside) udp 10.1.1.2 161 172.16.1.2 161 netmask 255.255.255.255

static (management,outside) udp 10.1.1.2 162 172.16.1.2 162 netmask 255.255.255.255

static (management,outside) udp 10.1.1.2 22 172.16.1.2 22 netmask 255.255.255.255

----------------------------------------------------

Example for management from your inside network:

You have a switch with management ip of 172.16.1.2, and a host on the inside network at 192.168.90.2 that is going to "manage" your switch.

The PIX/ASA will be not be doing any NATing between the two networks in this case.

Here's the example config...

interface Ethernet0/0.2

vlan 2

description Inside Data Network

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/0.3

vlan 3

description Management Network

nameif management

security-level 20

ip address 172.16.1.1 255.255.0.0

interface Ethernet0/1

description Outside (Public) Network

nameif outside

security-level 0

ip address 10.1.1.1 255.0.0.0

access-list nonat extended permit ip 192.168.90.0 255.255.255.0 172.16.0.0 255.255.0.0

(to allow your switch to send syslog output to your management host)

access-list management extended permit udp any host 192.168.1.2 eq 514

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.90.0 255.255.255.0

static (inside,management) 192.168.90.0 192.168.90.0 netmask 255.255.255.0

View solution in original post

maltuna · ‎09-16-2008

Example for public internet:

You have a switch with management ip of 172.16.1.2, and a host on the internet at 10.2.1.1 that is going to "manage" your switch.

The PIX/ASA will be NATing the switch so that the public host can reach it (NATing to 10.1.1.2), and it will only allow that host to reach it.

Here's the example config...

interface Ethernet0/0.2

vlan 2

description Inside Data Network

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/0.3

vlan 3

description Management Network

nameif management

security-level 20

ip address 172.16.1.1 255.255.0.0

interface Ethernet0/1

description Outside (Public) Network

nameif outside

security-level 0

ip address 10.1.1.1 255.0.0.0

(general snmp)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 161

(snmp traps)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 162

(ssh)

access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 22

access-group inbound in interface outside

static (management,outside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255

(or if you are more paranoid about security, only forward the ports you are going to use)

static (management,outside) udp 10.1.1.2 161 172.16.1.2 161 netmask 255.255.255.255

static (management,outside) udp 10.1.1.2 162 172.16.1.2 162 netmask 255.255.255.255

static (management,outside) udp 10.1.1.2 22 172.16.1.2 22 netmask 255.255.255.255

----------------------------------------------------

Example for management from your inside network:

You have a switch with management ip of 172.16.1.2, and a host on the inside network at 192.168.90.2 that is going to "manage" your switch.

The PIX/ASA will be not be doing any NATing between the two networks in this case.

Here's the example config...

interface Ethernet0/0.2

vlan 2

description Inside Data Network

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/0.3

vlan 3

description Management Network

nameif management

security-level 20

ip address 172.16.1.1 255.255.0.0

interface Ethernet0/1

description Outside (Public) Network

nameif outside

security-level 0

ip address 10.1.1.1 255.0.0.0

access-list nonat extended permit ip 192.168.90.0 255.255.255.0 172.16.0.0 255.255.0.0

(to allow your switch to send syslog output to your management host)

access-list management extended permit udp any host 192.168.1.2 eq 514

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.90.0 255.255.255.0

static (inside,management) 192.168.90.0 192.168.90.0 netmask 255.255.255.0