10-22-2014 12:37 PM - edited 03-11-2019 09:58 PM
Hi
I'm splitting up the network at a small school, separating the teachers from the pupils. Until now, both teachers and pupils have been domain users on the same AD server. We want to keep it that way. I have created a new VLAN for the teachers. The AD servers are in the pupils VLAN.
I have set the ASA as DHCP server in the teachers VLAN, but I still want to use the AD DNS server and AD login. The new DHCP settings for the teachers VLAN look like this:
dhcpd address 172.16.1.100-172.16.1.200 Teacher
dhcpd dns 10.10.1.30 10.10.1.31 interface Teacher
dhcpd domain [mydomain] interface Teacher
dhcpd auto_config Pupil interface Teacher
dhcpd enable Teacher
The Teacher VLAN has a higher security level than Pupils. I can ping 10.10.1.30 and 10.10.1.31 in VLAN Pupil from VLAN Teacher, so I guess NAT and ACLs should be fine?
Anyway, DNS lookup does not work.
I don't know if this is an ASA or a Windows server problem. We have added 172.16.1.0/24 as a new subnet in AD "Sites and services", but still no success.
Any suggestions ?
regards
Kjetil
10-24-2014 03:25 AM
Could you run a packet tracer
packet-tracer input Teacher udp 172.16.1.x 12345 10.10.1.30 53 detail
if that is successful / allowed, please do a packet capture on the ASA between the two IPs
access-list cap extended permit ip host 172.16.1.x host 10.10.1.30
access-list cap extended permit ip host 172.16.1.x host 10.10.1.31
access-list cap extended permit ip host 10.10.1.30 host 172.16.1.x
access-list cap extended permit ip host 10.10.1.31 host 172.16.1.x
capture capTeach interface Teacher access-list cap
capture capPup interface Pupils access-list cap
show capture capTeach
show capture capPup
Remember to send some DNS traffic before you run the show commands.
Ideally you should see traffic entering and leaving both interfaces. If you see traffic entering the Teacher interface and leaving the Pupils interface, but you do not see the return traffic entering the Pupils interface, then I would suggest taking a closer look at the DNS servers and/or the network between the ASA and the DNS servers.
If you see return traffic entering the Pupils interface but never leaving the Teachers interface then there is something going on with the rule base on the ASA.
Would help to see the running configuration of the ASA for further troubleshooting. Remember to remove any public IP addresses and passwords.
--
Please remember to select a correct answer and rate helpful posts
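As an added example that is not part of the original thread: the two rules above (query in on Teacher and out on Pupils but no reply in on Pupils, versus reply in on Pupils but never out on Teacher) can be applied mechanically to the pasted output of the two show capture commands. The script below is my own; it assumes ASA packet lines have the shape "N: HH:MM:SS.usec [802.1Q vlan#N P0] SRC.SPORT > DST.DPORT: proto len", and the capture text, client addresses and timestamps in it are constructed samples, not real output from the poster's firewall. The subnet 172.16.1.0/24 and the DNS servers 10.10.1.30/10.10.1.31 are taken from the thread. It also classifies two cases the post does not spell out: the query never appears on the Teacher interface, or it appears there but never leaves Pupils (a drop inside the ASA on the way in).

```python
"""Classify where a DNS query between the Teacher and Pupils interfaces gets lost.

Added example, not code from the original thread. The capture strings below are
constructed to look like ASA "show capture <name>" output (assumption about the
line shape); paste the real output into them when troubleshooting.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One packet line, e.g.
#   1: 09:12:01.104233 802.1Q vlan#5 P0 172.16.1.101.53211 > 10.10.1.30.53:  udp 40
# Header/footer lines ("2 packets captured", "2 packets shown") do not match.
PKT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)\s+>\s+(\d{1,3}(?:\.\d{1,3}){3})\.(\d+):\s+(\w+)"
)

# Constructed sample captures (assumption: no NAT between the two interfaces,
# so the same addresses appear on both sides of the ASA).
CAP_TEACH_BOTH = """2 packets captured
   1: 09:12:01.104233 802.1Q vlan#5 P0 172.16.1.101.53211 > 10.10.1.30.53:  udp 40
   2: 09:12:01.106912 802.1Q vlan#5 P0 10.10.1.30.53 > 172.16.1.101.53211:  udp 118
2 packets shown
"""
CAP_TEACH_QUERY_ONLY = """1 packet captured
   1: 09:12:01.104233 802.1Q vlan#5 P0 172.16.1.101.53211 > 10.10.1.30.53:  udp 40
1 packet shown
"""
CAP_PUP_BOTH = """2 packets captured
   1: 09:12:01.104301 172.16.1.101.53211 > 10.10.1.30.53:  udp 40
   2: 09:12:01.106880 10.10.1.30.53 > 172.16.1.101.53211:  udp 118
2 packets shown
"""
CAP_PUP_QUERY_ONLY = """1 packet captured
   1: 09:12:01.104301 172.16.1.101.53211 > 10.10.1.30.53:  udp 40
1 packet shown
"""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_capture(text: str) -> list[Packet]:
    """Return the packets listed in one 'show capture' output, skipping non-packet lines."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            pkts.append(Packet(src, int(sport), dst, int(dport), proto.lower()))
    return pkts


def dns_legs(pkts, client_net, dns_servers):
    """(query_seen, reply_seen) for UDP/53 between the client subnet and the DNS servers.

    An ASA interface capture records both directions on that interface, so the
    same capture tells us whether the query arrived/left and whether the reply did.
    """
    query = any(p.proto == "udp" and p.dport == 53 and p.dst in dns_servers
                and ip_address(p.src) in client_net for p in pkts)
    reply = any(p.proto == "udp" and p.sport == 53 and p.src in dns_servers
                and ip_address(p.dst) in client_net for p in pkts)
    return query, reply


def diagnose(cap_teach: str, cap_pup: str,
             client_net: str = "172.16.1.0/24",
             dns_servers=("10.10.1.30", "10.10.1.31")) -> str:
    """Apply the decision rules from the post to the two captures."""
    net = ip_network(client_net)
    servers = set(dns_servers)
    query_in_teach, reply_out_teach = dns_legs(parse_capture(cap_teach), net, servers)
    query_out_pup, reply_in_pup = dns_legs(parse_capture(cap_pup), net, servers)
    if not query_in_teach:
        return "no-query-at-asa"            # client never sent it, or it never reached the ASA
    if not query_out_pup:
        return "asa-dropped-query"          # in on Teacher, never out on Pupils: ASA rules/NAT/route
    if not reply_in_pup:
        return "dns-server-or-network-beyond-asa"  # rule 1 from the post
    if not reply_out_teach:
        return "asa-dropped-reply"          # rule 2 from the post: ASA rule base
    return "path-ok"


if __name__ == "__main__":
    print(diagnose(CAP_TEACH_QUERY_ONLY, CAP_PUP_QUERY_ONLY))
```

Paste the output of show capture capTeach and show capture capPup into the two strings (or read them from files) and run the script; the returned label tells you which of the post's two diagnoses applies before you start reading the rule base.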
10-22-2014 03:59 PM
Do you have a drawing of the topology? Do you not have an L3 switch in place for segmentation? I would highly recommend leaving that to an L3 switch and the firewall for securing the edge.
As it is now, it looks like you are leveraging the ASA for DHCP and also using the ASA to do your inter-vlan routing eh?
Is there a reason why you have different security levels on the Pupil and Teacher interfaces? I would keep this as simple as possible is why I ask, this can get extremely convoluted quickly otherwise and hard to troubleshoot.
So at the least you should have say a L2 switch with ports configured on their respective access vlans.
Does your end client receive an IP from the ASA? If so, can it ping its default gateway (ASA interface)?
10-23-2014 01:33 AM
I have attached a drawing of the topology. I have no L3 switch.
I'm leveraging the ASA for DHCP in the new teachers network. The pupils' DHCP server is the AD server. The ASA does the inter-VLAN routing, yes.
The only reason why I have different security levels is because I thought that was an easy way to create ACLs. Traffic is allowed from higher security levels to lower (teacher to pupils), but not vice versa. I have created a rule that allows IP from the AD servers to the teacher VLAN though. If that's not the simplest way, I'll be happy to change it.
L2 switches are in place in separate VLAN's, see drawing.
Clients in the Teacher VLAN receive an IP from the ASA. They can ping the GW, which is the ASA interface at 172.16.1.1. They can also go on the Internet, as long as they use another DNS than 10.10.1.30 or 10.10.1.31.
10-23-2014 10:13 PM
Well, I can see now why you are leveraging the ASA in the manner you are. You only have two unmanaged switches.
If you have an L3 switch we could clean this up rather simply. Just in case you have one, I would recommend something like this:
hostname Core-SW1
!
! Inter-VLAN routing is off by default on most Catalyst switches; the SVIs
! below will not forward between each other without this.
ip routing
!
! L3 SVIs: one per VLAN, each one is the default gateway for that VLAN
int vlan 4
 description Pupils
 ip address 10.0.0.254 255.255.255.0
int vlan 5
 description Teachers
 ip address 172.16.1.254 255.255.255.0
int vlan 10
 description Management
 ip address 10.0.1.254 255.255.255.0
*** Of course create your L2 VLANs as well to match the above L3 SVIs:
vlan 4
 name Pupils
vlan 5
 name Teachers
vlan 10
 name Management
exit
***
! Access ports: the ASA sits in the management VLAN, clients in their own VLANs
interface G0/1
 description To ASA Eth0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface G0/2
 description To Pupil PC1
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
interface G0/3
 description To Pupil PC2
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
interface G0/4
 description To Teacher PC1
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
interface G0/5
 description To Teacher PC2
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
!
! Default route: anything not in a connected VLAN goes to the ASA inside interface IP
ip route 0.0.0.0 0.0.0.0 10.0.1.253
So as you see above, we let the L3 switch handle our inter-VLAN routing and forward traffic to the ASA for inspection etc. This is a typical configuration and way easier to troubleshoot and grow the network as time goes on. If you need the switch to handle DHCP we can do that as well:
ip dhcp pool Pupils
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
domain-name abc.com
dns-server 4.2.2.2 8.8.8.8
Now any pupil patched into an access port on vlan 4 will receive an IP from our pool above. Also, any reason why you have selected an entire /16 for the Teachers segment?
Again, this is just an example; if you don't have the luxury of this option, let's look more at what you have now. You can use AD for DHCP for the Teachers if you like, and if you want to do that you need to remove the dhcpd statements from the ASA.
As it is now, can you ping the AD servers and machines on that from the Teachers/Pupils vlans and vice versa? We need to verify basic routing between these segments first.
10-25-2014 03:05 PM
Thanks Marius. The packet tracer showed that I missed one outgoing rule on the pupils network. Now the packet tracer is successful, and I guess the DNS will work as well. I'll let you know in a few days when we have tested...
11-05-2014 01:34 AM
Test ok :-)