05-06-2009 06:06 AM - edited 03-06-2019 05:34 AM
I have an ASA 5510 with 3 interfaces (inside, outside, DMZ)
Internal routing is done by a layer 3 switch
We utilize VLANs (5 = guest, 6 = staff, 29 = DMZ)
ASA Interfaces are as follows:
Inside: 10.5.8.1
Outside: 164.105.34.45
DMZ: 10.5.29.1
Host A (10.5.5.100) wants to ping Host B (10.5.29.100) in the DMZ.
The layer 3 switch has a static route of 0.0.0.0 0.0.0.0 10.5.8.1 (inside ASA interface), but no sub-interface for vlan 29.
Since the layer 3 switch has no route to 10.5.29.0, doesn't it forward it to the 10.5.8.1 interface (inside interface on ASA) based on the default routing of 0.0.0.0 0.0.0.0 10.5.8.1? At this point 10.5.8.1 (inside Interface) knows about the 10.5.29.0 network (DMZ) and should forward it based on ACEs correct?
05-11-2009 08:50 AM
Did you create your svi for vlan 29 on the L3 switch like I stated in a previous post?
Do you have your vlan 29 trunked at the exit point that the ASA is connected to?
I think the problem lies in the fact that once your L3 switch forwards out the frame to the ASA, if you DON'T have vlan 29 allowed on the trunk, the switch will forward it out as its native vlan.
05-11-2009 06:11 PM
The 'DMZ' port on the ASA is connected to a switch port that belongs to vlan 29.
The 'Inside' port on the ASA is connected to a switch port that belongs to vlan 4.
The 'Outside' port on the ASA is connected to a port that belongs to vlan 71.
The host machine (10.4.4.4) pinging is connected to a port assigned to vlan 4.
The machine (10.4.29.29) being pinged belongs to a port assigned to vlan 29.
The firewall however does see it, as I see this on the firewall syslog:
Here is the succession:
IDS:2004 ICMP echo request from 10.4.4.4 to 10.4.29.29 on interface inside
IDS:2000 ICMP echo reply from 10.4.29.29 to 10.4.4.4 on interface DMZ
Deny inbound icmp src DMZ:10.4.29.29 dst inside:10.4.4.4 (type 0, code 0)
So it seems like it is getting dropped at the inside interface.
I can add the SVI, but won't this just skip the firewall inspection altogether and route it internally through the L3 switch?
05-11-2009 07:54 PM
I disabled the DMZ interface on the ASA (10.4.29.1) and added the svi as follows:
interface Vlan29
description DMZ
ip address 10.4.29.1 255.255.255.0
no ip redirects
ip pim sparse-dense-mode
I can now ping the 10.4.29.29 machine.
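To make the earlier concern concrete (that adding the SVI lets the switch route around the firewall), here is an added example, not from the thread, that simulates the L3 switch's longest-prefix-match decision before and after the Vlan29 SVI. It uses the first post's addressing (inside 10.5.8.1, DMZ 10.5.29.1, hosts 10.5.5.100 and 10.5.29.100); the switch's connected routes and the SVI address 10.5.29.1 on the switch are assumptions.

```python
import ipaddress

# ASA inside interface from the first post; the switch's default route points here.
ASA_INSIDE = "10.5.8.1"

# Constructed L3 switch routing table: (prefix, next hop or "connected").
# Before the SVI: only the VLAN subnets the switch owns plus the default route.
SWITCH_BEFORE = [
    ("10.5.5.0/24", "connected"),   # SVI Vlan5 (guest), assumed
    ("10.5.6.0/24", "connected"),   # SVI Vlan6 (staff), assumed
    ("10.5.8.0/24", "connected"),   # transit subnet toward the ASA inside interface, assumed
    ("0.0.0.0/0", ASA_INSIDE),      # ip route 0.0.0.0 0.0.0.0 10.5.8.1 (from the thread)
]

# After "interface Vlan29 / ip address 10.5.29.1 255.255.255.0" on the switch
# (the ASA DMZ interface was disabled in the thread, so no address conflict):
# the switch now owns the DMZ subnet as a connected route.
SWITCH_AFTER = SWITCH_BEFORE + [("10.5.29.0/24", "connected")]


def lookup(table, dst):
    """Longest-prefix match, the rule an IOS L3 switch applies to pick a route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return (str(best[0]), best[1]) if best else None


def inspected_by_asa(table, dst):
    """True when the switch must hand the packet to the ASA inside interface,
    i.e. the ASA gets to apply its ACLs/inspection to the flow."""
    route = lookup(table, dst)
    return route is not None and route[1] == ASA_INSIDE


def audit(table, destinations):
    """Report, per destination, the route chosen and whether the ASA sees the traffic."""
    return {d: (lookup(table, d), inspected_by_asa(table, d)) for d in destinations}


if __name__ == "__main__":
    for label, table in (("before SVI", SWITCH_BEFORE), ("after SVI", SWITCH_AFTER)):
        print(label, audit(table, ["10.5.29.100", "10.5.6.10"]))
```

The output shows the DMZ host reached through 0.0.0.0/0 via the ASA before the SVI, and through the connected 10.5.29.0/24 route (never touching the ASA) after it.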