Help with VLAN, Layer 3 switch, DMZ routing madness.

oneirishpollack
Level 1

I have an ASA 5510 with 3 interfaces (inside, outside, DMZ)

Internal routing is done by a layer 3 switch

We utilize VLANs (5 = guest, 6 = staff, 29 = DMZ)

ASA Interfaces are as follows:

Inside: 10.5.8.1

Outside: 164.105.34.45

DMZ: 10.5.29.1

Host A (10.5.5.100) wants to ping Host B (10.5.29.100) in the DMZ.

The layer 3 switch has a static route of 0.0.0.0 0.0.0.0 10.5.8.1 (inside ASA interface), but no sub-interface for vlan 29.

Since the layer 3 switch has no route to 10.5.29.0, doesn't it forward it to the 10.5.8.1 interface (inside interface on ASA) based on the default route 0.0.0.0 0.0.0.0 10.5.8.1? At this point 10.5.8.1 (inside interface) knows about the 10.5.29.0 network (DMZ) and should forward it based on ACEs, correct?

17 Replies

Did you create your svi for vlan 29 on the L3 switch like I stated in a previous post?

Do you have your vlan 29 trunked at the exit point that the ASA is connected to?

I think the problem lies in the fact that once your L3 switch forwards the frame out to the ASA, if you DON'T have vlan 29 allowed on the trunk, the switch will forward it out as its native vlan.

HTH, John *** Please rate all useful posts ***

The 'DMZ' port on the ASA is connected to a switch port that belongs to vlan 29.

The 'Inside' port on the ASA is connected to a switch port that belongs to vlan 4.

The 'Outside' port on the ASA is connected to a port that belongs to vlan 71.

The host machine (10.4.4.4) pinging is connected to a port assigned to vlan 4.

The machine (10.4.29.29) being pinged belongs to a port assigned to vlan 29.

The firewall however does see it, as I see this on the firewall syslog:

Here is the succession:

IDS:2004 ICMP echo request from 10.4.4.4 to 10.4.29.29 on interface inside

IDS:2000 ICMP echo reply from 10.4.29.29 to 10.4.4.4 on interface DMZ

Deny inbound icmp src DMZ:10.4.29.29 dst inside:10.4.4.4 (type 0, code 0)

So it seems like it is getting dropped at the inside interface.

I can add the SVI, but won't this just skip the firewall inspection altogether and route it internally through the L3 switch?
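As an added illustration (not part of this thread), the script below correlates the three ASA syslog lines quoted above into one ICMP flow and reports whether the request and reply both reached the firewall, which separates a routing problem from a drop by the ASA itself before anyone considers routing around the firewall. The log lines are embedded as a constructed sample copied from the post, and the regexes are assumptions about the message layout.

```python
import re
from collections import defaultdict

# Constructed sample: the three ASA syslog message bodies quoted in the thread.
SAMPLE_LOG = """\
IDS:2004 ICMP echo request from 10.4.4.4 to 10.4.29.29 on interface inside
IDS:2000 ICMP echo reply from 10.4.29.29 to 10.4.4.4 on interface DMZ
Deny inbound icmp src DMZ:10.4.29.29 dst inside:10.4.4.4 (type 0, code 0)
"""

# Assumed message layouts, written from the lines above.
IDS_RE = re.compile(r"IDS:\d+ ICMP echo (?P<kind>request|reply) from (?P<src>\S+) "
                    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)")
DENY_RE = re.compile(r"Deny inbound icmp src (?P<sifc>[^:\s]+):(?P<src>\S+) "
                     r"dst (?P<difc>[^:\s]+):(?P<dst>\S+) \(type (?P<type>\d+), code \d+\)")

def correlate_pings(log_text):
    """Group echo events by (initiator, responder); replies and type-0 denies
    are keyed back onto the pair that sent the original request."""
    flows = defaultdict(lambda: {"request_if": None, "reply_if": None, "reply_denied": False})
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            if m["kind"] == "request":
                flows[(m["src"], m["dst"])]["request_if"] = m["ifc"]
            else:
                flows[(m["dst"], m["src"])]["reply_if"] = m["ifc"]
            continue
        m = DENY_RE.search(line)
        if m and m["type"] == "0":  # ICMP type 0 is echo reply
            flows[(m["dst"], m["src"])]["reply_denied"] = True
    return dict(flows)

def diagnose(flow):
    """Plain-language verdict for one correlated flow."""
    if flow["request_if"] and flow["reply_if"] and flow["reply_denied"]:
        return ("routing OK: request seen on %s, reply seen on %s, reply denied by the ASA"
                % (flow["request_if"], flow["reply_if"]))
    if flow["request_if"] and not flow["reply_if"]:
        return "no reply reached the ASA: check the DMZ host's gateway"
    if flow["request_if"] and flow["reply_if"]:
        return "request and reply both passed"
    return "no request reached the ASA: check the L3 switch default route and trunk"

if __name__ == "__main__":
    for pair, flow in correlate_pings(SAMPLE_LOG).items():
        print(pair, "->", diagnose(flow))
```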

I disabled the DMZ interface on the ASA (10.4.29.1) and added the svi as follows:

interface Vlan29
 description DMZ
 ip address 10.4.29.1 255.255.255.0
 no ip redirects
 ip pim sparse-dense-mode

I can now ping the 10.4.29.29 machine.
