2337 Views, 0 Helpful, 17 Replies

Help with VLAN, Layer 3 switch, DMZ routing madness.

oneirishpollack
Level 1

I have an ASA 5510 with 3 interfaces (inside, outside, DMZ)

Internal routing is done by a layer 3 switch

We utilize VLANs (5 = guest, 6 = staff, 29 = DMZ)

ASA Interfaces are as follows:

Inside: 10.5.8.1

Outside: 164.105.34.45

DMZ: 10.5.29.1

Host A (10.5.5.100) wants to ping Host B (10.5.29.100) in the DMZ.

The layer 3 switch has a static route of 0.0.0.0 0.0.0.0 10.5.8.1 (inside ASA interface), but no sub-interface for vlan 29.

Host A (10.5.5.100) wants to ping Host B (10.5.29.100) in the DMZ.

Since the layer 3 switch has no route to 10.5.29.0, doesn't it forward it to the 10.5.8.1 interface (inside interface on ASA) based on the default routing of 0.0.0.0 0.0.0.0 10.5.8.1? At this point 10.5.8.1 (inside Interface) knows about the 10.5.29.0 network (DMZ) and should forward it based on ACEs correct?

17 Replies

John Blakley
VIP Alumni

As far as the default route in the switch goes, it should be okay as long as you have a route in the ASA that tells it how to get back to the 10.5.5.0 network.

route inside 10.5.5.0 255.255.255.0 10.5.8.

How do you have your nat statements on the ASA? You can either use nat exemption or identity nat

nat exemption:

access-list DMZ permit ip 10.5.5.0 255.255.255.0 10.5.29.0 255.255.255.0

nat (inside) 0 access-list DMZ

OR

Identity nat:

static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0

HTH,

John

HTH, John *** Please rate all useful posts ***

John,

Here are the NAT statements:

static (DMZ,outside) 164.106.71.29 10.4.29.29 netmask 255.255.255.255

static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0

Here is the route inside statement:

route inside 10.5.0.0 255.255.0.0 10.5.8.3 1

I CAN ping 10.5.29.100 from the ASA's DMZ interface (10.5.29.1), but cannot from the outside (164.105.34.45) or inside interface (10.5.8.1).

I cannot ping the 10.5.29.100 from the access switch or from the layer 3 switch.

Again I do not have a subinterface for VLAN 29 on the layer 3 switch. I was assuming the ASA would do the routing to and from the inside to the outside, but I can see where the VLAN routing may be the problem. The DMZ interface and the access switch interface are the only ports assigned to VLAN 29. So can I assume that the layer 2 VLAN assignments are killing this?

You'll need to add:

static (inside,DMZ) 10.5.0.0 10.5.0.0 netmask 255.255.0.0

Let's take things one step at a time :)

Your 10.4.4.0 static mapping is only allowing 10.4.4.0 across into the DMZ untranslated, so the 10.5.x.x subnets are still trying to translate.

What do your nat and global statements look like?

HTH, John *** Please rate all useful posts ***

I tried to substitute my ip addresses with aliases and made this too confusing. Below are my actual VLAN and private local addressing:

Staff subnet 10.4.4.0/24 (vlan 4)

Guest subnet 10.4.3.0/24 (vlan 3)

Outside subnet: 164.105.34.0/24 (vlan 34)

DMZ subnet: 10.4.29.0/24 (vlan 29)

ASA interfaces:

Inside: 10.4.2.1 (vlan 2)

Outside: 164.105.34.45 (vlan 34)

DMZ: 10.4.29.1 (vlan 29)

host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)

Below are the statements from the ASA again:

static (DMZ,outside) 164.105.34.29 10.4.29.29 netmask 255.255.255.255

static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0

static (inside,DMZ) 10.4.0.0 10.4.0.0 netmask 255.255.0.0

Sorry for the confusion.

You should be able to remove:

static (inside,DMZ) 10.4.4.0 10.4.4.0 netmask 255.255.255.0

It's covered in the line below it.

What's the original problem again? You can ping across the dmz from the inside, right? What's not working now?

John

HTH, John *** Please rate all useful posts ***

I am trying to setup the DMZ for the first time.

I can ping the DMZ interface and a DMZ server from the outside.

I can ping the DMZ server from the DMZ interface.

I cannot ping the DMZ interface or server from the inside.

We utilize intra-vlan routing on our layer 3 switch.

I am thinking the inside routing process goes...

Host A (10.4.4.100) pings Host B (10.4.29.29)

Host A determines Host B is not on the local network and forwards it to the default gateway (10.4.4.1)

Layer 3 switch 10.4.4.1 checks its routing table and determines it does not have a route for 10.4.29.0 (no subinterface set up for VLAN 29), so it sends it to the default gateway 10.4.2.1 (inside interface on ASA)

ASA checks its routing table and sees a route to network 10.4.29.0 (DMZ) via 10.4.29.1 (DMZ interface). It forwards the packet to this interface to get passed to server 10.4.29.29.

Is this how the routing process in this scenario will work?
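The hop-by-hop process described in this post, and John's earlier point that an identity-NAT static only covers the subnet it names, can both be checked with a small longest-prefix-match simulator. This is an added example, not the thread's configuration or any Cisco output: the addresses follow the thread, while the switch's VLAN 2 address (10.4.2.3), the upstream gateway (164.105.34.1), and the device and interface names are assumptions. It also goes one step beyond the post by showing what changes when the switch gets an SVI for VLAN 29, the option raised later in the thread: the forward path then never touches the ASA.

```python
"""Added example: trace forward and return paths of the 10.4.4.100 -> 10.4.29.29
ping across the L3 switch and the ASA, and check identity-NAT coverage.
Assumed: switch VLAN 2 address 10.4.2.3, upstream gateway 164.105.34.1."""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(asa_return_route=True, switch_vlan29_svi=False):
    """Routing tables for both devices. A next hop of 'connected:<if>' means
    the destination subnet is directly attached to that interface."""
    net = ip_network
    switch = [
        (net("10.4.2.0/24"), "connected:Vlan2"),
        (net("10.4.3.0/24"), "connected:Vlan3"),
        (net("10.4.4.0/24"), "connected:Vlan4"),
        (net("0.0.0.0/0"), "10.4.2.1"),      # default route to the ASA inside
    ]
    if switch_vlan29_svi:
        # An SVI for VLAN 29 makes the DMZ subnet connected on the switch,
        # so DMZ traffic is routed internally and bypasses the ASA.
        switch.append((net("10.4.29.0/24"), "connected:Vlan29"))
    asa = [
        (net("10.4.2.0/24"), "connected:inside"),
        (net("10.4.29.0/24"), "connected:DMZ"),
        (net("164.105.34.0/24"), "connected:outside"),
        (net("0.0.0.0/0"), "164.105.34.1"),  # assumed upstream gateway
    ]
    if asa_return_route:
        # the thread's 'route inside 10.4.0.0 255.255.0.0 <switch>' (next hop assumed)
        asa.append((net("10.4.0.0/16"), "10.4.2.3"))
    return {
        "switch": {"addresses": {"10.4.2.3", "10.4.3.1", "10.4.4.1"}, "routes": switch},
        "asa": {"addresses": {"10.4.2.1", "10.4.29.1", "164.105.34.45"}, "routes": asa},
    }


def trace(devices, start, dst, max_hops=8):
    """Follow a packet to `dst` from device `start`; return (hops, outcome)."""
    hops, dev = [start], start
    for _ in range(max_hops):
        route = lookup(devices[dev]["routes"], dst)
        if route is None:
            return hops, f"dropped at {dev}: no route to {dst}"
        prefix, nh = route
        if nh.startswith("connected:"):
            return hops, f"delivered by {dev} on {nh.split(':', 1)[1]} ({prefix})"
        nxt = next((d for d, c in devices.items() if nh in c["addresses"]), None)
        if nxt is None:
            # the next hop is not a modeled device: the packet heads upstream
            return hops, f"left topology at {dev} toward {nh} ({prefix})"
        hops.append(nxt)
        dev = nxt
    return hops, "dropped: hop limit exceeded"


def identity_nat_covers(statics, real_if, mapped_if, src):
    """True if a 'static (real_if,mapped_if) X X netmask M' entry covers src,
    i.e. the flow crosses untranslated instead of needing a nat/global pair."""
    src = ip_address(src)
    return any(r == real_if and m == mapped_if and src in n for r, m, n in statics)


def demo():
    good = build_topology(asa_return_route=True)
    bad = build_topology(asa_return_route=False)
    svi = build_topology(switch_vlan29_svi=True)
    statics = [("inside", "DMZ", ip_network("10.4.4.0/24"))]
    return {
        "forward": trace(good, "switch", "10.4.29.29"),
        "forward_with_svi": trace(svi, "switch", "10.4.29.29"),
        "return_with_route": trace(good, "asa", "10.4.4.100"),
        "return_without_route": trace(bad, "asa", "10.4.4.100"),
        "staff_covered": identity_nat_covers(statics, "inside", "DMZ", "10.4.4.100"),
        "guest_covered": identity_nat_covers(statics, "inside", "DMZ", "10.4.3.50"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `return_without_route` case is the one to watch: with no `route inside` entry for 10.4.0.0/16, the ASA's only match for the echo reply is its default route, so the reply leaves toward the upstream gateway instead of coming back through the inside interface. The `guest_covered` result shows why a static limited to 10.4.4.0/24 leaves other internal subnets looking for a translation.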

That's the way routing would work. Once it leaves the host into the switch, if the switch can't route it, it will go to its default gateway. The default route points to the inside ASA, and it will look at its routing table and forward to the DMZ.

Above you said that you can't ping a server in the DMZ, but in another post you said that you could:

host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)

If you try to ping 10.4.29.29 and you get timeouts, make sure that you have inspect icmp under your default inspection policy on the ASA.

It will look something like:

policy-map global_policy

 class inspection_default

  inspect icmp

service-policy global_policy global

Instead of just pinging, can you get to anything else on that server? Do you run a web server on it? Something else that you can test? Check the policy and see if the inspect is listed and we'll go from there.

John

HTH, John *** Please rate all useful posts ***
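Why the inspect line matters can be shown with a small model of the ASA's default ICMP handling: without `inspect icmp`, an echo request from the higher-security inside interface is allowed out, but the echo reply arriving on the lower-security DMZ interface is an unrelated inbound packet and is denied unless an ACL on the DMZ interface permits it. This is an added example, not the thread's configuration or Cisco code; the packets, security levels, and routing table are constructed, and the log line copies the shape of the %ASA-3-106014 message quoted later in the thread.

```python
"""Added example: stateless vs. inspected ICMP through a modeled ASA.
Security levels, routes and packets are constructed for illustration."""
from dataclasses import dataclass, field

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass
class Icmp:
    in_if: str        # interface the packet arrives on
    src: str
    dst: str
    icmp_type: int
    ident: int        # ICMP identifier, pairs a reply with its request


@dataclass
class Asa:
    levels: dict                               # interface -> security level
    routes: dict                               # destination /24 -> egress interface
    inspect_icmp: bool = False
    acls: dict = field(default_factory=dict)   # iface -> set of permitted (src, dst, type)
    conns: set = field(default_factory=set)    # tracked (src, dst, ident) echo requests
    log: list = field(default_factory=list)

    def egress(self, dst):
        return self.routes[".".join(dst.split(".")[:3]) + ".0"]

    def handle(self, pkt):
        out_if = self.egress(pkt.dst)
        # With inspection, a reply that matches a tracked request is allowed
        # back regardless of direction, and the entry is consumed.
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)     # reversed relative to the request
            if key in self.conns:
                self.conns.discard(key)
                return "permit (stateful reply)"
        # Higher -> lower security is allowed by default; track the request if inspected.
        if self.levels[pkt.in_if] > self.levels[out_if]:
            if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
                self.conns.add((pkt.src, pkt.dst, pkt.ident))
            return "permit (higher to lower security)"
        # Lower -> higher security needs an explicit ACL entry on the inbound interface.
        if (pkt.src, pkt.dst, pkt.icmp_type) in self.acls.get(pkt.in_if, set()):
            return "permit (acl)"
        self.log.append(
            f"%ASA-3-106014: Deny inbound icmp src {pkt.in_if}:{pkt.src} "
            f"dst {out_if}:{pkt.dst} (type {pkt.icmp_type}, code 0)")
        return "deny"


def ping_round_trip(inspect_icmp, dmz_acl=None):
    """Inside host 10.4.4.100 pings DMZ host 10.4.29.29; return both verdicts and the log."""
    asa = Asa(levels={"inside": 100, "DMZ": 50, "outside": 0},
              routes={"10.4.4.0": "inside", "10.4.2.0": "inside",
                      "10.4.29.0": "DMZ", "164.105.34.0": "outside"},
              inspect_icmp=inspect_icmp,
              acls={"DMZ": dmz_acl or set()})
    req = Icmp("inside", "10.4.4.100", "10.4.29.29", ECHO_REQUEST, ident=7)
    rep = Icmp("DMZ", "10.4.29.29", "10.4.4.100", ECHO_REPLY, ident=7)
    return asa.handle(req), asa.handle(rep), asa.log


if __name__ == "__main__":
    print("no inspection :", ping_round_trip(inspect_icmp=False))
    print("inspect icmp  :", ping_round_trip(inspect_icmp=True))
    print("acl on DMZ    :", ping_round_trip(False, {("10.4.29.29", "10.4.4.100", ECHO_REPLY)}))
```

The uninspected run produces exactly the symptom reported in this thread: the request goes out, nothing comes back, and the firewall logs a 106014 deny for the reply. Enabling inspection is the cleaner fix because it only admits replies to requests the firewall has seen; an ACL permitting echo-reply from the DMZ admits those packets whether or not anyone asked.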

Sorry for the confusion, when I said:

host A 10.4.4.100 (vlan 4) pings host B 10.4.29.29 (vlan 29)

I meant that it tried to ping it, but it is not getting a reply back.

I tested several scenarios and this is what I found:

10.4.4.211 (vlan 29) pings 10.4.4.29 (vlan 29) = no reply

10.4.4.211 (vlan 4) pings 10.4.4.29 (vlan 29) = no reply

10.4.29.211 (vlan 29) pings 10.4.4.29 (vlan 29) = 1 reply....and then "request times out"

10.4.29.211 (vlan 4) pings 10.4.4.29 (vlan 29) = no reply

75.199.18.37 (outside machine) pings 164.105.34.29 (NAT'd IP of server) = replies received

******************

Here is what I see on the firewall log:

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

oneirishpollack
Level 1

OK, using the ping tool in ASDM. I cannot ping the DMZ interface (10.4.29.1) from the Inside interface (10.4.2.1)

I need to see a diagram.

HTH, John *** Please rate all useful posts ***

I attached the diagram.

********************

I included two comments above the layer 3 switch. One shows the subinterface for VLAN 4, and the other is the sh ip route off the layer 3 switch.

You show that you have an L3 switch. Is this set up as L3 or L2 (is ip routing enabled)? Is it a Cisco switch?

My first thought is that if it's L3, then your pings shouldn't get to the ASA. It should go through the switch and be routed.

Looking at your routing table, you don't have an SVI configured for the 10.4.29.0 subnet. So, what *should* happen is the L3 switch will send its traffic to the next switch on vlan29. I think what's happening, and others may chime in, is this:

The traffic from 10.4.29.29 is getting to the firewall, and it's sending it back, but because there's no route on the L3 switch to the 10.4.29.0 subnet, the switch is dropping the traffic.

I would try the following:

At minimum, add an SVI to support your 10.4.29.0 subnet. (What gateway do you have on that host??)

Then your trunks will carry all the way to the firewall. You should be able to ping the 10.4.4.100 host from the 10.4.29.29 without going to the firewall.

John

HTH, John *** Please rate all useful posts ***

I think another thing that *might* be happening is that you have vlan29 on the ASA, but do you have vlan29 on the trunk on both ends of the link? If not, it's going to go out of your native vlan and return on the native vlan. In order to use vlan 29, you're going to have to have vlan29 trunked all the way to the destination.

HTH,

John

HTH, John *** Please rate all useful posts ***

John, you are correct in that I do have an L3 (routing enabled) Cisco 3750 that handles my internal routing, and

I do not have an SVI for the 29 VLAN.

I didn't know if creating an SVI for the 10.4.29.0 subnet would create a security issue, in that the 29 subnet (DMZ) could then potentially be routed internally, separate from the firewall. I was assuming if I:

1. Created the 29 Vlan on VTP server

2. Created a static route of 0.0.0.0 0.0.0.0 10.4.2.1 (Inside interface) on L3 switch

3. Addressed the DMZ interface as 10.4.29.1/24

I assumed that since 10.4.2.1 (inside interface, vlan4) and 10.4.29.1 (DMZ interface, vlan 29) were directly connected interfaces on the firewall, that the firewall (based on ACLs) would then route the traffic accordingly. I thought the flow would look like this:

10.4.4.100 (vlan 4) pings 10.4.29.29 (vlan 29)

10.4.4.100 --> 10.4.4.1 --> 10.4.2.1 --> 10.4.29.1 --> 10.4.29.29

Here again are my ping results:

10.4.29.211 (vlan 29) ping 10.4.29.29 (vlan 29) - replies!

10.4.29.211 (vlan 4) ping 10.4.29.29 (vlan 29) -

10.4.4.100 (vlan 4) ping 10.4.29.29 (vlan 29) - request timed out.

10.4.4.100 (vlan 29) ping 10.4.29.29 (vlan 29) - request timed out.
