In-Band in DMZ

Pete89, Level 2

Hello,

I am trying to deploy an in-band solution for VPN users. There have been a few surprises after having started this project.

1. Because users are coming in over a VPN the topology must be in-band.

2. If you want to have redundant CAS servers they cannot be separated by a NAT firewall from the CAM. Thus the reason why we have the CAM in the DMZ with the CAS.

I have a diagram here:

http://www.flickr.com/photos/31154535@N07/3833723810/sizes/o/

My problem now is the ASA does not see the CAS as a L2 device as it should. And DMZ switch does not see the ASA as a L2 device. In other words on the ASA I don't see an arp entry for 192.168.48.3 and on the switch I don't see an arp entry for 192.168.48.1.

What am I doing wrong?

16 Replies

I rebuilt the CAS from scratch and I still can't ping the ASA from the CAS, and the ASA doesn't even have an ARP entry for the CAS.

When I run the perfigo config my gut tells me to assign the ASA as the GW for both untrusted and trusted interfaces. In fact in my testlab I got it to work this way.

However, I can only get the CAS and CAM to talk to each other when I use the VLAN interface as the GW for both interfaces. If I don't do it that way I can't add the CAS to the CAM.

I have tried assigning the ASA as the GW for laughs and still no pings no arp entries etc.

I have a question. When I assign VLAN 48 to the subinterface of the ASA, it tags its outgoing packets with VLAN 48, right? And my DMZ switch will send them out any trunk with VLAN 48 allowed, right?

Yes, ASA should tag the outgoing packet with vlan ID 48. You can do a SPAN on your DMZ switch to capture the packet to confirm it.

When you ping from the ASA to the CAS' IP, the ASA should send out an ARP request in VLAN 48. The DMZ switch should send it out on every port in VLAN 48.

You can set up a SPAN on the DMZ switch to capture the traffic to/from the CAS, and then do a ping from the ASA to the CAS' IP. Check the packet sniffer file to see if the DMZ switch forwards the traffic to the CAS and if the CAS responds to it.
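The SPAN check suggested above boils down to one question: does the capture show an ARP request from 192.168.48.1 for 192.168.48.3 carrying an 802.1Q tag of VLAN 48, and does a tagged ARP reply come back? The following script is an added example, not code from the thread or from Cisco; it parses tagged and untagged Ethernet/ARP frames, reads them from a classic pcap file (link type 1) or from constructed sample frames, and classifies the exchange. The MAC addresses and the sample frames are constructed; only the two IP addresses and the VLAN ID come from the thread.

```python
import struct
import ipaddress

# Wire constants for 802.1Q tagging and ARP.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_frame(src_mac, dst_mac, oper, sha, spa, tha, tpa, vlan=None):
    """Build an Ethernet/ARP frame, 802.1Q-tagged when vlan is given (constructed test data)."""
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # TCI with PCP/DEI = 0
    hdr += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet/IPv4 ARP header
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return hdr + arp


def parse_arp(frame):
    """Return {vlan, oper, sha, spa, tpa} for an (optionally tagged) ARP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:  # strip the 4-byte 802.1Q header
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = off + 8
    return {"vlan": vlan, "oper": oper, "sha": frame[p:p + 6].hex(":"),
            "spa": str(ipaddress.IPv4Address(frame[p + 6:p + 10])),
            "tpa": str(ipaddress.IPv4Address(frame[p + 16:p + 20]))}


def read_pcap(path):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file with link type 1."""
    with open(path, "rb") as fh:
        endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[fh.read(4)]
        fh.read(20)  # remainder of the 24-byte global header
        while True:
            rec = fh.read(16)  # per-packet header: ts_sec, ts_usec, incl_len, orig_len
            if len(rec) < 16:
                return
            _, _, incl_len, _ = struct.unpack(endian + "IIII", rec)
            yield fh.read(incl_len)


def check_arp_exchange(frames, vlan, asa_ip, cas_ip):
    """Classify the ARP traffic between asa_ip and cas_ip seen in a SPAN capture."""
    req_on_vlan, req_other_vlans, reply_on_vlan = False, set(), False
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a["oper"] == ARP_REQUEST and a["spa"] == asa_ip and a["tpa"] == cas_ip:
            if a["vlan"] == vlan:
                req_on_vlan = True
            else:
                req_other_vlans.add(a["vlan"])  # None means the request was untagged
        elif a["oper"] == ARP_REPLY and a["spa"] == cas_ip and a["tpa"] == asa_ip and a["vlan"] == vlan:
            reply_on_vlan = True
    if req_on_vlan and reply_on_vlan:
        verdict = "complete"             # resolved both ways on the expected VLAN
    elif req_on_vlan:
        verdict = "no-reply"             # switch forwarded the request; CAS never answered
    elif req_other_vlans:
        verdict = "request-not-on-vlan"  # ASA sent it untagged or with another VLAN ID
    else:
        verdict = "no-request"           # nothing from the ASA reached the SPAN source
    return {"verdict": verdict,
            "other_request_vlans": sorted(req_other_vlans, key=lambda v: -1 if v is None else v)}


# Constructed sample capture: MACs are made up, IPs and VLAN are the thread's.
ASA_MAC, CAS_MAC, BCAST = "00:11:22:aa:bb:01", "00:11:22:aa:bb:03", "ff:ff:ff:ff:ff:ff"
ASA_IP, CAS_IP = "192.168.48.1", "192.168.48.3"
SAMPLE_GOOD = [
    build_arp_frame(ASA_MAC, BCAST, ARP_REQUEST, ASA_MAC, ASA_IP, "00:00:00:00:00:00", CAS_IP, vlan=48),
    build_arp_frame(CAS_MAC, ASA_MAC, ARP_REPLY, CAS_MAC, CAS_IP, ASA_MAC, ASA_IP, vlan=48),
]
SAMPLE_UNTAGGED = [
    build_arp_frame(ASA_MAC, BCAST, ARP_REQUEST, ASA_MAC, ASA_IP, "00:00:00:00:00:00", CAS_IP),
]

if __name__ == "__main__":
    for name, frames in (("good", SAMPLE_GOOD), ("untagged", SAMPLE_UNTAGGED)):
        print(name, check_arp_exchange(frames, 48, ASA_IP, CAS_IP))
```

To run it against a real SPAN capture, pass `read_pcap("span.pcap")` to `check_arp_exchange` in place of the sample lists. A "request-not-on-vlan" result points at the ASA subinterface or the switch port's native VLAN, a "no-reply" result at the path from the switch to the CAS (trunk allowed list, CAS interface VLAN), and "no-request" at the SPAN source selection or the ASA itself.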
