ASA5510 and Barracuda Webfilter

Leonard7881 asked:

Hello experts.

I'm in need of some advice and guidance. I have a Barracuda Networks Webfilter 310, an ASA5510, and a Catalyst 3550. I have attached config files for both the switch and the ASA. The Barracuda is a Layer 2 device; it will sit in-line behind the ASA and in front of my switch to filter all traffic.

My dilemma is that with the current configs I can't access the Barracuda or get out to the internet. The switch is configured due to the nature of the systems on the network and I can't change it. I would like to be able to connect to the webfilter and allow access to my users.

The webfilter requires one IP address. The fe0 of the ASA is the outside interface. The fe1 is the internal interface, which will connect to the WAN link of the webfilter. The LAN link of the webfilter will connect to fa0/1 of the switch. This is per the webfilter guide.

Any advice is appreciated. I don't have my CCNA yet, so I will try to understand as best I can.

Thanks.

Attachments: asa-config.txt, switch-confg.txt
jburgaard:

Did you try changing the def. gateway
from pointing to Barracuda
to pointing to router ?
(the Barracuda is supposed to act as a layer 2 device, not as router)

HTH
Leonard7881 (asker):

jburgaard, here are the IPs I have configured so far.

Webfilter ip config:
IP: 172.16.10.13
Gateway: 172.16.10.1
Mask: 255.255.255.240

ASA:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ****

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.240

Switch:
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 no ip address

interface Vlan2
 ip address 172.16.10.14 255.255.255.240

ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.13 (ip of barracuda)
no ip http server
On page 26, item 4 of the Barracuda Web Filter Administrator's Guide (see URL below), it mentions that you need to set up any static routes so that it knows how to route traffic "in complex networks".  Have you done this?  What do the routes look like on this box?

http://www.barracudanetworks.com/ns/downloads/Barracuda_Web_Filter_AG.pdf

BTW, that's a very strange switch configuration...introduces a lot of potential for routing issues...
ASKER CERTIFIED SOLUTION
jburgaard
jburgaard:
'ip route 0.0.0.0 0.0.0.0 172.16.10.13 (ip of barracuda)'
In my eyes this looks like a switch default gateway pointing to the Barracuda instead of pointing to the router on 172.16.10.1

172.16.10.13 is the IP of the webfilter on my switch. I think this is telling all traffic to go through the webfilter. Then I have the webfilter gateway set to 172.16.0.1, which is the IP of the inside E0/1 of the firewall. Both the inside E0/1 and the webfilter have a mask of .240.

batry_boy:
I have given the webfilter static routes to all VLANs.

Still unable to connect to the internet and the GUI of the webfilter.

From what IP address are you trying to access the webfilter GUI and the Internet?

Have you confirmed that the webfilter is supposed to be set as the default gateway for the switch?  I'm assuming you are using the "Inline Passthrough" mode of the webfilter...is this correct?

I couldn't find any definitive info in the Barracuda manual that states that the Barracuda itself needs to be set as the default gateway for your internal L3 (switch) device.
Here are my static routes on the webfilter

IP/Network Address,Netmask,Gateway Address
172.16.10.15,255.255.255.240,172.16.10.14
172.16.10.18,255.255.255.248,172.16.10.17
172.16.10.34,255.255.255.248,172.16.10.33
172.16.10.66,255.255.255.252,172.16.10.65
172.16.10.70,255.255.255.252,172.16.10.69
172.16.10.74,255.255.255.252,172.16.10.73
172.16.10.78,255.255.255.252,172.16.10.77
172.16.10.82,255.255.255.252,172.16.10.81
172.16.10.86,255.255.255.252,172.16.10.85
172.16.10.90,255.255.255.252,172.16.10.89
172.16.10.94,255.255.255.252,172.16.10.93
172.16.10.98,255.255.255.252,172.16.10.97
172.16.10.102,255.255.255.252,172.16.10.101
172.16.10.106,255.255.255.252,172.16.10.105
172.16.10.110,255.255.255.252,172.16.10.109
172.16.10.114,255.255.255.252,172.16.10.113
172.16.10.118,255.255.255.252,172.16.10.117
172.16.10.122,255.255.255.252,172.16.10.121
172.16.10.126,255.255.255.252,172.16.10.125
172.16.10.130,255.255.255.252,172.16.10.129
172.16.10.134,255.255.255.252,172.16.10.133
batry_boy:
From what IP address are you trying to access the webfilter GUI and the Internet?

Have you confirmed that the webfilter is supposed to be set as the default gateway for the switch?  I'm assuming you are using the "Inline Passthrough" mode of the webfilter...is this correct?

I couldn't find any definitive info in the Barracuda manual that states that the Barracuda itself needs to be set as the default gateway for your internal L3 (switch) device.

I will get an answer from Barracuda for you on that.
Your static routes don't look right on your web filter.

For example, take the first entry:

IP/Network Address,Netmask,Gateway Address
172.16.10.15,255.255.255.240,172.16.10.14

.15 on network 172.16.10.0/28 is the broadcast address for that subnet.  It shouldn't have a route statement at all for that.

All of the other static routes pointing to the various VLAN interfaces defined on the switch are wrong because the webfilter will not be able to see those interfaces, because it can only see the IP addresses on its local subnet, which is 172.16.10.0/28, which includes IP addresses 172.16.10.1-14.

.17, .33, .65, .69, etc. are all on other subnets so the webfilter can't see those interfaces to send traffic to them via static routes.  Make sense?

I think you should try to get by with a single static route on the webfilter that looks like this:

172.16.10.0,255.255.255.0,172.16.10.14

If the proper netmask is applied to the LAN interface of the webfilter (255.255.255.240), then it will know how to get to address 172.16.10.1-14 via ARP traffic, and everything else it will send to 172.16.10.14.
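The checks batry_boy walks through above (a destination that is the broadcast address of its own mask, a host address where a network address belongs, and a next hop that is not on the device's local subnet and so cannot be ARPed for) can be applied mechanically to a Barracuda-style route export. This is an added example, not code from the thread or from Barracuda; the interface address and the CSV rows are taken from the posts above, with the suggested 172.16.10.0/24 route appended:

```python
import ipaddress

# Constructed from the thread: the webfilter's LAN interface (172.16.10.13 /28)
# and a subset of the posted static routes, plus batry_boy's suggested summary route.
WEBFILTER_IFACE = ipaddress.ip_interface("172.16.10.13/255.255.255.240")

STATIC_ROUTES_CSV = """\
IP/Network Address,Netmask,Gateway Address
172.16.10.15,255.255.255.240,172.16.10.14
172.16.10.18,255.255.255.248,172.16.10.17
172.16.10.34,255.255.255.248,172.16.10.33
172.16.10.66,255.255.255.252,172.16.10.65
172.16.10.0,255.255.255.0,172.16.10.14
"""


def parse_routes(csv_text):
    """Parse the 'dest,netmask,gateway' CSV export into (dest, mask, gw) string tuples."""
    routes = []
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        dest, mask, gw = (field.strip() for field in line.split(","))
        routes.append((dest, mask, gw))
    return routes


def check_route(dest, mask, gw, iface=WEBFILTER_IFACE):
    """Return a list of problems with one static route; an empty list means it looks sane."""
    problems = []
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)  # network the mask really selects
    dest_ip = ipaddress.ip_address(dest)
    gw_ip = ipaddress.ip_address(gw)
    if net.prefixlen < 31 and dest_ip == net.broadcast_address:
        problems.append(f"destination {dest} is the broadcast address of {net}")
    elif dest_ip != net.network_address:
        problems.append(f"destination {dest} is a host inside {net}; use {net.network_address}")
    # A next hop is only usable if the device can ARP for it, i.e. it sits on the local subnet.
    if gw_ip not in iface.network:
        problems.append(f"gateway {gw} is not on the local subnet {iface.network}")
    elif gw_ip == iface.ip:
        problems.append(f"gateway {gw} is the device's own address")
    return problems


def audit(csv_text, iface=WEBFILTER_IFACE):
    """Map each route ('dest/mask via gw') to its list of problems."""
    return {f"{d}/{m} via {g}": check_route(d, m, g, iface) for d, m, g in parse_routes(csv_text)}


if __name__ == "__main__":
    for route, problems in audit(STATIC_ROUTES_CSV).items():
        print(route, "OK" if not problems else "; ".join(problems))
```

Only the final /24 summary route passes; the four routes copied from the posted table are each flagged for the reasons given in the reply above.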
SOLUTION
jburgaard:

What gateway does the Barracuda have? Router?
jburgaard:

You didn't have to provide it a static route? Remember my switch Ethernet ports are all VLANs.
I'm very close to a solution. When connecting to the webfilter through a crossover cable on the LAN interface I'm able to browse the internet with my laptop. When I connect the switch I no longer have external connectivity.

I know it's not the ASA because I can get out connected directly to the webfilter. Do I need to clear the MAC table of the switch? I have given the switch a default route of the ASA and webfilter and still I can't get out. At least we have narrowed it down to the switch.

Thanks.
The webfilter should have the router as default gateway = 172.16.10.1

The webfilter should have routes back to the switch VLAN networks via 172.16.10.14
If the 172.16.10.0,255.255.255.0,172.16.10.14 route does not work,
then try as a start with the one where your PC is placed, e.g. the route for vlan3:
172.16.10.16   255.255.255.248  172.16.10.14

The client should have as default gateway the relevant VLAN interface on the switch:
172.16.10.18   255.255.255.248  172.16.10.17
when the client is in vlan3

HTH
I have placed a support call to Barracuda. My pings and traceroutes only go to the webfilter IP and no further. I will update later.
Experts.

It seems that the interface on the webfilter was the issue all along. At times when I would connect to the LAN of the webfilter it was slow and laggy. Then when I disconnected the webfilter from the switch it was fine. The rep tried logging in from the command line and she experienced the same sluggishness I did. I told her that happened to me and to let me disconnect the LAN port from the switch. As soon as I did that she was fine also.

She looked over some things and determined that all was well. She then had me reconnect the LAN back to the switch and the issue arose. She asked what speed the switch was and I told her it was 10/100. She said she would manually change the speed on the webfilter to 100. As soon as she did that, BAM! Everything was fine. I was able to connect to the GUI from my server and all other connected machines, as well as surf.

Go figure! I want to thank you both for the help.
Thanks, good you got your problem solved.
Great!  Glad to assist...