
Routing between Vlans

Setup:

VLAN1: 192.168.8.0 255.255.252.0
VLAN2: 192.168.100.0 255.255.252.0

On VLAN 1:
  Default Gateway is 192.168.10.2 (Cisco ASA 5510)
    or 192.168.10.1 (Cisco 2611)

On VLAN 2:
   Default Gateway is 192.168.100.1 (Cisco 3560) (VLAN1 IP 192.168.11.10)


I've configured the Cisco 3560 to route 0.0.0.0 traffic to 192.168.10.2.

I've configured the Cisco 2611 to route 192.168.100.0 traffic to 192.168.11.10 (Cisco 3560).

I've configured the Cisco ASA 5510 to route 192.168.100.0 traffic to 192.168.11.10, however:

On VLAN 1, when using 10.1 (Cisco 2611) as my def. gateway everything works.  However, when using 10.2 (Cisco ASA 5510) as the def. gateway I cannot see the 192.168.100.0 network.

From the CLI of the ASA 5510 I can ping the 100.0 network without issue.  However, I cannot see the 100.0 network from any workstations or servers that use 10.2 as their def. gateway.

On the ASA 5510 I added the command:

route inside 192.168.100.0 255.255.252.0 192.168.11.10 1

Any suggestions?

Andrew
QuoriCommented:
Able to provide running configs, stripped of passwords and any sensitive info, please?
 
harbor235Commented:


The 3560 IP address for VLAN 1 is not in the same IP block as the other VLAN 1 IP assignments for the ASA and the 2611.  The other thing is that if you route traffic to the inside interface of the firewall, and that traffic is sourced from a network that is different from the inside interface IP range, it is not going to like it.
Remember, the inside interface is trusted, not some other IP range. Turn off reverse path forwarding if you have it on, and turn up logging to see why it does not like it.

from config mode
logging on
logging buffered informational

View the logs; they will tell you why it is blocking.

To turn off reverse path forwarding;

no ip verify reverse-path interface inside

harbor235 ;}
 
ARSCOAuthor Commented:
Ok I turned on logging and when I try to ping I get this message:

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

I'm guessing I need to modify the firewall somehow, but I don't know how.

Thanks in advance,

Andrew
 
harbor235Commented:
To turn off reverse path forwarding;

no ip verify reverse-path interface inside

harbor235 ;}
 
ARSCOAuthor Commented:
Sorry forgot to mention I did that.  Still not working.

Andrew
 
harbor235Commented:

Do you have an access-list configured on the inside interface? Post it please if there is one.

harbor235 ;}
 
harbor235Commented:


Also, do you have a route for the 192.168.100.0 network on the ASA? It also may be complaining if there is no route back.

harbor235 ;}
 
ARSCOAuthor Commented:
Here is the running conf of the ASA 5510.

Andrew
: Saved
:
ASA Version 7.0(7) 
!
hostname CISCO-ASA
domain-name DOMAIN.Local
 
names
dns-guard
!
interface Ethernet0/0
 description Time Warner
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.119 255.0.0.0 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description DOMAIN.Local
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
clock timezone EST -5
clock summer-time EDT recurring
object-group service WEB_ACCESS tcp
 port-object eq www
 port-object eq https
object-group service ASMITH tcp
 port-object eq 22144
 port-object eq 7176
access-list inside_pnat_inbound extended permit ip any any 
access-list out extended permit tcp any host xxx.xxx.xxx.126 eq smtp 
access-list out extended permit tcp any host xxx.xxx.xxx.117 object-group WEB_ACCESS 
access-list out extended permit gre any host xxx.xxx.xxx.118 
access-list out extended permit tcp any host xxx.xxx.xxx.118 eq pptp 
access-list out extended permit tcp any host xxx.xxx.xxx.120 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.121 object-group WEB_ACCESS 
access-list out extended permit tcp any host xxx.xxx.xxx.122 object-group WEB_ACCESS 
access-list out extended permit icmp any any 
access-list out extended permit gre any host xxx.xxx.xxx.124 
access-list out extended permit tcp any host xxx.xxx.xxx.124 object-group ASMITH 
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging asdm informational
logging from-address it@domain.com
logging recipient-address it@domain.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 200 interface
nat (inside) 10 access-list inside_pnat_inbound outside
nat (inside) 200 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.124 192.168.10.240 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.126 192.168.10.15 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.117 192.168.10.10 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.118 192.168.10.20 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.120 192.168.10.32 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.121 192.168.10.31 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.xxx.122 192.168.10.33 netmask 255.255.255.255 
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
route inside 192.168.100.0 255.255.252.0 192.168.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
!
aaa authentication ssh console LOCAL 
http server enable
http 192.168.8.0 255.255.252.0 inside
http 192.168.10.56 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.8.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.168.10.24
smtp-server 192.168.10.10
Cryptochecksum:7af7b76f5fe3e8daee67cfd1518d5166
: end

 
harbor235Commented:
ok,

Deny inbound icmp src inside 192.168.10.240 dst inside 192.168.100.1 (type 8, code 0)

So this says that on the inside interface the ASA received an ICMP packet sourced from 192.168.10.240
and that the destination was 192.168.100.1. It looks like 192.168.10.240 is misconfigured; shouldn't this guy point to 192.168.11.10 for the 192.168.100.0/22 network? 192.168.10.240 has its default route or that specific route misconfigured. The route for the 192.168.100.0/22 network is pointing to 192.168.11.10; I assume this is correct.

harbor235 ;}
 
ARSCOAuthor Commented:
10.240 (my computer) has a def. gateway of 192.168.10.2 (ASA 5510).  Obviously 10.240 does not know where the 192.168.100.0/22 network is, so it sends the request to 10.2, which in theory should forward the request to 192.168.11.10.

However, as the error message states, the ASA 5510 is denying the request.

The router for the 192.168.100.0/22 network is a 3560 at IP 192.168.11.10 with VLAN routing enabled.

Andrew
 
harbor235Commented:

That's not how a firewall works or how a router should work. A router will send an ICMP redirect; however, it is still a kludge or misconfiguration. The 192.168.100.0/22 network is reachable via 192.168.11.10, which is on the same network as 192.168.10.2. 192.168.10.240 should route to 192.168.11.10 for the network 192.168.100.0/22; why be less efficient and go up and then back down? It makes no sense. Add a specific route for 192.168.100.0/22 pointing to 192.168.11.10 like this:

route -p add 192.168.100.0 mask 255.255.252.0 192.168.11.10

harbor235 ;}
 
ARSCOAuthor Commented:
Are you adding this route to an individual workstation?  I know I can do this and have done it to make sure it's not a problem with the 3560 routing.  Works fine.

However, this is highly inefficient to do on a domain-wide basis, unless I am missing something, like a really easy way to do this domain wide?
 
harbor235Commented:


I understand. However, you have to remember that a firewall does not behave like a router: if a packet is sourced from a network different than the interface it arrived on (exception: the outside interface, which is considered untrusted), the firewall will not like it. It most certainly is not going to send a redirect to the originating host telling it where to go; the firewall is a security device.

So yes, add it to the workstation, or replace the firewall with a router and move the firewall up. Even though you could make it work with a router, I still would never approach it like that. You want traffic flow to be efficient.

Hope all this helps;

harbor235 ;}
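As an added illustration (not part of the thread, and not the ASA's own code), here is a small Python model of the routing and same-interface check that explains the "Deny inbound icmp src inside ... dst inside ..." log line quoted above. The inside addresses and routes are the ones posted in the question and running config; the outside addresses are constructed stand-ins for the masked xxx.xxx.xxx values.

```python
"""Model of why the ASA drops 192.168.10.240 -> 192.168.100.1 via 192.168.10.2:
the packet would have to leave on the same interface it arrived on ("hairpin"),
which a default ASA does not forward, even though a route for 192.168.100.0/22 exists.
"""
import ipaddress
import re

# Interfaces from the posted config. 192.0.2.119/24 is a constructed stand-in
# for the masked outside address xxx.xxx.xxx.119.
INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.10.2/22"),
    "outside": ipaddress.ip_interface("192.0.2.119/24"),
}
# Static routes from the posted config; 192.0.2.113 is a constructed stand-in
# for the masked default-route next hop xxx.xxx.xxx.113.
ROUTES = [
    (ipaddress.ip_network("192.168.100.0/22"), "inside", ipaddress.ip_address("192.168.11.10")),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", ipaddress.ip_address("192.0.2.113")),
]

# Matches the deny line format quoted in the thread.
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<in_if>\w+) (?P<src>[\d.]+) "
    r"dst (?P<out_if>\w+) (?P<dst>[\d.]+)"
)

def egress_for(dst):
    """Longest-prefix match over connected networks and static routes.
    Returns (interface_name, next_hop); next_hop is None when directly connected."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i.network, n, None) for n, i in INTERFACES.items()] + ROUTES
    best = max((r for r in candidates if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def ingress_for(src):
    """Interface whose connected subnet contains the source address (None if unknown)."""
    src = ipaddress.ip_address(src)
    return next((n for n, i in INTERFACES.items() if src in i.network), None)

def is_hairpin(src, dst):
    """True when the flow would enter and leave the ASA on the same interface."""
    return ingress_for(src) == egress_for(dst)[0]

def explain_deny(line):
    """Parse one deny log line; add whether it is a hairpin case and the next hop
    the source host should have used directly instead of the firewall."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["hairpin"] = d["in_if"] == d["out_if"] and is_hairpin(d["src"], d["dst"])
    nh = egress_for(d["dst"])[1]
    d["next_hop"] = str(nh) if nh else d["dst"]  # directly connected: no next hop
    return d
```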

 
ARSCOAuthor Commented:
Another option that would work is to make VLAN 1 workstations def. gateway 192.168.11.10.

Thanks for the help.
 
harbor235Commented:

Correct. I assumed that you wanted all other traffic going to the firewall and only 192.168.100.0/22 traffic going in the other direction.

harbor235 ;}
 
ARSCOAuthor Commented:
Well, 192.168.11.10 has a default gateway of 192.168.10.2, so it's just another "step" for the 192.168.8.0/22 network.  Just need to think about placement of the device, because if it goes down, it takes all internet traffic down.

Andrew