TheBurningRom asked:

Policy Based Routing PBR - Pro Curve 5412zl - asa 5550 - alternatives?

We are looking to split our network traffic between two ISPs. Right now we have all of our network traffic (9 VLANs) running into our core (ProCurve 5412zl). From there it is routed through a standard 10/100 interface into a Packeteer 3500 PacketShaper. From there it runs through a PIX 515 in routing mode (to be upgraded to an ASA 5550 tomorrow), then through an ISP-owned/managed Catalyst 2950, another ISP-owned/managed Catalyst, and then out of the building.

What we would like to do is split off VLAN 4 traffic at the core and route it around the packet shaper, into the ASA on a separate interface from the rest of the network traffic, and then OUT an interface that would be connected to the business-class cable service that we would be adding to the mix, while keeping the rest of the traffic on its usual route through our packet shaper and out the AT&T interface on the PIX/ASA.

We understand that PBR is the easiest way to do this, but we also understand that the 5412zl doesn't have this functionality. What we would like to know is: can we work around this in any way? Maybe with an extended access list that only allows access to the "cable ISP" port on the ASA? I've seen a solution involving adding an intermediary router that does PBR to the mix... is that the only one? Does the Catalyst 2600 support PBR? We happen to have one of those doing nothing right now. If not, what model would work for us? And what would the cabling setup look like?

Thank you in advance for any info. Let me know if you need to see configs or need any further details. Thanks again!
Rick_O_Shay:

Could putting that separate new ASA interface into VLAN 4 and making the ASA the gateway for that subnet do what you want?

Rick_O_Shay's suggestion would work for internet traffic, but if you want those same devices on VLAN 4 to also access resources on the other VLANs, you need to push out persistent routes to each machine telling it that the other internal networks are via the next hop of your ProCurve, rather than their default gateway of the ASA. The default gateway is probably given to all devices via DHCP, although you may have some devices manually configured. With DHCP, you might be able to distribute static routes using options, depending on your DHCP server. Otherwise, it means scripting or manually running a cmd on each system. For Windows, that cmd is "ROUTE -p ADD destip MASK destmask nexthopip".

I was thinking that as long as the ASA has routes back to the other subnets, it could take care of routing to them for the VLAN 4 clients via the switch.

Except that the ASA will not route a packet back out the same interface normally (it won't do redirects). If you want it to route between the VLANs, you could set up the inside interface of the ASA as an 802.1q trunk with all the VLANs and connect it to the switch. Then in the ASA, you would have to have the same security level on the VLANs and use the config parameter "same-security-traffic" to allow routing among all the VLAN interfaces. But in this config, you will have more ACLs to set up (one for each VLAN potentially, unless you want them to have any-to-any access among the VLANs).
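
The "distribute static routes using DHCP options" route mentioned two replies up is the RFC 3442 Classless Static Route option (option 121). The encoder/decoder below is an added example, not code from the thread or from any of the products in it. The addresses are assumptions: 10.4.0.1 is the ProCurve's VLAN 4 address from the posted core config, and 10.4.0.2 is a hypothetical ASA address on VLAN 4 that would become the clients' default gateway.

```python
import ipaddress

# Added example, not from the thread: the RFC 3442 "Classless Static Route" DHCP option (121),
# the standard way to push extra routes to clients instead of running "route -p add" on each
# one. 10.4.0.1 is the ProCurve's VLAN 4 address from the posted core config; 10.4.0.2 is a
# hypothetical ASA address on VLAN 4 that would become the clients' default gateway.

OPTION_CLASSLESS_STATIC_ROUTE = 121

def encode_option_121(routes):
    """Encode [(destination_cidr, next_hop), ...] as the option-121 payload.
    Each route is one byte of prefix length, then only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the four-byte router address."""
    payload = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest)          # strict: rejects host bits in the prefix
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(via).packed
    if len(payload) > 255:
        raise ValueError("payload exceeds one option; RFC 3396 concatenation needed")
    return bytes(payload)

def decode_option_121(payload):
    """Inverse of encode_option_121; rejects truncated or malformed payloads."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        dest = payload[i + 1:i + 1 + significant]
        via = payload[i + 1 + significant:i + 5 + significant]
        if len(dest) != significant or len(via) != 4:
            raise ValueError(f"truncated route at offset {i}")
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - significant), prefixlen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(via))))
        i += 1 + significant + 4
    return routes

def dhcp_option_tlv(code, payload):
    """Wrap a payload as the code/length/value triple that goes into the DHCP options field."""
    return bytes([code, len(payload)]) + payload

# Constructed route set for a VLAN 4 client: campus ranges via the core, everything else via
# the firewall. A client that honours option 121 ignores option 3 (router), per RFC 3442.
VLAN4_ROUTES = [
    ("192.168.1.0/24", "10.4.0.1"),
    ("10.0.0.0/8", "10.4.0.1"),
    ("0.0.0.0/0", "10.4.0.2"),
]
```

Two practical points follow from the format: a client only receives option 121 if it asks for it in its parameter request list, and a client that does receive it is required by RFC 3442 to ignore the plain router option, so the default route has to be carried inside option 121 as the 0.0.0.0/0 entry above. Client support varies by operating system and version, so verify on the clients actually in use before relying on it.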
TheBurningRom (asker):

Sorry for the late reply. Have been busy, though thankfully not with the ASA, which went in without a hitch.

The first suggestion will not work, as we DO want VLAN 4 to access resources on other VLANs.

Our gateways are assigned via DHCP. Pushing out static routes is not something I'm looking to do either.

The inside interface on the ASA is already trunked. There's only one interface for inside and one for outside at the moment.

Would posting the config from the ASA help? Let me know and I can get it cleaned up and posted.

Also, it may be important to note that 99% of our clients are Apple, while our infrastructure server-wise is mostly Windows.

We also have a unique situation in that we have a Bradford CampusManager VLAN switching device that handles our student population. I don't think that is relevant in regards to the current question, but I just thought I would mention it.

Thanks for the replies so far.

Yes, post the ASA config. You'll have to create subinterfaces for all the VLANs and use the same-security-traffic parameter to allow the VLANs to route to each other. I can better give the proper commands after I see the ASA config.

Thanks!

I will post a scrubbed config first thing in the morning.

Here is a scrubbed config from the ASA. It was converted over from the PIX that we had prior to it. I haven't changed much of anything on this config. I was sort of thrown into the role of managing the firewall when I started here... two months ago. So it's all a little new to me, and we're already on our 2nd firewall.

I can post the access lists from the core switch (the HP 5412zl) if need be. Just let me know.
: Written by enable_15 at 08:08:53.288 EDT Tue Mar 16 2010
!
ASA Version 8.2(1) 
!
hostname pix
domain-name *********.org
enable password *******
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 207.210.***.*** 255.255.***.*** 
 ospf cost 10
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 no ip address
 ospf cost 10
!
interface GigabitEthernet0/1.1
 vlan 1
 nameif network
 security-level 99
 ip address 192.168.1.2 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 description Outside Comcast Interface
 shutdown
 nameif OutsideComcast
 security-level 0
 ip address 173.162.***.*** 255.255.***.*** 
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name *********.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service THE-ServiceGroup tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq 444
 port-object range ftp-data ftp-data
object-group service Mail-ServiceGroup tcp
 port-object eq 510
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq 593
 port-object eq imap4
 port-object eq smtp
 port-object eq 8080
object-group service PVT-ServiceGroup tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object range ftp-data ftp-data
object-group service PowerSchool-ServiceGroup tcp-udp
 port-object range 1417 1420
 port-object eq 407
 port-object eq 5071
 port-object eq 7880
object-group service PowerSchooltcp-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service UpdatesOnly tcp
 description Allow updates for SAV, MS, Windows, etc
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network Permit-All
 description Permit Internet for VLANs 1,3,4,5
 network-object 10.5.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.4.0.0 255.255.0.0
object-group network Updates
 description Allow updates only for VLANs 2, 6, and 7
 network-object 10.6.0.0 255.255.255.0
 network-object 10.7.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.0.0
object-group service www-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service TiVo-Both tcp-udp
 description TiVo Service
 port-object eq 2190
object-group service TiVo-TCP tcp
 description TiVo Service
 port-object eq 37
 port-object eq 4430
 port-object range 7287 7288
 port-object eq 8000
 port-object range 8080 8089
 port-object eq https
object-group service TiVo-UDP udp
 description TiVo Service
 port-object eq ntp
object-group service X-Server_Both tcp-udp
 port-object eq 3283
object-group service X-Server_TCP tcp
 port-object eq 331
 port-object eq 5900
 port-object eq 5988
 port-object eq 625
 port-object eq 660
 port-object eq ftp
 port-object eq www
 port-object eq ssh
object-group service Virtuozzo-01_TCP tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host femail eq smtp 
access-list outside_access_in extended permit tcp any host mail object-group Mail-ServiceGroup 
access-list outside_access_in extended permit tcp any host PowerSchool object-group PowerSchool-ServiceGroup 
access-list outside_access_in extended permit udp any host PowerSchool object-group PowerSchool-ServiceGroup 
access-list outside_access_in extended permit tcp any host PowerSchool object-group PowerSchooltcp-ServiceGroup 
access-list outside_access_in extended permit tcp any host pvt object-group PVT-ServiceGroup 
access-list outside_access_in extended permit tcp any host THE object-group THE-ServiceGroup 
access-list outside_access_in extended permit tcp any host c-01 eq citrix-ica 
access-list outside_access_in extended permit tcp any host 192.168.1.19 eq citrix-ica inactive 
access-list outside_access_in extended permit tcp any host 192.168.1.35 object-group TiVo-TCP 
access-list outside_access_in extended permit udp any host 192.168.1.35 object-group TiVo-UDP 
access-list outside_access_in extended permit tcp any host 192.168.1.35 object-group TiVo-Both 
access-list outside_access_in extended permit tcp any host 192.168.1.150 inactive 
access-list outside_access_in extended permit tcp any eq www host 10.3.0.31 eq www inactive 
access-list outside_access_in extended permit tcp any host 207.210.***.*** object-group X-Server_Both inactive 
access-list outside_access_in extended permit tcp any host c-01 eq 3389 
access-list outside_access_in extended permit tcp any host Virtuozzo-01 object-group Virtuozzo-01_TCP inactive 
access-list outside_access_in extended permit tcp any host 10.3.0.31 object-group X-Server_TCP inactive 
access-list outside_access_in extended permit ip any any 
access-list network_access_in extended permit ip object-group Permit-All any 
access-list network_access_in extended permit tcp object-group Updates any object-group UpdatesOnly 
access-list EWS_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any 10.3.1.224 255.255.255.224 
access-list outside_cryptomap_65535.2 extended permit udp any any eq isakmp 
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu network 1500
mtu management 1500
mtu OutsideComcast 1500
ip local pool AcademicLAN 10.3.1.233-10.3.1.254 mask 255.255.0.0
ip audit attack action alarm drop
no failover
monitor-interface outside
monitor-interface inside
no monitor-interface network
monitor-interface management
monitor-interface OutsideComcast
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 10.3.1.224 255.255.255.224
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (network) 1 10.3.1.224 255.255.255.224
nat (network) 1 10.5.0.0 255.255.255.0
nat (network) 1 10.6.0.0 255.255.255.0
nat (network) 1 10.7.0.0 255.255.255.0
nat (network) 1 10.8.0.0 255.255.255.0
nat (network) 1 192.168.1.0 255.255.255.0
nat (network) 1 10.2.0.0 255.255.0.0
nat (network) 1 10.3.0.0 255.255.0.0
nat (network) 1 10.4.0.0 255.255.0.0
static (network,outside) femail 192.168.1.6 netmask 255.255.255.255 
static (network,outside) DC-01 192.168.1.23 netmask 255.255.255.255 
static (network,outside) PowerSchool 192.168.1.17 netmask 255.255.255.255 
static (network,outside) THE 192.168.1.10 netmask 255.255.255.255 
static (network,outside) mail 192.168.1.11 netmask 255.255.255.255 
static (network,outside) pvt 192.168.1.13 netmask 255.255.255.255 
static (network,outside) c-01 192.168.1.21 netmask 255.255.255.255 
static (network,outside) Virtuozzo-01 192.168.1.25 netmask 255.255.255.255 
static (network,outside) Virtuozzo-02 192.168.1.26 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group network_access_in in interface network
route outside 0.0.0.0 0.0.0.0 207.210.***.*** 1
route network 10.2.0.0 255.255.255.0 192.168.1.1 1
route network 10.3.0.0 255.255.0.0 192.168.1.1 1
route network 10.4.0.0 255.255.0.0 192.168.1.1 1
route network 10.5.0.0 255.255.255.0 192.168.1.1 1
route network 10.6.0.0 255.255.255.0 192.168.1.1 1
route network 10.7.0.0 255.255.255.0 192.168.1.1 1
route network 10.8.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map AD3
  map-name  msNPAllowDialin Tunneling-Protocols
  map-value msNPAllowDialin FALSE 1
  map-value msNPAllowDialin TRUE 20
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCs protocol ldap
aaa-server DCs (network) host 192.168.1.23
 timeout 15
 server-port 636
 ldap-base-dn DC=***, DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ***
 ldap-login-dn CN=***, CN=Users, DC=***, DC=org
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map AD3
http server enable
http 192.168.1.0 255.255.255.0 network
http 10.3.0.0 255.255.0.0 network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set pfs 
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2
crypto dynamic-map outside_dyn_map 2 set pfs 
crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto dynamic-map network2_dyn_map 20 set pfs 
crypto dynamic-map network2_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map network2_map 65535 ipsec-isakmp dynamic network2_dyn_map
crypto isakmp enable outside
crypto isakmp enable OutsideComcast
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp nat-traversal 3600
client-update enable
telnet 192.168.1.0 255.255.255.0 network
telnet 10.3.0.0 255.255.0.0 network
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.10.2-192.168.10.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy TestTunnel internal
group-policy TestTunnel attributes
 wins-server value 192.168.1.23
 dns-server value 192.168.1.23 192.168.1.19
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value ***
tunnel-group TestTunnel type remote-access
tunnel-group TestTunnel general-attributes
 address-pool AcademicLAN
 authentication-server-group DCs
 default-group-policy TestTunnel
tunnel-group TestTunnel ipsec-attributes
 pre-shared-key ***
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context



You have a 5550. By default it allows 2 contexts. Consider this design:
One context will be your business cable firewall and the second context is your present firewall to the AT&T service. Context CABLE will have interfaces gi1/1 (OutsideComcast), gi1/2 (InsideVlan4) and gi1/3 (InsideVlan99). VLAN 99 is a new VLAN just between context CABLE and the ProCurve. I assume your ProCurve is in routing mode and you can define a /30 subnet between these. You would configure an ACL on the InsideVlan4 and InsideVlan99 interfaces to allow ip any any, or as specific as you need. Both interfaces should be the same security level. Connect InsideVlan4 to your switch VLAN 4 and tell the DHCP to give out this IP as the default gateway.

Meanwhile context 2 contains all the rest of the physical interfaces and the subinterface "network" that you already defined. Then in the ProCurve, a static route to VLAN 4 via the VLAN 99 FW IP.

That is the only method I can visualize. Otherwise I don't see how you can have two default routes out a single FW. Even with a PBR behind the ASA to get the right source traffic separated, when it gets into the same firewall, it will take the OSPF default route out. With two contexts, you can have a separate default route to the Internet (all address space other than your sources) for different sources.

For that matter you could create a trunk interface from context CABLE and only use one physical interface, but you might want 2 physical inside interfaces for throughput reasons. Or maybe, if this works, you decide you want a few other VLANs to go around the packet shaper path. If you make both inside interfaces into trunks, you could have VLANs 4, 5 and 6 on one interface and VLANs 7, 8 and 99 on the other. Your ACL could say VLANs 4, 5, 6, 7 and 8 can talk IP between them, and route to VLANs 9-15 via VLAN 99. By controlling the default gateway you provide to these VLANs, you control which path they take: the ASA CABLE context or the packet shaper original default gateway.

Your idea sounds good. I'm not sure it would work for us though. From what I understand, the ASAs don't support VPN in multiple-context mode, which is something we need the ASA to provide for us currently.

We're also not using OSPF. All routes in the firewall appear to be static at the moment.

I've read through a few posts here on EE that had a solution of putting a PBR router between the core and firewall as the solution. We were also told by the cisco voice engineers that are currently working up a bid for our VOIP project that the voice router would be able to handle the traffic splitting on the inside as well, but that project is about a year out at the earliest.

I noticed in the Procurve core that there are extended access lists permitting (or denying) access to the pix (now the asa) IP on the different VLANs. Would hooking the core into the ASA on another switch port, and then only allowing access to that asa interface (with an IP of 192.168.1.4 instead of 192.168.1.1 for example) create a new route to the core for only a certain VLAN? Or would it still try sending traffic out the core's defined default gateway (the ASA) regardless?

Yeah, you are right, the VPN gotcha prevents contexts. Certainly putting a PBR between the ProCurve and the ASA would divide the traffic into two flows. But each flow must then follow default routing at some point (to get to the Internet). If your traffic eventually also ends up in the same ASA, though, you have them combined again with one default gateway. The ASA routing will have static routes toward the inside for your known internal networks, but must use a default route to pass traffic to the Internet router. An ASA can have 2 default routes, but only load-balanced (same metric) or failover (different metrics) routes. It cannot route to "route outside 0.0.0.0 0.0.0.0 next-hop-ip metric" by any policy. There is no mechanism to divide the traffic once you bring them both together into the same ASA. But, for under $500, an ASA 5505 could be the ASA for VLAN 4 while the 5550 can be the FW for mainstream traffic.

So a PBR doesn't help you if you combine the traffic again in the same ASA.

Another firewall would be a possible solution. We do still have the PIX 515E that the ASA replaced. It's only 4-5 years old. The only reason it was replaced was due to the hardware being EOL'd, and the lack of availability (and the cost) of upgrade licensing.

If we stick the PIX in between the Comcast connection and the core, how would we get the traffic out the core to a different gateway? I guess that's what I've been trying to wrap my head around the past week. Currently the core has the 192.168.1.2 interface set as its default gateway. Would we be able to push the traffic out a different interface using an access list for VLAN 4?
Here's a config export from the core switch. It's pretty much how I found it on day 1, and it looks as though it's routing all traffic out to the ASA.


Running configuration:

; J8698A Configuration Editor; Created on release #K.12.57

hostname "HP5412zl" 
snmp-server location "BB-GROUND-MDF" 
time timezone -300 
time daylight-time-rule User-defined begin-date 3/8 end-date 11/1 
ip access-list extended "deadend" 
   100 remark "permit all traffic between vlan 9 and bb.xxxxxx.org" 
   101 permit ip 0.0.0.0 255.255.255.255 192.168.1.5 0.0.0.0 
   exit 
ip access-list extended "dorms" 
   100 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 80 
   105 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 443 
   110 permit tcp 10.4.0.0 0.0.255.255 192.168.1.11 0.0.0.0 eq 510 
   115 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 80 
   120 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 443 
   125 remark "permit Printing to xxxx2100" 
   125 permit ip 10.4.0.0 0.0.255.255 192.168.1.48 0.0.0.0 
   130 remark "permit Printing to xxxx2100" 
   131 permit ip 10.4.0.0 0.0.255.255 192.168.1.46 0.0.0.0 
   135 permit tcp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53 
   136 permit udp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53 
   137 permit tcp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53 
   138 permit udp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53 
   140 remark "permit all traffic between vlan 4 and campus Manager" 
   140 permit ip 10.4.0.0 0.0.255.255 192.168.1.5 0.0.0.0 
   145 remark "permit all traffic between vlan 4 and pix" 
   145 permit ip 10.4.0.0 0.0.255.255 192.168.1.2 0.0.0.0 
   150 permit ip 10.4.0.0 0.0.255.255 10.4.0.0 0.0.255.255 
   155 deny ip 10.4.0.0 0.0.255.255 192.168.1.0 0.0.255.255 
   160 deny ip 10.4.0.0 0.0.255.255 10.0.0.0 0.255.255.255 
   165 permit ip 10.4.0.0 0.0.255.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "nointernet" 
   100 permit tcp 10.8.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 80 
   105 permit tcp 10.8.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 443 
   110 permit tcp 10.8.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 510 
   115 permit tcp 10.8.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 80 
   120 permit tcp 10.8.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 443 
   125 permit ip 0.0.0.0 255.255.255.255 192.168.1.48 0.0.0.0 
   130 permit ip 0.0.0.0 255.255.255.255 192.168.1.49 0.0.0.0 
   140 remark "permit all traffic between vlan 8 and bb.xxxxxx.org" 
   141 permit ip 0.0.0.0 255.255.255.255 192.168.1.5 0.0.0.0 
   exit 
ip access-list extended "internet5" 
   100 remark "permit all ip traffic from vlan to Campus Manager" 
   101 permit ip 10.5.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   105 permit tcp 10.5.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   106 permit udp 10.5.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   107 permit tcp 10.5.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   108 permit udp 10.5.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   110 remark "permit http - https - ftp to PVT" 
   111 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 80 
   112 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 443 
   113 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 21 
   120 remark "permit http - https - ftp to THE" 
   121 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 80 
   122 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 443 
   123 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 20 
   124 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 21 
   125 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 5353 
   126 permit udp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 5353 
   130 remark "permit FC Client - SMTP - POP3 to MAIL" 
   131 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 510 
   132 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 25 
   133 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 110 
   134 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 8080 
   135 permit tcp 10.5.0.0 0.0.0.0 192.168.1.11 0.0.0.255 eq 8080 
   140 remark "permit access to PowerSchool - Gradebook" 
   141 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 80 
   142 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 5071 
   144 permit tcp 5.0.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   145 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   150 remark "permit access to Citrix" 
   151 permit tcp 10.5.0.0 0.0.0.255 192.168.1.21 0.0.0.0 eq 1494 
   152 permit tcp 10.5.0.0 0.0.0.255 192.168.1.22 0.0.0.0 eq 1494 
   153 permit ip 10.5.0.0 0.0.0.255 10.5.0.0 0.0.0.255 
   160 deny ip 10.5.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   170 deny ip 10.5.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   180 permit ip 10.5.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "internet6" 
   100 remark "permit all ip traffic from vlan to PIX" 
   101 permit ip 10.6.0.0 0.0.0.255 192.168.1.2 0.0.0.0 
   110 remark "permit all ip traffic from vlan to Campus Manager" 
   111 permit ip 10.6.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   120 permit tcp 10.6.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   121 permit udp 10.6.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   122 permit tcp 10.6.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   123 permit udp 10.6.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   130 permit ip 10.6.0.0 0.0.0.255 10.6.0.0 0.0.0.255 
   140 deny ip 10.6.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   150 deny ip 10.6.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   160 permit ip 10.6.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "internet7" 
   100 remark "permit all ip traffic from vlan to PIX" 
   101 permit ip 10.7.0.0 0.0.0.255 192.168.1.2 0.0.0.0 
   120 remark "permit all ip traffic from vlan to Campus Manager" 
   121 permit ip 10.7.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   130 permit tcp 10.7.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   131 permit udp 10.7.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   132 permit tcp 10.7.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   133 permit udp 10.7.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   140 permit ip 10.7.0.0 0.0.0.255 10.7.0.0 0.0.0.255 
   150 deny ip 10.7.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   160 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   170 permit ip 10.7.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "Internet5" 
   143 permit tcp 5.0.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   exit 
module 1 type J8702A 
module 2 type J8705A 
module 3 type J8702A 
module 4 type J8705A 
module 5 type J8702A 
module 6 type J8705A 
module 7 type J8702A 
module 8 type J8705A 
module 9 type J8702A 
module 10 type J8705A 
interface B12 
   speed-duplex 100-half 
exit
interface B19 
   speed-duplex 100-full 
exit
interface D1 
   speed-duplex 10-half 
exit
interface F3 
   speed-duplex 100-full 
exit
interface F4 
   speed-duplex 100-full 
exit
ip default-gateway 192.168.1.2 
ip routing 
timesync sntp 
snmp-server community "public" Unrestricted 
snmp-server host 192.168.1.39 "public" 
snmp-server host 192.168.1.5 "public" All 
vlan 1 
   name "network" 
   untagged A1,A3-A15,A17-A24,B1-B8,B10,B12,B14-B15,B17-B18,B21-B24,C8,C11-C12,C14,D1-D24,E8,E14,E18,E22,E24-F15,F18-F20,H1-H20,I24-J24 
   ip address 192.168.1.1 255.255.255.0 
   tagged B9,B11,B16,B19-B20,F21-F24,H21-H24 
   no untagged A2,A16,B13,C1-C7,C9-C10,C13,C15-C24,E1-E7,E9-E13,E15-E17,E19-E21,E23,F16-F17,G1-G24,I1-I23 
   exit 
vlan 2 
   name "admin" 
   untagged E5-E7,E9 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.2.0.1 255.255.255.0 
   tagged B1-B12,B16,B19-B24,D21-D24,F21-F24,H21-H24 
   exit 
vlan 3 
   name "academic" 
   untagged A2,A16,B13,C1-C7,C9-C10,C13,C15-C19,C21-C24,E1-E4,E10-E11,E13,E15-E17,E19-E21,E23,F16-F17,G1-G24,I1-I2,I4-I5,I7-I13,I15-I16,I18-I19,I21,I23 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.3.0.1 255.255.0.0 
   tagged B1-B12,B19-B24,C14,D21-D24,F21-F24,H21-H24 
   exit 
vlan 4 
   name "dorms" 
   untagged I20 
   ip helper-address 192.168.1.19 
   ip helper-address 192.168.1.23 
   ip address 10.4.0.1 255.255.0.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "dorms" in
   exit 
vlan 5 
   name "public" 
   untagged C20,I17 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.5.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet5" in
   exit 
vlan 6 
   name "registration" 
   untagged E12,I3,I6,I14,I22 
   ip helper-address 192.168.1.5 
   ip address 10.6.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet6" in
   exit 
vlan 7 
   name "quarantine" 
   ip helper-address 192.168.1.5 
   ip address 10.7.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet7" in
   exit 
vlan 8 
   name "nointernet" 
   ip helper-address 192.168.1.5 
   ip address 10.8.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "nointernet" in
   exit 
vlan 9 
   name "deadend" 
   ip helper-address 192.168.1.5 
   ip address 10.9.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "deadend" in
   ip access-group "deadend" out
   exit 
ip route 0.0.0.0 0.0.0.0 192.168.1.2
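
The two things the thread keeps circling are visible in the core config above: the per-VLAN extended ACLs with wildcard masks, and the single default route to the ASA. The script below is an added example, not code from the thread or from HP or Cisco. It parses the posted "dorms" ACL (copied in without its remark lines) and evaluates constructed packets against it with first-match and implicit-deny semantics, then contrasts a destination-only longest-prefix lookup (what a static routing table on a firewall or the core does) with a policy route that consults a source ACL before the table. The address 192.168.1.3 is a hypothetical inside address for a second firewall; 192.168.1.1 (core) and 192.168.1.2 (ASA) come from the posted configs.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the thread. It replays the "dorms" ACL from the posted core config
# (remark lines dropped) against constructed packets, then contrasts a destination-only
# routing table with a policy route that consults a source ACL first. 192.168.1.3 is a
# hypothetical second firewall; 192.168.1.1 (core) and 192.168.1.2 (ASA) are from the thread.

Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))
Ace = namedtuple("Ace", "seq action proto src dst dport")   # dport None = any port

def wildcard_to_network(addr, wildcard):
    """ProCurve/IOS wildcard: 0 bits must match, 1 bits are don't-care (contiguous only)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wild.bit_length()))

def _take_addr(tok, i):
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    """Parse 'seq action proto src swild dst dwild [eq port]' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] == "remark":
            continue
        src, i = _take_addr(tok, 3)
        dst, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(int(tok[0]), tok[1], tok[2], src, dst, dport))
    return aces

def acl_lookup(aces, pkt):
    """First match wins; no match is the implicit deny, reported with seq None."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.seq
    return "deny", None

def fib_lookup(fib, dst):
    """Destination-only longest-prefix match: the source never enters the decision, so
    every source without a more specific route lands on the same default next hop."""
    ip = ipaddress.IPv4Address(dst)
    best = max((n for n in fib if ip in n), key=lambda n: n.prefixlen, default=None)
    return None if best is None else fib[best]

def policy_route(policies, fib, pkt):
    """Policy routing: (acl, next_hop) pairs are tried before the FIB; a permit wins,
    a deny or non-match falls through to the ordinary destination lookup."""
    for aces, next_hop in policies:
        if acl_lookup(aces, pkt)[0] == "permit":
            return next_hop
    return fib_lookup(fib, pkt.dst)

DORMS_ACL = """
100 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 80
105 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 443
110 permit tcp 10.4.0.0 0.0.255.255 192.168.1.11 0.0.0.0 eq 510
115 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 80
120 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 443
125 permit ip 10.4.0.0 0.0.255.255 192.168.1.48 0.0.0.0
131 permit ip 10.4.0.0 0.0.255.255 192.168.1.46 0.0.0.0
135 permit tcp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53
136 permit udp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53
137 permit tcp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53
138 permit udp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53
140 permit ip 10.4.0.0 0.0.255.255 192.168.1.5 0.0.0.0
145 permit ip 10.4.0.0 0.0.255.255 192.168.1.2 0.0.0.0
150 permit ip 10.4.0.0 0.0.255.255 10.4.0.0 0.0.255.255
155 deny ip 10.4.0.0 0.0.255.255 192.168.1.0 0.0.255.255
160 deny ip 10.4.0.0 0.0.255.255 10.0.0.0 0.255.255.255
165 permit ip 10.4.0.0 0.0.255.255 0.0.0.0 255.255.255.255
"""

# Constructed policy for a hypothetical PBR router between the core and the firewalls:
# VLAN 4 sources bound for anything outside the campus ranges go to the second firewall.
VLAN4_TO_INTERNET = parse_acl("""
10 deny ip 10.4.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.4.0.0 0.0.255.255 192.168.0.0 0.0.255.255
30 permit ip 10.4.0.0 0.0.255.255 any
""")
FIB = {ipaddress.IPv4Network("0.0.0.0/0"): "192.168.1.2",    # ASA, AT&T path
       ipaddress.IPv4Network("10.0.0.0/8"): "192.168.1.1"}   # back to the ProCurve
POLICIES = [(VLAN4_TO_INTERNET, "192.168.1.3")]              # hypothetical second firewall
```

Run against the posted ACL, a packet from 10.4.x to 192.168.1.2 is permitted by seq 145, but the same packet to any other address in 192.168.0.0/16 hits the deny at seq 155 (the wildcard 0.0.255.255 on that line covers the whole /16, not just 192.168.1.0/24), so a second firewall address on VLAN 1 would need its own permit entry ahead of 155 before VLAN 4 could reach it. The routing half shows the point made in the replies about the ASA: fib_lookup returns the same next hop for every source because only the destination is consulted, and only policy_route, which matches on the source ACL first, can send VLAN 4 sources to a different next hop. Asymmetric return traffic is the usual follow-on problem with this split, and is why the second firewall has to NAT VLAN 4 behind its own outside address.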


ASKER CERTIFIED SOLUTION by Boilermaker85 (this solution is only available to members of Experts Exchange).

I like that idea.

I threw the PIX back into the infrastructure rack. Set up the outside interface for the Comcast connection, and the inside interface for a VLAN 4 IP. I switched over the default gateway as well. I'm running into an issue though. The clients connected to VLAN 4 can reach the PIX firewall, but they cannot reach the internet.

I'm getting portmap translation errors when pinging or requesting a website. The src and dst are both on the network port. The src being the 10.4 address, and the dst being the domain controller (192.168.1.23).

I have the interface that the PIX is connected to on the core tagged in both VLAN 1 and VLAN 4. I'm starting to wonder if it's a VLAN access list issue, but the clients are able to get IP addresses from the DHCP server, which resides on VLAN 1.

I feel like I'm missing something minor, but I'm not sure what. Thank you for your help so far. I've bumped this question up to 500 points, as it's taken so much time to work through.
SOLUTION
This solution is only available to members of Experts Exchange.
I have the same global interface statement that the ASA has, only with a different interface:
global (outsideComcast) 1 interface
If I try changing it to the comcast IP, I get a conflict error.

VLAN 1 & 4 are the same security. I think I may have the routes messed up though. Actually, I'm almost positive I do. Should I be routing the other VLANs to the ProCurve (192.168.1.1) or to the trunked VLAN 1 interface (which is 192.168.1.128)?

The config below doesn't show routes for vlan 1 or 4, but they do exist. They show as "connected" in the monitoring/routing area of the ASDM.

I removed a large chunk of the un-needed entries in the config, and the port map errors seem to have stopped. I still however cannot get out to the internet from VLAN4, or back to any of the other VLANs.

I know the interface names are confusing. I'm trying to hold everything together for the remainder of the school year, and this summer I will go through and make changes to the naming and remarks on both the core and ASA. I have made naming changes on the PIX before grabbing the config I have posted below. Hopefully they will be less confusing.

As for that picture, it is fairly accurate. The ASA is 192.168.1.2, not the packet shaper (which is 192.168.1.5 iirc). But the layout looks fairly accurate. Do links 0 & 1 to the PIX represent the trunked interface? Or should I be utilizing a 2nd physical interface for the VLAN1 connection? I have 3 physical interfaces available to me on the PIX.

Thank you for all your help so far!
: Written by enable_15 at 12:06:36.909 EDT Thu Mar 18 2010
!
PIX Version 7.2(2) 
!
hostname pix
domain-name xxxxxxxx.org
names
name 207.210.xxx.xxx DC-01
!
interface Ethernet0
 speed 100
 duplex full
 nameif outsideComcast
 security-level 0
 ip address 173.162.xxx.xxx 255.255.xxx.xxx 
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif TrunkHardwareInt
 security-level 100
 no ip address
 ospf cost 10
!
interface Ethernet1.1
 vlan 4
 nameif PixToCoreVLAN4
 security-level 99
 ip address 10.4.0.5 255.255.0.0 
 ospf cost 10
!
interface Ethernet1.2
 vlan 1
 nameif PixToCoreVlan1
 security-level 99
 ip address 192.168.1.128 255.255.255.0 
!
interface Ethernet2
 shutdown
 nameif management
 security-level 99
 no ip address
 ospf cost 10
!
passwd MPlYi.GQkN.nJvGF encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxx.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PowerSchool-ServiceGroup tcp-udp
 port-object range 1417 1420
 port-object eq 407
 port-object eq 5071
 port-object eq 7880
object-group service PowerSchooltcp-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service UpdatesOnly tcp
 description Allow updates for SAV, MS, Windows, etc
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network Permit-All
 description Permit Internet for VLANs 1,3,4,5
 network-object 10.5.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.4.0.0 255.255.0.0
 network-object 192.168.1.0 255.255.255.0
object-group network Updates
 description Allow updates only for VLANs 2, 6, and 7
 network-object 10.2.0.0 255.255.255.0
 network-object 10.6.0.0 255.255.255.0
 network-object 10.7.0.0 255.255.255.0
object-group service www-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service X-Server_Both tcp-udp
 port-object eq 3283
object-group service X-Server_TCP tcp
 port-object eq 331
 port-object eq 5900
 port-object eq 5988
 port-object eq 625
 port-object eq 660
 port-object eq ftp
 port-object eq www
 port-object eq ssh
access-list outside_access_in extended permit tcp any eq www host 10.3.0.31 eq www 
access-list outside_access_in extended permit tcp any host 10.3.0.31 object-group X-Server_TCP 
access-list network_access_in extended permit udp object-group Permit-All any 
access-list network_access_in extended permit ip object-group Permit-All any 
access-list network_access_in extended permit tcp 10.8.0.0 255.255.255.0 host 65.61.147.123 object-group www-ServiceGroup 
access-list network_access_in extended permit tcp object-group Updates any object-group UpdatesOnly 
access-list EWS_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm warnings
mtu outsideComcast 1500
mtu TrunkHardwareInt 1500
mtu PixToCoreVLAN4 1500
mtu PixToCoreVlan1 1500
mtu management 1500
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outsideComcast
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outsideComcast) 1 interface
nat (PixToCoreVLAN4) 1 10.2.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.5.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.6.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.7.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.8.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 192.168.1.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.3.0.0 255.255.0.0
nat (PixToCoreVLAN4) 1 10.4.0.0 255.255.0.0
static (PixToCoreVLAN4,outsideComcast) DC-01 192.168.1.23 netmask 255.255.255.255 
access-group outside_access_in in interface outsideComcast
access-group network_access_in in interface PixToCoreVLAN4
route outsideComcast 0.0.0.0 0.0.0.0 173.162.xxx.xxx 1
route PixToCoreVLAN4 10.2.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.5.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.6.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.7.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.3.0.0 255.255.0.0 192.168.1.1 1
route PixToCoreVLAN4 10.8.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.4.0.0 255.255.0.0 PixToCoreVLAN4
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto isakmp enable outsideComcast
telnet 10.4.0.0 255.255.0.0 PixToCoreVLAN4
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
client-update enable
prompt hostname context

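The post above says the routes are probably wrong, and the config shows why a check is worth automating: every static route is bound to PixToCoreVLAN4 (10.4.0.5/16) but points at the next hop 192.168.1.1, which lives on the VLAN 1 segment that the PIX reaches through PixToCoreVlan1 (192.168.1.128/24). The PIX has to ARP for the gateway on the interface named in the route, so a next hop outside that interface's connected subnet is unreachable from it. The following script is an added example, not code from the poster or from Cisco: it parses the PIX 7.2-style `interface`/`nameif`/`ip address` blocks and `route` lines, flags each route whose gateway is off-subnet for its interface, and names the interface whose subnet does contain the gateway. The embedded config is a constructed excerpt of the posted one; the Comcast-facing interface and its default route are left out because their addresses are redacted on the page. Which way the other VLANs should be reached (core at 192.168.1.1 vs. the VLAN 1 subinterface) remains the asker's open question; the script only checks that each route's interface and gateway are consistent with each other.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.2 config posted above (redacted ISP interface omitted).
SAMPLE_CONFIG = """
interface Ethernet1.1
 vlan 4
 nameif PixToCoreVLAN4
 security-level 99
 ip address 10.4.0.5 255.255.0.0
!
interface Ethernet1.2
 vlan 1
 nameif PixToCoreVlan1
 security-level 99
 ip address 192.168.1.128 255.255.255.0
!
route PixToCoreVLAN4 10.2.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.5.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.6.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.7.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.3.0.0 255.255.0.0 192.168.1.1 1
route PixToCoreVLAN4 10.8.0.0 255.255.255.0 192.168.1.1 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus connected subnet)."""
    interfaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config):
    """Return static routes as dicts: iface, prefix, gateway, metric."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append({
                "iface": iface,
                "prefix": ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                "gateway": ipaddress.IPv4Address(gw),
                "metric": int(metric or 1),
            })
    return routes


def check_routes(config):
    """Flag routes whose gateway is not inside the named interface's connected subnet.

    Returns (route, reason, better_iface) tuples; better_iface is the nameif whose
    subnet actually contains the gateway, or None if no interface does.
    """
    interfaces = parse_interfaces(config)
    findings = []
    for r in parse_routes(config):
        connected = interfaces.get(r["iface"])
        if connected is None:
            findings.append((r, "unknown interface", None))
            continue
        if r["gateway"] in connected.network:
            continue                           # consistent: gateway is directly reachable
        holders = [n for n, i in interfaces.items() if r["gateway"] in i.network]
        findings.append((r, "gateway off-subnet", holders[0] if holders else None))
    return findings


def corrected_routes(config):
    """Rewrite each flagged route onto the interface that holds its gateway."""
    fixed = []
    for r, _reason, better in check_routes(config):
        if better:
            p = r["prefix"]
            fixed.append(f"route {better} {p.network_address} {p.netmask} {r['gateway']} {r['metric']}")
    return fixed


if __name__ == "__main__":
    for r, reason, better in check_routes(SAMPLE_CONFIG):
        print(f"{reason}: route {r['iface']} {r['prefix']} via {r['gateway']}"
              f" -> gateway is on {better or 'no configured interface'}")
    print("\nCandidate replacement lines:")
    print("\n".join(corrected_routes(SAMPLE_CONFIG)))
```

Run it against the full `show running-config` output; any route reported as "gateway off-subnet" will never get an ARP reply on the interface it is bound to, which matches the symptom of VLAN 4 reaching the PIX but not the other VLANs. The same parse is useful before adding the Comcast default route: its gateway must fall inside the outsideComcast subnet in exactly the same way.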

Solution was presented but help is needed implementing the solution. I have started another question for the implementation as I wasn't getting any responses on this question.