Splitting Network Traffic Based On VLAN - 2 ISPs, 2 Firewalls, 1 Core Switch

We are trying to split off our internet traffic off. We have two ISPs. One cable and one fiber. We are trying to send our high priority vlans (1,2,3,5,7) out our fiber ISP (through a packetshaper), and our low priority student traffic (vlan 4) through our cable ISP. Our core switch/router is an HP 5412zl. We have two firewalls in place. A Cisco ASA 5550 that we are using for our primary gateway, and a Cisco PIX 515E that we want to use as our gateway for VLAN 4. It was suggest that we split off traffic and use the PIX as the gateway for VLAN 4, and assign the gateway via the DHCP scope, which I have done. However, I can only get to the firewall on VLAN 4. I cannot get out to the internet. I believe there is a NATing issue or an access rule issue, but I am not near skilled enough with Cisco firewalls to be able to find it. That's just my hunch. I may be way off on it. Anyway, I've posted my scrubbed core config and y scrubbed PIX config. Any help is greatly appreciated.
Running configuration:

; J8698A Configuration Editor; Created on release #K.12.57

hostname "HP5412zl" 
snmp-server location "BB-GROUND-MDF" 
time timezone -300 
time daylight-time-rule User-defined begin-date 3/8 end-date 11/1 
ip access-list extended "deadend" 
   100 remark "permit all traffic between vlan 9 and bb.xxxxxx.org" 
   101 permit ip 0.0.0.0 255.255.255.255 192.168.1.5 0.0.0.0 
   exit 
ip access-list extended "dorms" 
   100 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 80 
   105 permit tcp 10.4.0.0 0.0.255.255 192.168.1.10 0.0.0.0 eq 443 
   110 permit tcp 10.4.0.0 0.0.255.255 192.168.1.11 0.0.0.0 eq 510 
   115 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 80 
   120 permit tcp 10.4.0.0 0.0.255.255 192.168.1.13 0.0.0.0 eq 443 
   125 remark "permit Printing to xxxx2100" 
   125 permit ip 10.4.0.0 0.0.255.255 192.168.1.48 0.0.0.0 
   130 remark "permit Printing to xxxx2100" 
   131 permit ip 10.4.0.0 0.0.255.255 192.168.1.46 0.0.0.0 
   135 permit tcp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53 
   136 permit udp 10.4.0.0 0.0.255.255 192.168.1.23 0.0.0.0 eq 53 
   137 permit tcp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53 
   138 permit udp 10.4.0.0 0.0.255.255 192.168.1.29 0.0.0.0 eq 53 
   140 remark "permit all traffic between vlan 4 and campus Manager" 
   140 permit ip 10.4.0.0 0.0.255.255 192.168.1.5 0.0.0.0 
   145 remark "permit all traffic between vlan 4 and pix" 
   145 permit ip 10.4.0.0 0.0.255.255 192.168.1.2 0.0.0.0 
   150 permit ip 10.4.0.0 0.0.255.255 10.4.0.0 0.0.255.255 
   155 deny ip 10.4.0.0 0.0.255.255 192.168.1.0 0.0.255.255 
   160 deny ip 10.4.0.0 0.0.255.255 10.0.0.0 0.255.255.255 
   165 permit ip 10.4.0.0 0.0.255.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "nointernet" 
   100 permit tcp 10.8.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 80 
   105 permit tcp 10.8.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 443 
   110 permit tcp 10.8.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 510 
   115 permit tcp 10.8.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 80 
   120 permit tcp 10.8.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 443 
   125 permit ip 0.0.0.0 255.255.255.255 192.168.1.48 0.0.0.0 
   130 permit ip 0.0.0.0 255.255.255.255 192.168.1.49 0.0.0.0 
   140 remark "permit all traffic between vlan 8 and bb.xxxxxx.org" 
   141 permit ip 0.0.0.0 255.255.255.255 192.168.1.5 0.0.0.0 
   exit 
ip access-list extended "internet5" 
   100 remark "permit all ip traffic from vlan to Campus Manager" 
   101 permit ip 10.5.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   105 permit tcp 10.5.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   106 permit udp 10.5.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   107 permit tcp 10.5.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   108 permit udp 10.5.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   110 remark "permit http - https - ftp to PVT" 
   111 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 80 
   112 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 443 
   113 permit tcp 10.5.0.0 0.0.0.255 192.168.1.13 0.0.0.0 eq 21 
   120 remark "permit http - https - ftp to THE" 
   121 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 80 
   122 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 443 
   123 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 20 
   124 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 21 
   125 permit tcp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 5353 
   126 permit udp 10.5.0.0 0.0.0.255 192.168.1.10 0.0.0.0 eq 5353 
   130 remark "permit FC Client - SMTP - POP3 to MAIL" 
   131 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 510 
   132 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 25 
   133 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 110 
   134 permit tcp 10.5.0.0 0.0.0.255 192.168.1.11 0.0.0.0 eq 8080 
   135 permit tcp 10.5.0.0 0.0.0.0 192.168.1.11 0.0.0.255 eq 8080 
   140 remark "permit access to PowerSchool - Gradebook" 
   141 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 80 
   142 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 5071 
   144 permit tcp 5.0.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   145 permit tcp 10.5.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   150 remark "permit access to Citrix" 
   151 permit tcp 10.5.0.0 0.0.0.255 192.168.1.21 0.0.0.0 eq 1494 
   152 permit tcp 10.5.0.0 0.0.0.255 192.168.1.22 0.0.0.0 eq 1494 
   153 permit ip 10.5.0.0 0.0.0.255 10.5.0.0 0.0.0.255 
   160 deny ip 10.5.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   170 deny ip 10.5.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   180 permit ip 10.5.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "internet6" 
   100 remark "permit all ip traffic from vlan to PIX" 
   101 permit ip 10.6.0.0 0.0.0.255 192.168.1.2 0.0.0.0 
   110 remark "permit all ip traffic from vlan to Campus Manager" 
   111 permit ip 10.6.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   120 permit tcp 10.6.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   121 permit udp 10.6.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   122 permit tcp 10.6.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   123 permit udp 10.6.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   130 permit ip 10.6.0.0 0.0.0.255 10.6.0.0 0.0.0.255 
   140 deny ip 10.6.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   150 deny ip 10.6.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   160 permit ip 10.6.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "internet7" 
   100 remark "permit all ip traffic from vlan to PIX" 
   101 permit ip 10.7.0.0 0.0.0.255 192.168.1.2 0.0.0.0 
   120 remark "permit all ip traffic from vlan to Campus Manager" 
   121 permit ip 10.7.0.0 0.0.0.255 192.168.1.5 0.0.0.0 
   130 permit tcp 10.7.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   131 permit udp 10.7.0.0 0.0.0.255 192.168.1.23 0.0.0.0 eq 53 
   132 permit tcp 10.7.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   133 permit udp 10.7.0.0 0.0.0.255 192.168.1.29 0.0.0.0 eq 53 
   140 permit ip 10.7.0.0 0.0.0.255 10.7.0.0 0.0.0.255 
   150 deny ip 10.7.0.0 0.0.0.255 192.168.1.0 0.0.255.255 
   160 deny ip 10.7.0.0 0.0.0.255 10.0.0.0 0.255.255.255 
   170 permit ip 10.7.0.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
ip access-list extended "Internet5" 
   143 permit tcp 5.0.0.0 0.0.0.255 192.168.1.17 0.0.0.0 eq 7880 
   exit 
module 1 type J8702A 
module 2 type J8705A 
module 3 type J8702A 
module 4 type J8705A 
module 5 type J8702A 
module 6 type J8705A 
module 7 type J8702A 
module 8 type J8705A 
module 9 type J8702A 
module 10 type J8705A 
interface B12 
   speed-duplex 100-half 
exit
interface B19 
   speed-duplex 100-full 
exit
interface D1 
   speed-duplex 10-half 
exit
interface F3 
   speed-duplex 100-full 
exit
interface F4 
   speed-duplex 100-full 
exit
ip default-gateway 192.168.1.2 
ip routing 
timesync sntp 
snmp-server community "public" Unrestricted 
snmp-server host 192.168.1.39 "public" 
snmp-server host 192.168.1.5 "public" All 
vlan 1 
   name "network" 
   untagged A1,A3-A15,A17-A24,B1-B8,B10,B12,B14-B15,B17-B18,B21-B24,C8,C11-C12,C14,D1-D24,E8,E14,E18,E22,E24-F15,F18-F20,H1-H20,I24-J24 
   ip address 192.168.1.1 255.255.255.0 
   tagged B9,B11,B16,B19-B20,F21-F24,H21-H24 
   no untagged A2,A16,B13,C1-C7,C9-C10,C13,C15-C24,E1-E7,E9-E13,E15-E17,E19-E21,E23,F16-F17,G1-G24,I1-I23 
   exit 
vlan 2 
   name "admin" 
   untagged E5-E7,E9 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.2.0.1 255.255.255.0 
   tagged B1-B12,B16,B19-B24,D21-D24,F21-F24,H21-H24 
   exit 
vlan 3 
   name "academic" 
   untagged A2,A16,B13,C1-C7,C9-C10,C13,C15-C19,C21-C24,E1-E4,E10-E11,E13,E15-E17,E19-E21,E23,F16-F17,G1-G24,I1-I2,I4-I5,I7-I13,I15-I16,I18-I19,I21,I23 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.3.0.1 255.255.0.0 
   tagged B1-B12,B19-B24,C14,D21-D24,F21-F24,H21-H24 
   exit 
vlan 4 
   name "dorms" 
   untagged I20 
   ip helper-address 192.168.1.19 
   ip helper-address 192.168.1.23 
   ip address 10.4.0.1 255.255.0.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "dorms" in
   exit 
vlan 5 
   name "public" 
   untagged C20,I17 
   ip helper-address 192.168.1.23 
   ip helper-address 192.168.1.19 
   ip address 10.5.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet5" in
   exit 
vlan 6 
   name "registration" 
   untagged E12,I3,I6,I14,I22 
   ip helper-address 192.168.1.5 
   ip address 10.6.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet6" in
   exit 
vlan 7 
   name "quarantine" 
   ip helper-address 192.168.1.5 
   ip address 10.7.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "internet7" in
   exit 
vlan 8 
   name "nointernet" 
   ip helper-address 192.168.1.5 
   ip address 10.8.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "nointernet" in
   exit 
vlan 9 
   name "deadend" 
   ip helper-address 192.168.1.5 
   ip address 10.9.0.1 255.255.255.0 
   tagged B1-B12,B19-B24,D21-D24,F21-F24,H21-H24 
   ip access-group "deadend" in
   ip access-group "deadend" out
   exit 
ip route 0.0.0.0 0.0.0.0 192.168.1.2

Open in new window

TheBurningRomAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TheBurningRomAuthor Commented:
PIX Config
: Written by enable_15 at 12:06:36.909 EDT Thu Mar 18 2010
!
PIX Version 7.2(2) 
!
hostname pix
domain-name xxxxxxxx.org
names
name 207.210.xxx.xxx DC-01
!
interface Ethernet0
 speed 100
 duplex full
 nameif outsideComcast
 security-level 0
 ip address 173.162.xxx.xxx 255.255.xxx.xxx 
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif TrunkHardwareInt
 security-level 100
 no ip address
 ospf cost 10
!
interface Ethernet1.1
 vlan 4
 nameif PixToCoreVLAN4
 security-level 99
 ip address 10.4.0.5 255.255.0.0 
 ospf cost 10
!
interface Ethernet1.2
 vlan 1
 nameif PixToCoreVlan1
 security-level 99
 ip address 192.168.1.128 255.255.255.0 
!
interface Ethernet2
 shutdown
 nameif management
 security-level 99
 no ip address
 ospf cost 10
!
passwd MPlYi.GQkN.nJvGF encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxx.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PowerSchool-ServiceGroup tcp-udp
 port-object range 1417 1420
 port-object eq 407
 port-object eq 5071
 port-object eq 7880
object-group service PowerSchooltcp-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service UpdatesOnly tcp
 description Allow updates fro SAV, MS, Windows, etc
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network Permit-All
 description Permit Internet for VLANs 1,3,4,5
 network-object 10.5.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.4.0.0 255.255.0.0
 network-object 192.168.1.0 255.255.255.0
object-group network Updates
 description Allow updates only for VLANs 2, 6, and 7
 network-object 10.2.0.0 255.255.255.0
 network-object 10.6.0.0 255.255.255.0
 network-object 10.7.0.0 255.255.255.0
object-group service www-ServiceGroup tcp
 port-object eq www
 port-object eq https
object-group service X-Server_Both tcp-udp
 port-object eq 3283
object-group service X-Server_TCP tcp
 port-object eq 331
 port-object eq 5900
 port-object eq 5988
 port-object eq 625
 port-object eq 660
 port-object eq ftp
 port-object eq www
 port-object eq ssh
access-list outside_access_in extended permit tcp any eq www host 10.3.0.31 eq www 
access-list outside_access_in extended permit tcp any host 10.3.0.31 object-group X-Server_TCP 
access-list network_access_in extended permit udp object-group Permit-All any 
access-list network_access_in extended permit ip object-group Permit-All any 
access-list network_access_in extended permit tcp 10.8.0.0 255.255.255.0 host 65.61.147.123 object-group www-ServiceGroup 
access-list network_access_in extended permit tcp object-group Updates any object-group UpdatesOnly 
access-list EWS_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm warnings
mtu outsideComcast 1500
mtu TrunkHardwareInt 1500
mtu PixToCoreVLAN4 1500
mtu PixToCoreVlan1 1500
mtu management 1500
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outsideComcast
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outsideComcast) 1 interface
nat (PixToCoreVLAN4) 1 10.2.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.5.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.6.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.7.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.8.0.0 255.255.255.0
nat (PixToCoreVLAN4) 1 192.168.1.0 255.255.255.0
nat (PixToCoreVLAN4) 1 10.3.0.0 255.255.0.0
nat (PixToCoreVLAN4) 1 10.4.0.0 255.255.0.0
static (PixToCoreVLAN4,outsideComcast) DC-01 192.168.1.23 netmask 255.255.255.255 
access-group outside_access_in in interface outsideComcast
access-group network_access_in in interface PixToCoreVLAN4
route outsideComcast 0.0.0.0 0.0.0.0 173.162.xxx.xxx 1
route PixToCoreVLAN4 10.2.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.5.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.6.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.7.0.0 255.255.255.0 192.168.1.1 1
route PixToCoreVLAN4 10.3.0.0 255.255.0.0 192.168.1.1 1
route PixToCoreVLAN4 10.8.0.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.4.0.0 255.255.0.0 PixToCoreVLAN4
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto isakmp enable outsideComcast
telnet 10.4.0.0 255.255.0.0 PixToCoreVLAN4
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
client-update enable
prompt hostname context

Open in new window

0
zwart072Commented:
the configuration and access-list  and nat statements seems alright on the pix. you also wrote that you can reach the firewall itself from vlan 4. But what about your routing in vlan4. Do your clients have the right default gateway on their ip stack (it should be 10.4.0.5). You can also check if you see any hits on the access-list when you try to access the internet from vlan4. on the pix do "show access-list network_access_in". If you're routing is ok you should see some hits on this access-list.
Also check the routing table on the pix with "show route"
0
gavvingCommented:
The base config of the firewall looks ok to me as well.  A couple of comments though:

Make sure you're not testing just using PING.  You don't have ICMP configured to go through your firewall, so PING likely will not work, even if the routing and NATing are setup.  You could temporarily enable this with:
access-list outside_access_in permit icmp any any

Also, is DNS working?  Are the DNS servers in the DHCP scope on the 10.4.0.0/16 network?   If not then your users are going to have a problem getting to them.  With this setup your users on the 10.4.0.0 will likely not be able to access devices on any other VLAN correctly.  
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

TheBurningRomAuthor Commented:
Sorry for the delay in getting back to everyone. I lost access to VLAN 4 due to the students returning and have had to move over to VLAN 2 to continue testing.

I changed around the IP address on the PIX to reflect the new address of 10.2.0.5, but I have yet to regain the ability to reach the PIX from VLAN2. The only way into the device is via the serial port.

As for the questions asked, I did indeed change the gateway in the DHCP scope. The local DNS servers  (192.168.1.23 & 19) are also in the DHCP scope. Access to other VLANs from VLAN 4 isn't necessary at this time. It's meant to be somewhat of a public network. Work will be done later to open up some access to other resources.

So right now, I haven't changed anything on the core. I changed the VLAN4 ips to VLAN2 ips on the PIX, but am now unable to get to the PIX. I'm going to keep working at that to see if I can restore that connection. As soon as I can, I'll get an updated config. In the meantime, any suggestions are much appreciated.
0
TheBurningRomAuthor Commented:
Quick note, I have restored access to the PIX from VLAN 2. I had a port tagging issue on the core that I needed to resolve. So now I'm back to the deadend that I was at with VLAN4...basically getting to the firewall, but not out to the web.

I don't appear to have any hits on my outside_access_in access list.

It looks like my requests to the DNS servers are being blocked.

I see continuous "Deny udp src PixToCoreVLAN4 10.2.0.12/137 dst PixToCoreVlan1:192.158.1.19/53 by access-grou "network_access_in".

192.168.1.19 is our secondary DNS server. There are entries for our primary as well.

So it looks to me as though the client cannot reach the DNS server....or am I missing something?

0
gavvingCommented:
The problem with not being able to access the DNS server (or for that matter anything not on the 10.4.0.0/16 network is probably related to asymetric traffic flows.  You have traffic for the client on the 10.4.0.0 default gateway'ed directly to the ASA Interface.  But when the client attempts to access the 192.168.1.x DNS server, the firewall then has to re-route the traffic back into the VLAN1.  At this point in looking at the ASA config I don't think that's setup correctly.  But lets assume that it was configured correctly.  The Traffic would hit the DNS server, then the DNS server attempts to send back to the source IP.  It sends it to it's default gateway which is likely 192.168.1.1 (I'm guessing), which is the vlan interface of the HP switch.  The HP switch then routes directly back into the 10.4.0.0 VLAN 4 interface.  The traffic wasn't send/received through the ASA for the entire conversation so it's not going to work correctly.  ASA's (or most firewalls) don't like asymetric traffic flows.

To get this to work the way you're trying it, the easiest solution would be to have the DNS servers directly on VLAN 4 and on the 10.4.0.0 network.  But you'll still have the problem of the VLAN4 being unable to talk to any other VLAN.

In the past I've accomplished what your trying to do (split internet traffic) a couple of different ways, both of them required a Cisco router/switch that was capable of policy based routing. The router can be placed inside of the network or outside of the network, but you have to have a device that can set the default gateway of a packet based upon an access list.  The ASA cannot do this.  
0
gavvingCommented:
Another thing that you could do which might fix the immediate problem but may or maynot be a long term solution:

global (PixToCoreVlan1) 10 interface
nat (PixToCoreVlan4) 10 10.4.0.0 255.255.0.0
access-list network_access_in permit ip any any

That causes the ASA to NAT the traffic that comes in on Vlan4 and exits out Vlan1 to be NATed to the Interface IP of the firewall on Vlan1.  Thus the traffic should come back correctly.

But if you wanted to initiate traffic from Vlan1 into devices in Vlan4 that would likely not work due to the reasons I mentioned above.
That would NAT the
0
TheBurningRomAuthor Commented:
Gavving, Thanks for the responses. It looks like your last one there got cut off. Also, I assume that when you say ASA, you mean the PIX firewall.

I have actually had to move on to using VLAN2, due to VLAN4 being populated with students again. VLAN2 has no restrictions as far as access on the core, and had no issue accessing any other VLANs when it was gateway'd to the VLAN interface (10.2.0.1). Now the Gateway is 10.2.0.5, and it is behaving just as VLAN4 did when I was working with it, so I'm assuming the issue lies in the firewall configuration and not the core configuration, correct?

Now it's very possible that the routing is not setup correctly in the PIX. We only have one trunked interface in use on our ASA that handles all the traffic. It is a VLAN1 interface, and we have no issues with it. I added a VLAN4 (now a VLAN2) interface on the PIX in the process of trying to get things to work. If you think it would be better going back to a single trunked interface, then I'm all for it.

Right now I don't want to initiate traffic from VLAN1 into VLAN4 (now 2). I'm just looking to relieve the load that is running through our packetshaper and ASA right now. We're limited to 10mb down there, which is often pegged by the student dorm traffic (youtube, hulu, etc). That leaves no bandwidth for the VPN holes I want to open in our ASA. But if I split that dorm traffic off to a cable connection, I have more to work with through the packetshaper for VPN. So inter-VLAN is not a need at the moment, and we have a cisco voice router that is going in either this summer or next that can bring the rest of the capabilities we need for traffic splitting to us (or so the engineers have told us), so I'd like to avoid spending money on any additional hardware if possible.

I'll enter the config statements you gave me and see if they help.

As for the DNS servers, would it help us if we forwarded the DNS requests to opendns? That's something we were looking at doing anyway for filtering purposes on our dorm vlans.  


0
gavvingCommented:
You could try using OpenDNS IPs in the DHCP scope of the dorm VLANs and then see if your configuration works.  The issue will continue to be an inability of the Dorm vlan to talk to VLAN 1 or vice versa.   The long term solution in my opinion is a policy-routing capable router or switch that can route the traffic to either firewall based upon the source VLAN or IP range.
0
TheBurningRomAuthor Commented:
We ended up bringing in a consultant to look at the issue. We used the PIX firewall and hairpining, along with DHCP forwarding, to create a solution that works.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.