  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1331

Cisco ASA 5505 Vlan config to Proxy Server

Hello Everyone,

I'm confused on a Cisco ASA 5505 router setup I'm working on.  Not sure at this point if the problem is my router or my proxy server.

I have configured the cisco router for Vlan1 and Vlan2 traffic going out eth0 (default route).  The eth0 interface connects to the "inside" interface of the proxy server.  Proxy then prompts for authentication and sends the outgoing packet to the "outside" interface that faces the Internet.

My problem is when I connect multiple devices on either VLAN1 or VLAN2 my proxy server only sees the connections as a single connection.  The proxy server shows the MAC of the Cisco's eth0 interface from the Cisco router.

I'm new with VLANs.  Does the traffic going out eth0 on the Cisco box all get tagged with the MAC of the eth0 interface?  Is there a way to configure my router to display the MAC of the requesting device?  Otherwise I don't see how the proxy server can determine how many devices are requesting Internet access.

I attached my network map in PDF.

I appreciate your input and hope to understand this very soon.

Thank you,
Tim.
Attachment: AlaskaGeeks-NETWORK-DIAGRAM.pdf

Asked by: AlaskanGeeks

1 Solution
avilov commented:
Sounds like you route on that Cisco. If you want your proxy to see MACs you need to switch. Trunking that eth0 may help.
 
gavving commented:
The way you describe it is the correct way for it to work.  VLAN1 is the inside network and traffic routed from it to the outside VLAN2 is all going to show as coming from the Cisco eth0 MAC address, like you're seeing.   To have your proxy server see the inside users directly you'd have to have the traffic go through it first before it gets to the ASA.

I'm guessing that you wanted to use the proxy server for the "public wifi" as well as the internal users.  
You could configure users to connect to the IP of the proxy server and have the Proxy server inside the network on VLAN1.  But then VLAN2 users on the public wifi would still show originating from the MAC address of the ASA.

 
AlaskanGeeks (Author) commented:
Thank you for posting!   My goal here is to separate the public from the private traffic, then have the proxy server filter devices requesting Internet access.

I thought maybe there is a router configuration that would enable us to VLAN the traffic first and then proxy it.

I'm thinking that maybe I need to subnet the two networks, run them all through an unmanaged switch, and then proxy, and finally route.

If this is not possible is there another solution?

I'm working with:

Cisco ASA 5505 router
Dell PowerConnect 2816 16 Port Switch

Tim

 
gavving commented:
Sorry I've not responded.  Adding a proxy server to the ASA configuration complicates things.
Can you add more NICs to the proxy server and thus have it sitting on the "inside" of both VLANs before the traffic gets to the ASA?
 
AlaskanGeeks (Author) commented:
I don't see a way to add a second NIC to the proxy.  I'm really feeling stuck here as I need to revisit basic networking.

I was thinking I could subnet the two networks into /16 and /24 subnet masks.  Then assigning all clients with a /24 default gateway which would be proxy server's incoming nic.  Then send it out the proxy and through the ASA box.

We did a mock up with packet tracer and can not ping between the two subnets.  We can ping the gateway from both subnets.

Please tell me if my theory is flawed.  My goal again is to keep the private network inaccessible to the public network.

Thank you for your consideration,
Tim
 
gavving commented:
Does this proxy server have to be configured 'in-line', or can it be configured as a single-homed device?   Can you configure multiple IPs on the proxy's inside-facing interface?  Maybe you can configure the proxy to have its inside interface physically plugged into both VLANs but accessible on different IP ranges?

Getting one proxy server to work with both VLANs in the manner in which you want is not going to be easy to do, and maintain security.  
 
AlaskanGeeks (Author) commented:
I had to rework the network topology.  I could not NAT any packets until after they passed through the proxy server.  Therefore we separated the network traffic by sub-netting.  Then passed both sub-nets through the proxy allowing the server to apply filtering.  Finally out the ASA box.
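As an added example, not code from this thread or from any of the posters, the following toy model shows the two points made above: gavving's explanation that traffic routed through the ASA arrives at the proxy carrying only the eth0 MAC, and Tim's final topology of subnetting first, proxying second, and NATing last. All MAC and IP addresses are constructed; the VLAN subnets are assumed.

```python
# Added example (not from the thread): model what a proxy can tell apart
# depending on whether it sits before or behind the routing/NAT hop.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str


VLAN1 = ip_network("192.168.1.0/24")   # private LAN (assumed subnet)
VLAN2 = ip_network("192.168.2.0/24")   # public wifi (assumed subnet)
ASA_ETH0_MAC = "00:aa:bb:cc:00:01"     # constructed MAC of the ASA's eth0
ASA_OUTSIDE_IP = "203.0.113.10"        # constructed public NAT address

# Constructed client frames: two hosts on VLAN1, one on VLAN2.
HOSTS = [
    Frame("02:00:00:00:01:01", "192.168.1.11", "198.51.100.5"),
    Frame("02:00:00:00:01:02", "192.168.1.12", "198.51.100.5"),
    Frame("02:00:00:00:02:01", "192.168.2.21", "198.51.100.5"),
]


def route(frame: Frame, nat: bool) -> Frame:
    """A layer-3 hop always rewrites the source MAC to its egress interface.
    With NAT it also rewrites the source IP, so per-host identity is gone."""
    src_ip = ASA_OUTSIDE_IP if nat else frame.src_ip
    return Frame(ASA_ETH0_MAC, src_ip, frame.dst_ip)


def proxy_view(frames) -> dict:
    """What the proxy can distinguish: devices by MAC, by IP, and which VLAN."""
    frames = list(frames)
    vlans = set()
    for f in frames:
        ip = ip_address(f.src_ip)
        vlans.add("VLAN1" if ip in VLAN1 else "VLAN2" if ip in VLAN2 else "unknown")
    return {
        "devices_by_mac": len({f.src_mac for f in frames}),
        "devices_by_ip": len({f.src_ip for f in frames}),
        "vlans": sorted(vlans),
    }


def proxy_behind_asa(nat: bool) -> dict:
    """Original topology: clients -> ASA routes -> proxy."""
    return proxy_view(route(f, nat) for f in HOSTS)


def proxy_before_asa() -> dict:
    """Final topology: clients on separate subnets -> proxy -> ASA (NAT)."""
    return proxy_view(HOSTS)
```

Counting by MAC behind the ASA yields one device no matter how many clients exist; counting by IP still works as long as NAT happens after the proxy, which is the constraint Tim reports in his final post.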
 
AlaskanGeeks (Author) commented:
I don't think points are necessary as there is no clear solution.