LSDIT

Help me understand this network configuration.

While I have knowledge and experience, I'm no networking expert. I'm having trouble wrapping my head around this configuration, as it seems to be looping.

Two pieces of hardware, a Cisco 3750, and an ASA5520. I'd rather not post the full configs. The 3750 is handling all of the internal VLAN routing. Here are what I believe to be the relevant commands:

3750:
interface GigabitEthernet1/0/12
  no switchport
  ip address 10.1.101.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.101.1
====================
ASA:
interface GigabitEthernet0/0
  nameif outside
  ip address 72.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
  nameif inside
  ip address 10.1.101.1 255.255.255.0
!
global (outside) 72.x.x.x netmask 0.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.x.x.x 1
route inside 10.1.1.0 255.255.255.0 10.1.101.2 1
route inside 10.1.20.0 255.255.255.0 10.1.101.2 1
route inside 10.1.21.0 255.255.255.0 10.1.101.2 1
etc.
=====================

There is a cable connecting Gi0/1/12 to Gi0/1, passing through a passive web filter. It seems like the 3750 is sending everything to the ASA, which is sending everything back to port 12 on the 3750?

No, no, I'm wrong. I thought the 3750 was doing the routing, but really it's the ASA. Right? Either way, this seems very inefficient. If that's the case, it seems like all our internal traffic is passing through the web filter twice! Surely that's exponentially increasing the load on the filter!

Anyhow, any insight anyone can offer is appreciated. If I need to provide further info, just let me know.

Thanks.
vmagan

What are you asking here?
I'm not sure what you mean by the web filter. To me it looks like the ASA is the default gateway for the 3750.
So what exactly do you mean when saying "it seems like all our internal traffic is passing through the web filter twice"?
What does it say in your 3750 config for gi0/12, which is what I am assuming you're speaking of when you say it is sending it back?

My other questions would be...
1) Can you ping 10.1.101.2 from your different networks?
2) Can you ping 10.1.101.1 from the various networks as well as from the 3750?
3) Can you ping from your ASA to various addresses in your network?
LSDIT
ASKER

There's a passive web filter inline between the devices. The IP is actually 10.1.101.3. The cable goes from Gi0/1/12 on the 3750 to the LAN port on the filter, and from the WAN port on the filter to Gi0/1 on the ASA. I'm calling it a passive filter because it's not specifically addressed in the routing, it works by being plugged inline.

As for what I'm asking, I suppose whether the config makes sense and if it's as inefficient as it seems to me.
LSDIT
ASKER

I'm sorry.

I should have been clear from the start that EVERYTHING WORKS FINE. There are no problems, I was just looking into replacing the web filter, so I was looking through the configs to see what would be involved.
ASKER CERTIFIED SOLUTION
vmagan

Well I don't see anything inefficient (yet ;).
The ASA is the default gateway for the 3750. There is a (seemingly transparent) web filter in between. All traffic that is not destined for your network goes out the default gateway (ASA) on to the internet and gets back through the ASA (and the webfilter) to your network: the 3750.
Makes perfect sense to me. But of course that could be because I (we) have limited information.
lol, yes we do, Erniebeek. Very limited info.

But if you want to add a web filter, nothing here would be replaced. You would just add this web filter as a proxy server, depending on what you get. The topology that you have now will not change except for the addition of the web filter.
@vmagan: can't be too careful :)

But seriously. As I understand, LSDIT wants to replace the webfilter. As it is transparent (or as far as we can see it is), there would be no impact on the configs of the switch or the ASA as long as it is replaced with another transparent webfilter.
yup, everything should remain the same.
Glad we agree ;)
LSDIT
ASKER

Ok, when I started the question, it seemed like traffic was looping. Then I realized that only traffic bound for another internal ip would be routed to 10.1.101.2. But I figured I'd still ask, since it still seems like having all our internal inter-vlan traffic pass through the web filter, to the firewall, back through the filter, back to the 3750 just seems very inefficient.

Also, the filter I want to move to is already in place in another network, and I will have to route the traffic over to it, and configure it to route the traffic back. But that's a whole different issue that I'm not looking for help with (yet).
We can get started with the new question whenever you're ready. Is this question completed?
FYI... The Cisco 3750 is still doing your VLAN routing. The route on the 3750 is your gateway of last resort for all Internet-bound traffic. The internal routes on your ASA tell the firewall where to go for the different subnets/VLANs in your internal network.
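The behaviour vmagan describes, traced with a small longest-prefix-match model of the two routing tables. This is an added example and not code from the thread; the 3750's VLAN interfaces (Vlan1, Vlan20, Vlan21) and the 72.0.0.1 upstream address are assumptions, since the thread only shows the ASA's inside routes and a redacted outside address.

```python
import ipaddress
# Constructed tables modelled on the thread's snippets. Entry: (prefix,
# next hop or None when directly connected, egress interface). The 3750's
# VLAN SVIs are an assumption; 72.0.0.1 stands in for the redacted 72.x.x.x.
ROUTES_3750 = [
    ("10.1.1.0/24", None, "Vlan1"),
    ("10.1.20.0/24", None, "Vlan20"),
    ("10.1.21.0/24", None, "Vlan21"),
    ("10.1.101.0/24", None, "Gi1/0/12"),       # routed link towards the ASA
    ("0.0.0.0/0", "10.1.101.1", "Gi1/0/12"),   # ip route 0.0.0.0 0.0.0.0 10.1.101.1
]
ROUTES_ASA = [
    ("10.1.101.0/24", None, "inside"),
    ("10.1.1.0/24", "10.1.101.2", "inside"),    # route inside ... 10.1.101.2 1
    ("10.1.20.0/24", "10.1.101.2", "inside"),
    ("10.1.21.0/24", "10.1.101.2", "inside"),
    ("0.0.0.0/0", "72.0.0.1", "outside"),       # route outside 0.0.0.0 0.0.0.0 ...
]
DEVICES = {"3750": ROUTES_3750, "ASA": ROUTES_ASA}
OWNER = {"10.1.101.1": "ASA", "10.1.101.2": "3750"}   # who answers each next hop
# The inline filter sits on the 3750<->ASA cable: a hop that leaves the 3750
# on Gi1/0/12 or leaves the ASA on "inside" passes through it once.
FILTER_LINK = {"Gi1/0/12", "inside"}

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

def trace(start, dst, devices=DEVICES, max_hops=8):
    """Follow a packet device by device until delivered or handed upstream."""
    path, device = [], start
    for _ in range(max_hops):
        net, nh, iface = lookup(devices[device], dst)
        path.append((device, str(net), iface))
        if nh is None:          # connected network: delivered on that interface
            return path
        if nh not in OWNER:     # next hop is beyond these two devices (the ISP)
            return path + [("upstream", nh, None)]
        device = OWNER[nh]
    raise RuntimeError("routing loop: %r" % path)

def filter_crossings(path):
    return sum(1 for _, _, iface in path if iface in FILTER_LINK)

# The asker's first worry, modelled: a 3750 with no VLAN SVIs of its own loops.
ROUTES_3750_NO_SVI = [r for r in ROUTES_3750 if r[2] == "Gi1/0/12"]
```

With the real tables, inter-VLAN traffic never leaves the 3750 and Internet-bound traffic crosses the filter once in each direction; only the SVI-less table reproduces the bounce the asker feared.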
LSDIT
ASKER

THANK YOU. Exactly the clarification I was looking for.