Solved

webfilter/ASA issues

Posted on 2012-09-06
Last Modified: 2013-10-28
Afternoon,

I have a perplexing issue involving a Barracuda 410 and my ASA5510.

Right now I have traffic that is successfully reaching the internet and making its way through my network to my Barracuda and out my ASA. Why is that an issue, you ask? Glad you asked....

I have several VLANs that need internet access that are all somehow reaching the Barracuda and getting internet access; however, I don't have anything telling the web traffic to hit the filter to gain internet access.

I have my firewall connected to my core switch in two VLANs: the inside interface of the ASA is connected in VLAN 200, and the outside interface is connected into VLAN 666. From there the WAN side of the Barracuda is in VLAN 666 and the LAN side is in VLAN 200. What is confusing me is that traffic from my production VLANs 50, 51 and 52 is all making it to the web filter, but how? I have no ACLs telling the web traffic to use the filter, and the core switch/router has a gateway of last resort of the inside interface of the ASA.

Any help would be greatly appreciated!
Question by:hunter72

Expert Comment

by:qbakies
ID: 38373474
A diagram would be helpful for this, but let me throw this out... If the core switch has the inside interface of the ASA as the default gateway, then that is where it is going to send all Internet traffic. When it gets to the ASA inside interface, it is going to send the traffic to whatever you have set as the ASA default gateway, which I will assume is the Barracuda appliance. Since the traffic is passing from the ASA inside interface (security-level 100) to the ASA outside interface (security-level 0), you do not need any ACL because the traffic is passing from a higher-security-level interface to a lower one. The devices sound like they are working as they should for passing traffic.

Again, this is based on assumptions on your network and configs.  If you can provide feedback and maybe a diagram I could be more help.
0
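The default behaviour described in the comment above, written out as an added example that is not taken from the thread or from either poster's devices: an ASA 8.x-style fragment with no ACL on the inside interface, followed by the commands that show where the ASA actually forwards a web request. All addresses, the interface numbering and the 10.50.0.0/24 subnet for VLAN 50 are constructed assumptions, and NAT is left out.

```cisco
! Constructed example: addresses, interface numbers and the VLAN 50 subnet are assumptions
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.200.0.1 255.255.255.0
!
! ASA default route (upstream next hop) and return route to a production VLAN via the core
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route inside 10.50.0.0 255.255.255.0 10.200.0.2
!
! No access-group is bound to inside: with no ACL applied, traffic from
! security-level 100 to security-level 0 is permitted by the implicit rule.
!
! Verification from privileged EXEC (these are commands, not configuration lines):
show nameif
show route
show running-config access-group
packet-tracer input inside tcp 10.50.0.10 1025 203.0.113.80 80 detailed
```

The packet-tracer output lists each phase the ASA applies (route lookup, access list, NAT) and the egress interface it picks. A filter that bridges at layer 2 between the ASA and its next hop is not a routed hop and will not appear in that output.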
 

Author Comment

by:hunter72
ID: 38373529
Here is a crude layout of how the current setup is...

I see what you are saying, that the switch will throw all the traffic at the default GW, the FW. The strange thing is that Barracuda was working on the filter today and rebooted the filter, and all internet access was lost. If the core switch could not find where, for example, to send Google traffic, it should have given it to the ASA, correct?


Thanks!
diag-eaxmple.jpg

Expert Comment

by:qbakies
ID: 38373716
I'm still a bit confused, your drawing shows the 2 links to the ASA from the core but only one to the Barracuda.  Then the Barracuda connects directly to the ASA on a VLAN?  Also you state in the OP that the core gateway is the inside interface of the ASA but in the drawing you state it is 1.1.1.1 (outside interface).  Is that right?  Where does the traffic exit to get to the Internet?  I have attached an assumed network drawing, can you tell me if it is correct?  We need to clarify the flow of traffic to troubleshoot.
Assumed-Network.jpg

Author Comment

by:hunter72
ID: 38375897
So the traffic flow is from a desktop to the core, then the traffic "somehow" gets directed to the web filter, then goes out the ASA.
diag-eaxmple2.jpg

Accepted Solution

by:
qbakies earned 2000 total points
ID: 38383053
I'm still missing something... The ASA in your diagram shows two connections to the core and also a connection to the Barracuda. Typically web filters are in-line devices, but what I don't get is what is the interface on the ASA connected to the Barracuda? It can't be VLAN666 because you can't have two interfaces in the same subnet. It makes more sense that the Barracuda is in-line with the ASA and there is no connection on VLAN666 back to the core. In fact, the more I think about it the ASA connections don't really make sense at all. Can you post the ASA config and the core config?


Question has a verified solution.
