asa 5510 allow specific port between internal interfaces

I'm very new to Cisco and so far have managed to set up a new ASA5510 and get it working.

I have looked through the forums but am still stuck.

I'm still using ASDM 6.4 as I'm not confident with the CLI yet.

I have a server on one interface
10.10.20.x 255.255.255.0
security level 90

and Nagios on another interface
10.0.4.x 255.0.0.0
security level 100

Traffic flows fine between server <-> outside and Nagios <-> outside, and Nagios can access several external servers no problem. But the ASA won't let Nagios talk to the server on its private or public address.

I need to be able to allow just port 6556 between the server and Nagios to allow me to monitor it but still keep these totally separate.

I've tried several things including no-NAT rules, ACLs and a static route, but no go.
hybrid1969 Asked:

ryan80 Commented:
The networks should not overlap. If a device looks at the IP address that it is trying to reach and sees that it is within its own network, it will only use Ethernet (layer 2) and not use IP (layer 3).

So the Nagios server with a network of 10.0.4.0 255.0.0.0 will think that everything from 10.0.0.1-10.255.255.254 is reachable using only Ethernet and not having to go through a router/firewall, i.e. its gateway. You need to change the subnet for the 10.0.4.0 to 255.255.255.0 so that when it tries to reach something in 10.0.5.0 or 10.0.6.0 or so on, it will use IP and route through the ASA, which will then send the packet to the appropriate network.

If you just change the 10.0.4.0 subnet it looks like everything should be fine.
0
 
Ernie Beek Commented:
Well looking at:

i have a server on one interface
10.10.20.x 255.255.255.0

and nagios on another interface
10.0.4.x 255.0.0.0


I see an overlap between the networks (look at the subnet masks). That might be the cause of the issue (?)
0
 
hybrid1969 (Author) Commented:
Should I use the same netmask then, i.e. 255.0.0.0?

I wanted to restrict the server down to only 250+ IPs as it has several VM'd workstations running in that area and again I didn't want them to see anything they shouldn't.
0
Ernie Beek Commented:
I would suggest the other way (255.255.255.0 if possible).

Now the Nagios server has 10.0.4.x 255.0.0.0, which means its network is 10.0.0.0-10.255.255.255. The server has 10.10.20.x 255.255.255.0, so its network is 10.10.20.0-10.10.20.255.

So the Nagios server sees the 10.10.20.x address as a part of the network it is in (directly connected), hence it will not send the packets to that server out the default gateway (the ASA).
0
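As an added example (not posted in this thread), a small Python script that models the forwarding decision the two answers above describe: with the 255.0.0.0 mask the Nagios host considers 10.10.20.x on-link and never hands the packet to the ASA, with 255.255.255.0 it does. The host addresses and the list of other subnets are constructed from the layout described in the thread.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample addresses following the thread's layout: Nagios on the
# 10.0.4.x interface, the monitored server on the 10.10.20.x interface.
NAGIOS_HOST = "10.0.4.10"
SERVER_HOST = "10.10.20.10"
# Other subnets the thread mentions behind different ASA interfaces.
OTHER_SUBNETS = ["10.0.5.0/24", "10.0.6.0/24", "10.10.20.0/24"]


def next_hop(src_ip: str, src_mask: str, dst_ip: str) -> str:
    """Return 'direct' when a host configured as src_ip/src_mask treats dst_ip
    as on-link (it ARPs for it and the ASA never sees the packet), otherwise
    'gateway' (the packet goes to the default gateway, i.e. the ASA)."""
    iface = ip_interface(f"{src_ip}/{src_mask}")
    return "direct" if ip_address(dst_ip) in iface.network else "gateway"


def interfaces_overlap(net_a: str, net_b: str) -> bool:
    """True when two interface networks (e.g. two ASA interfaces) overlap,
    which is the misconfiguration the answers point at."""
    return ip_network(net_a, strict=False).overlaps(ip_network(net_b, strict=False))


def unreachable_via_asa(src_ip: str, src_mask: str, subnets: list) -> list:
    """Subnets behind other ASA interfaces that the source host would wrongly
    treat as on-link and therefore never route through the firewall."""
    local = ip_interface(f"{src_ip}/{src_mask}").network
    return [s for s in subnets if local.overlaps(ip_network(s, strict=False))]


def nagios_check_reaches_asa(nagios_mask: str) -> bool:
    """Whether a Nagios probe to the server (e.g. TCP/6556) ever reaches the
    ASA, where an ACL could then permit just that one port."""
    return next_hop(NAGIOS_HOST, nagios_mask, SERVER_HOST) == "gateway"


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        print(f"Nagios mask {mask}: next hop to server = "
              f"{next_hop(NAGIOS_HOST, mask, SERVER_HOST)}, "
              f"never seen by ASA: {unreachable_via_asa(NAGIOS_HOST, mask, OTHER_SUBNETS)}")
```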
 
ryan80 Commented:
You can use this site for calculating subnets. This way you will know what IP ranges you are assigning.

http://www.subnet-calculator.com/cidr.php

If a device thinks that another IP is on the same subnet, then it will not go to the router/ASA. So Nagios is most likely not going through the firewall.
0
 
Ernie Beek Commented:
@ryan80: elementary, my dear Watson ;)
0
 
hybrid1969 (Author) Commented:
Hmmm... then I may have just a tiny issue...

You see, I thought I was being clever and set up my network on the 10.x.x.x range and then split things up thus:

10.x.x.x network, switches, asa, routers, back links etc
10.0.4.x core servers - nagios, dc, etc
10.0.5.x esx hosts
10.0.6.x nas,san
etc...
Then I put clients on 10.10.x.x,
i.e. 10.10.1.x, thereby giving each client an address space of 255.

All virtual clients are on interface 1.
I have a colo client on interface 2.
All core servers including Nagios are on interface 3.

Interface 1 is set up with sub-interfaces and ESXi and all works fine... except

Nagios cannot monitor anything within the 10.x.x.x range on any other interface but its own.

So basically I've messed this up a little...

Suggestions on how to fix would be really helpful
0
 
hybrid1969 (Author) Commented:
I obviously need to understand netmasks a lot better than I currently do when it comes to routing/firewalls.

The solution was to set the mask to 255.255.255.0 as you suggested, but I then lost access to the rest of the 10.x.x.x network.

The simple answer was to add a 2nd network and set the netmask for that network to 255.0.0.0.

Not elegant, but it works.

Thanks
0