Solved

asa 5510 allow specific port between internal interfaces

Posted on 2012-09-20
596 Views
Last Modified: 2012-09-21
I'm very new to Cisco and so far have managed to set up a new ASA 5510 and get it working.

I have looked through the forums but am still stuck.

I'm still using ASDM 6.4 as I'm not confident with the CLI yet.

I have a server on one interface:
10.10.20.x 255.255.255.0
security level 90

and Nagios on another interface:
10.0.4.x 255.0.0.0
security level 100

Traffic flows fine between server <-> outside and Nagios <-> outside, and Nagios can access several external servers no problem. But the ASA won't let Nagios talk to the server on its private or public address.

I need to be able to allow just port 6556 between the server and Nagios to allow me to monitor it, but still keep these totally separate.

I've tried several things including no-NAT rules, ACLs and a static route, but no go.
Question by:hybrid1969
8 Comments
 
Expert Comment

by:Ernie Beek
ID: 38417659
Well, looking at:

i have a server on one interface
10.10.20.x 255.255.255.0

and nagios on another interface
10.0.4.x 255.0.0.0


I see an overlap between the networks (look at the subnet masks). That might be the cause of the issue (?)

Author Comment

by:hybrid1969
ID: 38417680
Should I use the same netmask then? I.e. 255.0.0.0?

I wanted to restrict the server down to only 250+ IPs, as it has several VM'd workstations running in that area and again I didn't want them to see anything they shouldn't.
Expert Comment

by:Ernie Beek
ID: 38417701
I would suggest the other way (255.255.255.0 if possible).

Now the Nagios server has 10.0.4.x 255.0.0.0, which means its network is 10.0.0.0-10.255.255.255. The server has 10.10.20.x 255.255.255.0, so its network is 10.10.20.0-10.10.20.255.

So the Nagios server sees the 10.10.20.x address as part of the network it is in (directly connected), hence it will not send the packets to that server out the default gateway (the ASA).
Expert Comment

by:ryan80
ID: 38418402
You can use this site for calculating subnets. This way you will know what IP ranges you are assigning.

http://www.subnet-calculator.com/cidr.php

If a device thinks that another IP is on the same subnet, then it will not go to the router/ASA. So Nagios is most likely not going through the firewall.
Expert Comment

by:Ernie Beek
ID: 38419362
@ryan80: elementary my dear watson ;)

Author Comment

by:hybrid1969
ID: 38421019
Hmmm... then I may have just a tiny issue....

You see, I thought I was being clever and set up my network on the 10.x.x.x range and then split things up thus:

10.x.x.x network, switches, ASA, routers, back links etc.
10.0.4.x core servers - Nagios, DC, etc.
10.0.5.x ESX hosts
10.0.6.x NAS, SAN
etc...
Then I put clients on 10.10.x.x,
i.e. 10.10.1.x, thereby giving each client an address space of 255.

All virtual clients are on interface 1.
I have a colo client on interface 2.
All core servers including Nagios are on interface 3.

Interface 1 is set up with sub-interfaces and ESXi and all works fine........except

Nagios cannot monitor anything within the 10.x.x.x on any other interface but its own.

So basically I've messed this up a little.......

Suggestions on how to fix would be really helpful.
Accepted Solution

by:ryan80 (earned 2000 total points)
ID: 38421846
The networks should not overlap. If a device looks at the IP address that it is trying to reach and sees that it is within its own network, it will only use Ethernet (layer 2) and not use IP (layer 3).

So the Nagios server with a network of 10.0.4.0 255.0.0.0 will think that everything from 10.0.0.1-10.255.255.254 is reachable using only Ethernet, without having to go through a router/firewall, i.e. its gateway. You need to change the subnet for 10.0.4.0 to 255.255.255.0 so that when it tries to reach something in 10.0.5.0 or 10.0.6.0 and so on, it will use IP and route through the ASA, which will then send the packet to the appropriate network.

If you just change the 10.0.4.0 subnet it looks like everything should be fine.
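The forwarding decision Ernie Beek and ryan80 describe (the host ANDs the destination with its own mask; on-link means it ARPs for the destination itself, off-link means it hands the packet to the gateway), as an added example that is not part of the original thread. It also checks the poster's whole address plan for overlapping ranges. The networks and masks are the ones given in the thread; the host parts .10 and .20 and the gateway address 10.0.4.1 are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed values. The two networks, their masks and the 10.0.5.x / 10.0.6.x
# ranges come from the thread; the host parts (.10, .20) and the ASA's address on
# the Nagios interface are assumed for illustration.
NAGIOS_IP = "10.0.4.10"
SERVER_IP = "10.10.20.20"
NAGIOS_GW = "10.0.4.1"        # assumed: the ASA's address on the core/Nagios interface


def next_hop(src_ip: str, src_mask: str, dst_ip: str, gateway: str) -> str:
    """Reproduce a host's forwarding decision; return the address it will ARP for.

    The host ANDs the destination with its own mask. If the result is its own
    network number, the destination is 'on-link': the host ARPs for it directly
    and the packet never reaches the default gateway (the ASA). Otherwise it
    ARPs for the gateway and the packet is routed.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    dst = ipaddress.ip_address(dst_ip)
    return dst_ip if dst in iface.network else gateway


def find_overlaps(cidrs):
    """Return every pair of networks in an address plan whose ranges overlap.

    Accepts prefix or dotted-mask notation ('10.0.4.0/24', '10.0.4.0/255.0.0.0').
    Host bits are masked off (strict=False), so '10.0.4.0/255.0.0.0' is treated
    as the 10.0.0.0/8 it really is.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sorted((str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b))


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        hop = next_hop(NAGIOS_IP, mask, SERVER_IP, NAGIOS_GW)
        where = "on-link, the ASA never sees it" if hop == SERVER_IP else "via the ASA"
        print(f"Nagios with mask {mask:15} -> ARPs for {hop:12} ({where})")

    plan_as_configured = ["10.0.4.0/255.0.0.0", "10.0.5.0/24", "10.0.6.0/24", "10.10.20.0/24"]
    plan_fixed = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24", "10.10.20.0/24"]
    print("overlaps as configured:", find_overlaps(plan_as_configured))
    print("overlaps after the fix: ", find_overlaps(plan_fixed))
```

Running it shows why none of the no-NAT rules, ACLs or static routes tried on the ASA could have helped: with 255.0.0.0 the Nagios host ARPs for 10.10.20.20 on its own segment and the firewall never sees the packet; with 255.255.255.0 it sends the packet to 10.0.4.1 and the ASA gets to apply its policy. The overlap check flags the /8 against every other range in the plan and returns an empty list once the core network is a /24.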

Author Comment

by:hybrid1969
ID: 38422802
I obviously need to understand netmasks a lot better than I currently do when it comes to routing/firewalls.

The solution was to set the mask to 255.255.255.0 as you suggested, but I then lost access to the rest of the 10.x.x.x network.

The simple answer was to add a 2nd network and set the netmask for that network to 255.0.0.0.

Not elegant, but it works.

Thanks
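For the original ask (only TCP 6556 from Nagios to the server, everything else between the two interfaces blocked), an added example of the ASA side in 8.3+/8.4-style CLI; this is not configuration from the thread. The interface names, Ethernet ports, host addresses (.10 and .20), gateway addresses and the ACL name are assumptions; only the two networks, the security levels and port 6556 come from the question. It assumes the overlap discussed above has already been fixed by giving the core interface a /24, so that Nagios actually sends the packet to the ASA.

```cisco
! Added example, not from the thread. Interface names, ports, host addresses
! and the ACL name are assumed; networks, security levels and port 6556 are
! from the question.
interface Ethernet0/2
 nameif core
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
! /24 on the core side, not /8: 10.10.20.x is now off-link for Nagios and
! the packet reaches the ASA.
interface Ethernet0/1
 nameif servers
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
object network NAGIOS
 host 10.0.4.10
object network MONITORED-SERVER
 host 10.10.20.20
!
! Inbound ACL on the Nagios side. As soon as an ACL is applied to an interface,
! the implicit "higher security level may reach lower" rule no longer applies
! there; anything not listed is dropped by the implicit deny at the end.
access-list CORE_IN extended permit tcp object NAGIOS object MONITORED-SERVER eq 6556
access-list CORE_IN extended deny ip any 10.10.20.0 255.255.255.0 log
access-list CORE_IN extended permit ip 10.0.4.0 255.255.255.0 any
access-group CORE_IN in interface core
```

The single permit line is the only path from the core segment into 10.10.20.0/24; the explicit deny keeps the rest of that segment separate while the final permit preserves the outbound access that already worked. Return traffic for the Nagios check is handled by stateful inspection, and the server side (security level 90) still cannot initiate anything toward the core network because nothing permits lower-to-higher there. On ASA 8.3 and later no NAT or no-NAT statement is needed for traffic between two internal interfaces, so correct routing plus this ACL is sufficient.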