daryldavies asked on

VRF, OSPF Routing and Firewall Help Request

I have a Cisco network with Cisco 4948 switch, 3800 router, and ASA5520 firewall.

I would like to build all my SVIs on the Cisco 4948 switch and do internal routing on the 4948 switch. I would like to build several VRFs per network and utilize OSPF to route traffic to the firewall in order for traffic to be filtered.

I would like to use the router only for external routing and would still want this traffic to traverse the firewall.

I have the following two networks for testing:

Network 1 - 10.10.10.0/28 - WEB NETWORK (TEST SERVER 10.10.10.8)
Network 2 - 10.10.11.0/28 - APP_DB NETWORK (TEST SERVER 10.10.11.8)

I tried a telnet from 10.10.10.8 to 10.10.11.8 on TCP port 139 and got no answer.

SEE CONFIG BELOW:

!
****** CIS4948 **********
!
vlan 255
name WEB
!
!
vlan 256
name APP_DB
!
ip vrf WEB
 description WEB VRF
 rd 1:255
!
!
!
!
ip vrf APP_DB
 description APP_DB VRF
 rd 1:256
!
!
interface Vlan255
 description WEB Subnet
 ip vrf forwarding WEB
 ip address 10.10.10.2 255.255.255.240
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
!
!
interface Vlan256
 description APP_DB Subnet
 ip vrf forwarding APP_DB
 ip address 10.10.11.2 255.255.255.240
 no ip redirects
 no ip proxy-arp
 standby 1 ip 10.10.11.1
 standby 1 priority 110
 standby 1 preempt
!
!
router ospf 11 vrf WEB
 router-id 10.10.12.5
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 capability vrf-lite
 area 16 nssa
 passive-interface Vlan255
 network 10.10.10.0 0.0.0.15 area 16
!
!
!
router ospf 12 vrf APP_DB
 router-id 10.10.12.5
 log-adjacency-changes
 auto-cost reference-bandwidth 100000
 capability vrf-lite
 area 16 nssa
 passive-interface Vlan256
 network 10.10.11.0 0.0.0.15 area 16
!
!
!
!
****** CIS5520 **********
!
interface GI0/1.255
 description WEB
 vlan 255
 nameif WEB#255
 security-level 61
 ip address 10.10.10.4 255.255.255.240
 ospf cost 1
 ospf priority 2
!
!
!
interface GI0/1.256
 description APP_DB
 vlan 256
 nameif APP_DB#256
 security-level 61
 ip address 10.10.11.4
 ospf cost 1
 ospf priority 2
!
!
object-group service WEB_PORT
description WEBPORT
service-object tcp 80
service-object tcp 8080
!
!
object-group service WEB_PORT
description WEBPORT
service-object tcp 8442
service-object tcp 443
service-object tcp 22
!
!
object-group network WEB
description WEB
network-object 10.10.10.0 255.255.255.240
!
object-group network APP_DB
description APP_DB
network-object 10.10.11.0 255.255.255.240
!
!
!
object-group service DB_PORT
 description DB_PORT
 service-object icmp6 echo
 service-object icmp6 echo-reply
 service-object tcp eq 445
 service-object tcp eq 8080
 service-object tcp eq https
 service-object tcp eq netbios-ssn
!
!
!
object-group service WEB_PORT
 description WEBPORT
 service-object tcp eq www
 service-object tcp eq 8442
 service-object tcp eq ssh
 service-object tcp eq 8080
 service-object tcp eq https
!
access-list WEB#255_access_in extended permit object-group DB_PORT object-group WEB object-group APP_DB
access-list APP_DB#256_access_in extended permit object-group WEB_PORT 10.0.0.0 255.0.0.0 10.10.10.0 255.255.255.240
!
!
router ospf 11
network 10.10.10.0 255.255.255.255 area 16
area 16 nssa
router-id 10.10.10.5
log-adj-changes
!
!
router ospf 12
network 10.10.11.0 255.255.255.255 area 16
area 16 nssa
router-id 10.10.11.5
log-adj-changes
!
Topics: Routers, Cisco, Switches / Hubs

Last comment: daryldavies, 8/22/2022 - Mon
keakathleen

Hello,

If you want to do SVIs then your physical ports (Gi0/1) should most likely be set up in a trunk format without IPs. You will be able to trunk VLAN 255 and 256 on the same physical port. You will need to switch them to a switch mode instead of a routing mode to do this.

In the end, you want to trunk VLAN 255 and 256 and then after being trunked in on the VLAN they will be routed through your virtual VLAN interfaces with IPs. I also noticed that your Gi0/1 port is subinterfaced so you will need to use another physical port to try converting over to SVIs.
rauenpc

I'm confused. You say you want to use the 4948 to do internal routing, but by setting up VRFs you are splitting the routing function of the 4948 into pieces, which would then require you to use the firewall for any routing between the VRFs.

Am I misunderstanding your intentions?
daryldavies

ASKER
Internal routes are going through the 4948 and I am doing external routes on a cisco 3800 router. That's the split.
daryldavies

ASKER
keakathleen, it is not possible for me to build a trunk on a Cisco 5520 firewall. Same with VLANs, I cannot build a VLAN on a Cisco 5520. This is why I used subinterfaces.
keakathleen

I see. I missed the segmentation between your configs.

Do you have connectivity established on your interface vlans? From your VLAN/subnet 255 or 256, can you ping your gateway? Can you ping your interface VLANs within the 4948? Are they up/up?

I do not understand the masking on the 5520 for OSPF. Why is the mask set to 255.255.255.255? I would think a mask might create some odd routing factors.

Finally, there is not a mask listed for subinterface Gi0/1.256 but perhaps that was just truncated when copied.
daryldavies

ASKER
Thanks for your response.

I am able to ping the gateway from a server on VLAN 255 and a server on 256. I cannot ping out of these subnets meaning I can ping a gateway from a server on VLAN 255 but on that server I cannot ping the gateway for VLAN 256.

The interfaces are up/up.

I have changed the mask on OSPF and still cannot telnet across the firewall.


!
router ospf 11
network 10.10.10.0 255.255.255.240 area 16
area 16 nssa
router-id 10.10.10.5
log-adj-changes
!
!
router ospf 12
network 10.10.11.0 255.255.255.240 area 16
area 16 nssa
router-id 10.10.11.5
log-adj-changes
!
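Added example, not from the thread, to check the mask question raised above: does an OSPF "network" statement actually place the interface address into OSPF? Cisco IOS (the 4948) reads the second token as a wildcard mask, while the ASA reads it as an ordinary subnet mask. The addresses and statements are the ones posted in the thread; the labels are constructed.

```python
# Added example (not from the thread): decide whether an OSPF "network"
# statement enables OSPF on a given interface address. IOS takes a wildcard
# mask (0 bits must match); the ASA takes a subnet mask (1 bits must match).
import ipaddress
import re
from typing import Optional

NET_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")


def covers(statement: str, interface_ip: str, platform: str) -> bool:
    """True if `statement` enables OSPF on `interface_ip`.

    platform is "ios" (wildcard mask) or "asa" (subnet mask)."""
    m = NET_RE.match(statement)
    if not m:
        raise ValueError(f"not an OSPF network statement: {statement!r}")
    net = int(ipaddress.IPv4Address(m.group(1)))
    second = int(ipaddress.IPv4Address(m.group(2)))
    if platform == "ios":
        netmask = second ^ 0xFFFFFFFF      # invert the wildcard into a netmask
    elif platform == "asa":
        netmask = second                   # already a netmask
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return (net & netmask) == (int(ipaddress.IPv4Address(interface_ip)) & netmask)


def area(statement: str) -> Optional[str]:
    """The area named in the statement, or None if it does not parse."""
    m = NET_RE.match(statement)
    return m.group(3) if m else None


# Constructed check table: (label, statement, platform, interface address)
CHECKS = [
    ("4948 WEB Vlan255",     "network 10.10.10.0 0.0.0.15 area 16",        "ios", "10.10.10.2"),
    ("ASA WEB original",     "network 10.10.10.0 255.255.255.255 area 16", "asa", "10.10.10.4"),
    ("ASA WEB corrected",    "network 10.10.10.0 255.255.255.240 area 16", "asa", "10.10.10.4"),
    ("ASA APP_DB original",  "network 10.10.11.0 255.255.255.255 area 16", "asa", "10.10.11.4"),
    ("ASA APP_DB corrected", "network 10.10.11.0 255.255.255.240 area 16", "asa", "10.10.11.4"),
]


def audit() -> dict:
    """Map each label to whether OSPF would run on that interface."""
    return {label: covers(stmt, ip, plat) for label, stmt, plat, ip in CHECKS}


if __name__ == "__main__":
    for label, ok in audit().items():
        print(f"{label:22s} {'OSPF enabled' if ok else 'NOT enabled'}")
```

With the original /32 mask the ASA subinterfaces at .4 fall outside the statement, so no hellos are sent and no adjacency with the 4948 can form; the /28 mask fixes that on the ASA side.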
daryldavies

ASKER
I still do not have a solution for this. Can someone help please?
keakathleen

I think your masks should be wildcards: 0.0.0.15
ASKER CERTIFIED SOLUTION
keakathleen

daryldavies

ASKER
I've requested that this question be deleted for the following reason:

delete