SearsFranchisesIT
asked on
ASA Firewall/6509 Switch, InterVlan Routing, Default Gateway
Hello,
I am working with an ASA 5525 and Cisco 6509-E Switch. I am unable to RDP to servers on different Subnets and get to the internet when the DFGW is set to the SVI.
Topology,
ASA:
Outside Interface- 172.16.100.254- Connected to FATPipe Loadbalancers/Internet
WebDMZ interface- 192.168.10.254 Set up for 1 to 1 NAT to Web Servers load balanced by FatPipe
Server Interface -192.168.40.254
6509:
VLAN SVI- 10
192.168.10.1
VLAN SVI 40
192.168.40.1
Questions:
1) I am unable to RDP to servers on the 10 VLAN from servers on the 40 VLAN or vice versa. Ping and trace work from all devices, and the firewall shows the RDP port open. What am I missing here?
2) I have set the DFGW to the SVI and am unable to get to the internet unless the switch's DFGW is on the same Subnet.
If I set the DFGW to the corresponding port on the firewall I am able to get out to the internet. Wouldn't routing be taking care of this?
The scenario- PC -192.168.40.40 DFGW 192.168.40.1 Switch = no default route No internet access. However can ping the firewall port of 192.168.40.254
Scenario B PC 192.168.40.40 DFGW 192.168.40.254 Switch = no default route/ Internet access but no vlan to vlan communication besides ping and trace.
Scenario C PC 192.168.40.40 DFGW 192.168.40.1 Switch route 0.0.0.0 0.0.0.0 192.168.40.254= Internet access is good.
I am missing something but I thought on the 6509 routing was on and that routing would be taking place on the SVI's.
What I want is a core switch with L3 routed VLAN's I want all of the VLAN's to get to the firewall and out to the internet.
I want the DMZ shut down to anything that is not specified (RDP, Management etc.)
Maybe I want too much. :)
Thanks-
If you use the switch as your default gateway, then you're offloading routing decisions to the switch. The switch then needs to know where to send traffic that isn't in its routing table, which means its default gateway needs to be the firewall.
ASKER
Asavener,
Thank you for your response. In your second comment having the switch making the routing decisions, I have tried this approach, the hang up I am having is with the multiple assumed gateways.
I have 3 interfaces on the ASA, all potential routes for their subnet, and the switch has all 3 VLANs configured as SVIs. I was hoping the routing would take effect and everything on, let's say, the 192.168.40.x network would go to the switch @ 40.1, then the switch would send it to the firewall 40.254. This works if I make the switch route 0.0.0.0 0.0.0.0 192.168.40.254. I think I am missing something simple and just cannot put my finger on it.
Thanks,
That's exactly the right setting.
The cisco "default gateway" setting is used in route redistribution, I think.... What you want is the route command that you just posted.
ASKER
So the $$$ Question, if the 0 route goes to the 40.0 vlan, what about the other 3 vlans I will have on the switch? I ask this because yes that will work for the 40.x vlan and all is great, but add a host to the 60.x vlan and I get nowhere.
As always thanks for your response.
For hosts on the 60.x VLAN, you're setting a default gateway of 192.168.60.1?
Routing is enabled by default on the 6500 platform.
What do your rules look like on the ASA? Is it allowing traffic from the 192.168.60.0/24 subnet?
ASKER
Yes, I am setting the default gateway to 60.1, figuring the routing was going to happen as you said. I have an access list set up to allow that network. It's a standard ACL permitting all traffic.
This is what it would look like
Host -192.168.60.11 --> hits the default gateway 192.168.60.1 from there it would go to 192.168.40.254 as mentioned in previous discussions the switch is set to 0.0.0.0 0.0.0.0 192.168.40.254, Does not seem correct.
I could set another Nic on the firewall for this network as there are 7 I do believe. I was really hoping to not have to do that.
I am working with what a previous admin set up, so this ASA does not have the typical Inside/Outside/DMZ interfaces. It's more like specific interfaces for each network that will traverse it.
Hope I am being clear enough.
Thanks again.
Does the ASA have a route to 192.168.60.0/24?
ASKER
Yes sir it does.
What's the routing entry on the ASA?
ASKER
Interfaces are
Outside- 172.16.100.245
Web- 192.168.10.254
Corp-10.57.82.126
Server-192.168.40.254
Route for .60 network = Via Server interface 192.168.50.0 Gateway 192.168.50.1 (This is the switches VLAN)
OK, that's why traffic isn't getting through. Your paths to and from the 192.168.60.0/24 network are different, so the ASA is going to block the traffic. The ASA wants to see a successful three-way handshake before allowing traffic, and while the 192.168.40.254 interface sees the inbound SYN, the 192.168.50.x interface doesn't, so it won't send a SYN/ACK.
Change your route so that 192.168.60.0/24 is routed to 192.168.40.254.
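As an added illustration of the path-symmetry point (example code written for this page, not anything posted in the thread or shipped by Cisco), the model below loads the routing tables as they appear later in the thread (the 6500's "show ip route" and "ip route" lines, and the ASA's two "route" lines, including the 255.255.255.255 mask on the posted 192.168.50.0 route) and traces a TCP flow in both directions. The host addresses, the VLAN 10 gateway choices, and the treatment of the ASA's outside next hop as "leaves the model" are constructed assumptions. The ASA is modelled the way Asavener describes it: a TCP connection only works if the ASA sees the whole three-way handshake, while a ping reply that bypasses the firewall is simply delivered by the switch.

```python
"""Path-symmetry model for the ASA 5525 / 6509 thread (added example, not
from the thread).  Routing tables are the ones posted; hosts and the VLAN 10
gateway choice are constructed to reproduce the asker's scenarios."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, object]  # ("connected", ifname) or ("via", next_hop)


class Router:
    """Minimal L3 forwarder: longest prefix match over connected networks
    (AD 0) and static routes (AD 1); AD breaks ties, so a static route for a
    directly connected subnet is shadowed, as on the posted 6500."""

    def __init__(self, name: str, interfaces: Dict[str, str],
                 statics: List[Tuple[str, str]]) -> None:
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.statics = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
                        for p, nh in statics]

    def owns(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip == i.ip for i in self.ifaces.values())

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        cands = [(i.network.prefixlen, 0, ("connected", n))
                 for n, i in self.ifaces.items() if dst in i.network]
        cands += [(net.prefixlen, -1, ("via", nh))
                  for net, nh in self.statics if dst in net]
        return max(cands, key=lambda c: c[:2])[2] if cands else None


def build_routers(asa_route_to_50: str = "192.168.50.0/32") -> List[Router]:
    """Tables as posted.  The ASA line 'route Server 192.168.50.0
    255.255.255.255 192.168.40.1' is a /32 host route; pass '192.168.50.0/24'
    to see the /24 the thread says it should be."""
    switch = Router("6500", {
        "Vlan10": "192.168.10.1/24", "Vlan20": "192.168.20.1/24",
        "Vlan30": "192.168.30.1/24", "Vlan40": "192.168.40.1/24",
        "Vlan50": "192.168.50.1/24"}, [
        ("0.0.0.0/0", "192.168.40.254"),
        ("192.168.10.0/24", "192.168.10.254"),   # shadowed by connected Vlan10
        ("192.168.50.0/24", "192.168.40.254")])  # shadowed by connected Vlan50
    asa = Router("ASA", {
        "outside": "172.16.100.254/24", "WEBDMZ": "192.168.10.254/24",
        "CorpDMZ": "10.57.82.126/25", "Server": "192.168.40.254/24"}, [
        ("0.0.0.0/0", "172.16.100.250"),
        (asa_route_to_50, "192.168.40.1")])
    return [switch, asa]


def hosts_for(vlan40_gw: str, vlan10_gw: str) -> Dict[str, Tuple[str, str]]:
    """Constructed hosts: name -> (address/prefix, default gateway)."""
    return {"srv40": ("192.168.40.40/24", vlan40_gw),
            "srv10": ("192.168.10.11/24", vlan10_gw),
            "pc50": ("192.168.50.11/24", "192.168.50.1")}


def trace(hosts, routers, src: str, dst: str, max_hops: int = 8):
    """Forward one packet src->dst.  Returns (routers traversed, delivered);
    delivered is False when the packet goes to a next hop nobody in the model
    owns (the ASA's outside default) or no route exists."""
    s_if = ipaddress.ip_interface(hosts[src][0])
    d_ip = ipaddress.ip_interface(hosts[dst][0]).ip
    if d_ip in s_if.network:          # same VLAN: switched at L2, no router
        return [], True
    nh = ipaddress.ip_address(hosts[src][1])
    path: List[str] = []
    for _ in range(max_hops):
        dev = next((r for r in routers if r.owns(nh)), None)
        if dev is None:
            return path, False        # left the modelled network
        path.append(dev.name)
        route = dev.lookup(d_ip)
        if route is None:
            return path, False
        kind, val = route
        if kind == "connected":
            return path, True         # ARPs for d_ip on that interface
        nh = val
    return path, False                # routing loop


def tcp_session(hosts, routers, client: str, server: str, fw: str = "ASA"):
    """Stateful rule from the thread: the ASA must see SYN, SYN/ACK and ACK
    of one connection.  Seeing only one direction means the handshake never
    completes from its point of view and the flow is dropped."""
    fwd, ok_f = trace(hosts, routers, client, server)
    rev, ok_r = trace(hosts, routers, server, client)
    if not ok_f:
        return False, "SYN never reaches %s (forward path %s)" % (server, fwd)
    if not ok_r:
        return False, "SYN/ACK never reaches %s (return path %s)" % (client, rev)
    if (fw in fwd) != (fw in rev):
        return False, "asymmetric: %s sees one direction only (fwd %s, rev %s)" % (fw, fwd, rev)
    reason = "symmetric" if fw in fwd else "firewall not on path"
    return True, reason


def icmp_echo(hosts, routers, client: str, server: str) -> bool:
    """Ping only needs each direction to be deliverable; an echo reply that
    bypasses the ASA is still delivered by the switch, so ping 'works'."""
    return trace(hosts, routers, client, server)[1] and trace(hosts, routers, server, client)[1]


if __name__ == "__main__":
    cases = {"Scenario B (srv40 gw .254, srv10 gw .1)": hosts_for("192.168.40.254", "192.168.10.1"),
             "both via switch": hosts_for("192.168.40.1", "192.168.10.1"),
             "both via ASA": hosts_for("192.168.40.254", "192.168.10.254")}
    for label, h in cases.items():
        print(label, "RDP:", tcp_session(h, build_routers(), "srv40", "srv10"),
              "ping:", icmp_echo(h, build_routers(), "srv40", "srv10"))
    h = hosts_for("192.168.40.254", "192.168.10.1")
    print("srv40 -> pc50, /32 ASA route:", trace(h, build_routers(), "srv40", "pc50"))
    print("srv40 -> pc50, /24 ASA route:", trace(h, build_routers("192.168.50.0/24"), "srv40", "pc50"))
```

Running it reproduces the symptom in question 1: with VLAN 40 hosts pointed at the ASA and VLAN 10 hosts pointed at the SVI, ping succeeds but the TCP session fails because the ASA sees the SYN and never the SYN/ACK. Pointing every host at its SVI and giving the switch one default route to the ASA (the thread's Scenario C) keeps inter-VLAN traffic off the firewall entirely, and only internet-bound traffic crosses it, in both directions. The last two lines show why the posted ASA route does not help: with the 255.255.255.255 mask it matches only the address 192.168.50.0, so traffic to 192.168.50.11 falls through to the outside default route.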
ASKER
I thought the same thing; however, that is an interface on the ASA, so it kicks out an error stating that the next hop belongs to one of our interfaces.
The ASA sees the ICMP traffic, however each host does not. I am pinging from .40 to .60 and nothing.
Sorry, made a typo. On the ASA, the next-hop for 192.168.60.0/24 should be 192.168.40.1.
Also, can you provide the output of "show ip route" on the 6500?
ASKER
I tried that one too. I am sure it's something silly.
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.40.0/24 is directly connected, Vlan40
C 192.168.60.0/24 is directly connected, Vlan50
S* 0.0.0.0/0 [1/0] via 192.168.40.254
Try entering "ip routing" at the configuration line on the 6500.
ASKER
IP routing is already enabled on the 6500 so that command will not work. :/
Can you provide a full configuration of the device?
ASKER
Sure, I will give you the switch and ASA configs. *Note: the subnet we are discussing as 60.x was a mistype in our discussion; it is actually the 50.x subnet when you see the configs.
This is also a new configuration nothing is hardened yet.
6500 Config (sanitized: removed all ports that are not being used at the moment.)
Building configuration...
Current configuration : 11732 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service counters max age 5
!
hostname Router
!
boot-start-marker
boot system flash sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI2a.bin
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
vtp domain cisco
vtp mode transparent
mls netflow interface
mls cef error action reset
!
!
!
!
spanning-tree mode pvst
diagnostic bootup level minimal
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 10,20,30,40,50,100
!
!
!
!
!
interface Port-channel1
switchport
!
interface Port-channel2
switchport
!
interface Port-channel3
switchport
!
interface GigabitEthernet1/1
switchport
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/2
switchport
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/3
switchport
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/4
switchport
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/5
no ip address
!
interface GigabitEthernet1/6
no ip address
!
interface GigabitEthernet1/7
no ip address
!
interface GigabitEthernet1/8
no ip address
!
interface GigabitEthernet1/9
no ip address
!
interface GigabitEthernet1/10
no ip address
!
interface GigabitEthernet1/11
no ip address
!
interface GigabitEthernet1/12
no ip address
!
interface GigabitEthernet1/13
no ip address
!
interface GigabitEthernet1/14
no ip address
!
interface GigabitEthernet1/15
no ip address
!
interface GigabitEthernet1/16
no ip address
!
interface GigabitEthernet1/17
no ip address
!
interface GigabitEthernet1/18
no ip address
!
interface GigabitEthernet1/19
no ip address
!
interface GigabitEthernet1/20
no ip address
!
interface GigabitEthernet1/21
no ip address
!
interface GigabitEthernet1/22
no ip address
!
interface GigabitEthernet1/23
no ip address
!
interface GigabitEthernet1/24
no ip address
!
interface GigabitEthernet1/25
no ip address
!
interface GigabitEthernet1/26
no ip address
!
interface GigabitEthernet1/27
no ip address
!
interface GigabitEthernet1/28
no ip address
!
interface GigabitEthernet1/29
no ip address
!
interface GigabitEthernet1/30
no ip address
!
interface GigabitEthernet1/31
no ip address
!
interface GigabitEthernet1/32
no ip address
!
interface GigabitEthernet1/33
no ip address
!
interface GigabitEthernet1/34
no ip address
!
interface GigabitEthernet1/35
no ip address
!
interface GigabitEthernet1/36
no ip address
!
interface GigabitEthernet1/37
no ip address
!
interface GigabitEthernet1/38
no ip address
!
interface GigabitEthernet1/39
no ip address
!
interface GigabitEthernet1/40
no ip address
!
interface GigabitEthernet1/41
no ip address
!
interface GigabitEthernet1/42
no ip address
!
interface GigabitEthernet1/43
no ip address
!
interface GigabitEthernet1/44
no ip address
!
interface GigabitEthernet1/45
no ip address
!
interface GigabitEthernet1/46
no ip address
!
interface GigabitEthernet1/47
no ip address
!
interface GigabitEthernet1/48
no ip address
!
interface GigabitEthernet2/1
switchport
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet2/2
switchport
switchport access vlan 10
switchport mode access
channel-group 2 mode active
!
interface GigabitEthernet2/3
switchport
switchport access vlan 10
switchport mode access
channel-group 3 mode active
!
!
interface GigabitEthernet3/1
switchport
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet3/2
switchport
switchport access vlan 10
switchport mode access
channel-group 2 mode active
!
interface GigabitEthernet3/3
switchport
switchport access vlan 10
switchport mode access
channel-group 3 mode active
!
!
interface GigabitEthernet4/1
no ip address
!
interface GigabitEthernet4/2
no ip address
!
interface GigabitEthernet4/3
switchport
switchport access vlan 50
switchport mode access
spanning-tree portfast edge
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.40.254
ip route 192.168.10.0 255.255.255.0 192.168.10.254
ip route 192.168.50.0 255.255.255.0 192.168.40.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end
ASA:
:
ASA Version 9.1(2)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN 10.57.82.86-10.57.82.89
ip local pool AnyConnect 192.168.100.50-192.168.100.60
ip local pool Anyconnect-VPN 172.16.82.1-172.16.82.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!
interface GigabitEthernet0/1
nameif WEBDMZ
security-level 50
ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
!
interface GigabitEthernet0/2
nameif CorpDMZ
security-level 60
ip address 10.57.82.126 255.255.255.128 standby 10.57.82.125
!
interface GigabitEthernet0/3
description Interface to connect new server network to new network
nameif Server
security-level 50
ip address 192.168.40.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN Failover Interface
!
interface Management0/0
management-only
nameif management
security-level 60
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup WEBDMZ
dns domain-lookup CorpDMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.57.82.101
domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service HTTP
service tcp source eq www
object network SMTP-outside
host 172.16.100.31
object network SMTP-inside
host 192.168.10.31
object network SFTP-outside
host 172.16.100.31
object network SFTP-inside
host 192.168.10.31
object service SMTP
service tcp source eq smtp
object service SFTP
service tcp source eq 115
object service SSH
service tcp source eq ssh
object network obj-192.168.10.11
host 192.168.10.11
object network obj-192.168.10.12
host 192.168.10.12
object network obj-192.168.10.13
host 192.168.10.13
object network obj-192.168.10.14
host 192.168.10.14
object network obj-192.168.10.15
host 192.168.10.15
object network obj-192.168.10.21
host 192.168.10.21
object network obj-192.168.10.22
host 192.168.10.22
object network obj-192.168.10.31
host 192.168.10.31
object network obj-192.168.10.41
host 192.168.10.41
object network obj-10.57.82.0
subnet 10.57.82.0 255.255.255.0
object network 192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network 10.57.0.0_16
subnet 10.57.0.0 255.255.0.0
object network 172.16.82.0_24
subnet 172.16.82.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-172.16.82.0
subnet 172.16.82.0 255.255.255.0
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.255.0
object-group network DMZ-Web
network-object host 192.168.10.11
network-object host 192.168.10.12
network-object host 192.168.10.13
network-object host 192.168.10.14
network-object host 192.168.10.15
network-object host 192.168.10.21
network-object host 192.168.10.22
object-group network outside-to-DMZ
network-object host 172.16.100.11
network-object host 172.16.100.12
network-object host 172.16.100.13
network-object host 172.16.100.14
network-object host 172.16.100.15
network-object host 172.16.100.21
network-object host 172.16.100.22
object-group service RDP tcp-udp
description RDP
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside extended permit tcp any object-group DMZ-Web eq www
access-list outside extended permit tcp any object SFTP-inside eq ssh
access-list outside extended permit tcp any object SFTP-inside eq 115
access-list outside extended permit ip any 192.168.100.0 255.255.255.0
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 192.168.10.11 eq www
access-list outside extended permit tcp any host 192.168.10.11 eq https
access-list outside extended permit tcp any host 192.168.10.12 eq www
access-list outside extended permit tcp any host 192.168.10.12 eq https
access-list outside extended permit tcp any host 192.168.10.13 eq www
access-list outside extended permit tcp any host 192.168.10.13 eq https
access-list outside extended permit tcp any host 192.168.10.14 eq www
access-list outside extended permit tcp any host 192.168.10.14 eq https
access-list outside extended permit tcp any host 192.168.10.15 eq www
access-list outside extended permit tcp any host 192.168.10.15 eq https
access-list outside extended permit tcp any host 192.168.10.21 eq www
access-list outside extended permit tcp any host 192.168.10.21 eq https
access-list outside extended permit tcp any host 192.168.10.31 eq www
access-list outside extended permit tcp any host 192.168.10.31 eq https
access-list outside extended permit tcp any host 192.168.10.41 eq www
access-list outside extended permit tcp any host 192.168.10.41 eq https
access-list outside extended permit tcp any host 192.168.10.11 eq 3389
access-list split standard permit 10.57.0.0 255.255.0.0
access-list split standard permit 192.168.10.0 255.255.255.0
access-list split standard permit 192.168.40.0 255.255.255.0
access-list split remark User network
access-list split standard permit host 192.168.50.0
access-list CorpDMZ_in extended permit icmp any4 any
access-list CorpDMZ_in extended permit ip any any
access-list Server_access_in extended permit ip any any
access-list RDP extended permit object-group TCPUDP 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0 object-group RDP
access-list 50Vlan extended permit ip any any
pager lines 24
logging enable
logging asdm informational
flow-export destination Server 192.168.30.5 2055
mtu outside 1500
mtu WEBDMZ 1500
mtu CorpDMZ 1500
mtu Server 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (WEBDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-172.16.82.0 obj-172.16.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-10.57.82.0 obj-10.57.82.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,outside) source static DMZ-Web outside-to-DMZ service HTTP HTTP
nat (WEBDMZ,outside) source static SMTP-inside SMTP-outside service SMTP SMTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SFTP SFTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SSH SSH
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,CorpDMZ) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0
nat (Server,outside) source static obj-192.168.40.0 obj-192.168.40.0 destination static obj-192.168.40.0 obj-192.168.40.0 no-proxy-arp
!
object network obj-192.168.10.11
nat (WEBDMZ,outside) static 172.16.100.11
object network obj-192.168.10.12
nat (WEBDMZ,outside) static 172.16.100.12
object network obj-192.168.10.13
nat (WEBDMZ,outside) static 172.16.100.13
object network obj-192.168.10.14
nat (WEBDMZ,outside) static 172.16.100.14
object network obj-192.168.10.15
nat (WEBDMZ,outside) static 172.16.100.15
object network obj-192.168.10.21
nat (WEBDMZ,outside) static 172.16.100.21
object network obj-192.168.10.22
nat (WEBDMZ,outside) static 172.16.100.22
object network obj-192.168.10.31
nat (WEBDMZ,outside) static 172.16.100.31
object network obj-192.168.10.41
nat (WEBDMZ,outside) static 172.16.100.41
access-group outside in interface outside
access-group CorpDMZ_in in interface CorpDMZ
access-group Server_access_in in interface Server
route outside 0.0.0.0 0.0.0.0 172.16.100.250 1
route Server 192.168.50.0 255.255.255.255 192.168.40.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_VPN
map-name memberOf Group-Policy
map-value memberOf CN=VPN,CN=Users,DC=searscarpet,DC=com VPN
dynamic-access-policy-record DfltAccessPolicy
user-message "Only computers that are the property of Sears will be allowed to conneted to the VPN. Please see your System Administrator."
action terminate
dynamic-access-policy-record AnyConnect
description "Domain check"
aaa-server LDAP protocol ldap
aaa-server LDAP (CorpDMZ) host 10.57.82.101
ldap-base-dn DC=searscarpet,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Jeff Rockwell,CN=Users,DC=searscarpet,DC=com
server-type auto-detect
ldap-attribute-map LDAP_VPN
aaa-server Dup-LDAP protocol ldap
aaa-server Dup-LDAP (outside) host api-4e603544.duosecurity.com
timeout 60
server-port 636
ldap-base-dn dc=DIV3TDMOV3VRDS3MS5AH,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=DIV3TDMOV3VRDS3MS5AH,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 CorpDMZ
snmp-server host Server 192.168.30.5 community ***** version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=96.11.19.200
keypair KEY-2048
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CorpDMZ
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access CorpDMZ
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
csd hostscan image disk0:/anyconnect-win-3.1.08009-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
wins-server none
dns-server value 8.8.8.8
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value searscarpet.com
group-policy VPN internal
group-policy VPN attributes
dns-server value 10.57.85.101 10.57.85.102
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value searscarpet.com
address-pools value VPN
username sentinel password NLs14VNuwLsLR40a encrypted
username Cisco password 9ViKxX39JvevUOV0 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
secondary-authentication-server-group Dup-LDAP use-primary-username
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN
authentication-server-group LDAP
secondary-authentication-server-group Dup-LDAP use-primary-username
default-group-policy NOACCESS
tunnel-group VPN webvpn-attributes
group-alias VPN enable
group-url https://96.11.19.200/vpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
This is also a new configuration nothing is hardened yet.
6500 Config (Sanitized removed all ports that are not being used at the moment.)
Building configuration...
Current configuration : 11732 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service counters max age 5
!
hostname Router
!
boot-start-marker
boot system flash sup-bootdisk:s72033-advent
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
vtp domain cisco
--More-- vtp mode transparent
mls netflow interface
mls cef error action reset
!
!
!
!
spanning-tree mode pvst
diagnostic bootup level minimal
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
--More-- !
vlan 10,20,30,40,50,100
!
!
!
!
!
interface Port-channel1
switchport
!
interface Port-channel2
switchport
!
interface Port-channel3
switchport
!
interface GigabitEthernet1/1
switchport
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/2
switchport
--More-- switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/3
switchport
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/4
switchport
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/5
no ip address
!
interface GigabitEthernet1/6
no ip address
!
interface GigabitEthernet1/7
no ip address
!
interface GigabitEthernet1/8
--More-- no ip address
!
interface GigabitEthernet1/9
no ip address
!
interface GigabitEthernet1/10
no ip address
!
interface GigabitEthernet1/11
no ip address
!
interface GigabitEthernet1/12
no ip address
!
interface GigabitEthernet1/13
no ip address
!
interface GigabitEthernet1/14
no ip address
!
interface GigabitEthernet1/15
no ip address
!
--More-- interface GigabitEthernet1/16
no ip address
!
interface GigabitEthernet1/17
no ip address
!
interface GigabitEthernet1/18
no ip address
!
interface GigabitEthernet1/19
no ip address
!
interface GigabitEthernet1/20
no ip address
!
interface GigabitEthernet1/21
no ip address
!
interface GigabitEthernet1/22
no ip address
!
interface GigabitEthernet1/23
no ip address
--More-- !
interface GigabitEthernet1/24
no ip address
!
interface GigabitEthernet1/25
no ip address
!
interface GigabitEthernet1/26
no ip address
!
interface GigabitEthernet1/27
no ip address
!
interface GigabitEthernet1/28
no ip address
!
interface GigabitEthernet1/29
no ip address
!
interface GigabitEthernet1/30
no ip address
!
interface GigabitEthernet1/31
--More-- no ip address
!
interface GigabitEthernet1/32
no ip address
!
interface GigabitEthernet1/33
no ip address
!
interface GigabitEthernet1/34
no ip address
!
interface GigabitEthernet1/35
no ip address
!
interface GigabitEthernet1/36
no ip address
!
interface GigabitEthernet1/37
no ip address
!
interface GigabitEthernet1/38
no ip address
!
--More-- interface GigabitEthernet1/39
no ip address
!
interface GigabitEthernet1/40
no ip address
!
interface GigabitEthernet1/41
no ip address
!
interface GigabitEthernet1/42
no ip address
!
interface GigabitEthernet1/43
no ip address
!
interface GigabitEthernet1/44
no ip address
!
interface GigabitEthernet1/45
no ip address
!
interface GigabitEthernet1/46
no ip address
--More-- !
interface GigabitEthernet1/47
no ip address
!
interface GigabitEthernet1/48
no ip address
!
interface GigabitEthernet2/1
switchport
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet2/2
switchport
switchport access vlan 10
switchport mode access
channel-group 2 mode active
!
interface GigabitEthernet2/3
switchport
switchport access vlan 10
switchport mode access
--More-- channel-group 3 mode active
!
!
interface GigabitEthernet3/1
--More-- switchport
switchport access vlan 10
switchport mode access
channel-group 1 mode active
!
interface GigabitEthernet3/2
switchport
switchport access vlan 10
switchport mode access
channel-group 2 mode active
!
interface GigabitEthernet3/3
switchport
switchport access vlan 10
switchport mode access
channel-group 3 mode active
!
!
interface GigabitEthernet4/1
no ip address
!
interface GigabitEthernet4/2
no ip address
!
interface GigabitEthernet4/3
switchport
switchport access vlan 50
switchport mode access
spanning-tree portfast edge
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
--More-- !
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.40.254
ip route 192.168.10.0 255.255.255.0 192.168.10.254
ip route 192.168.50.0 255.255.255.0 192.168.40.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end
ASA:
:
ASA Version 9.1(2)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN 10.57.82.86-10.57.82.89
ip local pool AnyConnect 192.168.100.50-192.168.100
ip local pool Anyconnect-VPN 172.16.82.1-172.16.82.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!
interface GigabitEthernet0/1
nameif WEBDMZ
security-level 50
ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
!
interface GigabitEthernet0/2
nameif CorpDMZ
security-level 60
ip address 10.57.82.126 255.255.255.128 standby 10.57.82.125
!
interface GigabitEthernet0/3
description Interface to connect new server network to new network
nameif Server
security-level 50
ip address 192.168.40.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN Failover Interface
!
interface Management0/0
management-only
nameif management
security-level 60
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup WEBDMZ
dns domain-lookup CorpDMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.57.82.101
domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service HTTP
service tcp source eq www
object network SMTP-outside
host 172.16.100.31
object network SMTP-inside
host 192.168.10.31
object network SFTP-outside
host 172.16.100.31
object network SFTP-inside
host 192.168.10.31
object service SMTP
service tcp source eq smtp
object service SFTP
service tcp source eq 115
object service SSH
service tcp source eq ssh
object network obj-192.168.10.11
host 192.168.10.11
object network obj-192.168.10.12
host 192.168.10.12
object network obj-192.168.10.13
host 192.168.10.13
object network obj-192.168.10.14
host 192.168.10.14
object network obj-192.168.10.15
host 192.168.10.15
object network obj-192.168.10.21
host 192.168.10.21
object network obj-192.168.10.22
host 192.168.10.22
object network obj-192.168.10.31
host 192.168.10.31
object network obj-192.168.10.41
host 192.168.10.41
object network obj-10.57.82.0
subnet 10.57.82.0 255.255.255.0
object network 192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network 10.57.0.0_16
subnet 10.57.0.0 255.255.0.0
object network 172.16.82.0_24
subnet 172.16.82.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-172.16.82.0
subnet 172.16.82.0 255.255.255.0
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.255.0
object-group network DMZ-Web
network-object host 192.168.10.11
network-object host 192.168.10.12
network-object host 192.168.10.13
network-object host 192.168.10.14
network-object host 192.168.10.15
network-object host 192.168.10.21
network-object host 192.168.10.22
object-group network outside-to-DMZ
network-object host 172.16.100.11
network-object host 172.16.100.12
network-object host 172.16.100.13
network-object host 172.16.100.14
network-object host 172.16.100.15
network-object host 172.16.100.21
network-object host 172.16.100.22
object-group service RDP tcp-udp
description RDP
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside extended permit tcp any object-group DMZ-Web eq www
access-list outside extended permit tcp any object SFTP-inside eq ssh
access-list outside extended permit tcp any object SFTP-inside eq 115
access-list outside extended permit ip any 192.168.100.0 255.255.255.0
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 192.168.10.11 eq www
access-list outside extended permit tcp any host 192.168.10.11 eq https
access-list outside extended permit tcp any host 192.168.10.12 eq www
access-list outside extended permit tcp any host 192.168.10.12 eq https
access-list outside extended permit tcp any host 192.168.10.13 eq www
access-list outside extended permit tcp any host 192.168.10.13 eq https
access-list outside extended permit tcp any host 192.168.10.14 eq www
access-list outside extended permit tcp any host 192.168.10.14 eq https
access-list outside extended permit tcp any host 192.168.10.15 eq www
access-list outside extended permit tcp any host 192.168.10.15 eq https
access-list outside extended permit tcp any host 192.168.10.21 eq www
access-list outside extended permit tcp any host 192.168.10.21 eq https
access-list outside extended permit tcp any host 192.168.10.31 eq www
access-list outside extended permit tcp any host 192.168.10.31 eq https
access-list outside extended permit tcp any host 192.168.10.41 eq www
access-list outside extended permit tcp any host 192.168.10.41 eq https
access-list outside extended permit tcp any host 192.168.10.11 eq 3389
access-list split standard permit 10.57.0.0 255.255.0.0
access-list split standard permit 192.168.10.0 255.255.255.0
access-list split standard permit 192.168.40.0 255.255.255.0
access-list split remark User network
access-list split standard permit host 192.168.50.0
access-list CorpDMZ_in extended permit icmp any4 any
access-list CorpDMZ_in extended permit ip any any
access-list Server_access_in extended permit ip any any
access-list RDP extended permit object-group TCPUDP 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0 object-group RDP
access-list 50Vlan extended permit ip any any
pager lines 24
logging enable
logging asdm informational
flow-export destination Server 192.168.30.5 2055
mtu outside 1500
mtu WEBDMZ 1500
mtu CorpDMZ 1500
mtu Server 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (WEBDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-172.16.82.0 obj-172.16.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-10.57.82.0 obj-10.57.82.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,outside) source static DMZ-Web outside-to-DMZ service HTTP HTTP
nat (WEBDMZ,outside) source static SMTP-inside SMTP-outside service SMTP SMTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SFTP SFTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SSH SSH
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,CorpDMZ) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0
nat (Server,outside) source static obj-192.168.40.0 obj-192.168.40.0 destination static obj-192.168.40.0 obj-192.168.40.0 no-proxy-arp
!
object network obj-192.168.10.11
nat (WEBDMZ,outside) static 172.16.100.11
object network obj-192.168.10.12
nat (WEBDMZ,outside) static 172.16.100.12
object network obj-192.168.10.13
nat (WEBDMZ,outside) static 172.16.100.13
object network obj-192.168.10.14
nat (WEBDMZ,outside) static 172.16.100.14
object network obj-192.168.10.15
nat (WEBDMZ,outside) static 172.16.100.15
object network obj-192.168.10.21
nat (WEBDMZ,outside) static 172.16.100.21
object network obj-192.168.10.22
nat (WEBDMZ,outside) static 172.16.100.22
object network obj-192.168.10.31
nat (WEBDMZ,outside) static 172.16.100.31
object network obj-192.168.10.41
nat (WEBDMZ,outside) static 172.16.100.41
access-group outside in interface outside
access-group CorpDMZ_in in interface CorpDMZ
access-group Server_access_in in interface Server
route outside 0.0.0.0 0.0.0.0 172.16.100.250 1
route Server 192.168.50.0 255.255.255.255 192.168.40.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_VPN
map-name memberOf Group-Policy
map-value memberOf CN=VPN,CN=Users,DC=searsca
dynamic-access-policy-reco
user-message "Only computers that are the property of Sears will be allowed to conneted to the VPN. Please see your System Administrator."
action terminate
dynamic-access-policy-reco
description "Domain check"
aaa-server LDAP protocol ldap
aaa-server LDAP (CorpDMZ) host 10.57.82.101
ldap-base-dn DC=searscarpet,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Jeff Rockwell,CN=Users,DC=sears
server-type auto-detect
ldap-attribute-map LDAP_VPN
aaa-server Dup-LDAP protocol ldap
aaa-server Dup-LDAP (outside) host api-4e603544.duosecurity.c
timeout 60
server-port 636
ldap-base-dn dc=DIV3TDMOV3VRDS3MS5AH,dc
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=DIV3TDMOV3VRDS3MS5AH,dc
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 CorpDMZ
snmp-server host Server 192.168.30.5 community ***** version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=96.11.19.200
keypair KEY-2048
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CorpDMZ
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access CorpDMZ
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
csd hostscan image disk0:/anyconnect-win-3.1.
csd enable
anyconnect image disk0:/anyconnect-win-3.1.
anyconnect enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
wins-server none
dns-server value 8.8.8.8
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value searscarpet.com
group-policy VPN internal
group-policy VPN attributes
dns-server value 10.57.85.101 10.57.85.102
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value searscarpet.com
address-pools value VPN
username sentinel password NLs14VNuwLsLR40a encrypted
username Cisco password 9ViKxX39JvevUOV0 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
secondary-authentication-s
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN
authentication-server-grou
secondary-authentication-s
default-group-policy NOACCESS
tunnel-group VPN webvpn-attributes
group-alias VPN enable
group-url https://96.11.19.200/vpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
OK, take out these two lines on the 6500, as they're unneeded:
ip route 192.168.10.0 255.255.255.0 192.168.10.254
ip route 192.168.50.0 255.255.255.0 192.168.40.254
What is the default gateway on your servers in each VLAN? I didn't understand that the .10 network is a Web DMZ zone; putting a router into the zone is going to break your security model.
ASKER
Ugh I missed those, thought I took all of that out. They are gone.
Each VLAN currently has the firewall interfaces as the DFGW, so it looks like this.
.10 = DFGW 10.254
.40 = DFGW 40.254
.50 (does not have a FW interface) = DFGW is the SVI, 50.1
I am not sure I follow about the DMZ. It's a port off of the firewall, with ACLs controlling any access needed. The DMZ does need access to a SQL server on the internal network; however, that interface (10.57.82.x) has not been fully configured yet.
OK, those default gateways are why your servers can't communicate across VLANs.
Traffic flow, if 192.168.50.100 wants to talk to 192.168.40.100:
SYN packet: 192.168.50.100 -> 192.168.50.1 -> 192.168.40.100
SYN/ACK packet: 192.168.40.100 -> 192.168.40.254 [BLOCKED]
You either need to add static routes on the servers so that traffic to the internal subnets gets sent to the internal router, or you need to set the default gateway to the internal router (preferred).
A DMZ is usually isolated from the internal network, and access is usually controlled via the firewall. To allow a WEB DMZ system access to an internal database, the usual way is to configure the firewall to allow only the required traffic and block everything else.
The theory is that the DMZ systems are at a higher risk of being compromised, and if they are then you don't want the attacker to have full access to your internal network.
We could debate the relative threat levels of compromise via the web server vs. sql injection vs. malware on your workstations, but any security person will look at what you're building and wonder why you're doing it this way.
The most common configuration would be:
Web request -> Firewall -> Web Server // SQL request from web server -> firewall -> SQL server // Web server responds to web request
ASKER
Hello,
Thanks for the nice explanation. I have set the default gateway for the various subnets to be the switch (internal router). However, there are 2 issues.
1. The 192.168.10.x subnet, the DMZ for the sake of argument. The servers in that subnet lose internet connectivity when I make the change from 192.168.10.254 (firewall interface) to 192.168.10.1 (SVI/internal router).
2. Any subnet that does not have an interface on the firewall cannot reach the internet, i.e. 192.168.50.x with DFGW 192.168.50.1 (internal router SVI) cannot reach the internet.
The switch can ping the internet IPs via the 0.0.0.0 0.0.0.0 192.168.40.254 interface, but not from the 192.168.50.1 interface.
I understand the DMZ comment; while it would be nice to add that extra hop, we are going to have to keep with just the one firewall and logical separation to that zone. Thanks much for that.
1. Oh, yeah, now we're getting asymmetric routing again.... OK, try this. Set the default gateway back to the ASA, and then add this route:
route add 192.168.0.0 mask 255.255.0.0 192.168.10.1 -p
That will route internal traffic to the internal router, and Internet traffic through the ASA.
2. Same thing with the 192.168.40.0/24 subnet. All machines need this route, and a default route through the ASA:
route add 192.168.0.0 mask 255.255.0.0 192.168.40.1 -p
Finally, change the default route on the switch to 192.168.40.254 instead of 192.168.10.254.
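The SYN / SYN-ACK trace in the earlier reply and the host-route workaround above, as an added Python simulation that is not part of the thread and not Cisco code: it models the 6509 as a router between its SVI subnets with a default route to the ASA, and the ASA as a stateful firewall that drops any non-SYN segment of a connection it never saw. The host addresses 192.168.50.100 and 192.168.40.100, and the ASA route for 192.168.50.0/24 via 192.168.40.1, are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def connected(addr, dst):  # every VLAN in the thread is a /24
    return ip_address(dst) in ip_network(f"{addr}/24", strict=False)

def lookup(routes, dst):  # routes maps "prefix/len" -> next hop; None if nothing matches
    return next((nh for p, nh in routes.items() if ip_address(dst) in ip_network(p)), None)

# flags: "SYN" opens a connection; anything else must match state the firewall already holds
Packet = namedtuple("Packet", "src dst flags")

@dataclass
class Host:
    ip: str
    gateway: str
    routes: dict = field(default_factory=dict)  # host static routes, e.g. {"192.168.0.0/16": svi}
    def next_hop(self, pkt):
        if connected(self.ip, pkt.dst):
            return pkt.dst
        return lookup(self.routes, pkt.dst) or self.gateway

class Switch:
    """6509-style L3 switch: routes between its SVI subnets, default route to the ASA."""
    def __init__(self, svis, default_gw):
        self.svis, self.default_gw = svis, default_gw
    def next_hop(self, pkt):
        return pkt.dst if any(connected(s, pkt.dst) for s in self.svis) else self.default_gw

class Firewall:
    """Stateful ASA-style firewall: drops any non-SYN segment of a flow it never saw."""
    def __init__(self, interfaces, routes):
        self.interfaces, self.routes, self.flows = interfaces, routes, set()
    def next_hop(self, pkt):
        flow = frozenset((pkt.src, pkt.dst))  # direction-independent flow key
        if pkt.flags == "SYN":
            self.flows.add(flow)
        elif flow not in self.flows:
            return None  # no connection state: dropped, the thread's [BLOCKED] step
        if any(connected(i, pkt.dst) for i in self.interfaces):
            return pkt.dst
        return lookup(self.routes, pkt.dst) or "internet"  # default route points outside

def trace(src, pkt, devices):
    """Follow pkt hop by hop; the last entry is the destination, 'internet' or 'DROPPED'."""
    path, hop = [src.ip], src.next_hop(pkt)
    while hop in devices:
        path.append(hop)
        hop = devices[hop].next_hop(pkt)
    path.append("DROPPED" if hop is None else hop)
    return path

def rdp_handshake(server_gateway, server_routes=None):
    """Constructed topology: 192.168.50.100 opens RDP to 192.168.40.100; returns (ok, paths)."""
    switch = Switch(["192.168.10.1", "192.168.40.1", "192.168.50.1"], "192.168.40.254")
    asa = Firewall(["192.168.10.254", "192.168.40.254"], {"192.168.50.0/24": "192.168.40.1"})
    devices = {**{s: switch for s in switch.svis}, **{i: asa for i in asa.interfaces}}
    client = Host("192.168.50.100", "192.168.50.1")  # VLAN 50 has no ASA interface
    server = Host("192.168.40.100", server_gateway, server_routes or {})
    syn = trace(client, Packet(client.ip, server.ip, "SYN"), devices)
    synack = trace(server, Packet(server.ip, client.ip, "SYN/ACK"), devices)
    return syn[-1] == server.ip and synack[-1] == client.ip, [syn, synack]
```

`rdp_handshake("192.168.40.254")` reproduces the [BLOCKED] SYN/ACK at the ASA; `rdp_handshake("192.168.40.1")` and `rdp_handshake("192.168.40.254", {"192.168.0.0/16": "192.168.40.1"})` show the two fixes from the replies (gateway on the SVI, or a host route for 192.168.0.0/16 via the SVI) completing the handshake.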
ASKER
I understand and was trying to steer way away from managing routes of any kind on physical servers. There has to be a way to not have to use static routes on machines.
ASKER CERTIFIED SOLUTION
ASKER
Completely understood. It figures I wanted something that couldn't happen the way I wanted. :) I will create another interface for the other network and go from there. Thanks again for your assistance.
This sounds very much like an asymmetric routing issue, where the firewall blocks traffic because it doesn't see all of the three-way handshake.
If the servers' default gateway is set to the firewall, then you could expect to see this behavior.