ASA Firewall/6509 Switch, InterVlan Routing, Default Gateway

Hello,

I am working with an ASA 5525 and Cisco 6509-E Switch. I am unable to RDP to servers on different Subnets and get to the internet when the DFGW is set to the SVI.

Topology,

ASA:
Outside Interface-  172.16.100.254- Connected to FATPipe Loadbalancers/Internet
WebDMZ interface- 192.168.10.254 Set up for 1 to 1 NAT to Web Servers load balanced by FatPipe
Server Interface -192.168.40.254

6509:
VLAN SVI- 10
192.168.10.1

VLAN SVI 40
192.168.40.1

Questions:
1) I am unable to RDP to servers on the 10 VLAN from Servers on the 40 VLAN or vice versa. Ping and trace work from all devices, firewall shows RDP port open. What am I missing here?

2) I have set the DFGW to the SVI and am unable to get to the internet unless the switch's DFGW is on the same Subnet.
If I set the DFGW to  the corresponding port on the firewall I am able to get out to the internet.  Wouldn't routing be taking care of this?

The scenario- PC -192.168.40.40 DFGW 192.168.40.1 Switch = no default route  No internet access. However can ping the firewall port of 192.168.40.254

Scenario B PC 192.168.40.40 DFGW 192.168.40.254 Switch = no default route/ Internet access but no vlan to vlan communication besides ping and trace.

Scenario C PC 192.168.40.40 DFGW 192.168.40.1 Switch route 0.0.0.0 0.0.0.0 192.168.40.254= Internet access is good.

I am missing something but I thought on the 6509 routing was on and that routing would be taking place on the SVI's.


What I want is a core switch with L3 routed VLAN's I want all of the VLAN's to get to the firewall and out to the internet.

I want the DMZ shut down to anything that is not specified (RDP, Management etc.)

Maybe I want too much. :)

Thanks-
SearsFranchisesITAsked:
asavenerCommented:
Both the server and the client has the default gateway set to the SVI interface?  

This sounds very much like an asymmetric routing issue, where the firewall blocks traffic because it doesn't see all of the three-way handshake.

If the servers' default gateway is set to the firewall, then you could expect to see this behavior.
asavenerCommented:
If you use the switch as your default gateway, then you're offloading routing decisions to the switch.  The switch then needs to know where to send traffic that isn't in its routing table, which means its default gateway needs to be the firewall.
SearsFranchisesITAuthor Commented:
Asavener,

Thank you for your response. In your second comment having the switch making the routing decisions, I have tried this approach, the hang up I am having is with the multiple assumed gateways.

I have 3 interfaces on the ASA, all potential routes for their subnet. The switch has all 3 VLANs configured as SVIs. I was hoping the routing would take effect and everything on, let's say, the 192.168.40.x network would go to the switch @ 40.1, then the switch would send it to the firewall 40.254. This works if I make the switch route 0.0.0.0 0.0.0.0 192.168.40.254. I think I am missing something simple and just can not put my finger on it.

Thanks,
asavenerCommented:
That's exactly the right setting.
asavenerCommented:
The cisco "default gateway" setting is used in route redistribution, I think....  What you want is the route command that you just posted.
SearsFranchisesITAuthor Commented:
So the $$$ Question, if the 0 route goes to the 40.0 vlan, what about the other 3 vlans I will have on the switch? I ask this because yes that will work for the 40.x vlan and all is great, but add a host to the 60.x vlan and I get nowhere.

As always thanks for your response.
asavenerCommented:
For hosts on the 60.x VLAN, you're setting a default gateway of 192.168.60.1?

Routing is enabled by default on the 6500 platform.
asavenerCommented:
What do your rules look like on the ASA?  Is it allowing traffic from the 192.168.60.0/24 subnet?
SearsFranchisesITAuthor Commented:
Yes, I am setting the Default Gateway to 60.1, figuring the routing was going to happen as you said. I have an access list set up to allow that network. It's a standard ACL permitting all traffic.

This is what it would look like

Host -192.168.60.11 --> hits the default gateway 192.168.60.1 from there it would go to 192.168.40.254 as mentioned in previous discussions the switch is set to 0.0.0.0 0.0.0.0 192.168.40.254, Does not seem correct.

I could set another Nic on the firewall for this network as there are 7 I do believe. I was really hoping to not have to do that.

I am working with what a previous admin set up, so this ASA does not have the typical Inside/Outside/DMZ interfaces. It's more like specific interfaces for each network that will traverse it.

Hope I am being clear enough.

Thanks again.
asavenerCommented:
Does the ASA have a route to 192.168.60.0/24?
SearsFranchisesITAuthor Commented:
Yes sir it does.
asavenerCommented:
What's the routing entry on the ASA?
SearsFranchisesITAuthor Commented:
Interfaces are

Outside- 172.16.100.245
Web- 192.168.10.254
Corp-10.57.82.126
Server-192.168.40.254

Route for .60 network = Via Server interface 192.168.50.0 Gateway 192.168.50.1 (This is the switches VLAN)
asavenerCommented:
OK, that's why traffic isn't getting through.  Your paths to and from the 192.168.60.0/24 network are different, so the ASA is going to block the traffic.  ASA wants to see a successful three-way handshake before allowing traffic, and while the 192.168.40.254 interface sees the inbound SYN, the 192.168.50.x interface doesn't, so it won't send a SYN/ACK.

Change your route so that 192.168.60.0/24 is routed to 192.168.40.254.
SearsFranchisesITAuthor Commented:
I thought the same thing, however that is an interface on the ASA so it kicks out an error stating that the next hop belongs to one of our interfaces.

The ASA sees the ICMP traffic, however each host does not. I am pinging from .40 to .60 and nothing.
asavenerCommented:
Sorry, made a typo.  On the ASA, the next-hop for 192.168.60.0/24 should be 192.168.40.1.
asavenerCommented:
Also, can you provide the output of "show ip route" on the 6500?
SearsFranchisesITAuthor Commented:
I tried that one too, I am sure it's something silly.


C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.40.0/24 is directly connected, Vlan40
C    192.168.60.0/24 is directly connected, Vlan50
S*   0.0.0.0/0 [1/0] via 192.168.40.254
asavenerCommented:
Try entering "ip routing" at the configuration line on the 6500.
SearsFranchisesITAuthor Commented:
IP routing is already enabled on the 6500 so that command will not work. :/
asavenerCommented:
Can you provide a full configuration of the device?
SearsFranchisesITAuthor Commented:
Sure I will give you switch and ASA *Note the Subnet we are discussing is the 60.x I mistyped it in our discussion it is actually the 50.x subnet when you see the configs.

This is also a new configuration nothing is hardened yet.


6500 Config (Sanitized removed all ports that are not being used at the moment.)

Building configuration...

Current configuration : 11732 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service counters max age 5
!
hostname Router
!
boot-start-marker
boot system flash sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI2a.bin
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
vtp domain cisco
vtp mode transparent
mls netflow interface
mls cef error action reset
!
!
!
!
spanning-tree mode pvst
diagnostic bootup level minimal
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 10,20,30,40,50,100
!
!
!
!
!
interface Port-channel1
 switchport
!
interface Port-channel2
 switchport
!
interface Port-channel3
 switchport
!
interface GigabitEthernet1/1
 switchport
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/3
 switchport
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/4
 switchport
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/5
 no ip address
!
interface GigabitEthernet1/6
 no ip address
!
interface GigabitEthernet1/7
 no ip address
!
interface GigabitEthernet1/8
 no ip address
!
interface GigabitEthernet1/9
 no ip address
!
interface GigabitEthernet1/10
 no ip address
!
interface GigabitEthernet1/11
 no ip address
!
interface GigabitEthernet1/12
 no ip address
!
interface GigabitEthernet1/13
 no ip address
!
interface GigabitEthernet1/14
 no ip address
!
interface GigabitEthernet1/15
 no ip address
!
interface GigabitEthernet1/16
 no ip address
!
interface GigabitEthernet1/17
 no ip address
!
interface GigabitEthernet1/18
 no ip address
!
interface GigabitEthernet1/19
 no ip address
!
interface GigabitEthernet1/20
 no ip address
!
interface GigabitEthernet1/21
 no ip address
!
interface GigabitEthernet1/22
 no ip address
!
interface GigabitEthernet1/23
 no ip address
!
interface GigabitEthernet1/24
 no ip address
!
interface GigabitEthernet1/25
 no ip address
!
interface GigabitEthernet1/26
 no ip address
!
interface GigabitEthernet1/27
 no ip address
!
interface GigabitEthernet1/28
 no ip address
!
interface GigabitEthernet1/29
 no ip address
!
interface GigabitEthernet1/30
 no ip address
!
interface GigabitEthernet1/31
 no ip address
!
interface GigabitEthernet1/32
 no ip address
!
interface GigabitEthernet1/33
 no ip address
!
interface GigabitEthernet1/34
 no ip address
!
interface GigabitEthernet1/35
 no ip address
!
interface GigabitEthernet1/36
 no ip address
!
interface GigabitEthernet1/37
 no ip address
!
interface GigabitEthernet1/38
 no ip address
!
interface GigabitEthernet1/39
 no ip address
!
interface GigabitEthernet1/40
 no ip address
!
interface GigabitEthernet1/41
 no ip address
!
interface GigabitEthernet1/42
 no ip address
!
interface GigabitEthernet1/43
 no ip address
!
interface GigabitEthernet1/44
 no ip address
!
interface GigabitEthernet1/45
 no ip address
!
interface GigabitEthernet1/46
 no ip address
!
interface GigabitEthernet1/47
 no ip address
!
interface GigabitEthernet1/48
 no ip address
!
interface GigabitEthernet2/1
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 1 mode active
!
interface GigabitEthernet2/2
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet2/3
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 3 mode active
!

!
interface GigabitEthernet3/1
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 1 mode active
!
interface GigabitEthernet3/2
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet3/3
 switchport
 switchport access vlan 10
 switchport mode access
 channel-group 3 mode active
!

!
interface GigabitEthernet4/1
 no ip address
!
interface GigabitEthernet4/2
 no ip address
!
interface GigabitEthernet4/3
 switchport
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast edge
!

!

!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.40.254
ip route 192.168.10.0 255.255.255.0 192.168.10.254
ip route 192.168.50.0 255.255.255.0 192.168.40.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end

ASA:

:
ASA Version 9.1(2)
!



xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN 10.57.82.86-10.57.82.89
ip local pool AnyConnect 192.168.100.50-192.168.100.60
ip local pool Anyconnect-VPN 172.16.82.1-172.16.82.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.100.254 255.255.255.0 standby 172.16.100.253
!
interface GigabitEthernet0/1
 nameif WEBDMZ
 security-level 50
 ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
!
interface GigabitEthernet0/2
 nameif CorpDMZ
 security-level 60
 ip address 10.57.82.126 255.255.255.128 standby 10.57.82.125
!
interface GigabitEthernet0/3
 description Interface to connect new server network to new network
 nameif Server
 security-level 50
 ip address 192.168.40.254 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description LAN Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 60
 ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup WEBDMZ
dns domain-lookup CorpDMZ
dns domain-lookup management

dns server-group DefaultDNS
 name-server 10.57.82.101
 domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service HTTP
 service tcp source eq www
object network SMTP-outside
 host 172.16.100.31
object network SMTP-inside
 host 192.168.10.31
object network SFTP-outside
 host 172.16.100.31
object network SFTP-inside
 host 192.168.10.31
object service SMTP
 service tcp source eq smtp
object service SFTP
 service tcp source eq 115
object service SSH
 service tcp source eq ssh
object network obj-192.168.10.11
 host 192.168.10.11
object network obj-192.168.10.12
host 192.168.10.12
object network obj-192.168.10.13
 host 192.168.10.13
object network obj-192.168.10.14
 host 192.168.10.14
object network obj-192.168.10.15
 host 192.168.10.15
object network obj-192.168.10.21
 host 192.168.10.21
object network obj-192.168.10.22
 host 192.168.10.22
object network obj-192.168.10.31
 host 192.168.10.31
object network obj-192.168.10.41
 host 192.168.10.41
object network obj-10.57.82.0
 subnet 10.57.82.0 255.255.255.0
object network 192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
object network 10.57.0.0_16
 subnet 10.57.0.0 255.255.0.0
object network 172.16.82.0_24
 subnet 172.16.82.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-172.16.82.0
 subnet 172.16.82.0 255.255.255.0
object network obj-192.168.40.0
 subnet 192.168.40.0 255.255.255.0
object-group network DMZ-Web
 network-object host 192.168.10.11
 network-object host 192.168.10.12
 network-object host 192.168.10.13
 network-object host 192.168.10.14
 network-object host 192.168.10.15
 network-object host 192.168.10.21
 network-object host 192.168.10.22
object-group network outside-to-DMZ
 network-object host 172.16.100.11
 network-object host 172.16.100.12
 network-object host 172.16.100.13
 network-object host 172.16.100.14
 network-object host 172.16.100.15
 network-object host 172.16.100.21
 network-object host 172.16.100.22
object-group service RDP tcp-udp
 description RDP
 port-object eq 3389

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside extended permit tcp any object-group DMZ-Web eq www
access-list outside extended permit tcp any object SFTP-inside eq ssh
access-list outside extended permit tcp any object SFTP-inside eq 115
access-list outside extended permit ip any 192.168.100.0 255.255.255.0
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 192.168.10.11 eq www
access-list outside extended permit tcp any host 192.168.10.11 eq https
access-list outside extended permit tcp any host 192.168.10.12 eq www
access-list outside extended permit tcp any host 192.168.10.12 eq https
access-list outside extended permit tcp any host 192.168.10.13 eq www
access-list outside extended permit tcp any host 192.168.10.13 eq https
access-list outside extended permit tcp any host 192.168.10.14 eq www
access-list outside extended permit tcp any host 192.168.10.14 eq https
access-list outside extended permit tcp any host 192.168.10.15 eq www
access-list outside extended permit tcp any host 192.168.10.15 eq https
access-list outside extended permit tcp any host 192.168.10.21 eq www
access-list outside extended permit tcp any host 192.168.10.21 eq https
access-list outside extended permit tcp any host 192.168.10.31 eq www
access-list outside extended permit tcp any host 192.168.10.31 eq https
access-list outside extended permit tcp any host 192.168.10.41 eq www
access-list outside extended permit tcp any host 192.168.10.41 eq https

access-list outside extended permit tcp any host 192.168.10.11 eq 3389
access-list split standard permit 10.57.0.0 255.255.0.0
access-list split standard permit 192.168.10.0 255.255.255.0
access-list split standard permit 192.168.40.0 255.255.255.0
access-list split remark User network
access-list split standard permit host 192.168.50.0
access-list CorpDMZ_in extended permit icmp any4 any
access-list CorpDMZ_in extended permit ip any any
access-list Server_access_in extended permit ip any any
access-list RDP extended permit object-group TCPUDP 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0 object-group RDP
access-list 50Vlan extended permit ip any any
pager lines 24
logging enable
logging asdm informational
flow-export destination Server 192.168.30.5 2055
mtu outside 1500
mtu WEBDMZ 1500
mtu CorpDMZ 1500
mtu Server 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (WEBDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-172.16.82.0 obj-172.16.82.0 no-proxy-arp route-lookup
nat (CorpDMZ,outside) source static obj-10.57.82.0 obj-10.57.82.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,outside) source static DMZ-Web outside-to-DMZ service HTTP HTTP
nat (WEBDMZ,outside) source static SMTP-inside SMTP-outside service SMTP SMTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SFTP SFTP
nat (WEBDMZ,outside) source static SFTP-inside SFTP-outside service SSH SSH
nat (CorpDMZ,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0 no-proxy-arp route-lookup
nat (WEBDMZ,CorpDMZ) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-10.57.82.0 obj-10.57.82.0
nat (Server,outside) source static obj-192.168.40.0 obj-192.168.40.0 destination static obj-192.168.40.0 obj-192.168.40.0 no-proxy-arp
!
object network obj-192.168.10.11
 nat (WEBDMZ,outside) static 172.16.100.11
object network obj-192.168.10.12
 nat (WEBDMZ,outside) static 172.16.100.12
object network obj-192.168.10.13
 nat (WEBDMZ,outside) static 172.16.100.13
object network obj-192.168.10.14
 nat (WEBDMZ,outside) static 172.16.100.14
object network obj-192.168.10.15
 nat (WEBDMZ,outside) static 172.16.100.15
object network obj-192.168.10.21
 nat (WEBDMZ,outside) static 172.16.100.21
object network obj-192.168.10.22
 nat (WEBDMZ,outside) static 172.16.100.22
object network obj-192.168.10.31
 nat (WEBDMZ,outside) static 172.16.100.31
object network obj-192.168.10.41
 nat (WEBDMZ,outside) static 172.16.100.41
access-group outside in interface outside
access-group CorpDMZ_in in interface CorpDMZ
access-group Server_access_in in interface Server
route outside 0.0.0.0 0.0.0.0 172.16.100.250 1
route Server 192.168.50.0 255.255.255.255 192.168.40.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
 
ldap attribute-map LDAP_VPN
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN,CN=Users,DC=searscarpet,DC=com VPN
dynamic-access-policy-record DfltAccessPolicy
 user-message "Only computers that are the property of Sears will be allowed to conneted to the VPN.  Please see      your System Administrator."
 action terminate
dynamic-access-policy-record AnyConnect
 description "Domain check"
aaa-server LDAP protocol ldap
aaa-server LDAP (CorpDMZ) host 10.57.82.101
 ldap-base-dn DC=searscarpet,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Jeff Rockwell,CN=Users,DC=searscarpet,DC=com
 server-type auto-detect
 ldap-attribute-map LDAP_VPN
aaa-server Dup-LDAP protocol ldap
aaa-server Dup-LDAP (outside) host api-4e603544.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DIV3TDMOV3VRDS3MS5AH,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
ldap-login-dn dc=DIV3TDMOV3VRDS3MS5AH,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 CorpDMZ
snmp-server host Server 192.168.30.5 community ***** version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=96.11.19.200
 keypair KEY-2048
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 CorpDMZ
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access CorpDMZ
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 csd hostscan image disk0:/anyconnect-win-3.1.08009-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value searscarpet.com
group-policy VPN internal
group-policy VPN attributes
 dns-server value 10.57.85.101 10.57.85.102
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value searscarpet.com
 address-pools value VPN
username sentinel password NLs14VNuwLsLR40a encrypted
username Cisco password 9ViKxX39JvevUOV0 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Dup-LDAP use-primary-username
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN
 authentication-server-group LDAP
 secondary-authentication-server-group Dup-LDAP use-primary-username
 default-group-policy NOACCESS

tunnel-group VPN webvpn-attributes
 group-alias VPN enable
 group-url https://96.11.19.200/vpn enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
asavenerCommented:
OK, take out these two lines on the 6500, as they're unneeded:
ip route 192.168.10.0 255.255.255.0 192.168.10.254
ip route 192.168.50.0 255.255.255.0 192.168.40.254

What is the default gateway on your servers in each VLAN?  I didn't understand that the .10 network is a Web DMZ zone; putting a router into the zone is going to break your security model.
SearsFranchisesITAuthor Commented:
Ugh I missed those, thought I took all of that out. They are gone.

Each VLAN currently has the firewall interfaces as the DFGW so it looks like this.

.10=DFGW 10.254
.40-DFGW  40.254
.50 (does not have a FW interface) the DFGW is the SVI- 50.1

I am not sure I follow about the DMZ. It's a port off of the firewall, ACLs controlling any access needed. The DMZ does need access to a SQL server on the internal network, however that interface (10.57.82.x) has not been fully configured yet.
asavenerCommented:
OK, those default gateways are why your servers can't communicate across VLANs.

Traffic flow, if 192.168.50.100 wants to talk to 192.168.40.100:

SYN packet:  192.168.50.100 -> 192.168.50.1 -> 192.168.40.100
SYN/ACK packet:  192.168.40.100 -> 192.168.40.254 [BLOCKED]

You either need to add static routes on the servers so that traffic to the internal subnets gets sent to the internal router, or you need to set the default gateway to the internal router (preferred).




A DMZ is usually isolated from the internal network, and access is usually controlled via the firewall.  To allow a WEB DMZ system access to an internal database, the usual way is to configure the firewall to allow only the required traffic and block everything else.

The theory is that the DMZ systems are at a higher risk of being compromised, and if they are then you don't want the attacker to have full access to your internal network.

We could debate the relative threat levels of compromise via the web server vs. sql injection vs. malware on your workstations, but any security person will look at what you're building and wonder why you're doing it this way.

The most common configuration would be:

Web request -> Firewall -> Web Server // SQL request from web server -> firewall -> SQL server // Web server responds to web request
SearsFranchisesITAuthor Commented:
Hello,

Thanks for the nice explanation. I have set the default gateway for the various subnets to be the switch (internal router) However there are 2 issues.

1. The 192.168.10.x subnet the DMZ for the sake of argument. The servers in that Subnet lose internet connectivity, when I make the change from 192.168.10.254 (Firewall Interface) to 192.168.10.1 (SVI/Internal Router)

2. Any subnet that does not have an interface on the Firewall can not reach the internet. ie: 192.168.50.x DFGW 192.168.50.1 (internal router SVI) can not reach the internet.

The switch can ping the internet IP's via the 0.0.0.0 0.0.0.0 192.168.40.254 interface, but not from the 192.168.50.1 interface.

I understand the DMZ comment, while it would be nice to add that extra hop we are going to have to keep with just the one firewall and logical separation to that zone. Thanks much for that.
asavenerCommented:
1.  Oh, yeah, now we're getting asymmetric routing again....  OK, try this.  Set the default gateway back to the ASA, and then add this route:
route add 192.168.0.0 mask 255.255.0.0 192.168.10.1 -p

That will route internal traffic to the internal router, and Internet traffic through the ASA.

2.  Same thing with the 192.168.40.0/24 subnet.  All machines need this route, and a default route through the ASA:
route add 192.168.0.0 mask 255.255.0.0 192.168.40.1 -p

Finally, change the default route on the switch to 192.168.40.254 instead of 192.168.10.254
SearsFranchisesITAuthor Commented:
I understand and was trying to steer way away from managing routes of any kind on physical servers. There has to be a way to not have to use static routes on machines.
asavenerCommented:
To do that, you have to route everything through the ASA, the way I described above.

As soon as you have some traffic going through a router, and some traffic going through the firewall, you have to manage the routes on the hosts.

There are ways to accomplish what you're describing, but it requires all traffic to go through either the ASA, or through the router.  And if you want to maintain your security zones, then it needs to be through the ASA.
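
The SYN / SYN-ACK trace and the host static-route workaround discussed in this thread, worked through as an added example (not part of the original thread or either poster's configuration). It traces the forward and return L3 path for a flow and flags any stateful device that sees only one direction. The host addresses ending in .100, the table layout, and modeling the ASA's route to 192.168.50.0 as a /24 are assumptions.

```python
import ipaddress as ip

# Constructed model of the thread's internal topology. Each L3 device lists
# its connected subnets (with its own interface address) and static routes.
# Assumption: the ASA route to 192.168.50.0 is modeled as a /24.
DEVICES = {
    "switch": {"stateful": False,
               "connected": {"192.168.10.0/24": "192.168.10.1",
                             "192.168.40.0/24": "192.168.40.1",
                             "192.168.50.0/24": "192.168.50.1"},
               "routes": {"0.0.0.0/0": "192.168.40.254"}},
    "asa": {"stateful": True,
            "connected": {"192.168.10.0/24": "192.168.10.254",
                          "192.168.40.0/24": "192.168.40.254"},
            "routes": {"192.168.50.0/24": "192.168.40.1"}},
}

# Host routing tables (constructed). Three variants of the 40.x server:
# default gateway on the ASA, on the SVI, or ASA default plus a static
# 192.168.0.0/16 route to the SVI (the "route add ... -p" workaround).
CLIENT = {"192.168.50.100": {"0.0.0.0/0": "192.168.50.1"}}
GW_ON_ASA = {**CLIENT, "192.168.40.100": {"0.0.0.0/0": "192.168.40.254"}}
GW_ON_SVI = {**CLIENT, "192.168.40.100": {"0.0.0.0/0": "192.168.40.1"}}
STATIC_ROUTE = {**CLIENT, "192.168.40.100": {"0.0.0.0/0": "192.168.40.254",
                                             "192.168.0.0/16": "192.168.40.1"}}


def lpm(routes, dst):
    """Longest-prefix match of dst in a {prefix: next_hop} table."""
    d = ip.ip_address(dst)
    hits = [p for p in routes if d in ip.ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return routes[max(hits, key=lambda p: ip.ip_network(p).prefixlen)]


def path(src, dst, hosts):
    """Ordered list of L3 devices a packet from src to dst passes through."""
    d = ip.ip_address(dst)
    if d in ip.ip_network(f"{src}/24", strict=False):
        return []                       # same VLAN, delivered at layer 2
    hops, hop = [], lpm(hosts[src], dst)
    while hop is not None:
        name = next(n for n, dev in DEVICES.items()
                    if hop in dev["connected"].values())
        if name in hops:
            raise RuntimeError(f"routing loop at {name}")
        hops.append(name)
        dev = DEVICES[name]
        connected = any(d in ip.ip_network(n) for n in dev["connected"])
        hop = None if connected else lpm(dev["routes"], dst)
    return hops


def check_flow(client, server, hosts):
    """Return (forward path, return path, stateful devices seeing one side)."""
    fwd = path(client, server, hosts)
    rev = path(server, client, hosts)
    one_sided = [n for n, dev in DEVICES.items()
                 if dev["stateful"] and (n in fwd) != (n in rev)]
    return fwd, rev, one_sided


if __name__ == "__main__":
    for label, hosts in [("server gateway = ASA", GW_ON_ASA),
                         ("server gateway = SVI", GW_ON_SVI),
                         ("ASA default + static /16", STATIC_ROUTE)]:
        fwd, rev, bad = check_flow("192.168.50.100", "192.168.40.100", hosts)
        verdict = f"asymmetric at {bad}" if bad else "symmetric"
        print(f"{label}: SYN via {fwd}, SYN/ACK via {rev} -> {verdict}")
```
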

SearsFranchisesITAuthor Commented:
Completely understood. It figures I wanted something that couldn't happen the way I wanted :) I will create another interface for the other network and go from there. Thanks again for your assistance.