Can you correct my understanding here. I recently set up an ASA 5520 with the Outside interface on VLAN 300 and directly connected it to an L3 switch. I configured the L3 switch on the same VLAN and subnet also. However they couldn’t ping each other until I changed the L3 switch port to a trunk port. Why is this? In switches, if 2 access ports are connected on the same VLAN they can communicate with each other, so why in this case didn’t it work on the same subnet and VLAN?
By default the ASA treats its interfaces as access ports and supports a single VLAN (with no tagging of frames). So if you haven’t made any changes to the ASA port, it should be in access mode. So if both the switch and the ASA are configured correctly, and you have access ports configured on both ends, the connection should work. Look over your configuration on both interfaces (the ASA and the switch) to confirm you’ve got it correctly configured. If you still have problems, copy and paste the relevant portions of the config so we can take a look. Only the relevant portions please, not the whole configuration.
I am facing some issue with inter-VLAN routing on an ASA 5585. Is there any command to add for inter-VLAN routing?
Already configured with “same-security-traffic permit inter-interface” and “same-security-traffic permit intra-interface”.
no ip address
ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any
object network obj-192.168.69.0-24
nat (inside,outside) dynamic interface
route inside 192.168.69.0 255.255.255.0 192.168.69.2 1
My DC provider claims that everything is setup on their end for internet access, however I am unable to connect to the outside from a server behind the 4500x.
From the 4500x, I can ping 10.10.10.1 and .2.
I can’t ping any public address.
No internet access from the server.
What’s missing or needs to change on either end? Is trunking on the ASA really necessary?
How does it know how to get to 192.168.69.2? It’s telling the ASA that to reach 192.168.69.0/24, you have to get to 192.168.69.2 (a chicken-and-egg problem). The next hop should be 10.10.10.3, the IP address you use on your switch for the VLAN 500 interface.
TL;DR the BVI interface is the virtual L3 interface you can use for your VLAN.
There are two interface types:
Switchport interfaces (L2)
Routed interfaces (L3)
A switchport interface only works on L2 and forwards Ethernet frames by switching. You can’t configure an IP address on a L2 switchport interfaces. This is what a L2 switch does. You can add multiple switchport interfaces to a single VLAN.
A routed interface has an IP address and does not forward frames by switching. Since it’s a L3 interface, it doesn’t belong to any VLANs.
You probably want to use a default gateway for the hosts in your VLAN so where do you configure the IP address for the gateway? You can’t configure it on a switchport interface. That’s why we use BVI interfaces.
The BVI interface is a virtual L3 interface that belongs to your VLAN. You can configure your IP address there, and all hosts within the VLAN can communicate with the BVI interface.
In the case of your ASA 5506, originally it didn’t support L2 switchport interfaces. The only thing you could do was configure each interface as a routed interface. This was pretty silly: people were used to the 5505, which did support switchport interfaces, and now they had an 8-port 5506 that didn’t support it.
Nowadays, it supports switchport interfaces so you can configure all 8 ports as switchport interfaces, add them to a single VLAN, and use a BVI interface for the default gateway.
I’m learning ASA and the configurations of how to set things up. I’m trying to set my ASA 5510 to have a DMZ for the purpose of web servers. The problem I’m having is I’m routing, or trying to route, multiple VLANs that aren’t on the ASA but on my switch, and being routed to the DMZ interface. Here is an idea of my layout; I’m not too sure if I have it set up correctly.
3560 Switch - vlans 10,20,30
10 Inside, 20 - Private, 30 DMZ
3 x servers 2 are web servers which will need access to the internet and access from outside to the inside
The router has a default route pointing to the dmz interface on the ASA.
The ASA has a static route from outside interface to the GW to get out to the internet.
ASA - NAT setup for inside to Outside and DMZ to Outside, dynamic PAT
The outside interface should it be plugged from the modem directly into the ASA or into the switch. I’ve read 2 different ways and not sure what is correct.
I’ve attached a rough network layout diagram representing some of my configurations as well as the questions I’ve asked.
Security level 100
ip add 10.10.1.2 /27
security level 50
ip add 10.30.1.2/27
security level 0
ip add 220.127.116.11/29
ip route outside 0.0.0.0 0.0.0.0 18.104.22.168
nat (inside,outside) dynamic pat
nat(dmz,outside) dynamic pat
ip add 10.10.1.1 255.255.255.224
ip add 10.20.1.1 255.255.255.224
ip add 10.30.1.1 255.255.255.224
ip route 10.10.1.0 255.255.255.224 10.30.1.2
ip route 10.20.1.0 255.255.255.224 10.30.1.2
ip route 10.30.1.0 255.255.255.224 10.30.1.2
switchport mode access
switchport access vlan 10
switchport mode access
switchport access vlan 20
switchport mode access
switchport access vlan 30
switchport mode access
switchport access vlan 30
description SW-ASA-ISP (Modem)
These are rough configurations that should give the basic idea of what’s going on. Only the inside VLAN is routing out; the DMZ traffic isn’t working to go to the outside.
Inside and Dmz
allow any any http
allow any any https
allow any any domain
Progress update as of tonight: I’m able to use multiple VLANs, however something is very wrong, lots of collisions on the port for the outside interface on the SW. I’m routing the traffic on the router (any network) to the DMZ interface on the ASA; this is the only way it seems to work.
I’m trying to determine why I can route web server traffic to the DMZ and all the other VLANs to the inside interface on the ASA. Is this not an option, or an incorrect way of trying to do it?
I also want to limit another VLAN I’ve added, which is for the wireless network. I want to route it out to the internet but have no access to the other VLANs on the inside network.
Wireless VLAN is 12
So I’m trying to route things like this on the router
ip route 10.10.1.0 255.255.255.224 10.10.1.2 (this is the inside interface on the ASA)
ip route 10.20.1.0 255.255.255.224 10.10.1.2
ip route 10.10.100.0 255.255.255.0 10.30.1.2 (this is the DMZ interface on the ASA, and this is the subnet for the web servers)
instead this is the route that works
ip route 0.0.0.0 0.0.0.0 10.30.1.2
??? got me deeply confused
Also I have the outside interface plugged into the switch and the modem plugged into the switch to push traffic to the outside; not sure if this is correct, as stated above??
So what is the best practice here in a small network with hosts, web servers, router, switch, ASA 5510? Is it best to put sub-interfaces on the ASA, or for the switches to handle the VLANs and establish a static route, if I’m understanding all of this correctly? I have 3 servers with potential to add a few more, and about 25-40 hosts between private, wifi, and VPN users.
There should be three interfaces on the ASA, as you have done in your topology, where one is inside, one is outside, and one is DMZ. R1 and R3 simply represent a host on each of the inside and DMZ networks. You can replace those with a switch with multiple hosts to make it clearer. R2 in most cases would be the ISP router, or would be the network from which we want to “protect” our internal networks.
For your scenario, I understand that VLAN 30 is the DMZ, and VLANs 10 and 20 are the internal VLANs that you would like to provide Internet access to. Now in order to achieve this, VLAN 30 must use the DMZ interface of the ASA as the default gateway. Similarly, if you want VLANs 10 and 20 (two separate subnets) to reach the Internet as well, you will need to provide routing for those before they reach the inside interface of the ASA. That’s where the router comes in. So the logical network would look something like this.
In your scenario you are trying to route the VLAN 10 20 and 30 subnets via the router, and then trying to send them all to the Inside interface via router on a stick scenario. Remember, the ASA itself is a router too and should be the default route or default gateway of the routers or hosts on the respective Inside and DMZ networks.
You must also add another VLAN to represent the inside network, since VLANs 10 and 20 are found in other subnets. Let’s call that VLAN 15. The inside interface of the ASA will be on VLAN 15.
So to achieve what you want, you must:
Create a router on a stick scenario for the router, but only for VLANs 10 15 and 20. Make the router the default gateway of hosts on VLANs 10 and 20, and make the default route point to the IP address of the inside interface of the ASA. (If you use a Layer 3 switch, no router is necessary as the switch can internally route between VLANs/subnets)
Connect the Inside interface of the ASA to an access port on the switch that is on VLAN 15.
Connect the DMZ interface of the ASA to an access port on the switch that is on VLAN 30.
Create two routes in the ASA to be able to reach the subnets of VLAN 10 and VLAN 20 via the router’s subinterface on VLAN 15.
Now as for the connection to the Internet, you can either connect directly from the ASA to the ISP (which is recommended) or you can create one more VLAN in the switch which can be used only for this purpose.
Best practice dictates that you should alleviate the ASA from doing any more routing than is necessary. Having the inside, outside, and DMZ interfaces function as routed interfaces should be the only function they should perform. Although subinterfaces can be configured, it is best to avoid it unless absolutely necessary.
If additional routing beyond that of the default gateway for their particular networks is necessary, then you can use a router as in your scenario, or use an L3 switch.
Thank you so much for the great detailed explanation with a picture. This clears things up. My next objective is NAT. With the layout you describe here, it sounds like everything should be hitting the DMZ and then routed to the outside with NAT, so one IP should suffice. However, what method would I use if I wanted to segment my traffic onto 2 separate IPs going out, or would it truly be beneficial? I would think I would add an additional interface, creating a 2nd DMZ, and give it another IP. The catch is the 2 DMZs are on the same ASA pointing to the same outside interface, as well as using the same gateway to get out, so would this make a difference? What if I had another public IP I could use to help push the traffic over with NAT? I’m trying to think of ways of segmenting some of the traffic for performance.
If I understood correctly, you want to segment your internal networks, whether they are DMZ or inside networks, so that you can more appropriately manage traffic. Well, you can always create a second DMZ as you mention, by simply creating another subnet and configuring it on another port of the ASA.
But in general, you should do the segmentation of your internal networks using internal network devices such as switches and routers. Keep switching, routing, and segmentation separate from the firewall functionalities provided by the ASA. Keep the ASA configuration as simple as possible, keeping only one inside, one DMZ, and one outside interface whenever possible.
Please clarify here for VLAN 15 and the routing from the ASA to the router and outside. I don’t see VLAN 15 in the diagram, so I wanted to make sure I understood this correctly.
Router has 4 sub-interfaces
Inside VLAN 15
Outside to ISP
DMZ VLAN 30
The default routes from router to ASA should look like this
ip route 192.168.3.0 255.255.255.0 192.168.15.2
ip route 192.168.2.0 255.255.255.0 192.168.15.2
ip route 192.168.1.0 255.255.255.0 192.168.15.2
The ASA would have a static route from outside to the GW:
route outside 22.214.171.124 126.96.36.199 (these are placeholder IPs for public)
Then route DMZ 0.0.0.0 0.0.0.0 192.168.15.1
Does this look right? Because I have put this into my devices and something is missing, because it’s not working; I have no connection to the outside from either VLAN 10 or 20.
Now if you’re using your topology, where everything goes through the switch, then the router should have 3 subinterfaces. The outside to ISP should not be included as that is the responsibility of the ASA. Otherwise you are bypassing the ASA to get to the Internet, something that defeats the purpose of the firewall.
Now in the router, all you need is a default route that points to the inside interface of the ASA. That way all traffic to the internet and to the DMZ will go via the ASA.
The ASA should have a route to each of the subnets of VLAN 10 and VLAN 20 pointing to the IP address of the VLAN 15 subinterface on the Router. This way, traffic can be routed back to the devices that made the initial communication to the DMZ or the Internet. I believe this is what you are missing in your configuration.
Finally, the ASA should have a default route to the Internet.
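The two routing mistakes discussed in this thread (a static route whose next hop lies inside the prefix it is supposed to reach, and a route whose next hop is not on the subnet of the interface it is bound to, such as a DMZ default route pointing at an inside-subnet address) can both be caught by a small lint over ASA-style `route` lines before a config is pushed. The script below is an added example, not from the thread or from Cisco; the interface addresses and the sample route lines are constructed to mirror the thread's VLAN 15 / VLAN 30 layout.

```python
import ipaddress

# Constructed sample (not a real device config): ASA "inside" on VLAN 15 as
# 192.168.15.2/24, with the router's VLAN 15 subinterface at 192.168.15.1;
# "dmz" on VLAN 30; "outside" on a documentation prefix.
INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.15.2/24"),
    "dmz": ipaddress.ip_interface("192.168.30.2/24"),
    "outside": ipaddress.ip_interface("203.0.113.2/29"),
}

# Constructed route table: two good routes, one good default, and the two
# broken patterns from the thread.
SAMPLE_ROUTES = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.1.0 255.255.255.0 192.168.15.1 1
route inside 192.168.2.0 255.255.255.0 192.168.15.1 1
route inside 192.168.69.0 255.255.255.0 192.168.69.2 1
route dmz 0.0.0.0 0.0.0.0 192.168.15.1 1
"""

def parse_route(line):
    """Parse 'route <ifname> <net> <mask> <next-hop> [metric]'; None if not a route."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        return None
    ifname, net, mask, nh = parts[1:5]
    dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ifname, dest, ipaddress.ip_address(nh)

def lint_routes(text, interfaces):
    """Return (route line, problem) pairs for static routes that can never resolve."""
    problems = []
    for raw in text.strip().splitlines():
        parsed = parse_route(raw.strip())
        if parsed is None:
            continue
        ifname, dest, nh = parsed
        iface = interfaces.get(ifname)
        if iface is None:
            problems.append((raw, f"unknown interface {ifname}"))
            continue
        # Chicken-and-egg: the next hop sits inside the prefix this route reaches,
        # so the ASA would need this very route to reach its own next hop.
        if dest.prefixlen > 0 and nh in dest:
            problems.append((raw, f"next hop {nh} is inside destination {dest}"))
        # A static next hop must be directly connected on the named interface.
        if nh not in iface.network:
            problems.append((raw, f"next hop {nh} is not on {ifname} subnet {iface.network}"))
    return problems

if __name__ == "__main__":
    for line, why in lint_routes(SAMPLE_ROUTES, INTERFACES):
        print(f"{line}\n    -> {why}")
```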