TheCaptain
Dec 5, 2005

It's time to get a little Captain in you!
I'm having a hell of a time figuring out this problem with ASA. This is my first time configuring a firewall and I'm a bit in over my head.

I have a 4507 switch and an ASA5510 firewall. The outside interface goes to the internet. The inside interface is a point to point link to the switch. The asa-side IP is 192.168.99.1 and the switch side non-switch-port is 192.168.99.2.

The DMZ is a trunk that goes to the switch carrying the DMZ VLAN 120. That VLAN is configured with an IP of 192.168.100.1. The switch has a non-routed VLAN 120 which is assigned to a port. On that port I have a server (192.168.100.9) whose default gateway is the ASA's 192.168.100.1.

I have a routed VLAN 20 on the switch that goes out to another server (192.168.0.20). How do I make the DMZ communicate with the server's VLAN (ping from the 100.9 to the 0.20 and vice versa)? I have included a sketch of what I mean.

0.0.0.0 traffic goes to 192.168.99.1.

I'm currently on site and have been hacking away at this for hours. Maybe someone can let me know what I'm missing.

TheCaptain
Dec 5, 2005


Tremblay posted:

Captain, post a show ip route from that switch plz. I think the switch is just doing the routing for you, which you don't want.

Gateway of last resort is 192.168.99.1 to network 0.0.0.0

C 192.168.14.0/24 is directly connected, Vlan34
C 192.168.8.0/24 is directly connected, Vlan28
C 192.168.10.0/24 is directly connected, Vlan30
C 192.168.99.0/24 is directly connected, Vlan40
C 192.168.6.0/24 is directly connected, Vlan26
C 192.168.0.0/24 is directly connected, Vlan20
C 192.168.100.0/24 is directly connected, Vlan120
S* 0.0.0.0/0 [1/0] via 192.168.99.1

I set up an interface VLAN on the switch as a last resort to communicate with that server. The IP is 192.168.100.2. Doing that I can ping the server on the DMZ from the switch but not from any other network.

TheCaptain
Dec 5, 2005


Tremblay posted:

Yeah see how:

C 192.168.0.0/24 is directly connected, Vlan20
C 192.168.100.0/24 is directly connected, Vlan120

Are connected? That's bad. That means the switch is routing and not the ASA. Stateful firewalls don't like asymmetric routing. Are hosts in the DMZ initiating traffic to the inside or is it only inside hosts initiating connections? Also fix your mask, I don't think you want to have a /16 on Vlan20.

I want the switch to do all the routing except for the DMZ VLAN. The server in the DMZ is an ISA server and needs to communicate with Exchange, which is on VLAN 20, so connections come in from the internet to the DMZ through the ISA server, which then needs to talk to VLAN 20 to get to Exchange. Also, I have subnet-zero enabled. That's why I have 192.168.0.0/24.

TheCaptain
Dec 5, 2005


Tremblay posted:

Right, so what I am saying is: since you have an L3 VLAN interface on the switch that resides in the DMZ subnet, the switch is currently routing between the .99 and .100 subnets and not the ASA. This is NOT what you want to happen.

Thanks.

Even when the 4507 was not routing, I still couldn't get through. What's the next step?

TheCaptain
Dec 5, 2005


Tremblay posted:

You need the static nats I posted above. ASA by default requires a NAT config to get traffic from one interface to another. So basically what we do is write NAT statements that essentially NAT traffic to their original IP addresses. The order of the interfaces is important since it controls which interface proxy ARPs for the subnet or host IP configured. If you flip the interface order you can wind up having the FW and hosts ARPing for the same addresses and that makes a headache.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/index.htm

I've got to head out but I'll check the thread when I get home.

This is fantastic, I didn't know I could use NAT to route traffic that way. I had to go for the day but I'll pick this up in the morning. I only saw half of your post before so I missed the static entries. Now that I'm home, I'm going to read up on this to speed things up tomorrow.

Thanks again.
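An added example, not from the thread or from Cisco's documentation, of the identity-NAT arrangement Tremblay describes, written in ASA 7.x (pre-8.3) syntax for the addresses given in the thread. Interface names, security levels, the subinterface number and the TCP port the ISA server publishes are assumptions.

```cisco
! ASA 7.x, pre-8.3 NAT syntax. Interface names and security levels are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.0
! The DMZ arrives on a trunk, so it is a VLAN 120 subinterface on the ASA.
interface Ethernet0/2.120
 vlan 120
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Inside subnets live behind the 4507; point them at its 192.168.99.2 side.
! The switch's own Vlan120 SVI (192.168.100.2) must be removed first,
! otherwise the switch, not the ASA, routes between .100 and .0.
route inside 192.168.0.0 255.255.255.0 192.168.99.2
!
! Identity static: 192.168.0.0/24 is presented to the dmz as itself.
! Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip; inside comes
! first so the ASA proxy-ARPs for that range only on the dmz side.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! Least privilege on the dmz: only the ISA server may reach Exchange, and
! only on the published port (443 is an assumption; use what ISA needs).
access-list dmz_in extended permit tcp host 192.168.100.9 host 192.168.0.20 eq 443
! Ping both ways as in the thread; without ICMP inspection the replies
! from the dmz back to the inside also need an explicit permit.
access-list dmz_in extended permit icmp host 192.168.100.9 host 192.168.0.20 echo
access-list dmz_in extended permit icmp host 192.168.100.9 host 192.168.0.20 echo-reply
! Nothing else from the dmz may reach the rest of the internal address space...
access-list dmz_in extended deny ip any 192.168.0.0 255.255.0.0
! ...while ordinary outbound Internet traffic from the dmz stays allowed.
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

With the switch SVI gone, `show xlate` and `show conn` on the ASA are the quickest way to confirm the ISA-to-Exchange flow is now being translated and tracked by the firewall rather than bypassing it.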

TheCaptain
Dec 5, 2005

Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. :argh: Should I just write it up in Notepad and execute it quickly to minimize downtime? I'm worried about making a typo or something and then having a half-finished ACL with erroneous entries that I have to clean up.

So, editing a firewall ACL without downtime. Impossible?

TheCaptain
Dec 5, 2005


Tremblay posted:

Hey, sorry I missed your previous IMs. It depends on the version of code. I think line numbers were introduced in 6.3.

access-list foobar line X ...

Depending on load and ACL size there could be a brief impact to traffic. This is due to ACL compilation which is an option in 6.3 and default in 7+.

Thanks for the response. This version hasn't introduced access-list numbers yet and PDM isn't installed. I ended up just asking permission to have a brief lapse in connectivity and applied the new rules successfully without too much noise.
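An added example, not posted in the thread, showing both ways to get a new entry to the top of a PIX access list with the least disruption: the `line` keyword Tremblay mentions for 6.3 and later, and the new-list-then-rebind approach for the older code the Captain is running. The ACL names, the rules themselves and the interface name are assumptions.

```cisco
! PIX 6.3 or later: insert directly at line 1 of the ACL that is already
! bound. Existing entries shift down and the binding is untouched.
access-list outside_in line 1 permit tcp any host 192.168.100.9 eq 443
show access-list outside_in
!
! Pre-6.3 (no line numbers): assemble the complete replacement list under
! a new name offline, paste it in while the old list keeps filtering,
! then move the interface to it with one access-group command. Binding a
! new list replaces the old binding, so the interface is never left with
! no list applied and a typo in the paste never touches live traffic.
access-list outside_in_v2 permit tcp any host 192.168.100.9 eq 443
access-list outside_in_v2 permit tcp any host 192.168.100.9 eq 80
access-list outside_in_v2 deny ip any any
access-group outside_in_v2 in interface outside
! Confirm hit counts are accruing on the new list before removing the old one.
show access-list outside_in_v2
no access-list outside_in
```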

TheCaptain
Dec 5, 2005

Cisco's site is down!

Can someone verify if it's just on my end? I really need to get my hands on some of those sweet docs.

TheCaptain
Dec 5, 2005

Interesting. What used to return a timeout now gives this:

code:
Forbidden

You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0 Server at www.cisco.com Port 80
I guess they're working on it.
