(Redefined the question to match actual LAN topology...)

I have a new Cisco ASA-5512-X firewall, which is going into an existing network stack to separate some specific client servers from the rest of our LAN (i.e. not as the edge device).

The existing LAN infrastructure already has a Data VLAN (where the normal network nodes live), a Management VLAN (where the sysadmins' desktops and backup devices live) and a Devices VLAN (where all the 'remote management' interfaces for all the network devices and servers live). The VLANs are all firewalled by the core firewall, with security-level statements to allow the sysadmins/backup server to access both the Data and Devices VLANs, while preventing the Data and Devices VLANs from talking to each other.

Below is an attempted diagram to explain the current setup.

                                   213.48.xx.xx    ( MGT_VLAN  Gi0/1.10  sec 100 )
                                         |     ____( DVCS_VLAN Gi0/1.12  sec 80  )
                                         |    /    ( DATA_VLAN Gi0/1.100 sec 80  )
                                         |   / 
           +------------------------[Core F/W]------------------------+
           |                             |                            |
     172.31.0.10                   172.31.255.10                172.31.100.10
           |                             |                            |
-------------------------------------------------------------------------------------
MgtVLAN#10:172.31.0.0/24 | DvcsVLAN#12:172.31.255.0/24 | DataVLAN#100:172.31.100.0/23  
-------------------------------------------------------------------------------------
         | | |                           |                |              \ \ \
      [SysAdmins]                 172.31.255.136    172.31.100.252    [LAN Clients]
                                         |                |
                                         +------------[New ASA]
                                                          |
                                                    172.31.250.10
                                                          |
                                       -----------------------------------------
                                       SecretLAN:172.31.250.0/24  [L2 Switching]
                                       -----------------------------------------
                                                        | | |
                                                   [Secret Servers]  

In keeping with the current LAN, I would like to specify the Management0/0 interface on the new ASA to live within the Devices VLAN, so it can only be accessed by Telnet/SSH/ASDM via an address in that VLAN's subnet. Ma0/0 has management-only enforced, preventing through traffic. It can't be removed from the new 5512-X model and I can't use one of the other interfaces, because the IPS component of the new ASA (the very reason we have to do this) is only accessible via Ma0/0.

If I plug a sysadmin desktop into an access-port for the Devices VLAN, I can access the management interface of the new ASA. However, a sysadmin desktop in its normal home in VLAN10 cannot, even though the security-level on the core firewall should permit this.

I believe I have narrowed it down to a basic routing issue: the new ASA is configured with `route OUTSIDE 0.0.0.0 0.0.0.0 172.31.100.10` (i.e. the default gateway is the address of the core firewall's Data VLAN subinterface), and Ma0/0 is configured with `ip address 172.31.255.136 255.255.255.0` (firmly in the Devices VLAN subnet). The new ASA will accept a management connection from the Management VLAN (172.31.0.0/24) but cannot send the reply because it tries to route back through the OUTSIDE interface.

I cannot add `route MANAGEMENT 172.31.0.0 255.255.255.0 172.31.255.10`, however, because that will surely cause the backup server's traffic (also on a 172.31.0.0/24 address) to mis-route via the MANAGEMENT interface (a 100Mbps NIC) instead of the OUTSIDE (a 1Gbps NIC).

Can I get the Ma0/0 interface working in this fashion? Or would I have to put in a terminal on the Devices VLAN and use it as a double-hop from my Management VLAN (e.g. by SSH remote port forwarding; or telnet to one, then telnet to the other)?

jimbobmcgee
    The sysadmins and the ASA management interface sit on the 172.31.255.0/24 network? Are you sure the management interface is getting an IP? Can you ping your SysAdmin workstation from the ASA? – resmon6 Aug 10 '12 at 16:06
  • Yes: both the sysadmins and the ASA management iface are plugged into access ports for VLAN12 on the core switching layer, and are assigned addresses in the 172.31.255.0/24 network; No: I can't ping in either direction -- a packet-tracer run shows an implicit access-list drop, but I thought ASA commands such as `ssh`, `telnet` and `http` were supposed to override access-lists – jimbobmcgee Aug 10 '12 at 16:37
  • I've realised that, in attempting to simplify the diagram, I've missed a major piece, so I have updated the diagram to reflect it. It now makes much more sense why the sysadmins' clients can't see the management interface of the new ASA (a basic routing issue). The problem still stands, though, but I'll redefine it in the OP. Upvote for @resmon6, though, since you were essentially completely correct ;-) – jimbobmcgee Aug 10 '12 at 18:55

1 Answer

There are two ways you can do this.

  1. Use a dedicated jump box in the SysAdmins VLAN and only route this IP across the management interface.
  2. Route the SysAdmins VLAN across the MA0/0 interface and only route individual IP addresses that need to access Secret Servers over the Outside interface (such as the backup server).

The preferred method will depend on how many machines in the SysAdmin VLAN need direct access to servers behind the firewall. The easiest solution is to manage the firewall from the Outside interface and disable the MA0/0 interface if your local policy will allow this.

resmon6
  • Yeah, this is what I figured too. Tried both but I think I prefer the jump box approach -- for the time being, I've commissioned a small CentOS VM into the DEVICES_VLAN that the sysadmins can use for this, either by SSH remote port forwarding or telnet-on/telnet-off. If I can tidy up the MANAGEMENT_VLAN enough, I might re-investigate routing the MANAGEMENT_VLAN subnet across Ma0/0 and a 'services' sub-subnet across OUTSIDE (actually, that might help for things like Nagios -- although I could put a Nagios worker agent on the new CentOS VM)... – jimbobmcgee Aug 13 '12 at 16:58
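The routing problem in the question and both of resmon6's options come down to longest-prefix matching on the ASA's routing table: a /32 host route always beats the /24 and the default route. The following is an added Python model of the three routing tables (current, option 1, option 2), not code from the thread; the backup server (172.31.0.50) and jump box (172.31.0.60) addresses are constructed placeholders, and the equivalent ASA `route` lines are given in the comments.

```python
from ipaddress import ip_address, ip_network

# Addresses from the question's diagram.
CORE_DVCS_GW = "172.31.255.10"  # core firewall's Devices VLAN subinterface (Ma0/0 side)
CORE_DATA_GW = "172.31.100.10"  # core firewall's Data VLAN subinterface (OUTSIDE side)

# Constructed placeholders: hosts in MgtVLAN#10 (172.31.0.0/24), not taken from the page.
BACKUP_SERVER = "172.31.0.50"
JUMP_BOX = "172.31.0.60"


def lookup(table, dst):
    """Longest-prefix match over (prefix, interface, next_hop) entries.

    Mirrors how the ASA picks an egress interface: the most specific
    matching route wins, so a /32 overrides a /24, which overrides 0.0.0.0/0.
    """
    dst = ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else None


def egress(table, dst):
    """Interface the ASA would use to reach dst, or None if unroutable."""
    match = lookup(table, dst)
    return match[0] if match else None


# As configured in the question: only "route OUTSIDE 0.0.0.0 0.0.0.0 172.31.100.10",
# so replies to anything in 172.31.0.0/24 leave via OUTSIDE, not Ma0/0.
CURRENT = [("0.0.0.0/0", "OUTSIDE", CORE_DATA_GW)]

# Option 1 (jump box): keep the default route and add one host route via Ma0/0.
#   route MANAGEMENT 172.31.0.60 255.255.255.255 172.31.255.10 1
OPTION1 = CURRENT + [(JUMP_BOX + "/32", "MANAGEMENT", CORE_DVCS_GW)]

# Option 2: route the whole SysAdmins VLAN via Ma0/0, then pin the backup server
# back to OUTSIDE with a more specific /32 so its traffic keeps the 1Gbps path.
#   route MANAGEMENT 172.31.0.0 255.255.255.0 172.31.255.10 1
#   route OUTSIDE 172.31.0.50 255.255.255.255 172.31.100.10 1
OPTION2 = CURRENT + [
    ("172.31.0.0/24", "MANAGEMENT", CORE_DVCS_GW),
    (BACKUP_SERVER + "/32", "OUTSIDE", CORE_DATA_GW),
]
```

Running `egress(OPTION2, BACKUP_SERVER)` returns `OUTSIDE` while any other 172.31.0.0/24 address returns `MANAGEMENT`, which is the asymmetry the question was worried about, resolved by the host route.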