Cisco Infrastructure :: ASA 3750 Firewall To Control Traffic Between VLANs

Jan 20, 2013

We have a data center with servers set up for different projects, some servers from partner companies, and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506s and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them. The BSD server is dying, and having it there is incorrect in the first place, so we are planning to replace it with two ASAs (5520) in failover. The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routed mode, and do filtering there as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in the rules of what should go there. None of this can be considered an "inside" (trusted) zone, nor "outside". Internet and external links are connected and filtered in a different place.


Cisco Infrastructure :: Catalyst 3750 - Creating ACL / Incoming Traffic?

Jul 10, 2011

We have the following settings in our switch. We created an ACL and applied it to an SVI for incoming traffic. I understand that it is not necessary to allow the returning traffic in the ACL, but we can't access RDP, for example, when we add the ACL; if we remove it, access is OK, but when we add it again, access is denied, and we even have a log entry, and the ACL is just for incoming traffic. There is no other ACL.

See attached file

[code]...


Cisco Firewall :: Access-List Traffic Control Attempting To Block RDP 3389

Nov 7, 2012

I have an ASA pair configured to replace a router that hosts a collection of IPSec tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the production router that I plan to replace with the ASAs, the current tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the tunnels. My thought was that an ACL on the inside interface blocking selected traffic out (so into the LAN) should not impact the stability of the tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block port 3389 at all. What am I missing? Is it that the traffic is being allowed because it is coming through one of my 'open' tunnels?
 
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
 
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny   tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
 
ip access-group 145 out interface Internal
 
This works great on a 2821 router, but not so much on the ASA.


Cisco Firewall :: Can't Get Traffic Flowing Between VLANs On ASA 5505

Aug 20, 2012

I've got an ASA 5505 with the Security Plus license that I'm trying to configure.

So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).

From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.

I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.

When I try to ping there is no reply and the only log message is: 6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0


Cisco Firewall :: 5505 - Route Traffic Between Two VLANs Through ASA

May 30, 2011

I have an ASA 5505 firewall with the Security Plus license. I configured two VLANs, VLAN 1 and VLAN 5, as my inside VLANs for different subnets; I need to route the traffic between these two VLANs through the ASA. I configured
 
int vlan 1
 nameif inside
 security-level 100
 ip address 172.16.100.1 255.255.255.0
[Code] .........

The problem is I am not able to ping the other subnet; for example, my PC in VLAN 1 is not able to ping 192.168.22.1 ... To troubleshoot, I typed debug icmp trace while pinging the other subnet:
 
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32

I turned off the firewall on my local machine.


Cisco Firewall :: VLANs ACLs In A 3750 Switch Stack

Jan 15, 2013

A Cisco 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Inter-VLAN routing is on. Connected to this stack are VMware hosts with about 500 VMs. We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.

- Does it make sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK?

- Do you recommend any other way?

- Any recommended Cisco resource/white paper to read about best practice?


Cisco Switching/Routing :: 3750 - Transparent Firewall Between VLANs

Jun 19, 2012

I have to put an ACL firewall in front of a public IP range. There's no routing, so I want to do it with a transparent layer 2 firewall. I found this document which describes exactly the feature I need: [URL]
 
It seems to be a feature introduced in IOS 12.3.
 
My Questions:
 
1.) Is it possible to use this transparent firewall feature with the 3750 switch instead of a "normal" IOS-based router?

2.) I've seen there is no IOS 12.3 for the 3750 but rather 12.2 (currently installed) or 15.0.1. Is this feature included in 15.0.1?
 
If the feature described above is not available, is there any other way to achieve my goal?


Cisco Firewall :: ASA 5505 - All Traffic From Guest VLans To Always Go To Outside Interface

Mar 15, 2013

I have an ASA 5505 with the Security Plus license. I have 7 VLANs, 2 of which are guest VLANs for wireless and wired connections. I am allowing traffic from the guest VLANs to any with the HTTP and HTTPS protocols. I have ACLs in place before the allow-all rule that do not allow traffic from the guest VLANs to the other VLANs. Is there any way to have all traffic from the guest VLANs always go to the outside interface for the HTTP and HTTPS traffic instead of trying to go to the other VLANs first? I know I have the ACLs in place to prevent the traffic, but I would feel better if I had this in place as well.


Cisco Firewall :: Configure ASA To Send All Traffic From (3) VLans To Interfaces That Connects To 2960?

Apr 18, 2013

I have an ASA 5520 connected to a Layer 3 (3750) switch (inside) and a connection to a 2960 switch (outside) to get to the internet. I have created VLAN interfaces on the 3750 switch and enabled IP routing on the switch to enable the VLANs to communicate with each other.
 
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1 
 
I want the devices connected to the 3 VLANs to be able to pass through the firewall and get out to the internet. I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other. I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1). The issue that I am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an Ethernet connection from the 2960 that sits in VLAN 55 (VLAN 55 is the Internet-accessible VLAN). How do I configure my ASA to send all traffic from my (3) VLANs to the interface that connects to the 2960 switch?


Cisco Infrastructure :: 3550 - How To Control Bandwidth

Mar 24, 2005

I have a 3550 Catalyst and I configured it for bandwidth control. I have used the POLICE command; it works fine and I saw it limit the bandwidth, but there is a little problem: when I limit the bandwidth to 1024000 and I am using all the bandwidth and monitor it, I see it shows the network using half the bandwidth.


Cisco Infrastructure :: Can 3600 Support IP Addresses And VLANs And How

May 6, 2012

I am working on my CCENT after getting my A+. I have an old 3600 router and I am following CBT Nuggets to configure it. CBT Nuggets seems to have an IOS that supports VLAN and IP Addresses and it looks like mine only goes up to Token Ring so it doesn't mirror the instruction. I know it's an old router but is there a software release (like the 12.4 maybe?) that would allow me to follow the CBT Nuggets more accurately so that I can set the switch up for IP Addresses and VLAN instead of limiting me to token ring?


Cisco Firewall :: To Deploy ASA5585 In Between User Vlans And Server Vlans

Jun 1, 2012

We have to deploy an ASA5585 between user VLANs and server VLANs. We have to find all the ports that need to be opened on the firewall. Are there any tools to do the same?


Cisco WAN :: 3750 - Settings To Use Storm Control

Dec 22, 2011

I'm connecting a client directly to a 3750 and giving them a public IP.
 
On the port I have set spanning-tree bpduguard enable
 
But I guess I should also set some storm control etc. What settings should I use for storm control?
 
The client has a 100Mbps internet connection running through this port....


Cisco WAN :: 3750 ME Traffic Shaping Downstream Traffic

Aug 4, 2011

I am trying to come up with the best way to traffic-shape traffic with 3750 ME switches. The traffic will be coming from a 6504 Sup-7203b downstream and going out the WAN. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic-shape the traffic going towards the WAN/branch to 500 to match the contracted rate and then to use QoS on the shaped rate. I tried to apply it to g1/1/1 using port-based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the MetroE into different VLANs so I can bring branch offices in on different VLANs.


Cisco Routers :: RVS4000 VPN Traffic Control

Apr 3, 2012

We are an A/V integrator and AMX shop and provide our clients with support through the use of VPN tunnels from our RV042 router to their mostly RVS4000 routers. Support is provided through access of remote site equipment using VNC, Telnet, FTP, etc. from multiple PCs at our main office. NetBIOS is not turned on, but the remote sites have the ability to access equipment on our local LAN should they know our private IP address range. Is there any way to limit the access from the remote sites back to our LAN while maintaining our access to the equipment on their LAN? I know that one can limit the IP address range on one end of the VPN, but I would like to limit the ability of remote sites to gain "any" access to our LAN. If there's any way to just prevent all traffic from an IP address range on the remote site, that would also do.


Cisco Switching/Routing :: 3750 Lab Switch Control And Config Restore

Nov 16, 2011

I am in the process of setting up an interop lab for some engineers. The environment will consist of some 3750s, H3Cs and ProCurves. My concern is that the end user will have Priv-Exec access for CLI usage on the 3750s and they can change the "en" password (I hope they don't, but it has happened). Is there a way I can "break in" during the boot process to reset the password? The reason I am doing it this way is because I have an Altiris server with rebuild automation scripts in xpect and I would like to automate the process so I do not have to use a manual factory default reset.


Cisco WAN :: SPAN Session On 2960 Switch Capturing Only Control Traffic

Nov 21, 2011

I have configured a SPAN session on a 2960 switch, the source being a VLAN and the destination being one of the FastEthernet ports. All I see in the capture is control traffic (HSRP, RIP, Syslog, DNS, etc.). However, I don't see any real data traffic being captured. Below is how I have SPAN configured:
 
monitor session 1 source vlan <vlan_id> both
monitor session 1 destination interface fa0/42


Cisco WAN :: 1921 - Traffic Control / Packet Priority And Bandwidth Limit

Nov 29, 2011

We have 3 sets of applications. The first does not require much bandwidth but is very critical; the other two are more bandwidth-consuming but less critical. I would like to know if it's possible to reflect these priorities in the router configuration. Is it possible to set the ports 10000, 10001 and 10002 of the external IP to have higher priority to be handled, for example? Also, is it possible to limit the bandwidth that goes through a set of ports?
 
I must prevent the 2 sets of less critical applications from strangling the critical ones. What router can provide these capabilities? Is the 1921 able to do this job?


Access Control Lists Deny Traffic From Entering Network

Oct 5, 2011

My network topology consists of 3 directly connected routers where the central router contains sensitive data, and I need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LANs.


Cisco WAN :: 877 - Routing VPN Traffic Between 2 VLANs

Oct 10, 2011

I have a Cisco 877 router set up with 2 VLANs and 2 dialers, each VLAN routed to a dialer. I have some ports forwarded to my VLAN 1, including VPN traffic. I need to get VLAN 2 to be able to VPN to VLAN 1 and see some of the servers on VLAN 1 which are forwarded from the router, without allowing normal traffic between the 2?


Cisco 2960S - Enabling Flow Control On All Ports Interrupt Network Traffic?

Jan 20, 2013

I've been digging into some performance issues on a LAN that has a couple of 2960s. The monitoring software I'm using has indicated a high amount of discarded outbound packets (up to 5%). The suggested resolutions were to enable flow control.

My question is: does enabling flow control on all ports interrupt network traffic at all? This is a production network, so I had already planned on doing it during off hours, but I also wanted to know if I should be prepared for any significant drop in traffic.


Cisco :: Catalyst 3750 Configured For 3 Vlans

Mar 18, 2012

I'm just starting to learn Cisco. Currently I already have a Cisco Catalyst 3750 configured for 3 VLANs, and now I'm planning to have another 3750 for redundancy.


Cisco Infrastructure :: 871 NAT List Getting Hit For Traffic From WAN IP

Oct 29, 2007

I have an 871 set up at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that traffic going from the WAN interface (FastEthernet4) seems to be hitting the ACL in place for NAT. My config: [Code] .......
 
Where 76.22.98.39 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?

IOS Version is 12.4(6)T9


Cisco Infrastructure :: 3750 - Delay Of Connection

Apr 15, 2012

Actually I have a problem with my connection and I would like to find that problem. I have 3 sites (1, 2, 3) connected together through fiber multi-mode cable. Site 1 has the control room; the maximum distance between sites 1 and 3 is 1.8 km, the other distance (1 and 2) is 1.2 km, and I already use 3750X switches and GBIC GLC-FE-100FX, which supports MM cable up to 2 km.

I have in sites 2 and 3 10 CCTV 3-megapixel cameras, and I checked the bandwidth; it is less than 100Mbps. When I connected the 2 switches (2 and 3) to the switch in site 1 there is a delay. I thought maybe it was because of the bandwidth, so I tried to connect only 1 camera, but the same problem (delay). I did not make any configuration for the switches.


Cisco Switching/Routing :: Catalyst 3750 Having More Than 128 VLans

Feb 18, 2012

Is it correct that VLANs exceeding 128 run without spanning-tree?


Cisco Switching/Routing :: Multiples VLANs On 3750

Jan 24, 2012

I have a stacked Cisco Catalyst 3750 configuration that currently has one VLAN configured: VLAN 192 - 10.192.0.0/16
 
The Catalyst has an IP in this range of 10.192.0.1. I would like to configure a few more VLANs to be able to run some more network ranges through this device. Would it be a case of just adding the VLANs to the master and then configuring an IP for each VLAN within the inter-VLAN routing section? Some VLANs will require access to each other, but not all.


Cisco Infrastructure :: 185 / Traffic-shaping On The LAN Interface?

May 5, 2011

There is a remote server that downloads info from a server here at HQ. When the downloads start, the rxload on the S0/0/0 interface jumps to 98 percent or so; rxload 250/255. I needed to limit the bandwidth utilization between the servers, so I added the lines below to the LAN interface on the remote router. Adding the command reduced the download utilization, which is what I wanted.
 
access-list 185 permit ip host 10.6.27.1 any
!
int f0/0
traffic-shape group 185 10000 8000 8000 1000
 
Question: How would applying this to the LAN interface cause the download utilization (coming from s0/0/0) to decrease?


Cisco Infrastructure :: Multicast 224.0.1 Traffic Increased Much

Mar 24, 2013

I have started to notice an increase in traffic from all my LAN workstations to the multicast address of 224.0.1.20, all with the same destination port (79). IANA shows this address as reserved for "experimental testing". Are there any typical applications or protocols that use this multicast address? My first thought was malware running on the hosts but it's a little tricky to prove.


Cisco Routers :: VLANs On SRP527w - Broadcast Traffic

Sep 22, 2011

I require a system that will support 3 VLANs; the VLANs are purely for containment of broadcast traffic and need to support inter-VLAN communication between client devices. Would the following configuration work?

Port based VLAN on the SRP527W with each port connected to layer 2 switches serving each VLAN.
 
DHCP server on the SRP527W assigning IP addresses for each of the VLANs in different ranges (e.g. 10.10.1.xx, 10.10.2.xx, 10.10.3.xx). Would there be any benefit in upgrading the router to an SRP547W?


Cisco Infrastructure :: 3750-E How To Reset Baud Rate

Apr 18, 2010

Having trouble resetting the baud rate to 9600 on a 3750-E. Basically the device cannot be set to anything other than a 115200 baud rate. I have changed this via startup-config (which lost the connection), reconnected and saved the config, but after reload it was back to 115200. Tried via the bootloader to 'set 9600' but the terminal program paused for a bit and then the switch prompt returned. Tried the same with 'unset baud' but the same thing as above happened. I have erased and reloaded flash etc.


Cisco Infrastructure :: 3750 - C3KX-NM-1G - Ports 2 And 4 Not Shutdown

Oct 26, 2011

I've put a C3KX-NM-1G module into a 3750X but can only get ports 1 and 3 to come up; ports 2 and 4 don't operate. Ports 2 and 4 are not shut down and don't come up with working SFPs etc. from another switch.


Cisco Switches :: 3750 / SMB Switch Integrations With Non-SMB Infrastructure?

Jul 27, 2011

A customer is expanding their network into another wing, and they have a good number of existing Small Business switches (specifically the SGE-2010P - [URL]) that they're interested in possibly deploying. They have a full-blown Cisco infrastructure and voice deployment (Cat 6500 core switches, 3750 switch stacks, Communications Manager with over 1,000 phones, etc.).
 
The general concern is whether there are ANY known issues or concerns with trying to mix/integrate the Small Business equipment with non-SMB infrastructure. Looking at the datasheet for this switch, it's clearly PoE and supports QoS, although it doesn't specifically indicate it can provide a voice/auxiliary VLAN for a phone detected by CDP; that would be a big deal. So basically, "a switch is a switch", and I'm just posing this question to make sure there's no reason (technically or from a support standpoint) that we would not recommend integrating these.


Cisco WAN :: 3750 Performing QOS Against Number Of SVI VLans On Per Customer Basis

Apr 29, 2012

I have a Cisco 3750 switch stack and am performing QoS against a number of SVI VLANs on a per-customer basis. I have 8 customers, each with a /29 public subnet and each with an SVI as a gateway within that /29 range. I then have a "routable" SVI VLAN for routing upstream to the internet. [code]

The service policy attached to the interfaces above is supposed to perform policing on download and upload traffic. The service policy is attached to the routable VLAN for download policing and the customer VLAN for upload policing. For example, traffic entering the routable VLAN will be policed based on traffic matching an access list to the customer's IP range (download). Traffic entering the customer VLAN will be policed based on traffic matching an access list from the customer's IP range (upload). The command I am using to police is as follows: police 10485500 966080 exceed-action drop. The problem I am experiencing is that traffic into the routable VLAN is being successfully policed down to the 10Mbps I have specified on a per-customer basis (download). Traffic entering the customer VLAN is NOT being policed at all (upload). I am limited as to the use of the parent policy map I have specified on the interface, as I can only assign it in one direction (input).
