Cisco Switching/Routing :: Sonic Wall 3060 - Filter Traffic From VLAN Through ASA?
Dec 18, 2011
I'm decommissioning my SonicWall PRO 3060 and upgrading to an ASA5550 (we're increasing our WAN link speed to 1Gig and need the 5550). In any case, I want to copy over the configuration from the PRO to the ASA. I have everything documented and I've started doing the changeover, but in looking at some other network diagrams on the net I'm seeing router symbols between the LAN switches and the ASA and I'm beginning to worry that I might need routers to do this which, of course, would increase cost quite a bit.
So my question is this: If I have a core switch carved into multiple VLANs and I connect each VLAN to a port on the ASA, will I be able to route and filter traffic from VLAN to VLAN through the ASA? If so how, in general, is this accomplished (I'm betting ACLs). I think that the ASA will be able to do this easily, but I just want to be sure before I get too far into the configuration of this unit,.
ASA
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GigE0/0 GigE0/1 GigE0/2 GigE0/3 GigE1/0 GigE1/1 GigE1/2 GigE1/3
| | | | | | | |
| | | | | | | |
WAN BackupWAN VLAN400 VLAN500 VLAN600 VLAN700
View 4 Replies
ADVERTISEMENT
Jun 1, 2011
I haven't worked with Cisco devices before (yepp, another one of those) but I am getting there. I have replaced my silly Draytek router now with a Cisco877 and it works perfectly fine. But the whole networking side of things such as NAT / ROUTE / ACLs is a BIT black magic.
Basically my problem is that I cannot get proper traffic through the tunnel
From any station behind the Cisco (Site2) I can ping the local IP of the Sonic, but none of the other stations. From behind the Sonic I can ping any station behind the Cisco but unable to connect on any port (RDP for example)
Bear in mind that a lot of settings are from forums, google and the sorts because as I mentioned, before I got this one I have limited experience with Cisco .. Everything configured is working fine, the internet connection, the incoming pptp VPN to the Cisco etc., just not the IPSec VPN.
View 1 Replies
View Related
Apr 29, 2013
Have a Sonicwall with multiple VLANS on LAN interface going to the SG-300 in Layer 3 mode.Trunk Port has VLAN 1 untagged and PVID and other VLANS (20,30,40) tagged.Setting a port to Access for particular VLAN (40) does not pull DHCP from Sonicwall.Sonicwall support says DHCP request is coming from VLAN1 and something wrong in switch setup.Setting 2 ports to VLAN 40 allows communication between the two.Also, replacing SG300 with a Netgear L2 works.Seems like an issue with the trunk, no?
View 2 Replies
View Related
Feb 12, 2012
I have a side gig that I do some work for and they've had a Sonicwall TZ200 device in their branch office and also in their data center that has a site to site VPN connection between the two devices. About a month ago the bandwidth throughput got severly decreased. They went from getting about 28Mbps/27Mbps to now ~3Mbps/12Mbps.
I've spent days troubleshooting with Sonicwall which could be a whole dedicated thread on it's own but I digress. I even had the ISP come out and test the line and when they hooked up their own laptop it got the speeds it should be getting. I've rebuilt the config on the sonicwall from scratch which was a major pain in the ass because I'm not a firewall guy by any means. After firmware updates and pulling my hair out I've decided to dump the tz200, to what I don't know. I need two devices, one for the data center and one for the branch office. I'm pretty sure something in the config is causing this and after being escalated to the highest level at sonicwall and them sending me a replacement unit which I rebuilt the config on and also tried to import the old settings with no luck. I very well could have done something or made a change to cause this but I'm at a loss and willing to try another product.
I get spammed from Barracuda all the time, do they have quality devices? Something with a web interface would be great since I'm not a firewall guru by any means and had set up a bunch of address objects with NATs and all that.
View 19 Replies
View Related
Feb 23, 2013
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
View 2 Replies
View Related
Apr 9, 2013
I have a ASA 5585 and a Nexus 5596, and i need a sugestion to configure this cenário:
My users in the Vlan 10 need access on the network in the Vlan 20, but this traffic must be filtered for firewall. In the firewall a received a trunk port for Nexus 5596, and i created subinterfaces to receive the Vlans for this trunk.
The gateway for my users is the address for the ASA subinterfaces.
What i do to filter the traffic between the Vlans?
View 3 Replies
View Related
Nov 16, 2011
Can the SRP547W be configured to allow traffic on port 25 from an external ip range to an internal address?
View 0 Replies
View Related
Dec 19, 2012
We want to filter IP traffic by MAC address on Catalyst 4500. Since we are using bonding (active-backup mode) we need those mac addresses appear on different ports. Below are solutions that we have tried: ACL but it does not work since mac acls only match non ip traffic (We CAN NOT use ip acl). Use a static mac address-table entry to ALLOW specific mac addresses. It does not work either since the same MAC address needs to be seen on a different port. Catalyst 4500 does not support auto-learn option (as e.g. Nexus 5000).
View 3 Replies
View Related
Oct 10, 2012
I am trying to filter ARP answer arriving on a C6500 trunk port, for a specific vlan.Filtering conditions are:
- packet arrive from vlan ID x on the trunk (on only for this vlan ID)
- source MAC address = xx:xx:xx:xx:xx:xx
Thae aim is that the C6500 with never enter into its CAM table this MAC address.I looked at several methos like service policy or vlan filter, but no solution for the moment.
View 3 Replies
View Related
Jun 22, 2012
I have couple C2960G and C3750. Is there any way to filter (on ingress port) type of traffic? I would like to allow IP only, and discard (i.e.) IPX, or other garbage, that any device can produce.I have tried to find something about this, but only thing I have found is feature : protocol filter, which doesn't seems to be working on my hardware.
View 6 Replies
View Related
Feb 11, 2013
I have 2 hosts, 1 plugged in fa 0/21 in VLAN 101 and another in fa 0/22 in VLAN 101 on our L2 Cisco 2960. If I try and transfer files from either host the gig 0/1 trunk port on the 2960 leading tot he 3750 fa 0/1 port hits 100mb (using a real time bandwidth monitor tool), but why? This VLAN is on the same switch, why does it go one way up the trunk to the L3 3750 switch? The L3 3750 is the VTP server and the 2960 is a client. I would of thought the traffic stays local. The 2 hosts don't even have a gateway set.To sum up the typology the 2960 and 3750 are trunked using a single cable. The 3750 hangs of a ASA firewall using SVIs.Here is whatthe traffic looks like when copying a file between hosts (2gb file).
3750 L3 Switch (VTP Server)
interface FastEthernet1/0/4
description Trunk to Cisco 2960 Gig 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
[code]....
View 6 Replies
View Related
Oct 10, 2012
Have a quick question regarding inter-vlan routing on a 3750. Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw). I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch. I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to. The ASA is set to nat internal traffic for all the vlans.
Now my question: short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example. I was thinking to create an acl like this:
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
and then applying this to the interface for the appropriate vlan.
View 4 Replies
View Related
Jul 17, 2012
I have problems in my Cisco network until I connected some Moxa devices.This Moxa are models EDS-316 and EDS-208
My principal trouble is the traffic UDP. Suddently the network don't permit the traffic UDP in VLAN where are connected Moxa devices.
During an hour the Moxa can send TCP traffic, but can't send UDP. If a Moxa device is unplugged from network, all devices connected to him can work offile from principal network, but if I plugg again the Moxa is like disable.
After one hour (more or less) the system restart all functions and work fine.I catch the logs from TXerrorsInPorts and all the ports where is connected a Moxa have errors all time.
I don't know which is the problem, but I think that problem is in negotiation from Moxa to Cisco.This is the configuration from a port where is connected a Moxa: [code]
View 1 Replies
View Related
Jun 14, 2012
I have a requirement to monitor all traffic going from the internal LAN to the cloud. The LAN is a layer 2 VLAN which spans multiple Cisco 4507 switched and other smaller switches.
The VLAN has an IP address which the hosts use as the default gateway.
The exit port is on a Cisco 3600X switch connecrted to 4507 #1 via a 10G fiber link. 4507 #1 connects the rest of the LAN. Those switches interconnect via 10G fiber and 1G copper links.
Currently the monitor host is connected to a 1G copper port, configured as a monitor port, on one of the backside 4507s The switch manager says he has the switches configured so that I can see all traffic on the VLAN.
View 1 Replies
View Related
Apr 11, 2012
We have a switch gc2960. It has ports configured on vlan 27 and vlan 29.It is connected to switch ch3550. It has presence of vlan 27 vlan 29 and also vlan 18 and several other vlans.Our internet firewall is connected to ch3550. It is a fortinet product, so this is not indicated on the diagram.
When the two switches were connected on vlan 29 access ports, pc's on vlan 29 on gc2960 worked as expected. vlan 27 clients of course did not work.When we switched the connecting ports to trunk ports, some weird stuff happened. Clients on gc2960 on vlan 29 could ping and resolve dns, but not browse the intenet. The same was true for clients on gc2960 vlan 27. We verified that packets from the web were coming in through the firewall. What we were thinking, is that they somehow were not being tagged to vlan 29 even though we were trunking.
When we set native vlan 29 on the trunk, then clients on gc2960 vlan 29 operated as expected. However, clients on gc2960 vlan 27 are still having this problem, we can ping and resolve dns but not browse.Consider the other switch ch2960-jstreet which has presence of vlan 18 and vlan 27. It is also connected on trunk to ch3550. We are not using native vlan on this trunk, and traffic works as expected.Is the lack of presence of vlan 18 a factor as to why gc2960 is not receiving the tagged packets correctly? Should the interface vlan18 on gc2960 have an ip address on the vlan 18 network?
View 5 Replies
View Related
Nov 27, 2012
I want to know what is the best way to black traffic inside the same VLAN, this VLAN is a user VLAN, it means that I am talking about access layer.I wanted to use private vlan, but C2960S doesn't support this feature. Any other way to prevent any to any traffic in the user vlan, this vlan only have to speak at the Layer 3.
View 2 Replies
View Related
Jan 24, 2012
At present we are having a 4900 series switch where we are running one monitor session.Additionaly we are in need of capturing VLAN traffic and set the destination to 2 * GE ports , both are in the same switch.Due to the limitation of two monitor sessions per switch , we thought of putting the destination ports as port channel but it looks like it is not supported.
View 1 Replies
View Related
Feb 21, 2013
I have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
View 1 Replies
View Related
Jul 5, 2012
We run a network of several 2960G and 3650G switches in a network with a number of VLANs. One one particular VLAN (let's call it VLAN 10) it appears that non-broadcast traffic (i.e. normal unicast traffic) is being copied to every port in VLAN 10 only on one switch . The traffic is not crossing trunk ports and does not appear on other switches that have ports in VLAN 10. We first spotted this by noticing that a UPS port had an unusual amount of activity on our port througput graphs:
This traffic at 4 am is not expected and this profile is repeated across all ports in VLAN 10 on this switch (a WS-C2960S-48TD-L stack running IOS 15.0(1)SE3)\iffed one port using local SPAN (the UPS port) and discovered that this traffic was not broadcast, which was running at a normal low rate at all times. The traffic appeared to be unicast traffic from other ports of the sort you might see on a hub. It was from various hosts that live on VLAN 10, most (not all) of the conversations had one end station homed on the 'problem' switch. There are about 800 non-broadcast packets per hour and this is a busy VLAN so it does not account for all the traffic on the VLAN.
View 3 Replies
View Related
Nov 27, 2011
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecing any netflow from it.Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isnt traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have mimimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow biderectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10. [code]
View 9 Replies
View Related
Nov 13, 2011
I am trying to setup a network using Cisco 2960 switches with vlans configured. One vlan will handle video coming from four cameras that are connected to another 2960.
We have four cameras feeeding one port each on a 2960, that 2960 in turn feeds one port on the main 2960 which is the video vlan for that site. From the site it goes back to a Cisco 3750 to be sent over to a Sonicwall firewall. If we connect to the 2960 that the camera are connected to we can see the video, but not on the main site 2960.
View 5 Replies
View Related
Apr 22, 2013
I have pair of 5596 switches in vPC. One host say "HOST A" is connected to the primary vPC peer and other "HOST B" on secondary vPC peer.Both are in same VLAN 10. Both hosts are vpc orphan ports as their NIC is configured in active/standby mode.I have configured span session on both vPC peers with span source as VLAN 10 in rx mode.Span destination is connected to secondary vPC peer. The issue here is that I am not able to capture the traffic originating from HOST A destined to HOST B which is traversing vPC peer-link.Same issue occurs for the traffic in reverse way and span destination on primary vPC peer. In a nutshell, any traffic which crosses vPC peer-link is not getting captured.
What could be the issue and is there any solution for it. Below mentioned is the span config and relevant interfaces. [code]
View 4 Replies
View Related
Mar 28, 2013
We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.
HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
When I ping between hostA and hostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2.The egress packets from Core1 show the correct destination MAC address of the target host. The mac address table shows the mac address on po31.
View 16 Replies
View Related
Nov 21, 2012
i'm going mad on following problem. I'm trying to get 2 networks seeing each other while one of the network is a non VLAN network and the other one is a VLAN network.They should use the same interface so i added VLAN e0/0.122 to the interface e0/0.Send a ping from my asa to both gw-IP's made me happy at first. In second in figured out that i cannot reach any client in the other network. For testing purpose i created an permit acl to any/any for both networks, but the packets still get dropped by the default implicit rule. (deny any/anyMaybe i'm to stupid for this
View 10 Replies
View Related
Mar 13, 2013
I have configured a vlan interface on a 3750 switch. there is aprox 4Mb active traffic flowing through the interface, but when I do a "show interface vlan (vlanid)" the output show zero bits in and zero bits out. Its a typical L3 config with one IP on the vllan interface acting as the gateway for the VLAN devices. Is this a normal behaviur ? and if so is there any way to get the traffic in/out stats. The end PC/devices are connected to this switch via an L2 TRUNK and I dont have access to the L2 switch on which the actual devices connect. so cant get the real time stats of those interfaces.
View 2 Replies
View Related
May 22, 2013
I am attempting to filter a specific host(s) from my OSPF routiing table on a ASA 5550 (ABR) using LSA prefix lists. However, when I look at the other routers in that area, I notice that ALL LSA type-3's are being removed (10 hosts are now missing from the routing table). I have verified the filter is working on the ABR, but I can't figure why ALL hosts/routes that were coming into the area are now being filtered instead of the specific one that I want to filter out.
Here is the config on the ABR:
prefix-list pdm_pl_000 seq 10 permit 206.253.180.137/32
!
!
router ospf 1
network 10.0.0.0 255.255.255.0 area 0
network 10.150.10.0 255.255.255.0 area 10
network 10.150.252.0 255.255.255.224 area 10
[code]....
The 206.253.180.137 host is actually coming from Area '3'. Am I doing something that is removing all type-3 LSA's?
View 3 Replies
View Related
May 29, 2013
Most of our VPN connections are done with our Cisco 3030 and the internet goes out the ASA. We are able to filter all web traffic by doing a a span port for web traffic.
When we move VPN connections to the ASA we will loose the ability to span web traffic becuase its coming in and going out the same interface on the ASA. We will loose the ability to filter web traffic when this happens.
How we can filter web traffic on VPN connections on the ASA. We are using websense. I know there is some integration that can be done with the ASA and websense but it doesn't have all the capabilities as doing a span port for websense to monitor.
View 1 Replies
View Related
Feb 6, 2013
I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.
I'd like to filter inbound Internet traffic to this PIX so that only the designated ASA can attempt to establish an IPSEC connection -- in other words, I want to prevent any other device on the Internet from even being able to attempt to establish an IPSEC connection to the PIX. As far as I know (and have seen), this can't be done with an access-list on the outside interface, since that access-list doesn't apply to traffic to the PIX itself.
View 3 Replies
View Related
Nov 1, 2011
We have one SGE2000P switch that we are testing in Layer 3. We have a very simple configuration with some vlans that we want to route to our corporate network, but I want to test if there is actually traffic coming out from the up-link port first.
1- Created the vlans:
VLAN1: 10.10.1.12 /16 (native)
VLAN10: 172.16.10.1 /24
[Code].....
View 1 Replies
View Related
Mar 20, 2012
Is it possible to filter remote access VPN traffic on a PIX 501 (like you can on an ASA?)
View 1 Replies
View Related
Aug 28, 2012
VLAN MAC address filter does not seem to be working on my 4900 switch. However the same config works fine when tested on my 3750 & 3560 switches.
Since user from different VLANs requires to be blocked, Unicast MAC address filter will not be feasible solution. VACL did not work on my 4506 switch too. K
Below is the config done on 4900 switch
mac access-list extended ABCpermit host 0003.0de9.d5ea anyexit
!
vlan access-map drop-mac 10
[Code]......
View 2 Replies
View Related
Jun 21, 2012
I am unable to configure an interface using the "ip igmp filter <profile #>" command on a 2960G running 12.2(58)SE2. The switch allows me to create a profile using the "ip igmp profile <profile #>" global configuration command. It also lets me enable filtering with the global "ip igmp filter" command (which I didn't see in the documentation). But, the command is not accepted when configuring an interface. "ip igmp ?" does not even show "filter" as a valid auto-complete when in configure interface mode, and the command is rejected if I try to enter it.
I verified the command worked on a much earlier version of IOS, so it must have broken somewhere along the line. I'm wary of moving up to 15.0(1)SE. Is that a major IOS change?
View 5 Replies
View Related
Jan 23, 2011
Is it possible to configure cisco router like C3800 or catalyst switches like C4500 or C2960 to filter traffic based on allowable mac addresses only? I would like only to allow those devices that belongs to the domain, meaning if a user connects a computer or any devices that concerns network which I have not allowed the mac addresses, it will be denied access to the network. However, any of the allowable devices could able to use any port of the switch, meaning I dont want to associate an allowable Mac Address to a physical port on the switch.
View 2 Replies
View Related
