How to make this routing work

  • How to make this routing work

    Currently we have the DMZ ACL in the ASA firewall. One interface that was assigned as DMZ was connected to the core switch and within a VLAN. The server that was untagged to this DMZ VLAN has the DMZ ACL applied to its inbound/outbound traffic. This was a quite simple setup.

    The issue I am facing now is: we are going to move the ASA firewall to the colo rack but the servers will stay in the central office. I am afraid this will not work.

    Currently....
    ASA 172.16.1.1
    DMZ - 10.254.254.0/24
    |
    Core switch 172.16.1.2
    VLAN for DMZ server (10.254.254.0/24)

    The ip route routes 10.254.254.0/24 over to the ASA. So the ASA DMZ interface receives the traffic, applies the ACL, and the traffic then gets to the DMZ VLAN to reach the server.

    Here is part of the new MPLS network.....
    (Colo)
    ASA 172.16.100.1
    DMZ - 10.254.254.0/24
    |
    router1
    ||
    MPLS
    ||
    router2
    |
    Core switch 172.16.1.2
    VLAN for DMZ server (10.254.254.0/24)

    As you can see, the ASA and core switch are not in the same subnet any more. How can I make the DMZ work? I don't know how to write the ip route. Perhaps it just won't work this way. Perhaps I will have to just create the ACL within the core switch.

    Any thoughts are appreciated.

  • #2
    Re: How to make this routing work

    You may be able to use a GRE tunnel.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: How to make this routing work

      Great to hear this option. Thanks a lot. I am not familiar with GRE tunnels. Could you tell me more about it?



      • #4
        Re: How to make this routing work

        Basically it's a tunnel between the two endpoints; actually it's a VPN but without the IPsec. It's transparent to the transit devices. The only thing they will see is GRE traffic (protocol 47) between the two endpoints. The two endpoints will see themselves as directly connected. Most of the tunnels I have done have been on routers so I'm not sure how it works with the ASA side. As long as you have routes to the endpoints the tunnel will come up.


        int tunnel 0
         ip address x.x.x.x x.x.x.x
         ! source can be a physical interface name or the local endpoint IP
         tunnel source (interface or ip address)
         ! destination is the remote endpoint IP only (no mask)
         tunnel destination x.x.x.x

        The default tunnel mode is GRE. There will be some additional overhead for the GRE traffic.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

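        The post above describes what a GRE tunnel looks like on the wire: transit routers see only IP protocol 47 between the two endpoints, and the inner packet rides inside with some extra header bytes. The following is an added illustration written for this thread, not code from any poster or from Cisco: it builds the outer IPv4 + GRE header around a constructed inner packet the way a basic `tunnel mode gre ip` endpoint would, shows the fields a transit device actually uses, recovers the inner packet, and computes the overhead. The tunnel endpoint addresses reuse the thread's 172.16.100.1 and 172.16.1.2 purely as placeholders; the DMZ server packet is a constructed sample.

```python
"""GRE-over-IPv4 encapsulation, as seen by transit devices (added example)."""
import struct
import ipaddress

GRE_PROTOCOL = 47          # IP protocol number a transit router sees for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" field for an inner IPv4 packet
IPV4_HEADER_LEN = 20
GRE_BASE_HEADER_LEN = 4    # flags/version (2 bytes) + protocol type (2 bytes), no key/seq
GRE_OVERHEAD = IPV4_HEADER_LEN + GRE_BASE_HEADER_LEN   # 24 bytes per encapsulated packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 when verifying a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a plain IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                       # version 4, IHL 5 (20-byte header)
        0,                                  # DSCP/ECN
        IPV4_HEADER_LEN + len(payload),     # total length
        0,                                  # identification
        0,                                  # flags / fragment offset
        ttl,
        proto,
        0,                                  # checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    cksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", cksum) + header[12:] + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a basic GRE header (no C/K/S bits, version 0)
    inside an outer IPv4 packet addressed between the two tunnel endpoints."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers and return the inner packet.
    Raises ValueError for anything that is not basic GRE carrying IPv4."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != GRE_PROTOCOL:
        raise ValueError("not GRE (IP protocol %d)" % outer_packet[9])
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + GRE_BASE_HEADER_LEN])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:     # C, K or S bit set, or non-IPv4 payload
        raise ValueError("unsupported GRE header flags=0x%04x ptype=0x%04x" % (flags, ptype))
    return outer_packet[ihl + GRE_BASE_HEADER_LEN:]


def what_transit_sees(outer_packet: bytes) -> dict:
    """The only fields an MPLS/transit router forwards on: outer addresses and protocol."""
    return {
        "src": str(ipaddress.IPv4Address(outer_packet[12:16])),
        "dst": str(ipaddress.IPv4Address(outer_packet[16:20])),
        "proto": outer_packet[9],
        "total_len": struct.unpack("!H", outer_packet[2:4])[0],
    }


def tunnel_ip_mtu(link_mtu: int = 1500) -> int:
    """Largest inner packet that fits the link MTU without fragmenting the outer packet."""
    return link_mtu - GRE_OVERHEAD


# Constructed sample: a DMZ server packet (10.254.254.10 -> 10.254.254.1, TCP, dummy payload)
# encapsulated from the core-switch side (172.16.1.2) toward the colo side (172.16.100.1).
INNER = build_ipv4("10.254.254.10", "10.254.254.1", 6, b"cleartext payload")
OUTER = gre_encapsulate(INNER, "172.16.1.2", "172.16.100.1")

if __name__ == "__main__":
    print(what_transit_sees(OUTER))
    print("inner recovered:", gre_decapsulate(OUTER) == INNER)
    print("GRE overhead:", len(OUTER) - len(INNER), "bytes; usable tunnel IP MTU:", tunnel_ip_mtu())
```

        Two practical points fall out of this. The inner packet appears byte-for-byte inside the outer one, which is what "a VPN but without the IPsec" means: anyone on the MPLS path who can capture protocol 47 can read the DMZ traffic, so if the provider path is not trusted the GRE tunnel needs an IPsec profile on top. And the 24 bytes of overhead mean a 1500-byte link carries at most 1476 bytes of inner packet before the outer packet has to fragment, which is why tunnel interfaces are normally given a reduced `ip mtu`.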


        • #5
          Re: How to make this routing work

          Hmm, after doing some research I don't think the ASA can terminate a GRE tunnel, so I believe that option is out.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: How to make this routing work

            Appreciate you spending time testing. Maybe I should just move the DMZ ACL from the ASA to the core switch if that's the only way.
