(Redefined the question to match actual LAN topology...)
I have a new Cisco ASA-5512-X firewall, which is going into an existing network stack to separate some specific client servers from the rest of our LAN (i.e. not as the edge device).
The existing LAN infrastructure already has a Data VLAN (where the normal network nodes live), a Management VLAN (where the sysadmins desktops and backup devices live) and a Devices VLAN (where all the 'remote management' interfaces for all the network devices and servers live). The VLANs are all firewalled by the core firewall, with security-level
statements to allow the sysadmins/backup server to access both the Data and Devices VLANs, while preventing the Data and Devices VLANs from talking to each other.
Below is an attempted diagram to explain the current setup.
213.48.xx.xx ( MGT_VLAN Gi0/1.10 sec 100 )
| ____( DVCS_VLAN Gi0/1.12 sec 80 )
| / ( DATA_VLAN Gi0/1.100 sec 80 )
| /
+------------------------[Core F/W]------------------------+
| | |
172.31.0.10 172.31.255.10 172.31.100.10
| | |
-------------------------------------------------------------------------------------
MgtVLAN#10:172.31.0.0/24 | DvcsVLAN#12:172.31.255.0/24 | DataVLAN#100:172.31.100.0/23
-------------------------------------------------------------------------------------
| | | | | \ \ \
[SysAdmins] 172.31.255.136 172.31.100.252 [LAN Clients]
| |
+------------[New ASA]
|
172.31.250.10
|
-----------------------------------------
SecretLAN:172.31.250.0/24 [L2 Switching]
-----------------------------------------
| | |
[Secret Servers]
In keeping with the current LAN, I would like to specify the Management0/0
interface on the new ASA to live within the Devices VLAN, so it can only be accessed by Telnet/SSH/ADSM via an address in that VLAN's subnet. Ma0/0
has management-only
enforced, preventing through traffic. It can't be removed from the new 5512-X model and I can't use one of the other interfaces, because the IPS component of the new ASA (the very reason we have to do this) is only accessible via Ma0/0
.
If I plug a sysadmin desktop into an access-port for the Devices VLAN, I can access the management interface of the new ASA. However, a sysadmin desktop in its normal home in VLAN10 cannot, even though the security-level
on the core firewall should permit this.
I believe I have narrowed it down to a basic routing issue: the new ASA is configured with route OUTSIDE 0.0.0.0 0.0.0.0 172.31.100.10
(i.e. the default gateway is the address of the core firewall's Data VLAN subinterface), and Ma0/0
is configured with ip address 172.31.255.136 255.255.255.0
(firmly in the Devices VLAN subnet). The new ASA will accept a management connection from the Management VLAN (172.31.0.0/24) but cannot send the reply because it tries to route back through the OUTSIDE interface.
I cannot add route MANAGEMENT 172.31.0.0 255.255.255.0 172.31.255.10
, however, because that will surely cause the backup server's traffic (also on a 172.31.0.0/24 address) to mis-route via the MANAGEMENT interface (a 100Mbps NIC) instead of the OUTSIDE (a 1Gbps NIC).
Can I get the Ma0/0
interface working in this fashion? Or would I have to put in a terminal on the Devices VLAN and use it as a double-hop from my Management VLAN (e.g. by SSH remote port forwarding; or telnet to one, then telnet to the other)?
There are two ways you can do this.
The preferred method will depend on how many machines in the SysAdmin VLAN need direct access to servers behind the firewall. The easiest solution is to manage the firewall from the Outside interface and disable the MA0/0 interface if your local policy will allow this.