Routing issue

I'm trying to bypass the ASA as seen in the image. By changing the default route on the switch to 10.20.145.8 and configuring NAT on the router all 10.20.145.0 traffic successfully translates and can connect to the internet. No other VLANs can even ping 10.20.145.8, but they can ping and connect to 10.20.145.5 (DSL router) and 10.20.145.2 (ASA). I'm getting a huge headache trying to figure out why they can't connect to 10.20.145.8. Right now the port from the 4503 to the 2800 router is on vlan 145, so I figured I'd make it a trunk. By doing that no devices can ping 10.20.145.8, not even devices on the 145 VLAN. Also, the ports connected to the DSL router and ASA are on VLAN 145 but other devices connect (because of L3 switching) so why can any VLANs other than 145 connect to 10.20.145.8?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dtlokee

Why on earth are you trying to intentionally bypass a firewall and connect your core network to the Internet? It's seriouly foolish.

ITdude

dtlokee wrote:

Why on earth are you trying to intentionally bypass a firewall and connect your core network to the Internet? It's seriouly foolish.

I was kinda wondering that myself!

flares2

Foolish yes, but for a purpose. The ASA is getting replaced by a Sonicwall. Timing got screwed up somewhere and the ASA will be on it's way out very soon to another company that purchased it and we need to maintain connectivity until the Sonicwall is here. On a good note, we have two physically separate networks and this is the much smaller and less important of them.
I know it doesn't make sense and I should tell my boss that there's other ways around, etc etc. But my boss is a very single minded person, I've found it's much easier to just get things running his way (regardless of how stupid they may be) than to argue and justify my ideas for weeks and months, just to do it his way in the end anyway.

dtlokee

Tell him I have put up honeypots on an external network that are attacked within MINUTES, not days, weeks or years, but minutes.

You need something that can open and close connections securely. Is the edge router running a security IOS?

tiersten

flares2 wrote:

Foolish yes, but for a purpose. The ASA is getting replaced by a Sonicwall. Timing got screwed up somewhere and the ASA will be on it's way out very soon to another company that purchased it and we need to maintain connectivity until the Sonicwall is here. On a good note, we have two physically separate networks and this is the much smaller and less important of them.
I know it doesn't make sense and I should tell my boss that there's other ways around, etc etc. But my boss is a very single minded person, I've found it's much easier to just get things running his way (regardless of how stupid they may be) than to argue and justify my ideas for weeks and months, just to do it his way in the end anyway.

Find an old PC somewhere. Put two NICs into it. Install IPCOP or whatever until you get your Sonicwall installed.

shednik

tiersten wrote:

Find an old PC somewhere. Put two NICs into it. Install IPCOP or whatever until you get your Sonicwall installed.

Best option for you if you have nothing else in the mean time i would never leave a network open like that, as DT pointed out it doesn't take long to get hit!