
Possible 3com VLAN issues

Status
Not open for further replies.

tyarber (IS-IT--Management)
Oct 5, 2006
The underlying problem I have is that I cannot get my web server to communicate properly outside of our LAN, and I'm starting to believe it's a VLAN issue. Actually, 3Com doesn't have an issue with VLANs; it's me ;)

I have been trying to get our company's web server up since mid-August now, and it's starting to make me look really bad. I'll try to give as much info as possible.

What is happening is that we have six 3Com SuperStack II 3300 switches. Four of these are matrixed together to form one logical switch. One is our server switch, which is port-trunked to unit 1 in the matrix stack. The other is mine.

We have 3 VLANs set up (well, 4; one I can't get rid of). VLAN 1 is the default; of course it has to be there, and all ports on all switches are members of this VLAN.

VLAN 2 is our firewall/router VLAN. Basically, our PIX is connected to unit 1 port 1, and port 1 is a member of VLAN 2.

VLAN 3 is our web server DMZ (at least it's supposed to be), where unit 1 port 23 is a member of this VLAN. Now I can give our web server an internal address and it works fine; I can connect to it and administer it (of course, it's on our LAN). But when I change the IP address to what it's supposed to be for external access as a web server, it doesn't work. Our PIX is pretty tight as far as the config goes. It hasn't changed, and the config is correct (had a CCNA dude look at it). A few months ago we added all these switches (up from 1 switch to 6 switches). I believe the VLANs aren't set right. It also might have something to do with this tagged/untagged crap that 3Com does.


If anyone can help, please tell me what you need to know. I'm sure I'm being vague right now. Just let me know, and I appreciate any help.
 
Here is the PIX 506e config if needed:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 webvlan security90
enable password encrypted
passwd encrypted
hostname firewall
domain-name pplastic.com
clock timezone EST -5
fixup protocol dns maximum-length 1535
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.40.78.136 eq ldap
access-list inbound permit tcp any host 65.40.78.136 eq 522
access-list inbound permit tcp any host 65.40.78.136 eq 1503
access-list inbound permit tcp any host 65.40.78.136 eq 1731
access-list inbound permit tcp any host 65.40.78.136 eq h323
access-list inbound permit tcp any host 65.40.78.136 eq ftp
access-list inbound permit tcp any host 65.40.78.137 eq imap4
access-list inbound permit tcp any host 65.40.78.137 eq 11111
access-list inbound permit tcp any host 65.40.78.138 eq exec
access-list inbound permit tcp any host 65.40.78.139 eq pop3
access-list inbound permit tcp any host 65.40.78.139 eq imap4
access-list inbound permit tcp any host 65.40.78.139 eq 366
access-list inbound permit tcp any host 65.40.78.139 eq https
access-list inbound permit tcp any host 65.40.78.139 eq 993
access-list inbound permit tcp any host 65.40.78.139 eq 995
access-list inbound permit tcp any host 65.40.78.139 eq 1000
access-list inbound permit tcp any host 65.40.78.139 eq 3000
access-list inbound permit tcp any host 65.40.78.139 eq 8080
access-list inbound permit tcp any host 65.40.78.139 eq 30000
access-list inbound permit tcp any host 65.40.78.139 eq 30001
access-list inbound permit tcp any host 65.40.78.139 eq smtp
access-list inbound permit tcp any host 65.40.78.140 eq www
access-list inbound permit tcp any host 65.40.78.140 eq ftp
access-list inbound permit tcp any host 65.40.78.141 eq smtp
access-list inbound permit tcp any host 65.40.78.141 eq pop3
access-list inbound permit tcp any host 65.40.78.141 eq imap4
access-list inbound permit tcp any host 65.40.78.141 eq 366
access-list inbound permit tcp any host 65.40.78.141 eq https
access-list inbound permit tcp any host 65.40.78.141 eq 993
access-list inbound permit tcp any host 65.40.78.141 eq 995
access-list inbound permit tcp any host 65.40.78.141 eq 1000
access-list inbound permit tcp any host 65.40.78.141 eq 3000
access-list inbound permit tcp any host 65.40.78.141 eq 8080
access-list inbound permit tcp any host 65.40.78.141 eq 30000
access-list inbound permit tcp any host 65.40.78.141 eq 30001
access-list webvlan permit icmp any any echo-reply
access-list outbound permit tcp host 10.0.0.12 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list split-tunnel-acl permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered debugging
logging trap debugging
logging host inside 10.0.0.53
logging host inside 10.0.0.7
logging host inside 10.0.0.17
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 65.40.78.136 255.255.255.128
ip address inside 10.0.0.1 255.255.255.0
ip address webvlan 172.19.19.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name INFOPOLICY info action alarm drop reset
ip audit name ATTACKPOLICY attack action alarm drop reset
ip audit interface outside INFOPOLICY
ip audit interface outside ATTACKPOLICY
ip audit interface inside INFOPOLICY
ip audit interface inside ATTACKPOLICY
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip local pool vpnpool1 192.168.99.100-192.168.99.250
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (webvlan) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.40.78.137 11111 10.0.0.15 telnet netmask 255.255.255.255 0 0
static (webvlan,outside) 65.40.78.140 172.19.19.2 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.17 10.0.0.17 netmask 255.255.255.255 0 0
static (inside,outside) 65.40.78.139 10.0.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 65.40.78.141 10.0.0.11 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.7 10.0.0.7 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.40.78.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 207.46.130.100 source outside
http server enable
http 10.0.0.50 255.255.255.255 inside
http 10.0.0.9 255.255.255.255 inside
http 10.0.0.46 255.255.255.255 inside
http 10.0.0.19 255.255.255.255 inside
http 10.0.0.53 255.255.255.255 inside
http 10.0.0.7 255.255.255.255 inside
http 10.0.0.17 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn_policy1 esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set vpn_policy1
crypto map vpn_map1 40 ipsec-isakmp dynamic dynmap
crypto map vpn_map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup precision address-pool vpnpool1
vpngroup precision dns-server 10.0.0.2
vpngroup precision wins-server 10.0.0.2
vpngroup precision default-domain ppipdc01.com
vpngroup precision split-tunnel split-tunnel-acl
vpngroup precision idle-time 1800
vpngroup precision password
vpngroup ens address-pool vpnpool1
vpngroup ens dns-server 10.0.0.2
vpngroup ens wins-server 10.0.0.2
vpngroup ens default-domain pplastic.com
vpngroup ens split-tunnel split-tunnel-acl
vpngroup ens idle-time 1800
vpngroup ens password
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 webvlan
telnet timeout 30
ssh 66.249.227.16 255.255.255.240 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 30
terminal width 80
 
A VLAN is like a private circuit. So VLANs can't talk to one another unless you use a router or layer 3 device. If you don't need to segregate your traffic, then leave all the ports in VLAN 1. Otherwise you have to define routing in some fashion for them to talk to one another.

Hope this helps!

....JIM....
 
Thanks Jim for showing interest. Everything you have mentioned I clearly understand. There is something that isn't happening here, though. I should be able to type in and see our web page, but I don't. As far as my knowledge goes, everything is set up right. I was hoping someone with a lot more experience than me would be able to lead me in a certain direction as to what to do here.

So far I can give the web server a local private IP address and connect to it and manage it like I should be able to.

When I change the IP from a private inside one to the IP that the PIX routes out to the real world, it doesn't work. 172.19.19.2 is what the web server IP should be set to. The PIX translates that to 65.40.78.140, which is one of many ISP-assigned IP addresses.

According to the PIX, we have it set up so only a couple of internal static IPs can communicate with the web server when it's set up right. If someone looks at the PIX config and knows Cisco configs well enough, they can see that.

Furthermore, all DNS A records I have set up on the Web Server point to itself, which it should.

I'm lost as to what to do really; I can only google so much.
 
I hope I am not stating the obvious, but your PIX is configured for 802.1Q trunking on the ethernet1 interface. The native (or untagged) VLAN is configured as well as a logical VLAN (tagged) interface:

interface ethernet1 vlan10 logical

You have used VLAN 10 on the PIX, but you have VLAN 3 on the 3300 switch, so the 802.1Q tags won't line up on the 802.1Q trunk link between the PIX and the 3300. My suggestion would be to remove VLAN 3 on the 3300 and add VLAN 10, then make the port on the 3300 that connects to the PIX ethernet1 interface have the untagged VLAN set to 2 and add on the tagged VLAN 10.

HTH

Andy
 
When I said VLAN 3, I meant the third in my list. That VLAN is actually called VLAN 10 on the switch, and port 23 is assigned to it. VLAN 2 has port 1 assigned to it (that's the PIX). VLAN 2 also has port 23 assigned to it as well (I'm not too sure if this is set up right)...

when I look at the configuration, it says this:

VLAN 10

VLAN Members: Unit1 Port23, 802.1Q

VLAN 2

VLAN Members: Unit1 Port1, 802.1Q <---PIX
Unit1 Port23, 802.1Q


Hey Andy, could you please explain your suggestion a little more? Appreciate your help, BTW.
 
Anyone else who can help is needed...
 
The port the server is connected to should be an untagged member of VLAN 10, since it's the only member on that port. If you can define 802.1Q interfaces on your server, your current setup should work.

Have Fun! [afro2]
 
Should port 23 be a tagged member of VLAN2 ?
 
Ok what I have done is re-did VLAN10 a little:

VLAN 10:

VLAN members Unit 1 Port 23 <--- Untagged (webserver)

VLAN 2:

VLAN Members Unit 1 Port 1, 802.1Q <--- PIX



IRudebwoy, sorry to ask a stupid question, but what do you mean by defining 802.1Q interfaces on my web server? I thought the only place I even need to worry about this stuff is on the 3Com and the routers that route the traffic. As long as the network interface on the server is set up right (IP address, gateway, A records, DNS...), the server should be OK, right?
 
On some OSes you can define an 802.1Q (tagged) interface just like on a switch, usually Linux (almost every NIC) and Windows (with the right NIC and driver). It seems promising, but I've never found a need to set one up (Linux servers, BTW).

I think I may have mixed up your VLANs. The web server should be an untagged member of VLAN 2 (the 172.19.19.0/24 segment), not VLAN 10 (the 65.40.78.128/25 segment). Sorry 'bout that.

Can you ping 172.19.19.1 from your internal hosts? From the webserver?



 
OK, I set the VLANs up right.


VLAN 2:

VLAN Members - Unit 1 Port 1, 802.1Q <--- PIX
Unit 1 Port 23 <--- Webserver


VLAN 10:

VLAN Members - Unit 1 Port 23, 802.1Q <--- Webserver

-------------------

I still can't access the web server, and I still can't ping the server from the designated internal host. As for pinging out from the web server, I can't physically hook up a monitor, mouse or keyboard (it's a RaQ 4 Cobalt server). And it's all Linux, Red Hat 7.2 I think. Well, anyway, I know NOTHING about Linux, let alone getting it to ping via CLI using telnet or something :0...

Now if I set up the web server with an internal IP on our LAN, it's all good.
 
Can you ping the 172.19.19.1 interface of the firewall from your internal hosts? If you can't, then you probably won't reach anything on the 172.19.19.0/24 network segment.

Remove Unit 1 Port 23 from VLAN 10. The only interfaces that should be on VLAN 10 should be the internet router and the outside interface of the firewall.

Can you explain these statements? I can interpret them, but I need to know what you think they do. To me, they are suspect.

static (inside,webvlan) 10.0.0.17 10.0.0.17 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.7 10.0.0.7 netmask 255.255.255.255 0 0

Shouldn't it be more like this?

static (inside,webvlan) 172.19.19.2 10.0.0.1 netmask 255.255.255.255 0 0

Have Fun! [afro2]
 
I'm hoping those entries are telling the router that the only IP addresses internally that can connect directly to the webvlan (and manage it) are those 2 IP addresses.
Everyone else wanting to see the web page would have to type in (which translates to 65.40.78.140). Those two IP addresses are mine and my boss's :) We really don't want anyone else internally connecting to the web server and being able to manage it. Another thing is that I put those entries in the config. Before I did that, the IP addresses were just different (10.0.0.46); I just changed my PC to static, so I wanted that to reflect on the PIX. Before, it said:

static (inside,webvlan) 10.0.0.46 10.0.0.46 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.45 10.0.0.45 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.53 10.0.0.53 netmask 255.255.255.255 0 0

I took those out and added:

static (inside,webvlan) 10.0.0.17 10.0.0.17 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.7 10.0.0.7 netmask 255.255.255.255 0 0


Thanks for your help btw
 
Can you ping the webserver from the firewall?

To help you troubleshoot, put another host (with a keyboard and monitor) on the same VLAN as the webserver to rule out VLAN issues. Personally, I think it is a firewall/routing issue.

As for allowing or denying access you really should use access lists instead of static routes. That's what ACLs are for.

Have Fun [afro2]
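The exchange above about the `static (inside,webvlan)` lines, and the poster's reply explaining that they are meant to let only two inside hosts reach the webvlan, both turn on how a PIX 6.x decides whether a packet between two interfaces has a translation at all. The model below is an added example written for this thread, not code from the thread, from Cisco, or from 3Com. It parses the `nameif`, `global`, `nat` and `static` lines quoted from the posted config and applies the simplified rule that a static is consulted first and that otherwise a `nat` on the source interface needs a matching `global` on the destination interface, or the packet gets no translation. Assumptions: only host statics (netmask 255.255.255.255) are modelled, the `nat (inside) 0 access-list nonat` VPN exemption is ignored, and the port-level `static ... tcp` line is parsed but not matched by port.

```python
"""Simplified model of PIX 6.x translation lookup: statics first, then nat/global.

Added example (not from the thread, Cisco or 3Com). Assumptions: host statics
only, `nat 0 access-list` ignored, ports on `static ... tcp` lines not matched.
"""

# Subset of the config posted in the thread (constructed input for the model).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 webvlan security90
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (webvlan) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.40.78.137 11111 10.0.0.15 telnet netmask 255.255.255.255 0 0
static (webvlan,outside) 65.40.78.140 172.19.19.2 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.17 10.0.0.17 netmask 255.255.255.255 0 0
static (inside,outside) 65.40.78.139 10.0.0.12 netmask 255.255.255.255 0 0
static (inside,outside) 65.40.78.141 10.0.0.11 netmask 255.255.255.255 0 0
static (inside,webvlan) 10.0.0.7 10.0.0.7 netmask 255.255.255.255 0 0
"""


def parse(config):
    """Collect security levels, global pools, nat ids and static entries."""
    cfg = {"security": {}, "globals": set(), "nat": [], "static": []}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "nameif":
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "global":
            cfg["globals"].add((t[1].strip("()"), int(t[2])))
        elif t[0] == "nat" and t[2] != "0":          # id 0 = nat exemption, ignored
            cfg["nat"].append((t[1].strip("()"), int(t[2])))
        elif t[0] == "static":
            # Cisco syntax: static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port]
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):
                cfg["static"].append(dict(real_if=real_if, mapped_if=mapped_if,
                                          mapped=t[3], real=t[5], proto=t[2]))
            else:
                cfg["static"].append(dict(real_if=real_if, mapped_if=mapped_if,
                                          mapped=t[2], real=t[3], proto=None))
    return cfg


def translation(cfg, src_if, dst_if, src_ip):
    """Address src_ip appears as on dst_if, or None for 'no translation group'."""
    for s in cfg["static"]:
        if s["proto"] is None and \
           (s["real_if"], s["mapped_if"], s["real"]) == (src_if, dst_if, src_ip):
            return ("static", s["mapped"])
    for nat_if, nat_id in cfg["nat"]:
        if nat_if == src_if and (dst_if, nat_id) in cfg["globals"]:
            return ("dynamic", f"global ({dst_if}) {nat_id}")
    return None


def untranslate(cfg, mapped_if, real_if, mapped_ip):
    """Inbound direction: which real address does mapped_ip lead to on real_if?"""
    for s in cfg["static"]:
        if (s["real_if"], s["mapped_if"], s["mapped"]) == (real_if, mapped_if, mapped_ip):
            return s["real"]
    return None


def allowed_without_acl(cfg, src_if, dst_if):
    """Connections from a higher security level to a lower one pass without an
    access-list; the reverse direction needs one applied with access-group."""
    return cfg["security"][src_if] > cfg["security"][dst_if]


if __name__ == "__main__":
    cfg = parse(PIX_CONFIG)
    for src_if, dst_if, ip in (("inside", "webvlan", "10.0.0.17"),
                               ("inside", "webvlan", "10.0.0.46"),
                               ("inside", "outside", "10.0.0.46"),
                               ("webvlan", "outside", "172.19.19.2")):
        print(f"{src_if}->{dst_if} {ip}: {translation(cfg, src_if, dst_if, ip)}")
    print("outside 65.40.78.140 ->", untranslate(cfg, "outside", "webvlan", "65.40.78.140"))
    print("webvlan may initiate to inside without ACL:",
          allowed_without_acl(cfg, "webvlan", "inside"))
```

Under these assumptions the model agrees with the poster's intent: 10.0.0.17 and 10.0.0.7 get identity translations toward the webvlan, while any other inside host has `nat (inside) 1` but no `global (webvlan) 1` and therefore no translation in that direction. It also shows the two security-level facts a reviewer of this config would check: inside (100) may open connections to webvlan (90) once a translation exists, whereas the web server on webvlan cannot open connections toward inside unless an access-list is applied to the webvlan interface, and the posted config defines `access-list webvlan` but has no `access-group` line applying it.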
 
Umm, no, I can't ping the web server from the firewall. Of course I can ping the .1 interface, but not the web server.

I have done the host thing, with no luck. Wasn't able to do anything with the host plugged in either.
 
Change the vlan assignment of the webvlan on the PIX from VLAN10 to VLAN2 to match the untagged port of the webserver.

I think that should do it.

Have Fun! [afro2]
 
So change:

interface ethernet1 vlan10 logical

nameif vlan10 webvlan security90

except replace vlan10 with vlan2, and voilà, it's all good?

I thought if I had the switches set back up right to reflect the PIX, then all would be OK. Guess not :(...

Thanks IRude, I'll let you know.
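Andy's point that the 802.1Q tags on the PIX logical interface and on the 3300 have to line up, and the final advice to move the PIX `webvlan` to vlan2 so it matches the VLAN in which port 23 is untagged, can be checked mechanically. The script below is an added example written for this thread (not code from the thread, from 3Com or from Cisco). It applies textbook 802.1Q rules to the membership tables the poster listed: a port accepts a tagged frame only if it is a tagged member of that VLAN, an untagged frame is classified into the port's single untagged VLAN (its PVID), and a NIC without 802.1Q support drops tagged frames. It is assumed that the SuperStack II 3300 classifies frames that way; the port names and VLAN numbers are the ones quoted above, and VLAN 1 is filled in as the default VLAN the poster says every port belongs to.

```python
"""802.1Q path check between the PIX trunk port and the web server port.

Added example, not from the thread or from 3Com/Cisco. Assumes standard
802.1Q port semantics (one untagged VLAN per port, tagged frames accepted
only on tagged member ports, plain NICs drop tagged frames).
"""

PIX_PORT = "Unit1 Port1"      # PIX ethernet1 trunk lands here
SERVER_PORT = "Unit1 Port23"  # the RaQ web server


class Switch:
    """vlans: {vlan_id: {port: 'tagged' | 'untagged'}}"""

    def __init__(self, vlans):
        self.vlans = vlans

    def pvid(self, port):
        """VLAN that untagged frames arriving on `port` are placed in."""
        for vid, ports in self.vlans.items():
            if ports.get(port) == "untagged":
                return vid
        return None

    def mode(self, port, vid):
        """'tagged', 'untagged' or None if the port is not in the VLAN."""
        return self.vlans.get(vid, {}).get(port)


def check_path(switch, pix_port, pix_vlan, server_port):
    """Problems (empty list = works) for a PIX logical interface tagged
    `pix_vlan` talking to a server whose NIC does not understand tags."""
    problems = []
    # PIX -> server: the PIX emits frames carrying tag pix_vlan on pix_port
    if switch.mode(pix_port, pix_vlan) != "tagged":
        problems.append(f"{pix_port} is not a tagged member of VLAN {pix_vlan}: "
                        "frames from the PIX logical interface are dropped on ingress")
    else:
        out = switch.mode(server_port, pix_vlan)
        if out is None:
            problems.append(f"{server_port} is not in VLAN {pix_vlan}: nothing reaches the server")
        elif out == "tagged":
            problems.append(f"{server_port} delivers VLAN {pix_vlan} tagged: a plain NIC drops it")
    # server -> PIX: the server emits untagged frames, classified by PVID
    pvid = switch.pvid(server_port)
    if pvid != pix_vlan:
        problems.append(f"untagged frames from {server_port} land in VLAN {pvid}, "
                        f"not VLAN {pix_vlan}: replies never reach the PIX")
    elif switch.mode(pix_port, pvid) != "tagged":
        problems.append(f"{pix_port} does not send VLAN {pvid} tagged: "
                        "the PIX logical interface cannot classify the replies")
    return problems


# Switch states described in the thread (constructed from the listings).
ORIGINAL = Switch({        # first listing: port 23 tagged in both 2 and 10
    1: {PIX_PORT: "untagged", SERVER_PORT: "untagged"},
    2: {PIX_PORT: "tagged", SERVER_PORT: "tagged"},
    10: {SERVER_PORT: "tagged"},
})
INTERMEDIATE = Switch({    # second listing: port 23 untagged in 10 only
    1: {PIX_PORT: "untagged"},
    2: {PIX_PORT: "tagged"},
    10: {SERVER_PORT: "untagged"},
})
REVISED = Switch({         # third listing: port 23 untagged in 2, tagged in 10
    1: {PIX_PORT: "untagged"},
    2: {PIX_PORT: "tagged", SERVER_PORT: "untagged"},
    10: {SERVER_PORT: "tagged"},
})

if __name__ == "__main__":
    for label, sw, vid in (("original, PIX vlan10", ORIGINAL, 10),
                           ("intermediate, PIX vlan10", INTERMEDIATE, 10),
                           ("revised, PIX vlan10", REVISED, 10),
                           ("revised, PIX vlan2", REVISED, 2)):
        result = check_path(sw, PIX_PORT, vid, SERVER_PORT) or ["OK"]
        print(label + ":", *result, sep="\n  ")
```

Every state with the PIX on vlan10 fails on the same check Andy described: port 1 is never a tagged member of VLAN 10, so the PIX's tagged frames are discarded at the switch before the server port is even considered. The revised table with the PIX moved to vlan2 passes in both directions, which is the combination the last reply recommends; the equivalent fix that keeps vlan10 on the PIX (port 1 tagged in VLAN 10, port 23 untagged in VLAN 10) passes as well.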
 