topic Re: Unable to Access Some IP's from Outside Network in Network Security

Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Wed, 09 Dec 2020 15:12:54 GMT

Dear All,

I am facing one strange issue with the Network. I am unable to access some specific range of IP's from outside network of CISCO ASA-5506. Below are ten ip routes configured . I could access all the IP's except 10.1.1.0.. Access rule for all the Host' are same. There is no any difference in the access rule configuration.

route INSIDE_L3 10.1.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.3.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.5.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.7.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.9.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.23.1.0 255.255.255.0 10.24.0.254 1

Can you all please analyze the issue and let me know the Workaround.

Re: Unable to Access Some IP's from Outside Network

balaji.bandi — Wed, 09 Dec 2020 15:20:44 GMT

Do you have NAT ? or post complete config

Re: Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Wed, 09 Dec 2020 16:26:12 GMT

Dont have NAT...

!
interface GigabitEthernet1/1
description Connectivity to DCS Inside Netwrok / CMNESW02Y Port 3 [10.24.0.251]
speed 100
duplex full
nameif INSIDE_L3
security-level 100
ip address 10.24.0.231 255.255.248.0 standby 10.24.0.232
!
interface GigabitEthernet1/2
speed 100
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
description Connectivity to PGIM Network + HWOPC Server
speed 100
duplex full
nameif FWDMZ
security-level 50
ip address 192.168.220.231 255.255.255.0 standby 192.168.220.232
!
interface GigabitEthernet1/4
description Connectivity to Corporate Network
speed 100
duplex full
nameif FWOUT-BUSINESS-LAN
security-level 0
ip address 192.168.116.231 255.255.255.0
!
interface GigabitEthernet1/5
description ALMS Core server connectivity interface
shutdown
nameif FWDMZ_ALMS
security-level 50
ip address 172.20.1.231 255.255.255.0
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description LAN/STATE Failover Interface
!
interface Management1/1
description Management port
management-only
nameif Managment
security-level 100
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.10
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name www.cisco.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network L3.5_OPCSRV01_P
host 192.168.220.30
description 255.255.255.0
object network L2_U01SRV01A
host 10.1.1.1
description UNIT1- Primary Experion Server
object network L2_U01SRV01B
host 10.1.1.2
description UNIT1- Secondary Experion Server
object network L2_U02SRV01A
host 10.1.1.101
description UNIT2- Primary Experion Server
object network L2_U02SRV01B
host 10.1.1.102
description UNIT2- Secondary Experion Server
object network L2_U03SRV01A
host 10.3.1.1
description UNIT3- Primary Experion Server
object network L2_U03SRV01B
host 10.3.1.2
description UNIT3- Secondary Experion Server
object network L2_U04SRV01A
host 10.3.1.101
description UNIT4- Primary Experion Server
object network L2_U04SRV01B
host 10.3.1.102
description UNIT4- Secondary Experion Server
object network L2_U05SRV01A
host 10.5.1.1
description UNIT5- Primary Experion Server
object network L2_U05SRV01B
host 10.5.1.2
description UNIT5- Secondary Experion Server
object network L2_U06SRV01A
host 10.5.1.101
description UNIT6- Primary Experion Server
object network L2_U06SRV01B
host 10.5.1.102
description UNIT6- Secondary Experion Server
object network L2_ELESRV01A
host 10.7.1.1
description ELECTRICAL- Primary Experion Server
object network L2_ELESRV01B
host 10.7.1.2
description ELECTRICAL -Secondary Experion Server
object network L2_BOPSRV01A
host 10.9.1.1
description BOP-P-Primary Experion Server
object network L2_BOPSRV01B
host 10.9.1.2
description BOP-P-Secondary Experion Server
object network L2_BOPSRV02A
host 10.9.1.101
description BOP-D-Primary Experion Server
object network L2_BOPSRV02B
host 10.9.1.102
description BOP-D-Secondary Experion Server
object service TCP_9876
service tcp destination eq 9876
description Acronics backup Components
object service TCP_22
service tcp destination eq ssh
description SFTP
object service TCP_123
service tcp destination eq 123
description Time_sync
object service UDP_123
service udp destination eq ntp
description Time sync_UDP
object service TCP_80
service tcp destination eq www
description HTTP
object service TCP_8081
service tcp destination eq 8081
object service TCP_8443
service tcp destination eq 8443
object service TCP_8444
service tcp destination eq 8444
object service TCP_443
service tcp destination eq https
object service TCP_445
service tcp destination eq 445
object service UDP_8082
service udp destination eq 8082
object network L3_AVSRV01
host 10.23.1.2
description ePO Server at Level 3
object network L3_EBRSRV01
host 10.23.1.3
description EBR manager
object network L3.5_OPCSRV01_S
host 192.168.220.31
description OPC Server backup interface port
object network L3_DMNSRV01A
host 10.23.1.4
description Additional Domain controller
object network L3_DMNSRV01B
host 10.23.1.5
description Root Domain controller
object service UDP_2911
service udp destination eq 2911
object service TCP_50001-50004
service tcp destination range 50001 50004
object network L3_DYNDESRV
host 10.23.1.6
description ALMS Server
object network L3_DYNMRSRV
host 10.23.1.7
description ALMS Server
object network L3.5_DYNCORSRV
host 192.168.116.232
description Core ALMS Server
object service TCP_449
service tcp destination eq 449
description Https
object network ABB_OGC200_ABB_192.168.220.32
host 192.168.220.32
description ABB_OGC200_Matricon scanner to fetch logs from OPC Server
object network L4_ALMS_Client1
host 192.168.116.208
description ALMS Client from Corporate NW access Dynamo Core server
object network L4_ALMS_Client2
host 192.168.112.209
description ALMS Client from Corporate NW access Dynamo Core server
object network L4_ALMS_Client3
host 192.168.112.210
description ALMS Client from Corporate NW access Dynamo Core server
object-group network DM_INLINE_NETWORK_2
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group service EBR
service-object object TCP_22
service-object object TCP_9876
object-group service AV_Deloyement
service-object object TCP_443
service-object object TCP_445
service-object object TCP_80
service-object object TCP_8081
service-object object TCP_8443
service-object object TCP_8444
service-object object UDP_8082
object-group network DM_INLINE_NETWORK_1
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group service OPC_and_EPKS_Comm
service-object object TCP_50001-50004
service-object object UDP_2911
object-group network EPKS_SERVERs_Grp
network-object object L2_BOPSRV01A
network-object object L2_BOPSRV01B
network-object object L2_BOPSRV02A
network-object object L2_BOPSRV02B
network-object object L2_ELESRV01A
network-object object L2_ELESRV01B
network-object object L2_U01SRV01A
network-object object L2_U01SRV01B
network-object object L2_U02SRV01A
network-object object L2_U02SRV01B
network-object object L2_U03SRV01A
network-object object L2_U03SRV01B
network-object object L2_U04SRV01A
network-object object L2_U04SRV01B
network-object object L2_U05SRV01A
network-object object L2_U05SRV01B
network-object object L2_U06SRV01A
network-object object L2_U06SRV01B
object-group network DM_INLINE_NETWORK_3
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group network DM_INLINE_NETWORK_4
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group network DM_INLINE_NETWORK_5
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group network DM_INLINE_NETWORK_6
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group network DM_INLINE_NETWORK_7
network-object object L3_DMNSRV01A
network-object object L3_DMNSRV01B
object-group network DM_INLINE_NETWORK_8
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group network DM_INLINE_NETWORK_10
network-object object L3_DMNSRV01A
network-object object L3_DMNSRV01B
object-group network DM_INLINE_NETWORK_9
network-object object L3.5_OPCSRV01_P
network-object object L3.5_OPCSRV01_S
object-group service DM_INLINE_SERVICE_1
service-object icmp
group-object EBR
object-group service DM_INLINE_SERVICE_2
service-object icmp
group-object AV_Deloyement
object-group service DM_INLINE_SERVICE_3
service-object icmp
group-object OPC_and_EPKS_Comm
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object object TCP_123
object-group service DM_INLINE_SERVICE_5
service-object icmp
group-object OPC_and_EPKS_Comm
object-group service DM_INLINE_SERVICE_6
service-object icmp
group-object AV_Deloyement
object-group service DM_INLINE_SERVICE_7
service-object icmp
group-object EBR
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object object TCP_123
object-group network L4_ALMS_Client_Grp
network-object object L4_ALMS_Client2
network-object object L4_ALMS_Client3
network-object object L4_ALMS_Client1
object-group network DM_INLINE_NETWORK_11
network-object object L3_DYNDESRV
network-object object L3_DYNMRSRV
object-group network DM_INLINE_NETWORK_12
network-object object L3_DYNDESRV
network-object object L3_DYNMRSRV
object-group service DM_INLINE_SERVICE_10
service-object icmp
service-object object TCP_80
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object object TCP_80
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object object TCP_80
object-group service DM_INLINE_SERVICE_12
service-object icmp
service-object object TCP_80
object-group network DM_INLINE_NETWORK_13
network-object object L3_DYNDESRV
network-object object L3_DYNMRSRV
object-group service DM_INLINE_SERVICE_13
service-object icmp
service-object object TCP_449
access-list FWDMZ_access_in remark EBR functionality.
access-list FWDMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object L3_EBRSRV01
access-list FWDMZ_access_in remark AV patch deployement.
access-list FWDMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_2 object L3_AVSRV01
access-list FWDMZ_access_in remark OPC Server and All the unit Experion Servers comm.
access-list FWDMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_3 object-group EPKS_SERVERs_Grp
access-list FWDMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list FWIN1_access_in remark OPC Server and All the units Expenion Server comm
access-list FWIN1_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group EPKS_SERVERs_Grp object-group DM_INLINE_NETWORK_4
access-list FWIN1_access_in remark AV Patch deployment.
access-list FWIN1_access_in extended permit object-group DM_INLINE_SERVICE_6 object L3_AVSRV01 object-group DM_INLINE_NETWORK_5
access-list FWIN1_access_in remark EBR Functionality.
access-list FWIN1_access_in extended permit object-group DM_INLINE_SERVICE_7 object L3_EBRSRV01 object-group DM_INLINE_NETWORK_6
access-list FWIN1_access_in remark Time sync.
access-list FWIN1_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list FWIN1_access_in extended permit object-group DM_INLINE_SERVICE_10 object-group DM_INLINE_NETWORK_12 object L3.5_DYNCORSRV
access-list FWDMZ_ALMS_access_in extended permit object-group DM_INLINE_SERVICE_9 object L3.5_DYNCORSRV object-group DM_INLINE_NETWORK_11 inactive
access-list FWDMZ_ALMS_access_in extended permit object-group DM_INLINE_SERVICE_11 object L3.5_DYNCORSRV object-group L4_ALMS_Client_Grp inactive
access-list FWDMZ_ALMS_access_in extended permit ip any any inactive
access-list FWOUT1_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group L4_ALMS_Client_Grp object L3.5_DYNCORSRV inactive
access-list FWOUT1_access_in extended permit ip any any inactive
access-list FWOUT1_access_in extended permit object-group DM_INLINE_SERVICE_13 object L3.5_DYNCORSRV object-group DM_INLINE_NETWORK_13
access-list FWOUT1_access_in extended permit icmp object L3.5_DYNCORSRV object L4_ALMS_Client1 inactive
pager lines 24
logging enable
logging asdm informational
mtu INSIDE_L3 1500
mtu FWDMZ 1500
mtu FWOUT-BUSINESS-LAN 1500
mtu FWDMZ_ALMS 1500
mtu Managment 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet1/8
failover replication http
failover link folink GigabitEthernet1/8
failover interface ip folink 172.18.1.251 255.255.255.0 standby 172.18.1.252
no monitor-interface FWOUT-BUSINESS-LAN
no monitor-interface FWDMZ_ALMS
no monitor-interface Managment
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group FWIN1_access_in in interface INSIDE_L3
access-group FWDMZ_access_in in interface FWDMZ
access-group FWOUT1_access_in in interface FWOUT-BUSINESS-LAN
access-group FWDMZ_ALMS_access_in in interface FWDMZ_ALMS
route INSIDE_L3 10.1.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.3.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.5.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.7.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.9.1.0 255.255.255.0 10.24.0.254 1
route INSIDE_L3 10.23.1.0 255.255.255.0 10.24.0.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Managment
no snmp-server location
no snmp-server contact
auth-prompt prompt Please enter your username and password
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 300
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config INSIDE_L3
!
ntp server 10.23.1.11 source INSIDE_L3 prefer
dynamic-access-policy-record DfltAccessPolicy
username admin password i9yVQvvf7pGDUqaP encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

Re: Unable to Access Some IP's from Outside Network

balaji.bandi — Wed, 09 Dec 2020 19:17:42 GMT

as per the config you have only 1 entry that is static route point to below IP

route INSIDE_L3 10.1.1.0 255.255.255.0 10.24.0.254 1

we need more information what is that 10.24.0.254 ? do you have route back from 10.24.0.254 to FW ?

we need more topology where this traffic coming ?

Re: Unable to Access Some IP's from Outside Network

Rafal Sobecki — Wed, 09 Dec 2020 20:30:22 GMT

Routing issue most probably. Well, static routes don't propagate through the network just by themselves.

Re: Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Thu, 10 Dec 2020 03:36:47 GMT

10.24.0.254 is standby ip for Vlan in Inside Network at Router side

interface GigabitEthernet1/0/3
description **** CONNECTION TO Firewall Inside /CMNFWL1A 10.24.0.1 Port No : 1 ****
switchport access vlan 201
switchport mode access

interface Vlan201
ip address 10.24.0.251 255.255.248.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 200 ip 10.24.0.254
standby 200 timers 1 3
standby 200 priority 106
!

ip route 10.1.0.0 255.255.248.0 10.11.0.251
ip route 10.3.0.0 255.255.248.0 10.11.0.251
ip route 10.5.0.0 255.255.248.0 10.11.0.251
ip route 10.7.0.0 255.255.248.0 10.11.0.251
ip route 10.9.0.0 255.255.248.0 10.11.0.251
ip route 10.9.1.0 255.255.255.0 10.11.0.251
ip route 10.24.0.0 255.255.255.0 10.24.0.231
ip route 172.20.1.0 255.255.255.0 10.24.0.231
ip route 192.168.116.0 255.255.255.0 10.24.0.231
ip route 192.168.220.0 255.255.255.0 10.24.0.231

Re: Unable to Access Some IP's from Outside Network

balaji.bandi — Thu, 10 Dec 2020 04:38:43 GMT

I get that that is the virtual IP of the device. but from that device? you routing to again

ip route 10.1.0.0 255.255.248.0 10.11.0.251 ? So looks like you have many static routes here.

take small paper and pen, write your network, give us information about how your network looks like ? It hard to say for now what is the issue.

High level it is routing issue.

Re: Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Thu, 10 Dec 2020 04:53:33 GMT

PFA network diagram,,,

Re: Unable to Access Some IP's from Outside Network

Rafal Sobecki — Thu, 10 Dec 2020 17:24:42 GMT

Despite the diagram, we don't even know how many hops there are end-to-end.

Is the path from src to 10.1.1.0 expected the same as 10.3.1.0?

Issue traceroute from same src to both dst again to compare assumptions with facts.

If traceroute incomplete (ref. firewall), find another way to determine the paths to compare them.

Re: Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Thu, 10 Dec 2020 18:11:47 GMT

PFA Detailed Network diagram. and error logs in FW for Ping request from 10.1.X.X TO 192.168.220.30

Path from src to 10.1.1.0 expected the same as 10.3.1.0.

Re: Unable to Access Some IP's from Outside Network

balaji.bandi — Thu, 10 Dec 2020 18:20:30 GMT

I would ask you to check from to bottom and bottom to top you have all the route corect.

or post all the device config, if confidential remove the config confidential post or PM me the config to look and advise what is wrong.

Re: Unable to Access Some IP's from Outside Network

Dayanand.Jadhav — Fri, 11 Dec 2020 03:57:37 GMT

PFA tracert output from 10.1.1.1

Re: Unable to Access Some IP's from Outside Network

balaji.bandi — Fri, 11 Dec 2020 07:34:02 GMT

as per your tracert 10.11.0.241 - check routing from there to down. also do same from top to down also.