topic Problem accessing another public ip in same subnet in Network Security

Problem accessing another public ip in same subnet

erik.gunstad — Tue, 12 Mar 2019 03:49:30 GMT

Hi,

I have searched around for a previous post regarding this but can't find an issue similar to mine (or I'm just too stupid to understand that it is )

I have a Cisco 5505 at a small business that I help. The problem is that the ISP are providing public IPs to multiple customers in a /24 subnet. The ASA has a single public IP configured 8.8.8.8 (not really, just for the examples sake) with a subnet mask of 255.255.255.0.

The webserver I have to access is not managed by me and is located in a different location (same town though) has 8.8.8.115, it is located in the same subnet as the ASA.

How would I make this work? I have tried to configure a static arp entry for the web server but it just won't work. If i place a computer directly on the outside interface I have no problem accessing the web server.

I am running ASA version 8.2, but I could upgrade if it would help me solve the problem.

Any help with this issue is much appreciated.

Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 11:56:20 GMT

Erik

Could you clarify the topology in relation to the ASA and the web server ie.

1) is the web server protected by the ASA

2) what interface has the 8.8.8.8 IP ?

3) what interface is the web server located off eg. inside, DMZ

4) are you using the real public IP on the web server or are you using a private IP and NAT ?

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Mon, 24 Feb 2014 12:23:58 GMT

Thanks for your time Jon.

1. The web server is protected by another firewall that I don't know the type of since I'm not responsible for that location. It is a third party web server.

2. It's not really 8.8.8.8 (I know it is a google dns server) but just to have something to referens in this issue. It is used on the wan interface on the customers ASA.

3. The web server will be accessed via the wan interface since it is not located on the same site but share the same public subnet with my customer since their ISP gives out ip addresses from the same /24 subnet. I guess it is to save a couple of public addresses.

4. To access the web server I must use a public address since I can't access it any other way. There is no other path but via the ISP.

I think this is a ASA specific issue since the third party haven't had this issue with other firewalls and I can access the web server if I remove the ASA and puts the public address on my laptop.

I hope this clarify the issue Jon.

Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 12:32:01 GMT

Erik

I'm still not getting this sorry.

You have an ASA with an outside interface of 8.8.8.8 (i know these are dummy addresses). Is that correct ?

If so the web server has an IP from the same subnet. But the real web server sits behind another firewall.

So this web server must have a different real IP ?

How is the other firewall connected to the ASA ie. which interface on the ASA ?

Jon

Problem accessing another public ip in same subnet

Swaraj Nambiar — Mon, 24 Feb 2014 12:32:14 GMT

Hi Erik,

Do you have static NAT configured on the ASA?

You need to have the following configured on the ASA -

#static (inside,outside) 8.8.8.15 inside and outside are the names of the two interrfaces. I have assumed that the server is connected to the interface named "inside" and the IP 8.8.8.8 is configured on the "outside" interface.

You also need to allow this traffic in an access-list that should be applied on the "outside" interface -

#access-list inbound permit tcp any host 8.8.8.15 eq 80 --> this is assuming that "inbound" is the name of the ACL on the outside interface.

If there is no ACL applied to the outside interface, you may apply the following command as well -

#access-group inbound in interface outside

Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 12:34:17 GMT

Erik

I think Swaraj is correct.

I was just trying to clarify the topology to make sure this is how you have it setup.

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Mon, 24 Feb 2014 12:58:16 GMT

I know that I'm not beeing clear, It's hard to explain. I have drawn a Visio sketch that I hope clarify my issue. I have nothing to do with the third party site only the Customer site.

Once again, thanks for your time.

Problem accessing another public ip in same subnet

erik.gunstad — Mon, 24 Feb 2014 13:01:20 GMT

Thank you for taking the time to answer but this has nothing to do with my issue. I have tried to clarify further in an earlier post answering Jons post.

Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 13:05:29 GMT

Erik

Okay, so if you replace the ASA with a laptop using the 8.8.8.8 IP it all works ?

So are you doing NAT for the internal clients on the ASA eg.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

assuming the clients are connected to the inside interface.

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Mon, 24 Feb 2014 13:14:51 GMT

That is correct. If i connect a laptop with the public address instead it works. Also, it works from pretty much any other place as long as you are not behind an asa on the same subnet. I can for example connect from my office.

I am doing nat

global (outside) 1 interface

nat (inside) 0 access-list inside_VPNClients

nat (inside) 1 0.0.0.0 0.0.0.0

The clients are connected to the inside interface.

Re: Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 13:17:16 GMT

Erik

What does the arp table show when you try to connect through the ASA ?

From the ASA can you ping the other firewall IP ?

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Mon, 24 Feb 2014 14:01:13 GMT

The ASA has a correct ARP entry for the host.

The other firewall does not respond to pings but other host in the public subnet responds to ping.

I don't know if i matters but I do get an entry in the log viewer.

Feb 24 2014

13:38:05

405001

Received ARP request collision from 8.8.8.115/0003.fc04.ccbf on interface outside

Problem accessing another public ip in same subnet

Jon Marshall — Mon, 24 Feb 2014 20:13:03 GMT

Erik

The mac address reported in the ARP colliision message, is that the same mac address shown in the arp cache on the ASA ?

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Tue, 25 Feb 2014 12:48:55 GMT

Sorry, marked your anwer as correct by mistake but can't see anywhere to change it. Yes it is correct that that the mac address is the same as in my arp cache on the ASA.

Re: Problem accessing another public ip in same subnet

Jon Marshall — Tue, 25 Feb 2014 13:24:15 GMT

Erik

Unfortunately you can't retract a correct answer mark.

Anyway, can you post the ASA config.

Also when you use the laptop with the public IP what is it's default gateway set to ?

Jon

Problem accessing another public ip in same subnet

erik.gunstad — Wed, 26 Feb 2014 12:20:05 GMT

The ISP only specify one gateway in that range and that is 8.8.8.1 so any other would not let me access internet.

Once again thank you for your time.

: Saved

ASA Version 8.2(1)

hostname ciscoasa

domain-name XXXXXXX

enable password XXXXXXX encrypted

passwd XXXXXXX encrypted

names

name 8.8.8.8 Outside_IP

name 192.168.20.2 Server

name 192.168.20.11 rav-dc01

name 192.168.20.12 rav-ms01

name 192.168.20.13 rav-rds01

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address Outside_IP 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name XXXXXXX

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0

access-list RemoteVPNSplittunnel standard permit 192.168.20.0 255.255.255.0

access-list outside_access_in extended permit tcp host 100.100.100.228 interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit udp any interface outside eq 4125

access-list outside_access_in extended permit tcp any interface outside eq 4125

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit tcp any interface outside eq 444

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit udp any interface outside eq 444

access-list outside_access_in extended permit tcp any interface outside eq www

access-list inside_access_in extended permit tcp host rav-ms01 any eq smtp

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool RemoteVPNPool 192.168.25.100-192.168.25.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) udp interface 4125 Server 4125 netmask 255.255.255.255

static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255

static (inside,outside) tcp interface https rav-ms01 https netmask 255.255.255.255 dns

static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255

static (inside,outside) tcp interface 3389 rav-rds01 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp interface smtp rav-ms01 smtp netmask 255.255.255.255

static (inside,outside) udp interface 444 Server 444 netmask 255.255.255.255

static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255

static (inside,outside) tcp interface www Server www netmask 255.255.255.255 dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 8.8.8.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server rav_Intern protocol radius

aaa-server rav_Intern (inside) host rav-dc01

key CiscoAsa5505RAV2012

radius-common-pw CiscoAsa5505RAV2012

http server enable 8080

http 192.168.20.0 255.255.255.0 inside

http 192.168.25.0 255.255.255.0 inside

http 100.100.101.128 255.255.255.192 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet 192.168.20.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.20.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

dhcpd address 192.168.20.190-192.168.20.200 inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server rav-dc01 source inside

webvpn

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

wins-server value 192.168.20.11

dns-server value 192.168.20.11

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteVPNSplittunnel

default-domain value rav.nu

split-dns value rav.nu

username SupportVPN password XXXXXXX encrypted privilege 0

username SupportVPN attributes

vpn-group-policy RemoteVPN

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool RemoteVPNPool

authentication-server-group rav_Intern

accounting-server-group rav_Intern

default-group-policy RemoteVPN

tunnel-group RemoteVPN ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect pptp

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

Cryptochecksum:8481ab3aa01b23bad17bacb2aca7197a

: end

asdm image disk0:/asdm-621.bin

no asdm history enable

Problem accessing another public ip in same subnet

Jon Marshall — Wed, 26 Feb 2014 18:45:17 GMT

Erik

I can't see anything obviously wrong with your config.

That ARP colliision request message does suggest an issue. It basically means the ASA is seeing the same mac address for two different IP addresses.

You could try a "debug arp" (or "debug ip arp") to see if that reveals anything.

Jon