topic Confused and need some advice in Network Security

Confused and need some advice

crash5050 — Mon, 11 Mar 2019 21:00:26 GMT

I am attaching a basic diagram of what I am trying to do, but I will try and explain in detail in the post.

I have an AT&T Router that is my gateway to the internet, I have no access to it. I do have the inside ip address of it which is on my private LAN. Just for shiggles we will call it 10.25.240.1 255.255.248.0. That is my gateway address for all of my current devices.

I have this shiny new ASA that I want to throw in there to eliminate a proventia and a sidewinder.

The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the vlans configured, and several more switches all configured with vlan 832, connected to a 2950, which is connected to my internal 2600 router. I have 4 Vlans running on 4 different ip ranges, all controlled by the internal router, with only one vlan, let's say 832 that is trunked to the outside world. That vlan has 172.16.1.x 255.255.0.0 network attached to it. All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass thru the ASA.

Gateway 10.25.240.1

Outside of the ASA 10.25.240.25

Inside of the ASA 172.16.1.25

Eth0/0 on the router 172.16.1.1

Eth0/0.1 on the router 172.16.1.2 832

Encapsulation is dot1q

This might be just a bunch of babble, if you need more information just let me know what to throw at you.

Crash

Re: Confused and need some advice

varrao — Tue, 19 Jul 2011 15:34:33 GMT

HI David,

OK just for starters, we would need to put some basic config on the firewall and then move on to each requirement:

int eth0/1

ip address 10.25.240.25 255.255.255.0

nameif outside

no shut

int eth0/0

ip add 172.16.1.1 255.255.255.0

nameif inside

no shut

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface these stements would nat the inside traffic to the internet router

route outside 0.0.0.0 0.0.0.0 10.25.240.1 1 -----> DG on the ASA

access-list out_in permit icmp any any

access-group out_in in interface outside -------------> to allow ping replies and requests from outside interface

icmp permit any inside ----------------> to allow ping to firewall inside

This should be the basic for pinging interfaces on the firewall and pinging the router.

Lets do this first and then move on to next issue. Could you also post an output of "show tech-support" from the ASA

Thanks,

Varun

Re: Confused and need some advice

crash5050 — Tue, 19 Jul 2011 16:33:13 GMT

Ok, I tried all that, set the ASA back to factory-default and followed your directions, I could ping between the interfaces, but the PC on the inside interface couldn's ping thru to the Gateway router.

Attached are my sh run and sh tech-support files

Confused and need some advice

varrao — Tue, 19 Jul 2011 16:42:18 GMT

Hi David,

I am not sure about this config, you have no ip address assigned on isnide interface:

interface Ethernet0/0

nameif inside

security-level 100

no ip address

But you have one on management interface:

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

Could you verify,which interfaces have you configured????

-Varun

Confused and need some advice

crash5050 — Tue, 19 Jul 2011 16:48:47 GMT

OOps, that should be

int e0/0

ip address 10.25.240.248 255.255.255.0

Confused and need some advice

crash5050 — Tue, 19 Jul 2011 16:50:39 GMT

I am all confused now

inside 10.25.241.1

outside 10.25.240.248

default gateway 10.25.240.1

Confused and need some advice

varrao — Tue, 19 Jul 2011 17:04:52 GMT

Hi David,

, well don't worry let's not get confused, you're doing everything right untill now, so now moving ahead:

int eth0/1

ip address 10.25.241.25 255.255.255.0

nameif inside

no shut

int eth0/0

ip add 10.25.240.248 255.255.255.0

nameif outside

no shut

* Remember these no shut commands are very important, as theyw ould bring the firewall interfaces up.

Now try pinging again, first ping interface 10.25.241.25 from the computer, it should be successful.

Then try pinging your DG 10.25.240.1, taht shud also b successful, but if not, lets take captures on ASA, you would need to tell me the ip address of the computer from whr you are pingi8ng and i'll let you know the capture commands.

Thanks,

Varun

Re: Confused and need some advice

crash5050 — Tue, 19 Jul 2011 17:35:51 GMT

Ok, progress is being made. I can, from the ASA now ping the DG. I can ping the inside address only if I am plugged directly into the eth0/1 port on the back of the ASA. I did a wr er reload on my switch, and I can now ping the inside interface from the switch. But I cannot get the outside interface or the DG from the PC.

Attaching new run and tech support files

Confused and need some advice

varrao — Tue, 19 Jul 2011 17:52:22 GMT

Hi David,

Great!!!, this is definitely progress here.

You would not be able to ping outside interface, deafult behavior of ASA (remote interfaces are not pingable), but yes DG should ping from the PC.

Ok now lets take captures and logs on the ASA.

first of all you need to configure this on ASA:

logging enable

logging buffered 7

and then for captures:

lets say your PC ip is 172.16.1.1,

access-list cap permit ip host 172.16.1.1 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 172.16.1.1

access-list cap permit ip host 10.25.240.25 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 10.25.240.25

cap capin access-list cap interface inside

cap capo access-list cap interface outside

and also enable the debugs:

debug icmp trace

and after enabling the logs, captures and debugs, initiate pings from PC and collect these outputs.

Debugs would pop up themselves

For logs, do " show logging" and copy the ping traffic logs

For captures do " show cap capin" and "show cap capo"

Kindly provide these.

Thanks,

Varun

Re: Confused and need some advice

crash5050 — Tue, 19 Jul 2011 18:21:29 GMT

Here is the capture file

Confused and need some advice

varrao — Tue, 19 Jul 2011 18:30:22 GMT

Hi David,

Did you try pinging after enabling these commands, if yes, i do not see any packets on the firewall arriving, so dow e have a route on the switch for directing all the traffic to ASA inside interface???

Thanks,

Varun

Confused and need some advice

crash5050 — Wed, 20 Jul 2011 13:20:58 GMT

Yeppers, I ran a ping for about 10 minutes. Ran packet tracer, and it seems that the NAT is where it is failing. Result Packett Dropped.

David

Confused and need some advice

varrao — Wed, 20 Jul 2011 13:38:42 GMT

Ok, so can you provide thos packet captures and the logs that you get on the firewall???

I need to check which nat is failing. Plz provide the latest show run as well.

-Varun

Confused and need some advice

crash5050 — Wed, 20 Jul 2011 14:58:50 GMT

I hhave resorted to the BFH configuration method. Big Freaking Hammer!

Confused and need some advice

varrao — Wed, 20 Jul 2011 15:20:59 GMT

Lol

Confused and need some advice

crash5050 — Wed, 20 Jul 2011 15:42:41 GMT

I did a write erase reload, then factory-default so it is new again. I am about to apply this config. Is it right?

int eth0/0
ip address 10.25.240.248 255.255.255.0
nameif outside
no shut

int eth0/1
ip address 10.25.241.25 255.255.255.0
nameif inside

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 10.25.240.1 1
access-list out_in permit icmp any any
access-group out_in in interface outside
icmp permit any inside
logging enable
logging buffered 7

access-list cap permit ip host 10.25.241.2 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.241.2
access-list cap permit ip host 10.25.240.25 host 10.25.240.1
access-list cap permit ip host 10.25.240.1 host 10.25.240.25
cap capin access-list cap interface inside
cap capo access-list cap interface outside
debug icmp trace

Confused and need some advice

crash5050 — Wed, 20 Jul 2011 15:54:16 GMT

I applied that config, and it works now. Se the BFH route always works!!

Confused and need some advice

varrao — Wed, 20 Jul 2011 16:02:25 GMT

Wow ...... I have started believing it too great work .... let me know if you get stuck anywhere.....

-Varun

Re: Confused and need some advice

crash5050 — Wed, 20 Jul 2011 18:21:07 GMT

okie dokie. What I have now is PC <-->(inside)<-->outside<-->Internet

what I need to have is

PC<--->Switch<-->Router<--->ASA<---> Internet

The tools we have to work with, a 3590X Switch and a 2600 Cisco

What I have done, I have configured Router on a stick with all 4 of my VLANS that I need, assigned IP addresses on eth0/0.x respectivley. Set encapsulation to dot1q, and did no shut on all of the sub interfaces (see attached file), Set the switch ports up with trunking and access. When I plug 10.25.241.2 up on the 804 VLAN, all I can ping is my router sub, nothing past. sh ip route shows gateway of last resort not set, with no connected networks. Do I need OSPF on a connected network? Then there is a question of physical layer, does the asa plug into the switch (my 1st choice) or the router?