topic Re: ASA 5505 Routing Problem!!!!!!!!! in Network Security

ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Mon, 11 Mar 2019 20:40:30 GMT

Hi there,

I have ASA 5505 Firewall with security plus license, I configured two VLAN 1 and VLAN 5 as my inside VLAN for different subnet, i need to route the traffic between this two VLANs through ASA.

I configured

int vlan 1

nameif inside

Security level 100

Ip address 172.16.100.1 255.255.255.0

Int vlan 5

namaeif camera

security level 100

ip address 192.168.22.1 255.255.255.0

same-security traffic permit inter interface

same-security traffic permit intra interface

router eigrp 2

network 172.16.100.0

network 192.168.22.0

int e0/6

switchport access vlan 5

The problem is i am not able to ping other subnet, for ex my pc is in VLAN 1 not able to ping 192.168.22.1 ...

For troubleshoot i type debug icmp trace while pinging other sunbet

ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32

I trun off the firewall on my local machine, can any one plz help me out??????

thanks

Abhishek

Re: ASA 5505 Routing Problem!!!!!!!!!

zujalal — Tue, 31 May 2011 15:33:29 GMT

Hi Abhishek.

..."The problem is i am not able to ping other subnet, for ex my pc is in VLAN 1 not able to ping 192.168.22.1"

this is as per design. The ASA will not allow you to ping another interface while your PC is behind another interface. You can only ping the VLAN1 interface if your PC is in VLAN 1...you cannot ping the VLAN2 interface on the ASA. Try pinging some other PC in VLAN 2.

Hope this helps.

regards

Zubair

Re: ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Tue, 31 May 2011 15:41:53 GMT

Hi there,

As per my knowledge ASA is a layer 3 device, it can able to route the traffic between different subnet.

The ASA will not allow you to ping another interface while your PC is behind another interface. I doubt abt your statement, beacuse before i configured the same senario and it works.

If i configure routing protocol and allow same security traffic allow statement, ASA should route the traffic between different subnet. plz correct me if i am wroung????

Thanks,

Abhishek

Re: ASA 5505 Routing Problem!!!!!!!!!

zujalal — Tue, 31 May 2011 15:59:59 GMT

you are right by saying that ASA can be a L3 device but you dont need a dynamic routing protocol to route between two subnets which are directly connected to the ASA. These two subnets will appear as connected routes. You just need the same-security permit inter-interface command.

Regarding Pinging VLAN5 interface from VLAN1, you cannot do it. You might have done it on a router but it is a very basic check in the ASA alogrithm.The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

Re: ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Tue, 31 May 2011 16:43:36 GMT

Hi there,

I removed the eigrp from my config and apply same-security permit inter interface, by doing this on ASA 5505 can route the traffic between different subnet. I did that its not working.......

As you are agree that asa is layer 3 device, i have one question.....if i have two inside netwrok and i want to route the traffic between this two inside network through asa 5505 is that possible or not?? If yes than how can i do it??????

Thanks,

Abhishek

Re: ASA 5505 Routing Problem!!!!!!!!!

zujalal — Tue, 31 May 2011 17:14:39 GMT

Yes, it is possible. Your configuration seems to be ok. However, i would recommend defining "swtichport access vlan 1" command under the physical interface where VLAN 1 is connected to. Secondly, if it is not working i would recommend defining mac addresses on the physical interfaces manually. By default, all the ports on a 5505 share the same MAC address. If your adjacent switch has some problems with this behaviour you can set virtual mac addresses manually using mac-address command under the Interface VLAN configuration. If it is still not working, can you run a debug icmp trace while pinging from a host in VLAN 5 to a host in VLAN1 or vice-versa. Also a show interface and show route output would be useful.

Also, i am assuming that you can ping the IP addresses on Inter vlan 1 and inter vlan 5 from respective VLANs. If the hosts from where you are pinging are a L3 hop away, i hope the routing has been set there properly.

regards

Zubair

######Please rate if this was helpful##############

Re: ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Wed, 01 Jun 2011 14:53:22 GMT

Hi there,

After applied below commands both subnet can ping eachother,

VLAN 1 Inside Network

VLAN 5 Camera Network

I need both VLAN 1 and VLAN 5 Should talk to each other, and its working the only problem is VLAN 5 subnet host not able to access internert,

when i applied nat (camera) 1 0.0.0.0 0.0.0.0 both subnet stop pinging each other, able to access internet.

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1-5
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 32
!
interface Ethernet0/6

switchport access vlan 5

interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.101 255.255.255.0 standby 172.16.100.102

interface Vlan5
nameif camera
security-level 100
ip address 192.168.22.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

global (inside) 2 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (camera) 1 0.0.0.0 0.0.0.0---- once i removed this command both subnet able to ping each other but no internet access

i think its a nat issue,

Following is the out put of my packet tracer which clearly states packet drop beacuse of nat

ADA-# packet-tracer input camera icmp 192.168.22.2 255 255 172.16.100.11

Phase: 1
Type: UN-NAT
Subtype: dynamic
Result: ALLOW
Config:
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.100.11/0 to 172.16.100.11/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

<--- More --->

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
<--- More --->

Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (camera) 1 0.0.0.0 0.0.0.0
match ip camera any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 167, untranslate_hits = 0
Additional Information:

Result:
input-interface: camera
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Abhishek

Re: ASA 5505 Routing Problem!!!!!!!!!

zujalal — Wed, 01 Jun 2011 15:07:36 GMT

I dont see the config of the outside interface below. I am assuming it is there. Use a different NAT ID and you should be good to go. you just need the below commands.Also i am not sure what the backup interface is?. Remove the other nat and global commands. VLAN 1 and VLAN 5 can still talk to each other unless you have not enabled nat-control.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

nat (camera) 2 0.0.0.0 0.0.0.0

global (outside) 2 interface

regards

Zubair

######Please rate if this was useful#########

Re: ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Wed, 01 Jun 2011 15:32:46 GMT

Hi there,

Please find the attachment of my current config, i applied the commands but no luck, i disable the no-natcontrol still no luck. Can you suggest other option, packet has been denided by

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (camera) 2 0.0.0.0 0.0.0.0
match ip camera any inside any
dynamic translation to pool 2 (No matching global)
translate_hits = 79, untranslate_hits = 0
Additional Information:

Thanks,

Abhishek

Re: ASA 5505 Routing Problem!!!!!!!!!

zujalal — Wed, 01 Jun 2011 15:44:21 GMT

I dont know why the routes are configured the way they are right now. the next hops mentioned are the Interface IP's defined on the ASA itself???

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

route backup 0.0.0.0 0.0.0.0 2.2.2.2

I hope you have put these for reference only...

Can you ping any public IP like 4.2.2.2 from the ASA itself. If yes, then can you remove the global (backup) 2 commands and then test.

Re: ASA 5505 Routing Problem!!!!!!!!!

abhishek.shah — Thu, 02 Jun 2011 13:34:46 GMT

Hi, there

Yes the route which i used is only reference, in real i am using different IP address. I removed global (backup) 2 0.0.0.0 0.0.0.0

Yes from firewall i am able to ping 4.2.2.2, and able to access internet from 172.16.100.x subnet.

The only problem is i am not able to access internet from 192.168.22.x subnet, once i remove the command nat(camera) 2 0.0.0.0 0.0.0.0 i am able to access the internet but not able to ping other subnet,

Thanks,

Abhishek