topic Re: New Subnet Requiring Internet Access via ASA in Network Security

New Subnet Requiring Internet Access via ASA

drikilbride — Mon, 11 Mar 2019 17:44:18 GMT

Our current network only has a handful of vlans with vlan1 with an ip range for PC's and servers of 10.255.0.0 255.255.0.0.

We have started to create new Vlans and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.

We have a new 6500 switch and the subnet and dhcp is created on that with a static default gateway set to our firewall of 10.255.251.211.

On the firewall for testing purposes has an any any rule allowing everyone internally access out to the internet (or so I thought)

Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.

Have I missed something on the firewall config for this new subnet?

Thanks in advance

Re: New Subnet Requiring Internet Access via ASA

Jon Marshall — Wed, 12 May 2010 09:43:11 GMT

drikilbride wrote:
Hi
Our current network only has a handful of vlans with vlan1 with an ip range for PC's and servers of 10.255.0.0 255.255.0.0.
We have started to create new Vlans and our first test one is VLAN2 with an IP address range of 10.254.25.0/24.
We have a new 6500 switch and the subnet and dhcp is created on that with a static default gateway set to our firewall of 10.255.251.211.
On the firewall for testing purposes has an any any rule allowing everyone internally access out to the internet (or so I thought)
Currently anyone on the 10.255.0.0 range has internet access, those on the 10.254.25.0 range don't.
Have I missed something on the firewall config for this new subnet?
Thanks in advance

You need a route added so the firewall knows how to send the return traffic back ie.

route inside 10.254.0.0 255.255.255.0

Jon

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Wed, 12 May 2010 09:48:54 GMT

Thanks Jon

So I would need to add

route inside 10.254.0.0 255.255.255..0 10.255.250.51

Thanks a mil!

Re: New Subnet Requiring Internet Access via ASA

Jon Marshall — Wed, 12 May 2010 10:05:24 GMT

drikilbride wrote:

Thanks Jon

So I would need to add

route inside 10.254.0.0 255.255.255..0 10.255.250.51

Thanks a mil!

If 10.255.250.51 is the vlan 1 interface IP on the switch then yes that should do it.

Jon

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Wed, 12 May 2010 15:00:59 GMT

Hi John

I have tried that but still no luck.

From the 10.254.25.0/24 network I can ping my firewall. I just cant get internet.

In under routing I had one route set there from before all of this for my old network.

It was simply and outside rule

outside 0.0.0.0 0.0.0.0 77.75.x.x 255 (metric)

I thought this rule sends everything internal out through my ISP gateway.

I have added the inside rule also but this isnt working. Maybe I have missed something silly?

Thanks again, your help is much appreciated.

Re: New Subnet Requiring Internet Access via ASA

Kimberly Adams — Wed, 12 May 2010 15:27:38 GMT

First off can you ping the next hop outside of the ASA from the network in question? Also, I am just wondering why would you set a metric of 255 on the default route out to the Internet?

Thanks,

Kimberly

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Wed, 12 May 2010 15:31:15 GMT

Hi Kimberly

No I cant ping the next hop which is the ISP's gateway.

Im actually not sure why the lads set the metric to 255, have just changed it back to 1.

Thanks a mil!

Re: New Subnet Requiring Internet Access via ASA

Kimberly Adams — Wed, 12 May 2010 15:38:39 GMT

Metric of 1 for the default route is usually best and signifies that it is one hop away. From the network in question are you able to ping anything outside of the ASA? Some good tests to run would be run a continuous ping to 4.2.2.2 and then telnet/ssh into the ASA and see if you are hitting the xlate table or connection table.

commands would be:

show xlate | include [your systems ip here]

show conn | include [your systems ip here]

This is just another test to see what the ASA is doing. By the way, what is the default gateway of the subnet that cannot get to the internet?

Kimberly

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Wed, 12 May 2010 15:47:02 GMT

Now here lies the problem.....

Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall although he cant tell me what.

The subnet he has created has the following dgw 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39

I hope that makes sense.

If I ping 4.2.2.2 from the pc on the new subnet i get the following

reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

Re: New Subnet Requiring Internet Access via ASA

Kimberly Adams — Wed, 12 May 2010 16:01:15 GMT

I am assuming there is a route somewhere on your network that points to the ASA for Internet. At this time I am not seeing where that would be coming from. Can you please provide a little more information on the routing on your LAN and if you can get to the ASA at all?

Thanks,

Kimberly

Re: New Subnet Requiring Internet Access via ASA

Jon Marshall — Wed, 12 May 2010 17:47:37 GMT

drikilbride wrote:

Now here lies the problem.....

Our new subnets are being created by a third party engineer and he is the one who is saying I need to make changes on my firewall although he cant tell me what.

The subnet he has created has the following dgw 10.254.25.3. This subnet has been created on a 6500 switch which has a dgw set to 10.255.250.39

I hope that makes sense.

If I ping 4.2.2.2 from the pc on the new subnet i get the following

reply from 10.254.25.2 (which is the DHCP Server on the new 6500 Switch)...destination host unreachable

Why is the DHCP server coming back with a destination host unreachable message ?

Is the 6500 routing for the vlans ?

What is 10.254.25.3, is this the L3 vlan interface on the 6500 switch ?

The 6500 has a default-gateway ?? - is the 6500 routing or simply acting as a L2 switch. The dgw of 10.255.250.39, what exactly is that device.

As Kimberly says, if the 6500 is responsible for routing the vlans then you need a default-route (not default-gateway) pointing to the ASA. But it sounds like it is a bit more complicated than this.

Jon

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Fri, 14 May 2010 13:16:58 GMT

Hi Jon

I have managed to persuade the third party engineer to add a default route on his 6500 to the firewall.

So now instead of getting destination host unreachable I am getting the normal request timed out when I ping an external IP Address so I now suspect it must be an access rule issue on the firewall.

It looks like my ping is getting out but just not being returned to the new vlan 10.254.25.0/24. Is there anything additional I can add in on the firewall to test this?

Thanks again

Re: New Subnet Requiring Internet Access via ASA

Kimberly Adams — Fri, 14 May 2010 13:51:50 GMT

On the firewall, you may need a route inside statement that would look like this:

route inside 10.254.25.0 255.255.255.0 [IP of your 6500]

See if this helps the traffic come back to your new network.

Kimberly

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Fri, 14 May 2010 14:01:03 GMT

Hi Kimberly

Unfort I already have that route added.

Still no internet.

Thanks

Re: New Subnet Requiring Internet Access via ASA

Kimberly Adams — Fri, 14 May 2010 14:03:56 GMT

Can you post up a new copy of your configuration of your firewall please?

This will help us help you with the changes needed to get the internet working.

Kimberly

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Fri, 14 May 2010 14:04:15 GMT

If I wanted to test a ping from 10.254.25.42 to 208.67.222.222 what rule would I add to accomplish this?I have tried a few but have had no luck with

it.

I already have an outside rule with the source being 208.67.222 and destination any and this allows pings to work from my old network out and back in.

Just no luck with the new subnet.

I still feel there could be an issue on the 6500 but its hard to prove as the engineer feels its all firewall and I cant access the config of it!

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Fri, 14 May 2010 14:16:30 GMT

Here is the updated config!

Thanks

Re: New Subnet Requiring Internet Access via ASA

Scott Conklin — Fri, 14 May 2010 15:57:32 GMT

Your config shows a NAT statement for users in the 10.255.x.x subnet- nat (inside) 1 10.255.0.0 255.255.0.0, but this does not cover the users in the new subnet, 10.254.25.0. I would remove the current nat (inside) command and add the following line- nat (inside) 1 0.0.0.0 0.0.0.0 - this command will cover all of your internal subnets and will PAT them to the outside interface.

Please let me know if this works for you.

Re: New Subnet Requiring Internet Access via ASA

Kent Heide — Fri, 14 May 2010 18:33:26 GMT

I've looked at your configuration and Scott Conklin is right. You are lacking a NAT statement for your new subnet. Using packet-tracer would have revealed this for you though as you would have seen the flow being created and no NAT rule matching.

Re: New Subnet Requiring Internet Access via ASA

drikilbride — Mon, 17 May 2010 09:40:23 GMT

Hi Scott

Thanks for that.

I have added that NAT command but still no luck.

Any ideas?

Thanks again for all your help.