topic ASA5505 Routing Issue in Network Security

ASA5505 Routing Issue

pwynne2009 — Mon, 11 Mar 2019 18:16:30 GMT

Hi,

I have recently added a layer2 leaf to my network configuring ASA's at each of my two locations. the remote site config is working fine but I have having major issues with my ASA5505. I use a tracked route to treat data going from my primary site to the remote site but the link keeps dropping.

Please see below some of my config.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.147.148.134 255.255.255.252
!
interface Vlan3
nameif digiwebl2
security-level 90
ip address 192.168.160.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

access-list L2_access_in extended permit icmp 192.168.160.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list L2_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list L2_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0

access-group outside_access_in in interface outside
access-group L2_access_in in interface digiwebl2
route digiwebl2 192.168.20.0 255.255.255.0 192.168.160.254 255 track 1
route inside 172.31.60.0 255.255.255.0 192.168.16.254 1
route outside 0.0.0.0 0.0.0.0 83.147.148.133 1
route outside 192.168.20.0 255.255.255.0 83.147.148.133 254

if I plug into ether0/4 I cannot ping back to the 192.168.16.10 interface which leads me to think that there is a bug somewhere on the applicance.

I have just had the device upgraded to version 7.2(5)

thanks,

Paul.

Re: ASA5505 Routing Issue

Magnus Mortensen — Tue, 27 Jul 2010 10:53:37 GMT

Paul,

If you plug into Eth0/4 then you will be on Vlan 3 which is the 192.168.160.x subnet. While on this subnet, you will only be able to ping the interface facing you, the Vlan3 interface at 192.168.160.10. This is by design and summarized here:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wpmkr1048373

Note For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.

This applies to other to-the-box traffic like telnet/ssh/asdm as well. You can only communicate withthe interface facing you. When you are plugged into Eth0/4, can you ping 192.168.160.10? Do you have any 'icmp permit' statements? What does 'show run icmp' show?

- Magnus

Re: ASA5505 Routing Issue

pwynne2009 — Tue, 27 Jul 2010 10:58:16 GMT

Hi Magnus,

i believe part of my issue is that I cannot ping the interface facing me. how i recovered this yesterday and only for a short period of time was to move another interface into the VLAN 3 but again this went down shortly after. Would you have any idea why it would not be able to ping the 192.168.160.10 interface?

Paul.

Re: ASA5505 Routing Issue

Magnus Mortensen — Tue, 27 Jul 2010 11:03:23 GMT

Paul,

The interface should not go 'down' if a host is physically connected to the port. RIght after connecting the host to Eth0/4, can you ping 192.168.160.10? What is the output of 'show int vlan3' and 'show int eth0/4' at the time? Does your machine directly connected to Eth0/4 show any arp entries (on windows you can do 'arp -an' to see the arp cache).

- Magnus

Re: ASA5505 Routing Issue

pwynne2009 — Tue, 27 Jul 2010 12:42:15 GMT

Strange thing is I cannot ping the interface when directly connected to ether0/4

Arp on the laptop returns an empty mac-address field. all Zero's.

5505Crecora# sh int vlan 3
Interface Vlan3 "digiwebl2", is up, line protocol is up
Hardware is EtherSVI
        MAC address 0024.9740.0af7, MTU 1500
        IP address 192.168.160.10, subnet mask 255.255.255.0
Traffic Statistics for "digiwebl2":
        46446 packets input, 7095832 bytes
        40823 packets output, 10948114 bytes
        1254 packets dropped
      1 minute input rate 0 pkts/sec, 80 bytes/sec
      1 minute output rate 0 pkts/sec, 110 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 83 bytes/sec
      5 minute output rate 0 pkts/sec, 122 bytes/sec
      5 minute drop rate, 0 pkts/sec

5505Crecora# sh int ether0/4
Interface Ethernet0/4 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0024.9740.0af3, MTU not set
        IP address unassigned
        78844 packets input, 10359034 bytes, 0 no buffer
        Received 7 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        32373 switch ingress policy drops
        40843 packets output, 11718191 bytes, 0 underruns
        41 output errors, 39 collisions, 0 interface resets
        0 babbles, 0 late collisions, 30 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

Rgds,

Paul.

Re: ASA5505 Routing Issue

Nagaraja Thanthry — Tue, 27 Jul 2010 13:20:01 GMT

Hello,

From your output, it seems like the interface Ethernet 0/4 is in half dulpex mode. This looks more like a physical layer issue. What kind of Ethernet cable you are using? Could you please try straight cable instead of crossover (if you are using crossover)? Also, check the speed/duplex settings on the laptop and make sure that they are set to auto. If we can fix the physical layer issue, I guess the other issues will get fixed automatically.

Hope this helps.

Regards,

Re: ASA5505 Routing Issue

pwynne2009 — Tue, 27 Jul 2010 14:06:23 GMT

Hi,

I just got a reply from the NOC at my SP regarding the layer 2 supplied and I think this may explain it however not quite sure how to get around it.

"Both connections to our switch on site with you in Limerick should be set to 100mbit full duplex with auto-negotiation turned off.

Both the internet and the layer2 connections are presented as access ports on the switch on site with you in Limerick, so there should be no vlan tagging presented to our switch on either port."

Paul.

Re: ASA5505 Routing Issue

pwynne2009 — Tue, 27 Jul 2010 14:55:10 GMT

ok! the physical side of things is now sorted however a sh conn address 192.168.16.57 (My IP) is showin paths out over the VPN still but some traffic is going up the layer2.

I need the vpn as a backup so i dont want to take it down. can i clear out the connections learned my the ASA so the tracked route will take preference?

Paul.

Re: ASA5505 Routing Issue

pwynne2009 — Wed, 28 Jul 2010 09:20:09 GMT

Ok! I can answer this one now myself.

Once the ping issue from the interface back to the Firewall interface was resolved there was still little or no utilization of the layer2 pipe. The reason for this was that all users were working from previously learned paths which in this case was the VPN connection. this was identified through the

"sh conn address 192.168.16.57" - My IP address. "sh conn" showed that all other users were using VPN also.

I issued a "clear conn all" and this dropped the ASA connection momentarily but it enforced the tracked route entry in the firewall and now over 90% of my traffic is using the Layer2.

Magnus thanks for your assistance with the MAC issue.