07-18-2015 08:08 PM - edited 03-11-2019 11:17 PM
I've got a new installation with a 5505. Besides the firewall, I have a router on the internal network which connects us to other offices over MPLS.
With my existing configuration, users on the inside can access the internet but not any of the other offices. I was assuming that with route statements pointing to the other gateway to the other offices, traffic to those offices would go back out the inside interface. However, that doesn't seem to work.
The default gateway for the workstations is 10.245.15.2 (the firewall). The MPLS router is at 10.245.15.1.
Below is my slightly scrubbed configuration. Can somebody please tell me what I am doing wrong?
ASA Version 8.2(5)
!
hostname fw-01
domain-name abc.com
enable password 0h/fP6ghIAzzLSaF encrypted
passwd 2KFQABC.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.245.15.2 255.255.240.0
!
interface Vlan2
nameif outside
security-level 0
ip address 111.222.252.94 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name abc.com
same-security-traffic permit intra-interface
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 10 burst-size 5
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.245.0.0 255.255.240.0
route outside 0.0.0.0 0.0.0.0 111.222.252.1 1
route inside 10.103.0.0 255.255.240.0 10.245.15.1 1
route inside 10.104.0.0 255.255.240.0 10.245.15.1 1
route inside 10.105.0.0 255.255.240.0 10.245.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 10.245.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 10.245.0.0 255.255.240.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.200.1.100 8.8.8.8
dhcpd domain abc.com
dhcpd option 3 ip 10.245.15.2
!
dhcpd address 10.245.1.1-10.245.1.32 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3083b765914c850d216b60397fbd064f
: end
szx-fw-01#
07-18-2015 11:16 PM
Hi,
As the workstations' gateway is 10.245.15.2, they will forward packets to the firewall's inside interface.
Also, assuming the offices that are reachable through MPLS are on subnets 10.103.0.0, 10.104.0.0 and 10.105.0.0, the firewall will leverage these routes
route inside 10.103.0.0 255.255.240.0 10.245.15.1 1
route inside 10.104.0.0 255.255.240.0 10.245.15.1 1
route inside 10.105.0.0 255.255.240.0 10.245.15.1 1
and send the packets back towards the LAN on 10.245.15.1. Since we are trying to send packets within the zone, we would need to enable intra-zone traffic via "same-security-traffic permit intra-interface", which seems to be already present.
Try to run a test ping from workstation to host reachable through MPLS and perform this:
Run "cap asp type asp-drop all" on ASA.
Then "show cap asp | match x.x.x.x" where x.x.x.x is destination host connected via MPLS.
You might want to check whether MPLS router has correct routes present as well.
P.S: Sharing topology diagram might help understanding the scenario better.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-19-2015 09:16 AM
This won't work with the current configuration as you are having asymmetric routing. Your LAN, ASA inside, and router are in the same VLAN.
Workstation will forward the traffic to ASA which sends the traffic back to the router then to MPLS. Return traffic will reach the router and go to workstation directly because they are in the same subnet (even if you have routes pointing back to ASA). This means that ASA will see half-open TCP sessions and will drop them.
One way to resolve this is to enable ICMP redirect on ASA which may fix the problem if everything else is configured correctly.
The other solution, which I recommend, is to create a new zone called MPLS with a different subnet. Then route MPLS traffic over this zone. This will add extra security, as the firewall will be able to filter traffic crossing the zones, and will resolve the asymmetric routing problem.
You need to sit down, redesign the network then configure.
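The asymmetric-routing failure described in the post above, as an added model that is not part of the thread: a stateful firewall that sees the SYN and the client's ACK but never the SYN-ACK leaves the connection embryonic and drops the ACK, whereas putting the router in its own zone behind the ASA lets the handshake complete. Addresses 10.245.15.2, 10.245.15.1, 10.245.0.0/20 and 10.103.0.0/20 come from the posted config; the workstation 10.245.1.10, remote host 10.103.0.25 and the 10.245.16.0/30 MPLS link are constructed.

```python
"""Model of the thread's topology: workstation (WS), ASA inside and MPLS router
on one VLAN. Constructed example; the ASA state machine is deliberately minimal."""
import ipaddress

ASA_INSIDE = "10.245.15.2"    # from the posted config
WS = "10.245.1.10"            # constructed workstation in 10.245.0.0/20
REMOTE_HOST = "10.103.0.25"   # constructed host in a 10.103.0.0/20 office
LAN = ipaddress.ip_network("10.245.0.0/20")

def router_next_hop(dst, connected_nets, static_routes):
    """Connected subnets beat static routes: a reply for 10.245.1.10 goes straight
    onto the shared VLAN regardless of any route pointing at the ASA."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in connected_nets):
        return "direct"
    for net, via in static_routes:
        if addr in net:
            return via
    return None

class StatefulFirewall:
    """SYN opens an embryonic entry; the SYN-ACK must be seen before the ACK."""
    def __init__(self):
        self.conns, self.drops = {}, []

    def forward(self, src, dst, flag):
        if flag == "SYN":
            self.conns[(src, dst)] = "embryonic"
            return True
        key = (dst, src) if flag == "SYN-ACK" else (src, dst)
        state = self.conns.get(key)
        if flag == "SYN-ACK" and state == "embryonic":
            self.conns[key] = "synack-seen"
            return True
        if flag == "ACK" and state == "synack-seen":
            self.conns[key] = "established"
            return True
        self.drops.append((src, dst, flag, state))  # no matching state: dropped
        return False

def handshake(router_in_own_zone):
    """ASA's view of one handshake WS -> REMOTE_HOST. False = flat VLAN as in the
    thread; True = router on a constructed 10.245.16.0/30 zone behind the ASA."""
    fw = StatefulFirewall()
    if router_in_own_zone:
        connected, statics = [ipaddress.ip_network("10.245.16.0/30")], [(LAN, "asa")]
    else:
        connected, statics = [LAN], [(LAN, ASA_INSIDE)]  # static is ignored
    fw.forward(WS, REMOTE_HOST, "SYN")           # WS default gateway is the ASA
    if router_next_hop(WS, connected, statics) != "direct":
        fw.forward(REMOTE_HOST, WS, "SYN-ACK")   # reply crosses the firewall
    fw.forward(WS, REMOTE_HOST, "ACK")           # WS again sends via its gateway
    return fw.conns.get((WS, REMOTE_HOST)), fw.drops
```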
07-19-2015 11:05 AM
Thanks, Mohammed. Your explanation of asymmetric routing makes sense.
I'm not fluent with the ASA, so if you can show an example of how to fix this without reconfiguring the MPLS router (which I don't have access to), that would be extremely helpful.
Otherwise I guess I could push static routes out to the workstations or change the subnet the workstations are on, neither of which is appealing to me.
09-05-2019 07:00 AM
Hello,
Is the MPLS Router connected to an Interface on the ASA?
Thanks