
ASA 5505 and MPLS routing

itdept0011111
Level 1

I've got a new installation with a 5505. Besides the firewall, I have a router on the internal network which connects us to other offices over MPLS.  

With my existing configuration, users on the inside can access the internet but not any of the other offices.  I was assuming that with route statements pointing to the other gateway to the other offices, traffic to those offices would go back out the inside interface.  However, that doesn't seem to work. 

The default gateway for the workstations is 10.245.15.2 (the firewall).  The MPLS router is at 10.245.15.1.


Below is my slightly scrubbed configuration.  Can somebody please tell me what I am doing wrong?


ASA Version 8.2(5) 
!
hostname fw-01
domain-name abc.com
enable password 0h/fP6ghIAzzLSaF encrypted
passwd 2KFQABC.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.245.15.2 255.255.240.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.252.94 255.255.255.0 
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name abc.com
same-security-traffic permit intra-interface
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 10 burst-size 5
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.245.0.0 255.255.240.0
route outside 0.0.0.0 0.0.0.0 111.222.252.1 1
route inside 10.103.0.0 255.255.240.0 10.245.15.1 1
route inside 10.104.0.0 255.255.240.0 10.245.15.1 1
route inside 10.105.0.0 255.255.240.0 10.245.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.245.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 10.245.0.0 255.255.240.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.200.1.100 8.8.8.8
dhcpd domain abc.com
dhcpd option 3 ip 10.245.15.2
!
dhcpd address 10.245.1.1-10.245.1.32 inside
dhcpd enable inside
!
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp 
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:3083b765914c850d216b60397fbd064f
: end


4 Replies

Dinesh Moudgil
Cisco Employee

Hi,

As the workstations' gateway is 10.245.15.2, they will forward the packet to the firewall's inside interface.
Also, assuming the offices that are reachable through MPLS are on subnets 10.103.0.0, 10.104.0.0 and 10.105.0.0, the firewall will leverage these routes

route inside 10.103.0.0 255.255.240.0 10.245.15.1 1
route inside 10.104.0.0 255.255.240.0 10.245.15.1 1
route inside 10.105.0.0 255.255.240.0 10.245.15.1 1
 
and send the packets back towards the LAN on 10.245.15.1. Since we are trying to send packets within the zone, we would need to enable intra-zone traffic via "same-security-traffic permit intra-interface", which seems to be already present.

Try to run a test ping from workstation to host reachable through MPLS and perform this:
Run "cap asp type asp-drop all" on ASA.
Then "show cap asp | match x.x.x.x" where x.x.x.x is destination host connected via MPLS.

You might want to check whether MPLS router has correct routes present as well.
P.S: Sharing topology diagram might help understanding the scenario better.

Regards,
Dinesh Moudgil


This won't work with the current configuration as you are having asymmetric routing. Your LAN, ASA inside, and router are in the same VLAN.


The workstation will forward the traffic to the ASA, which sends the traffic back to the router and then to MPLS. Return traffic will reach the router and go to the workstation directly because they are in the same subnet (even if you have routes pointing back to the ASA). This means that the ASA will see half-open TCP sessions and will drop them.

One way to resolve this is to enable ICMP redirect on ASA which may fix the problem if everything else is configured correctly.


The other solution, which I recommend, is to create a new zone called MPLS with a different subnet, then route MPLS traffic over this zone. This will add extra security, as the firewall will be able to filter traffic crossing the zones, and will resolve the asymmetric routing problem.


You need to sit down, redesign the network then configure.

Thanks, Mohammed.  Your explanation of asymmetric routing makes sense.  


I'm not fluent with the ASA, so if you can show an example of how to fix this without reconfiguring the MPLS router (which I don't have access to), that would be extremely helpful. 

Otherwise I guess I could push static routes out to the workstations or change the subnet the workstations are on, neither of which is appealing to me. 

Hello,

Is the MPLS Router connected to an Interface on the ASA?

Thanks
