Solved: Confused and need some advice

crash5050 · ‎07-19-2011

I am attaching a basic diagram of what I am trying to do, but I will try and explain in detail in the post.

I have an AT&T Router that is my gateway to the internet, I have no access to it. I do have the inside ip address of it which is on my private LAN. Just for shiggles we will call it 10.25.240.1 255.255.248.0. That is my gateway address for all of my current devices.

I have this shiny new ASA that I want to throw in there to eliminate a proventia and a sidewinder.

The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the vlans configured, and several more switches all configured with vlan 832, connected to a 2950, which is connected to my internal 2600 router. I have 4 Vlans running on 4 different ip ranges, all controlled by the internal router, with only one vlan, let's say 832 that is trunked to the outside world. That vlan has 172.16.1.x 255.255.0.0 network attached to it. All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass thru the ASA.

Gateway 10.25.240.1

Outside of the ASA 10.25.240.25

Inside of the ASA 172.16.1.25

Eth0/0 on the router 172.16.1.1

Eth0/0.1 on the router 172.16.1.2 832

Encapsulation is dot1q

This might be just a bunch of babble, if you need more information just let me know what to throw at you.

Crash

varrao · ‎07-19-2011

Hi David,

Great!!!, this is definitely progress here.

You would not be able to ping outside interface, deafult behavior of ASA (remote interfaces are not pingable), but yes DG should ping from the PC.

Ok now lets take captures and logs on the ASA.

first of all you need to configure this on ASA:

logging enable

logging buffered 7

and then for captures:

lets say your PC ip is 172.16.1.1,

access-list cap permit ip host 172.16.1.1 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 172.16.1.1

access-list cap permit ip host 10.25.240.25 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 10.25.240.25

cap capin access-list cap interface inside

cap capo access-list cap interface outside

and also enable the debugs:

debug icmp trace

and after enabling the logs, captures and debugs, initiate pings from PC and collect these outputs.

Debugs would pop up themselves

For logs, do " show logging" and copy the ping traffic logs

For captures do " show cap capin" and "show cap capo"

Kindly provide these.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎07-19-2011

HI David,

OK just for starters, we would need to put some basic config on the firewall and then move on to each requirement:

int eth0/1

ip address 10.25.240.25 255.255.255.0

nameif outside

no shut

int eth0/0

ip add 172.16.1.1 255.255.255.0

nameif inside

no shut

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface these stements would nat the inside traffic to the internet router

route outside 0.0.0.0 0.0.0.0 10.25.240.1 1 -----> DG on the ASA

access-list out_in permit icmp any any

access-group out_in in interface outside -------------> to allow ping replies and requests from outside interface

icmp permit any inside ----------------> to allow ping to firewall inside

This should be the basic for pinging interfaces on the firewall and pinging the router.

Lets do this first and then move on to next issue. Could you also post an output of "show tech-support" from the ASA

Thanks,

Varun

Thanks,
Varun Rao

crash5050 · ‎07-19-2011

Ok, I tried all that, set the ASA back to factory-default and followed your directions, I could ping between the interfaces, but the PC on the inside interface couldn's ping thru to the Gateway router.

Attached are my sh run and sh tech-support files

varrao · ‎07-19-2011

Hi David,

I am not sure about this config, you have no ip address assigned on isnide interface:

interface Ethernet0/0

nameif inside

security-level 100

no ip address

But you have one on management interface:

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

Could you verify,which interfaces have you configured????

-Varun

Thanks,
Varun Rao

crash5050 · ‎07-19-2011

OOps, that should be

int e0/0

ip address 10.25.240.248 255.255.255.0

crash5050 · ‎07-19-2011

I am all confused now

inside 10.25.241.1

outside 10.25.240.248

default gateway 10.25.240.1

varrao · ‎07-19-2011

Hi David,

, well don't worry let's not get confused, you're doing everything right untill now, so now moving ahead:

int eth0/1

ip address 10.25.241.25 255.255.255.0

nameif inside

no shut

int eth0/0

ip add 10.25.240.248 255.255.255.0

nameif outside

no shut

* Remember these no shut commands are very important, as theyw ould bring the firewall interfaces up.

Now try pinging again, first ping interface 10.25.241.25 from the computer, it should be successful.

Then try pinging your DG 10.25.240.1, taht shud also b successful, but if not, lets take captures on ASA, you would need to tell me the ip address of the computer from whr you are pingi8ng and i'll let you know the capture commands.

Thanks,

Varun

Thanks,
Varun Rao

crash5050 · ‎07-19-2011

Ok, progress is being made. I can, from the ASA now ping the DG. I can ping the inside address only if I am plugged directly into the eth0/1 port on the back of the ASA. I did a wr er reload on my switch, and I can now ping the inside interface from the switch. But I cannot get the outside interface or the DG from the PC.

Attaching new run and tech support files

varrao · ‎07-19-2011

Hi David,

Great!!!, this is definitely progress here.

You would not be able to ping outside interface, deafult behavior of ASA (remote interfaces are not pingable), but yes DG should ping from the PC.

Ok now lets take captures and logs on the ASA.

first of all you need to configure this on ASA:

logging enable

logging buffered 7

and then for captures:

lets say your PC ip is 172.16.1.1,

access-list cap permit ip host 172.16.1.1 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 172.16.1.1

access-list cap permit ip host 10.25.240.25 host 10.25.240.1

access-list cap permit ip host 10.25.240.1 host 10.25.240.25

cap capin access-list cap interface inside

cap capo access-list cap interface outside

and also enable the debugs:

debug icmp trace

and after enabling the logs, captures and debugs, initiate pings from PC and collect these outputs.

Debugs would pop up themselves

For logs, do " show logging" and copy the ping traffic logs

For captures do " show cap capin" and "show cap capo"

Kindly provide these.

Thanks,

Varun

Thanks,
Varun Rao

crash5050 · ‎07-19-2011

Here is the capture file

varrao · ‎07-19-2011

Hi David,

Did you try pinging after enabling these commands, if yes, i do not see any packets on the firewall arriving, so dow e have a route on the switch for directing all the traffic to ASA inside interface???

Thanks,

Varun

Thanks,
Varun Rao

crash5050 · ‎07-20-2011

Yeppers, I ran a ping for about 10 minutes. Ran packet tracer, and it seems that the NAT is where it is failing. Result Packett Dropped.

David

varrao · ‎07-20-2011

Ok, so can you provide thos packet captures and the logs that you get on the firewall???

I need to check which nat is failing. Plz provide the latest show run as well.

-Varun

Thanks,
Varun Rao

crash5050 · ‎07-20-2011

I hhave resorted to the BFH configuration method. Big Freaking Hammer!

varrao · ‎07-20-2011

Lol

Thanks,
Varun Rao