Outside Vlan & inside Vlan ASA5510

j_j624001
Level 1

Having a few problems with my outside VLAN 5 and inside VLAN 10; my outside VLAN hosts are all pingable, but when I try to ping my inside VLAN 10 gateway from the switch, the inside gateway is unpingable. I have two routes set up on the ASA5510 firewall: one for my outside network, default 0.0.0.0 0.0.0.0 Outside, and another to allow my internal VLANs to reach the outside network, 10.0.0.0 255.0.0.0 Outside. I don't know what else can be blocking ping access to my internal gateway; all of my ACLs are allowing traffic. Does anyone else have this problem where your outside network is pingable but your internal network is not pingable to the gateway? Could it be a switch port on the switch, or could it be the router??

Please, if anyone has some suggestions, feel free.

thanks

37 Replies

Hello;

I just implemented a new config on the firewall; can you take a look at my config to make sure it's correct or could be better? So far I'm passing traffic from IN and OUT; I haven't implemented any changes on the switch side.

Result of the command: "show run"

: Saved
:
ASA Version 8.2(3)
!
firewall transparent
hostname JFW
enable password hE3tTzx4XvGURupW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description OUT
 nameif OUT
 security-level 0
!
interface Ethernet0/0.110
 description Client-Out
 vlan 110
 no nameif
 no security-level
!
interface Ethernet0/1
 description IN
 nameif IN
 security-level 100
!
interface Ethernet0/1.10
 description Client-In
 vlan 10
 no nameif
 no security-level
!
interface Management0/0
 nameif Manage
 security-level 100
 ip address dhcp
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list IN_access_in extended permit ip any any
access-list OUT_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu OUT 1500
mtu IN 1500
mtu Manage 1500
no ip address
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUT_access_in in interface OUT
access-group IN_access_in in interface IN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Manage
http 10.10.0.0 255.255.255.0 IN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:943a1e5eeb36eac10dec9622669e5cf7
: end

Hi 

You set nameif on the interface instead of the subinterface.

You're missing the bridge group and BVI interface.

And what about the other VLANs?

The config I've provided for asa is good. You can take it. Just access-list and maybe bvi IP needs to be adapted. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

From the GUI I enter VLAN 10 for IN and VLAN 110 for OUT, and it automatically sets it as a subinterface along with my VLAN ID. For the bridge group method, I don't have that feature from the CLI nor the GUI using ASA Version 8.2(3); not sure if that matters, but I looked everywhere for bridge group or BVI interface. So that method couldn't work. I'm just using one VLAN for testing before I start adding more config for the other VLANs; gotta get one VLAN running first lol.... I still haven't done anything on the switch nor router side yet; just working on this firewall at first... Plus in transparent mode I can't add an IP address unless it's a network object.... see screenshots

I don't remember the equivalent in the old ASA version. Let's continue that way. I will try to downgrade an ASA tomorrow evening if I have time and come back to you. Or if you want, you can upgrade to a newer version. Thanks. PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

Ok; if you can downgrade an ASA tomorrow that would be awesome lol..... hopefully using my design lol.... seems like this is an old ASA firewall.. lol... But thanks again for the help; I'll keep working on it

The ASA I used was on 8.4, but I respected your design.

Maybe I will try as well to build an ASA on GNS3 with your version.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

I'm sorry, I'm back at home and didn't get time to downgrade any ASA to the old version.

However, it would be better for you to upgrade to the latest version, at least version 8.4.7 (that's the most stable for the ASA 5510). Moving to the new version, you will be able to use the config provided.

Again, it's been a long time since I've done any configuration on the old version (all my customers have migrated to new code after 8.4). As far as I remember, you'll need to create different contexts (1 context per VLAN). The config on each context will be the same as the config provided, I mean 1 VLAN for inside and 1 VLAN for outside (even if the subnet is the same on both ends).

You'll need to add a route on each context with the IP of the router as next-hop like (route outside 0.0.0.0 0.0.0.0 10.10.0.1)

I hope this is clear enough.

Thanks

PS: Please don't forget to rate any useful answers and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello;

It's ok, no worries; I'll see if I can find a downloadable new version to use; but in the meantime, if I were to change my firewall back to routed mode, what kind of design do I need, or what would I have to change in order for the firewall to work in routed mode...

Please advise???

In routed mode:

  1. All VLANs, including DHCP, are done on the switch. The switch will be the default gateway.
  2. Create an interconnection subnet between the switch and the firewall (could be an existing VLAN, for example VLAN 10).
  3. Default route on the switch to the firewall.
  4. Create an interconnection subnet between the firewall and the router.
  5. Default route on the firewall to the router.
  6. NAT on the router.

these are the high level steps.

If you want to filter inter-VLAN communications, you can remove the first 2 steps and replace them with these:

  1. All VLANs layer 2 on the switch.
  2. Default gateways are subinterfaces on the firewall. The firewall should also act as DHCP server (even if I don't recommend that). If you have a DHCP server, the firewall can be configured as DHCP relay.

hope that's clear.

thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The config should be simple, with just trunked VLANs and that's it, but test it; otherwise I will try to test it tomorrow.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

j_j624001
Level 1

Hello;

I was able to get some time to work on the network, but I'm running into a little problem; I was able to use your guide as steps and redo my whole network in routed mode. See attachment for config and layout... Now I'm only using one VLAN for testing; so far the firewall is able to ping the outside network on a different subnet and the inside network on a different subnet; I also got DHCP on the firewall, which is working. Now the problem comes into play: neither the firewall nor the switch can ping the Google server 8.8.8.8, but the router can ping the Google server. Can you look over my config and see if I'm missing something or need to add something? Also I'm seeing traffic from my access point on IN, but I'm not seeing any traffic on the outside network.. Please advise, I'm so close to getting this firewall working correctly....

Hi

On your switch the default route should be: ip route 0.0.0.0 0.0.0.0 10.10.0.1 instead of 10.10.0.0

On your router, your ACL should be more restrictive, like access-list 50 permit ip 10.10.0.0 255.255.255.0

When you run a ping from switch to 8.8.8.8, do you see some traffic on the firewall and do you see nat on the router?

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
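Two of the mistakes called out in this thread (nameif on the physical port while the VLAN subinterfaces carry "no nameif", and a switch default route whose next hop is the network address 10.10.0.0 rather than the host 10.10.0.1) can be caught mechanically before the config goes on the box. The following checker is an added example, not code from the poster or from Cisco; the ASA excerpt is a trimmed copy of the posted "show run", and the connected subnet is assumed to be 10.10.0.0/24.

```python
"""Config sanity checks for the two issues raised in this thread (added example)."""
import ipaddress
import re

# Constructed excerpt of the posted ASA "show run", trimmed to the relevant lines.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif OUT
!
interface Ethernet0/0.110
 vlan 110
 no nameif
!
interface Ethernet0/1
 nameif IN
!
interface Ethernet0/1.10
 vlan 10
 no nameif
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def check_nameif_placement(config):
    """Flag VLAN subinterfaces with 'no nameif' whose parent port carries a nameif."""
    blocks, findings = parse_interfaces(config), []
    for name, lines in blocks.items():
        parent, _, sub = name.partition(".")
        if sub and "no nameif" in lines and any(
                l.startswith("nameif ") for l in blocks.get(parent, [])):
            findings.append(f"{name}: nameif is on {parent}, not on the VLAN subinterface")
    return findings

def check_default_route(route_line, connected_subnet):
    """Return a problem string for 'ip route 0.0.0.0 0.0.0.0 <nh>', or None if it looks sane.
    The next hop must be a usable host address inside the connected subnet (assumed /24)."""
    net = ipaddress.ip_network(connected_subnet)
    nh = ipaddress.ip_address(route_line.split()[-1])
    if nh not in net:
        return f"next hop {nh} is not in connected subnet {net}"
    if nh in (net.network_address, net.broadcast_address):
        return f"next hop {nh} is the network/broadcast address of {net}, not a host"
    return None
```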

Hello;

Thanks for your response; the route on my switch has been changed as you requested, and the ACL on my router has also been changed; so now I'm able to see NAT on the router. I do see traffic hit the firewall when pinging 8.8.8.8 from the switch; see screenshot when pinging 8.8.8.8. As I'm looking at my real-time log buffer I'm getting a lot of TCP teardowns on inspect icmp.. So that could be my problem with pinging to the outside network, because I'm still not getting as much traffic from the outside network...

But what else can I be missing???

NAT on Router

R1#sint
Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.0.85:40215 10.10.0.85:40215   64.62.142.12:7351  64.62.142.12:7351
udp 192.168.0.85:40587 10.10.0.85:40587   64.62.142.12:7351  64.62.142.12:7351
udp 192.168.0.85:40975 10.10.0.85:40975   199.231.78.185:7351 199.231.78.185:7351
udp 192.168.0.85:43788 10.10.0.85:43788   199.231.78.126:7351 199.231.78.126:7351
udp 192.168.0.85:44131 10.10.0.85:44131   108.161.147.7:7351 108.161.147.7:7351

When viewing real time log


%-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} 
gaddr {gaddr | cmp_type} laddr laddr

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

You're also missing a route on your router to indicate the next hop to reach the 10.10.0.0/24 network.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

GOT IT!!!!!!!!! The switch is able to ping 8.8.8.8 and I was able to see the traffic on the firewall; but my only concern is when I try to ping 8.8.8.8 from the FW, either from the outside network, I get this

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

But when I ping from the inside network from the firewall I get this

An error occurred when the adaptive security appliance tried to find the next hop on an interface routing tabl

Any idea what I'm missing that can resolve that issue? My switch works fine when pinging 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 42/55/83 ms
SW#ping 8.8.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 34/48/67 ms
SW#
