5510 Not Allowing ICMP to PBX Thru Same Interface

jeff6strings
Level 1

Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.

We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation, but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones), we will eventually need to change the default gateway to 10.20.0.1 and still need the Internet SIP trunks.

My two questions are: how do we resolve the issue of pinging the .30 address from the workstation, and then, when the time comes, how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router?

Appreciate any help.

Jeff

9 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure why the other IP address of the PBX isn't answering in the original setup, and why changing the default gateway of the PBX stops connections from the Internet working.

Essentially the problem seems to be related to asymmetric routing.

A better place for the PBX with regards to routing/ASA would probably be some DMZ interface on the ASA. I don't know if this would cause any problems for the PBX.

The ASA is quite picky about allowing traffic through that, according to the packet itself, is part of an existing connection but the ASA hasn't seen this.

To my understanding, in the original situation when the workstation pings the PBX (either of the IP addresses), the connection should go so that the ICMP arrives on the PBX and the Echo Reply message gets forwarded to the default gateway of the PBX, which is the ASA. In the case of both PBX IP addresses the ICMP should either fail or succeed. I don't know what causes one to work and the other to fail. Do they somehow have separate configurations for the interfaces?

Usually to correct the situation where asymmetric routing is happening we need several configurations to make it work

We first probably need the configuration

same-security-traffic permit intra-interface

To make it possible for traffic to enter and leave the same interface on the ASA

Then we would probably need a NAT0 configuration on the "inside" interface of the ASA so it won't NAT the local traffic. The format of course depends on your software level.

access-list INSIDE-NAT0 permit 10.20.0.0 255.255.255.0 10.10.102.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Then we would probably need TCP State Bypass to have any hope of passing TCP connections through the ASA when the ASA is not seeing all of the TCP connection's packets.

I am not 100% sure about this setup as I have never had to implement this, mainly because the network setup has always been changed so that there is no room for asymmetric routing.

access-list TCP-STATE-BYPASS permit ip 10.20.0.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list TCP-STATE-BYPASS permit ip 10.10.102.0 255.255.255.0 10.20.0.0 255.255.255.0

class-map TCP-STATE-BYPASS
  match access-list TCP-STATE-BYPASS

policy-map global_policy
  class TCP-STATE-BYPASS
    set connection advanced-options tcp-state-bypass

This would make it so that the ASA didn't care if connections were coming through it between the 2 networks mentioned in the ACL. Naturally it goes around a functionality that the firewall is supposed to have, but to me it seems the only way to correct things without moving the PBX to a place where the ASA ALWAYS sees its traffic. That would be, for example, moving it to its own DMZ on the ASA, where everyone would have to go through the ASA to access it.

But still I can't help but feel that there is something else wrong. As I said, I find it weird that you would be able to ping one IP address of the device but not the other when there was asymmetric routing going on. I also am not quite sure why any connection from the Internet would stop working to the PBX if you change its default gateway. To my understanding the ASA would still see all the packets of a certain connection even if the PBX was using the router as the default gateway, as the router would still probably forward the traffic to a default gateway which is the ASA? Or does the router in question have a default route to some other WAN connection, as I am not quite sure what the Untrusted network is? Internet?

- Jouni
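The "no matching session" behaviour Jouni describes can be shown with a small model of the ASA's stateful ICMP check. The following is an added illustration, not ASA code and not from any poster: it replays the asymmetric case (the echo request goes 6509 -> PBX and only the echo reply is forwarded to the ASA as the PBX's default gateway) beside a symmetric case where the ASA sees both packets. The addresses are the thread's; the ICMP identifier value, the interface names and the hop order are assumptions of the model.

```python
"""Toy model of the ASA stateful ICMP inspection discussed in the thread.

Added illustration, not ASA code.  Addresses are from the original post;
the ICMP identifier and interface names are assumptions of this model.
"""
from dataclasses import dataclass

ECHO_REPLY = 0
ECHO_REQUEST = 8

WORKSTATION = "10.10.102.84"   # workstation from the original post
PBX_30 = "10.20.0.30"          # PBX address that failed to answer


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int   # ICMP identifier; with src/dst it ties a reply to its request


class StatefulAsa:
    """Stand-in for the ASA's stateful ICMP check (simplified model)."""

    def __init__(self, intra_interface: bool = True):
        # Models 'same-security-traffic permit intra-interface' (configured in the thread).
        self.intra_interface = intra_interface
        self.sessions: set[tuple[str, str, int]] = set()
        self.log: list[str] = []

    def process(self, in_iface: str, out_iface: str, pkt: Icmp) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if in_iface == out_iface and not self.intra_interface:
            self.log.append(
                f"Denied ICMP type={pkt.type} from {pkt.src} to {pkt.dst}: "
                "intra-interface traffic not permitted")
            return False
        if pkt.type == ECHO_REQUEST:
            # A request that passes through creates the session the reply needs.
            self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return True
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)   # the reply is addressed to the requester
            if key in self.sessions:
                self.sessions.discard(key)
                return True
            # Same wording as the message quoted in the original post.
            self.log.append(
                f"Denied ICMP type=0, from laddr {pkt.src} on interface {in_iface} "
                f"to {pkt.dst}: no matching session")
            return False
        return False


def asymmetric_ping(asa: StatefulAsa) -> bool:
    """Request goes workstation -> 6509 -> PBX directly; only the reply reaches the ASA."""
    reply = Icmp(src=PBX_30, dst=WORKSTATION, type=ECHO_REPLY, ident=1)
    return asa.process("inside", "inside", reply)


def symmetric_ping(asa: StatefulAsa) -> bool:
    """Both directions traverse the ASA, e.g. with the PBX on its own DMZ (assumed name)."""
    request = Icmp(src=WORKSTATION, dst=PBX_30, type=ECHO_REQUEST, ident=1)
    asa.process("inside", "dmz", request)
    reply = Icmp(src=PBX_30, dst=WORKSTATION, type=ECHO_REPLY, ident=1)
    return asa.process("dmz", "inside", reply)


if __name__ == "__main__":
    asa = StatefulAsa()
    print("asymmetric reply forwarded:", asymmetric_ping(asa))
    print(asa.log[-1])
    print("symmetric reply forwarded:", symmetric_ping(StatefulAsa()))
```

The model drops the reply for exactly the reason the ASA documentation gives: the request never created a session, so the reply has nothing to match. TCP State Bypass (the config above) is not modelled here, since it affects TCP, not the ICMP check.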

Jouni, thanks for the reply.

* We do have same-security-traffic permit intra-interface configured.

* I would have to ask our telecom admin about the separate config for each IP address (there is only one interface on the PBX).

* The 5510 is running version 8.2.

* I will check the 2811 router routes.

* The untrusted network is an existing network (acquisition) so we NAT over to it to access a server on that network.

If it helps all 3 devices (6509, ASA, 2811 router) show the following in their ARP table:

10.20.0.30   0080.f0c2.3dd0

10.20.0.31   0080.f0c2.3dd1

Appreciate the help.

Jeff

Hi Jeff,

If you set the DGW to the 2811 router you are able to reach both IPs of the PBX from the workstation, right? But you lose the Internet access, wherein your SIP trunks stopped working.

You are able to ping from ASA/2811/6509 because they are all connected directly to your 3750 switch.

Can you try this?

You can try configuring a default route on the 2811 pointing to your firewall; for the untrusted zone you can have static routes. In that case both your problems will be solved.

Please correct me if my understanding is wrong here.

Regards

Karthik

Karthik,

Yes, when we pointed the PBX to the 2811 we were able to ping both IP addresses from the workstation, but the SIP from the Internet through the 5510 no longer connected.

I checked and the 2811 router has a default route (0.0.0.0) to 10.20.0.254 which is a VLAN interface on the 6509 which the workstations in the remote office use as a default gateway. I can remove or change this route since EIGRP is configured and working.

I need to confirm all my options, as the PBX requires a consultant to make changes, which requires consulting fees and scheduling time, especially for when this office is closed, and they do have long hours.

Thanks for the help.

Jeff

Hi,

I first thought that the 2811 router held some default route towards some WAN link and therefore broke the PBX connections to the Internet through the ASA, as the connection coming from the Internet through the ASA would head to the PBX and then to the new default gateway device 2811 and from there out to the Untrusted network.

According to your above post it would seem to me that the default route on the 2811 points towards the actual LAN network though. Where does the default route on the 6509 point to? I would imagine if it's the ASA then the return traffic from the PBX (for the connections coming from the Internet) should still work, even though the return traffic takes a bit of a weird turn in the network going through 2811 -> 6509 -> ASA.

As I said before, the network setup isn't exactly ideal when we have multiple routers in the same network and an ASA is involved. The PBX would be good to have on its own network (at least from the perspective of the ASA), but as I understood from your above post, it would seem that such a change would require some resources that you yourself don't have and would have to bring in outside help to handle.

I am still a bit confused as to why the connections from the Internet to the PBX would stop working with the 2811 acting as the gateway. Does the 6509 have proper routing to handle the return traffic from the PBX back to the Internet?

- Jouni

Jouni,

The 6509 (IOS w/ IP services) handles over 120 VLANs and 50+ physical interfaces, plus on the corp network there are ASA pairs, etc., so there are few options for the corporate side except static ARP entries or routes if necessary.

I need the remote office traffic to kind of stay remote if possible, but I can change the default route on the 2811 to the ASA, which is 10.20.0.2, as I agree this may be the problem with the PBX and the Internet SIP, as Karthik is suggesting.

Still baffled as to why only one of the two addresses will return ICMP traffic, but since we may point the PBX to the 2811 as the final solution I may not pursue this one issue further; it would remain an unsolved mystery.

Again thanks, as all suggestions, comments, etc. are welcome.

jeff

Hi,

Yes, I was asking about the 2811 default gateway to confirm that after the PBX default gateway change the Internet SIP traffic would still be returned from the PBX back to the Internet through the ASA. Naturally, if you can change the default route on the 2811 to point to the ASA then I would expect the PBX Internet traffic should be fine.

I am a bit confused about the ICMP in the original setup where the ASA is the gateway of the PBX.

The traffic flow should be identical for ICMP to both IP addresses of the PBX.

To my understanding it would go:

  • PC 10.10.102.82 to 6509
  • 6509 to PBX
  • PBX to ASA
  • ASA to 6509 (depending on the routing on the ASA)
  • 6509 to PC 10.10.102.82

Essentially the above setup is also suffering from asymmetric routing, as the ASA is not seeing the whole traffic. But the situation should be the same for both destination IP addresses. Naturally the PBX and the ASA configuration are not known to us, so it's hard to say what might be causing this.

The log message you refer to states the same thing I wrote above.

"Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session"

The ASA says that it's seeing an ICMP message of Type 0 Code 0, which is an ICMP Echo Reply, from the PBX IP address of 10.20.0.30, and it denies the Echo Reply since it has never seen the ICMP Echo (which goes directly from the 6509 to the PBX).

The actual log message description says the following:

Explanation: ICMP packets were dropped by the adaptive security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the adaptive security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the adaptive security appliance.

- Jouni
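The drop message quoted above is also a useful detection signal: echo replies denied on the inside interface between two internal subnets mean the corresponding requests never crossed the firewall, which is the asymmetric-routing symptom of this thread. The following parser and aggregator is an added example, not code from any poster or from Cisco. The sample log lines are constructed (the %ASA-4-313004 prefix is the syslog id this message normally carries; the other line is a made-up connection-built message used as noise), and the internal network list is taken from the addresses in the thread.

```python
"""Flag asymmetric-routing symptoms in ASA syslog: echo replies denied with
'no matching session' on the inside interface between two internal subnets.

Added detection example, not from the thread.  Sample lines are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

DENIED_ICMP_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\d+(?:\.\d+){3}) "
    r"on interface (?P<iface>\S+) to (?P<dst>\d+(?:\.\d+){3}): no matching session"
)

# Internal networks named in the thread (remote office PBX subnet, workstation subnet).
LOCAL_NETS = [ip_network("10.20.0.0/24"), ip_network("10.10.102.0/24")]

# Constructed sample: three drops like the one quoted in the original post, one
# unrelated ICMP error arriving from the outside, and one ordinary connection message.
SAMPLE_LOG = """\
%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session
%ASA-4-313004: Denied ICMP type=3, from laddr 203.0.113.7 on interface outside to 10.20.0.30: no matching session
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/5060 to inside:10.20.0.30/5060
"""


def parse_denied_icmp(line: str):
    """Return the fields of a 'no matching session' ICMP drop, or None for other lines."""
    m = DENIED_ICMP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    return rec


def is_local(addr: str) -> bool:
    """True if the address falls in one of the internal networks."""
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def asymmetric_reply_drops(lines, min_count: int = 1):
    """Count denied echo replies (type 0) that entered on 'inside' with both ends
    internal: the matching echo request must have bypassed the ASA."""
    hits = Counter()
    for line in lines:
        rec = parse_denied_icmp(line)
        if rec is None or rec["type"] != 0 or rec["iface"] != "inside":
            continue
        if is_local(rec["src"]) and is_local(rec["dst"]):
            hits[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in hits.items() if n >= min_count}


if __name__ == "__main__":
    for (src, dst), n in asymmetric_reply_drops(SAMPLE_LOG.splitlines()).items():
        print(f"{n} echo replies {src} -> {dst} dropped: request never crossed the ASA")
```

Run against real syslog export, raise `min_count` to suppress one-off noise; a persistent pair such as the PBX and a management workstation is the routing problem described here, not an attack, and the fix is on the routing side (as the thread concludes) rather than in the ASA rule base.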

I did a packet capture on the inside interface of the ASA and pinged both IP addresses (.30 & .31) from the workstation, and the .31 is not hitting the ASA but the .30 is. I have an email out to our PBX consultant asking if both IP addresses share the same network settings such as default gateway.

Again, thanks for all the help.

Jeff

We changed the default gateway of the PBX to the 2811, and on this router we changed the gateway of last resort to point to the ASA 5510 inside interface IP address, which resolved the issue.

Thanks to everyone who posted as I appreciate the support.

Jeff
