05-20-2013 03:08 AM - edited 03-11-2019 06:46 PM
Good day,
I have an ASA 5520 that is working with three zones: DMZ, inside and outside.
My DMZ is for all my branches and it had a /24 subnet; my inside had a /24 subnet and all was fine. I could talk to branches and they could talk to me. I also had all the branches accessing the internet via the ASA, which is at HO.
I changed the subnets from /24 to /21 and broke everything.
Below is the config for the ASA:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.4.254 255.255.248.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 708
nameif DMZ
security-level 50
ip address 192.168.128.174 255.255.255.252
!
!
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network INSIDE_LAN
description INSIDE LAN users
network-object 10.11.0.0 255.255.248.0
object-group service Web_Service tcp-udp
access-list DMZ extended permit ip 10.11.16.0 255.255.248.0 any
access-list LAN-DMZ extended permit ip 10.11.0.0 255.255.248.0 10.11.16.0 255.255.248.0
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.11.0.0 255.255.248.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
!
route-map DMZ permit 1
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route DMZ 10.11.16.0 255.255.248.0 192.168.128.173 1
05-20-2013 03:28 AM
Hi,
The information provided is not really enough to troubleshoot this issue.
Can you list the original networks and the new networks?
Have you configured all the routers in the network to reflect the change in the network mask?
Have the hosts and DHCP configurations been changed to reflect this change in network mask?
Has the larger network mask perhaps created some overlap with the INSIDE and DMZ networks that is preventing end to end connectivity? Do the INSIDE and DMZ hosts share some local DNS server?
You can test the ASA configuration with the "packet-tracer" command:
packet-tracer input inside tcp
or
packet-tracer input DMZ tcp
- Jouni
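Jouni's overlap question can be checked mechanically. As an added example (not from the thread or from Cisco), this Python script parses the post-change config pasted in the question (copied below as a constructed string), looks for static routes that overlap a directly connected subnet on another interface, and lists ACLs that no access-group or nat 0 line references; on that config it finds no overlap but reports both ACLs as unreferenced.

```python
# Added example, not from the thread: a small lint over ASA 8.2-style config lines.
import ipaddress

NEW_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.11.4.254 255.255.248.0
interface GigabitEthernet0/2.1
 nameif DMZ
 ip address 192.168.128.174 255.255.255.252
access-list DMZ extended permit ip 10.11.16.0 255.255.248.0 any
access-list LAN-DMZ extended permit ip 10.11.0.0 255.255.248.0 10.11.16.0 255.255.248.0
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route DMZ 10.11.16.0 255.255.248.0 192.168.128.173 1
"""

def parse(cfg):
    """Collect interface subnets by nameif, static routes, ACL names, bound ACLs, nat 0 ACLs."""
    ifaces, routes, acls, applied, exempt = {}, [], set(), set(), set()
    name = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            name = t[1]
        elif t[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[0] == "route" and len(t) >= 5:
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}")))
        elif t[0] == "access-list":
            acls.add(t[1])
        elif t[0] == "access-group":
            applied.add(t[1])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            exempt.add(t[4])
    return ifaces, routes, acls, applied, exempt

def findings(cfg):
    """Routes overlapping a connected subnet on another interface (default route ignored), plus unreferenced ACLs."""
    ifaces, routes, acls, applied, exempt = parse(cfg)
    out = []
    for name, net in ifaces.items():
        for rif, rnet in routes:
            if rif != name and rnet.prefixlen and rnet.overlaps(net):
                out.append(f"overlap: route {rnet} via {rif} with {name} {net}")
    for acl in sorted(acls - applied - exempt):
        out.append(f"unused ACL: {acl} (no access-group or nat 0 references it)")
    return out
```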
05-20-2013 03:45 AM
The routers have been configured for this new change. Currently this network is not yet in production, so there are no DHCP servers present; it is just using laptops sitting behind routers to represent the actual networks.
The original was like this:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.11.4.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.128.174 255.255.255.252
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 50
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network INSIDE_LAN
description INSIDE LAN users
network-object 10.11.4.0 255.255.255.0
object-group service Web_Service tcp-udp
access-list DMZ extended permit ip 10.11.21.0 255.255.255.0 any
access-list LAN-DMZ extended permit ip 10.11.4.0 255.255.255.0 10.11.21.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LAN-DMZ
nat (inside) 1 10.11.4.0 255.255.255.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group DMZ in interface DMZ
!
route-map DMZ permit 1
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route DMZ 10.11.21.0 255.255.255.0 192.168.128.173 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Admin password MhLn41kUsHw2C9YS encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.128.172 255.255.255.252 DMZ
05-20-2013 04:38 AM
Hi,
I would check the ASA configuration by using the "packet-tracer" command to see if there are any problems there.
Or you could monitor the ASA logs through ASDM while attempting connections from the DMZ network for example and see if the connections reach the ASA and what happens to them.
As the "inside" seems to be directly connected to the hosts through some switch I would start checking the DMZ related configurations between the hosts and the ASA so that they are correct. I still have no idea of the other devices you might have in the network.
You have very few configurations on the ASA that I can see from above, so if there is any problem related to the ASA, there shouldn't be that many possibilities for what is causing the problem.
I am not quite sure why you have changed the DMZ to a trunk interface during the network mask change.
- Jouni
05-21-2013 03:26 AM
The DMZ is coming in on a leased line from our telco provider and they give us a fibre link with a VLAN, hence the need for that. It's like their requirement.
I will try and check using packet-tracer and try to establish where I could be going wrong.
Thanks