01-14-2011 08:27 PM - edited 03-11-2019 12:35 PM
At a branch MPLS site I have an ASA 5505 (Security Plus license and provides DHCP) with about a dozen devices behind it (PCs, phones, and a network printer). The MPLS is the only connection outside of the office until it is replaced with a dedicated Internet and site-to-site VPN connection in a couple months.
I need all traffic from the main office to flow through the ASA (without statics) to the branch systems and I don't want outbound traffic translated.
I removed the NAT and global and thought/hoped simply changing vlan2 (outside) security-level to 100 would complete the objectives. No luck. I added same-security-traffic permit inter-interface - again, no luck.
Is there a way to achieve the goal other than using firewall transparent? (It's remote, and from what I understand once changed I'll lose access to it, and it would have to be changed back when MPLS is replaced with Internet.)
The only option I see is to set up site-to-site VPN across MPLS. Hopefully I'm missing something and there's a better/easy way.
Thanks for your help.
Regards,
JD
01-14-2011 08:36 PM
Don't quite understand your topology, can you pls share a topology diagram?
From what I understand, branch office and main office are connected via MPLS, and internet is also via MPLS. You have an ASA at the branch office and would like to route traffic from the main office destined to the internet towards the branch office. However, if internet is also via the MPLS, traffic from the main office will never be routed towards the branch office because it will go straight out directly via the MPLS if the internet connection is routed via the MPLS.
Unless I understand your topology incorrectly, you won't be able to force internet traffic from the main office towards the branch office if they are all using the same MPLS to route to each other. The only option, as you said, would be to set up a site-to-site VPN.
01-14-2011 08:42 PM
5505 -- ISP-managed MPLS router -- MPLS cloud -- ISP-managed MPLS router -- HQ Firewall
I simply need any traffic originating in HQ and destined for systems behind the Remote 5505 to pass through the 5505 without any firewalling on the 5505... like it's a switch.
ASA is running Version 8.2(1).
01-14-2011 09:03 PM
OK, so the internet connection is at HQ, and for your branch office to access the Internet, it will be routed via the MPLS towards the HQ, and out to the Internet via the HQ internet connection?
Your statement: "I need all traffic from the main office to flow through the ASA (without statics) to the branch systems and I don't want outbound traffic translated."
--> do you mean, you would like traffic from branch office to flow through the ASA (without statics) to the main office, since the Internet connection is at the HQ?
If that is correct, assuming that you have inside (security level 100) and outside (security level 0) interface on your ASA at the branch office, then you can configure the following:
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
Then "clear xlate", and traffic should not be translated from branch office towards the main office.
01-14-2011 09:14 PM
Thanks for the replies.
Forget about the Internet. Simply put, all systems in HQ needing to communicate with Branch systems behind the 5505 should not be filtered by the 5505. As it is right now, I would have to set up statics and an ACL for the outside interface on the 5505, which is no good.
Also, in my original post I indicated having removed the nat and global statements, set security-level on vlan2 (5505's outside) to 100 (same as 5505's vlan1 - inside), and enabled same-security-traffic permit inter-interface.
01-14-2011 09:18 PM
OK, if you don't want to configure any NAT statement nor ACL, then you would need to configure the following on the ASA:
1) Security level needs to be the same on both vlan 1 and vlan 2.
2) Configure: same-security-traffic permit inter-interface
3) Remove all the NAT and global statement as well as the static statements.
4) Configure: no nat-control
5) Remove access-list applied to any of the interfaces (especially the outside interface).
Traffic will then flow freely in both directions with no translation, as well as no requirement to configure any access-list.
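A small audit script for the five conditions listed above, added here as an example and not part of the thread or of any Cisco tool. It parses a running-config fragment (a constructed sample modelled on the branch 5505 snippet posted later in this thread) and reports which of the five conditions are not met; the check names are my own.

```python
import re

# Constructed sample, modelled on the branch 5505 fragment posted in the thread:
# both VLANs at security-level 100, but an access-group is still applied and
# "no nat-control" is absent.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.30.20.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 100
 ip address 10.30.8.2 255.255.255.0
!
same-security-traffic permit inter-interface
access-list outin extended permit ip any any
access-group outin in interface outside
"""

# The same fragment with the access-group removed and nat-control disabled.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-group outin in interface outside\n",
                                     "no nat-control\n")

def parse_security_levels(config):
    """Map each interface's nameif to its security-level."""
    levels, name, level = {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            if name is not None:
                levels[name] = level
            name, level = None, None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level "):
            level = int(s.split()[1])
    if name is not None:
        levels[name] = level
    return levels

def check_passthrough(config):
    """Evaluate the five conditions from the reply above; True means satisfied."""
    lines = [l.strip() for l in config.splitlines()]
    levels = parse_security_levels(config)
    return {
        "same_security_levels": len(levels) >= 2 and len(set(levels.values())) == 1,
        "inter_interface_permitted": "same-security-traffic permit inter-interface" in lines,
        "no_nat_global_static": not any(re.match(r"(nat|global|static) \(", l) for l in lines),
        "nat_control_disabled": "no nat-control" in lines,
        "no_access_groups": not any(l.startswith("access-group ") for l in lines),
    }

def failing_checks(config):
    """Sorted names of the conditions the config does not satisfy."""
    return sorted(k for k, ok in check_passthrough(config).items() if not ok)
```

Paste the output of "show running-config" in place of the constructed sample to audit a real box; the script only reads text and changes nothing.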
01-14-2011 09:02 PM
Seems my previous, incomplete, response will not update.
5505 -- ISP-managed MPLS router -- MPLS cloud -- ISP-managed MPLS router -- HQ Firewall
I need traffic originating from HQ and destined for the Branch systems behind the 5505 to pass unfiltered... like the firewall is simply a switch.
ASA is running 8.2(1).
Thanks for your efforts!
01-14-2011 09:07 PM
Yup, that NAT exemption statement should do:
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
And to initiate traffic from the low security level (outside), i.e. HQ, towards the high security level (inside), the branch LAN, you would need to configure an ACL to permit the traffic and apply that on the outside interface.
01-14-2011 09:32 PM
Traffic from Branch to HQ is not the problem - I have NAT under control. How can I "disable" "filtering" of traffic coming from HQ to Branch? It all needs to pass untouched and without having to configure statics and inbound ACL (although I already have one which didn't help).
interface Vlan1
nameif inside
security-level 100
ip address 10.30.20.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address 10.30.8.2 255.255.255.0
...
same-security-traffic permit inter-interface
...
access-list outin extended permit ip any any
...
access-group outin in interface outside
...
Traffic coming from HQ to Branch is still filtered. Short of setting up a site-to-site VPN or using 'firewall transparent' what can be done to allow HQ-to-Branch traffic to pass the 5505 untouched?
01-14-2011 09:34 PM
Remove "access-group outin in interface outside".
If you have same security level on both inside and outside, you don't need to apply any access-list.
01-14-2011 09:45 PM
I only added the access-group when same-security-traffic permit inter-interface didn't work. At your suggestion though I have removed the access-group... still no love. Verified security-levels are both 100 and that same-security-traffic is inter and not intra.
*scratching head*
01-14-2011 09:48 PM
Sorry, when you say it didn't work, what do you mean? Where exactly is it failing? If you run packet capture on both outside and inside interface of the ASA, do you actually see the traffic from HQ towards branch?
01-14-2011 09:56 PM
It didn't work = traffic originating from HQ destined to Branch systems (for example, web interface on a printer, RDP to a Windows box, ping to whatever) stops at the 5505.
On the 5505...
packet-tracer input outside tcp some_hq_ip some_port some_branch_ip some_other_port detailed
...result is allowed.
01-14-2011 10:03 PM
If packet-tracer allows it, it doesn't seem to be an issue with the ASA configuration.
Can you share some logs that say it stops at the ASA? And also run packet capture on both the outside and inside interface of the ASA. Need to confirm where exactly it's failing.
I assume that you are trying to access hosts in 10.30.20.0/24 subnet, and those hosts have default gateway configured to be 10.30.20.2?
Also, if there is any personal firewall, etc on the hosts, please disable it as it normally does not allow inbound connection from different subnets.
01-14-2011 10:22 PM
Yes, trying to communicate with 10.30.20.x hosts and their gateway is 10.30.20.2. I can't easily sniff on either side of the 5505 (remote and no technical people at the site) but I can demonstrate clearly that this is a firewall issue.
Prior to the firewall being put in-line there was an unmanaged switch (failing, which is one of two reasons the firewall was put in - the other being MPLS is going to be replaced at the remote site with broadband). With the switch in place I could access anything I wanted from HQ to Remote... access web interface on print server (no personal firewall to interfere), RDP to all Windows machines (yes, firewall is enabled but RDP and ICMP are allowed), I could ping anything, and 4-digit dialing on phone calls from HQ to Branch... take the failing switch out - put the firewall in - now no connectivity from HQ to Branch. Again, statics and an ACL aren't acceptable.
If I can't get this to work then my only options are site-to-site VPN or 'firewall transparent', which I think presents other configuration challenges for me with it being remote.
A quick look in the 5505's log shows...
%ASA-2-106001: Inbound TCP connection denied from 10.99.21.21/10001 to 10.30.20.20/80 flags SYN on interface inside
10.30.20.20 is the print server. I don't know when the log entry appeared relative to the many changes I have made (other than the entry immediately above it shows me changing outside's security-level to 100).
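A parser for the %ASA-2-106001 deny message quoted above, added here as an example and not part of the thread or of any Cisco tool. It pulls out the addresses, ports, TCP flags and, importantly, the interface on which the ASA received the denied packet, and summarises denies per interface; the first sample line is the thread's own entry, the others are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the entry quoted in the thread, the rest
# are made up in the same format (plus one unrelated 302013 line to ignore).
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 10.99.21.21/10001 to 10.30.20.20/80 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 10.99.21.21/10002 to 10.30.20.20/3389 flags SYN on interface inside
%ASA-2-106001: Inbound TCP connection denied from 10.99.21.22/40000 to 10.30.20.21/80 flags SYN on interface outside
%ASA-6-302013: Built inbound TCP connection 5 for outside:10.99.21.22/40001 (10.99.21.22/40001) to inside:10.30.20.21/80 (10.30.20.21/80)
"""

# Field layout of message 106001: "... denied from SRC/SPORT to DST/DPORT flags FLAGS on interface IFC"
DENY_RE = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[\w ]+?) on interface (?P<ifc>\S+)"
)

def parse_denies(log):
    """Return one dict per 106001 line; other message IDs are skipped."""
    events = []
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events

def denies_by_interface(log):
    """Count of denied connections per receiving interface."""
    return dict(Counter(e["ifc"] for e in parse_denies(log)))

def denied_syns_on(log, ifc):
    """(src, dst, dport) of denied SYNs that the ASA received on the named interface."""
    return [(e["src"], e["dst"], e["dport"]) for e in parse_denies(log)
            if e["ifc"] == ifc and "SYN" in e["flags"]]
```

Feed it "show logging" output to see on which interface the HQ-sourced SYNs are actually being dropped before changing any more configuration.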