Asa 5506-X Firewall configuration

matthieu.euzen1
Level 1

Hello,

I'm currently trying to set up a new router in my company's network.

Everything works fine concerning Internet access; unfortunately, my company uses software that has to go through a VPN (another Cisco router) using a static route, and despite all my efforts I'm still unable to make it work.

The Netgear router is working fine, but has to be replaced by the Asa 5506-X.

All the frames concerning the software are redirected by the Netgear through the internal switch to the Cisco VPN.

Here is the conf for the Asa 5506-X:

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 95... 255.255.255.192
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.50.205 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ree.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service efluid tcp-udp
 port-object range 1 65535
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list efluid extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list global_access_2 remark Explicit rule
access-list global_access_2 extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_6 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
access-group inside_access_out out interface inside
access-group global_access_2 global
route outside 0.0.0.0 0.0.0.0 95...
route inside 10.1.0.0 255.255.0.0 192.168.50.10 1
route inside 192.168.113.0 255.255.255.0 192.168.50.10 1
route inside 192.168.200.0 255.255.255.0 192.168.50.10 1
route inside 192.168.210.0 255.255.255.0 192.168.50.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
service resetinbound
service resetoutside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure

Thank you in advance for your help!

10 Replies

Sergio Ceron Ramirez
Cisco Employee

Hello Matthieu, based on your explanation and on the diagram: are you expecting traffic to come from the Internet through your ASA and go out through the VPN concentrator to the software, or should traffic coming from the inside take the path to the database by using this concentrator? I see your software database has a public IP on the same subnet as your ASA. Is that correct, or is it a typo? Let me know.

Hello,

The database is hosted by the software's company, which provides us with the public IP.

The software is based on a web interface, so its traffic, using the gateway set on every internal device, goes to the Netgear, which routes it to the VPN.

Here is a network schematic where you can see in red the path taken by the software's traffic (knowing that the Asa 5506-X has to do the same):

Here are the static routes concerned:

route inside 10.1.0.0 255.255.0.0 192.168.50.10 1
route inside 192.168.113.0 255.255.255.0 192.168.50.10 1
route inside 192.168.200.0 255.255.255.0 192.168.50.10 1
route inside 192.168.210.0 255.255.255.0 192.168.50.10 1

The software's traffic will never have to go through the Asa's outside interface.

Thank you for your help!

Which IP or subnet do you want to reach through the VPN on these routes you shared? You may need a twice NAT on the ASA to configure hairpinning.

The Cisco VPN is already configured and works fine. Its outside subnet is 255.255.255.192.

What is the hairpinning for?

Once the Asa is properly configured, it will replace the Netgear and I will have to change the IP of its inside interface from 192.168.50.205 to 192.168.50.202.

Hairpinning will allow you to send the traffic back out on the same interface where it was received by doing a twice NAT or "no-NAT" on the ASA. Try setting up something like this:

nat (inside,inside) source static any any destination [remote app IP] [remote app IP] no-proxy-arp route-lookup
!
route inside [remote IP][Subnet mask] 192.168.50.10

With this configuration, when traffic hits the ASA, it will be sent back through the same inside interface using the route out to 192.168.50.10, where this traffic is known, and your traffic will keep its real source address.

Hello,

Thanks for your answers,

I've been trying your solution by adding the NAT rule to the firewall:

nat (inside,inside) 1 source static any any destination static 192.168.210.1 192.168.210.1 no-proxy-arp route-lookup

Unfortunately, I'm still unable to connect to the software, and I keep getting the same error:

I also added the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

We can see that the connection was torn down before the TCP connection

However, the static routes seem to work fine.

May it come from the Access control rules?

Hi Matt,

From the Wireshark screenshot it seems that host 192.168.50.108 is resetting the connection. Could you please check the sequence and acknowledgement numbers for the connection, and take a Wireshark capture on the 192.168.50.108 host to verify whether it is the one sending the RST packet that makes the ASA close the connection?

Best regards,

Hello,

Sorry for the delay, I've been away for a while.

I'm still working on the router, and I'm facing the same problems again.

The IP address 192.168.50.108 is used by my computer, and the Wireshark capture was made from it.

I'm currently trying your suggestions and I'll come back to you with more information.

Thanks a lot for your consideration!

Problem solved!

I finally succeeded by bypassing the TCP verification:

Cisco(config)# access-list bypass permit tcp any any
Cisco(config)# class-map bypass_traffic
Cisco(config-cmap)# match access-list bypass
Cisco(config)# policy-map tcp_bypass_policy
Cisco(config-pmap)# class bypass_traffic
Cisco(config-pmap-c)# set connection advanced-options tcp-state-bypass
Cisco(config)# service-policy tcp_bypass_policy interface inside

Once again, thank you very much for your help!

Matthieu, sorry I could not continue with this thread before. That error message is due to the ASA not seeing the initial TCP (SYN) packet, which is when the message shows up as (No connection).

We can try a TCP bypass to understand whether this could be related to the initial SYN packet being sent to a different destination, or somehow not reaching the ASA correctly.

Let me know if you are still working on this or if we missed out on solving this together.

Have a nice one.
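As an added example (not from the original thread), here is the hairpin NAT and TCP state bypass from the replies above, with the bypass scoped to the inside subnet and the four destination subnets that the static routes already send to 192.168.50.10, rather than `permit tcp any any`, so the ASA keeps stateful TCP inspection for every other inside flow. The object-group, class-map and policy-map names and the idle timeout value are assumptions; the subnets and next hop come from the configuration posted above.

```cisco
! Destination subnets reached through the VPN router at 192.168.50.10
! (taken from the "route inside" lines in the original config)
object-group network VPN_SUBNETS
 network-object 10.1.0.0 255.255.0.0
 network-object 192.168.113.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
!
! Hairpin twice NAT: traffic from inside to the VPN subnets leaves
! on the same inside interface with its real source address intact
nat (inside,inside) source static any any destination static VPN_SUBNETS VPN_SUBNETS no-proxy-arp route-lookup
!
! Required so inside-to-inside (hairpinned) traffic is allowed at all
same-security-traffic permit intra-interface
!
! Only the asymmetric flows (inside LAN -> VPN subnets) skip TCP state
! tracking; everything else on inside stays under full inspection.
! (Assumed names: tcp_bypass, TCP_BYPASS_CLASS, TCP_BYPASS_POLICY)
access-list tcp_bypass extended permit tcp 192.168.50.0 255.255.255.0 object-group VPN_SUBNETS
!
class-map TCP_BYPASS_CLASS
 match access-list tcp_bypass
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
  ! Bypassed flows are not torn down by normal TCP tracking, so give
  ! them a shorter idle timeout (value is an assumption)
  set connection timeout idle 0:10:00
!
service-policy TCP_BYPASS_POLICY interface inside
```

After applying it, `show service-policy interface inside` and `show conn` let you confirm that only flows toward the VPN subnets are created as bypass connections while other inside traffic still shows normal TCP flags.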
