03-04-2013 06:35 AM - edited 03-11-2019 06:09 PM
Hey Folks,
I would appreciate any feedback I can get on this. I recently added a business cable modem to help relieve some of the congestion I was getting on my T1 for our MPLS network. There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the cable modem, and handling the routing of our internal MPLS traffic as well. Internet setup was cake. The test laptop I have using the ASA as its gateway has great internet service, but it cannot ping across either of our MPLS networks. I have one MPLS with AT&T and one MPLS with EarthLink. My hope was to use the cable modem as the default route for all unspecified internet traffic and route our internal MPLS traffic to the Cisco 2800 routers that are currently in place for the MPLS. I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.
Here's the topology I'm working with
Internet
|
Cable Modem
|
ASA 5510 10.52.120.23
|
LAN 10.52.120.0/24
|
Cisco 2800 10.52.120.1
|
MPLS Cloud
|
Cisco 2800 10.52.121.3 (remote gateway)
If I ping from the client here is what I get:
C:\>ping 10.52.121.3
Pinging 10.52.121.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.52.121.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
When I ping from the ASA this is what I get:
ciscoasa# ping
Interface: inside
Target IP address: 10.52.121.3
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 10.52.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/254/280 ms
My first thought was that the ASA could be NAT'ing traffic from the client on the inside interface, routing to a router on the inside interface, but when I tried to set up a NAT exemption for inside-to-inside traffic the ASA errored and told me that was not allowed. So I can only assume the ASA is smart enough to know not to NAT traffic coming in and out on the same interface. I've googled my heart out but I cannot find out what I've done wrong. The solutions I've read lead me to believe my configuration is fine, but obviously there is something I'm missing here. I would appreciate any advice or kicks in the right direction. Here's the config I'm working with at the moment. The 10.52.120.56 gateway is for the second MPLS network we connect to. If I can determine why I cannot ping 10.52.121.3, the same fix should apply for the networks connected behind the 10.52.120.56 gateway.
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.52.120.0 255.255.255.0
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route inside 10.52.127.0 255.255.255.0 10.52.120.1 1
route inside 10.52.126.0 255.255.255.0 10.52.120.56 1
route inside 10.52.125.0 255.255.255.0 10.52.120.56 1
route inside 10.52.124.0 255.255.255.0 10.52.120.56 1
route inside 10.52.123.0 255.255.255.0 10.52.120.56 1
route inside 10.52.122.0 255.255.255.0 10.52.120.1 1
route inside 172.16.0.0 255.240.0.0 10.52.120.1 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wbenson password xxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.52.120.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
management-access inside
Cryptochecksum:fc159f3714d20305335f0db434c67de8
: end
03-04-2013 06:47 AM
Hi, take a look at the intra-interface config.
The following example shows how to enable traffic to enter and exit the same interface:
hostname(config)# same-security-traffic permit intra-interface
taken from here
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html
03-04-2013 06:50 AM
There's a little thing called Hairpinning aka U-turn.
static (inside,inside) 10.52.121.3 10.52.121.3
global (inside) 1 interface   (assuming you are using NAT ID 1)
same-security-traffic permit intra-interface
03-04-2013 07:32 AM
I tried enabling just the intra-interface option for same-security-traffic and I also tried setting up the inside NAT. Neither of these solutions appears to have worked. I still cannot ping across my MPLS. I also set up a second static NAT for a remote server so I could try a remote desktop connection, in case it was something specifically with ping (ICMP) that was causing the problem. I could not establish a remote desktop connection either. I checked the translation and I do see where it is trying to translate internal MPLS traffic to the inside interface address, but that does not seem to have corrected the problem.
Here's the config as it stands now:
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 10.52.120.0 255.255.255.0
static (inside,inside) 10.52.121.3 10.52.121.3 netmask 255.255.255.255
static (inside,inside) 10.52.122.10 10.52.122.10 netmask 255.255.255.255
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route inside 10.52.127.0 255.255.255.0 10.52.120.1 1
route inside 10.52.126.0 255.255.255.0 10.52.120.56 1
route inside 10.52.125.0 255.255.255.0 10.52.120.56 1
route inside 10.52.124.0 255.255.255.0 10.52.120.56 1
route inside 10.52.123.0 255.255.255.0 10.52.120.56 1
route inside 10.52.122.0 255.255.255.0 10.52.120.1 1
route inside 172.16.0.0 255.240.0.0 10.52.120.1 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wbenson password xxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.52.120.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
management-access inside
Cryptochecksum:f8981027b0ffc75ae22266a3835461ae
: end
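The two configs above differ only in the intra-interface permit and the inside PAT, which is exactly the hairpin condition the replies are pointing at. The following is an added example, not code from the thread or from Cisco: a small linter for the pre-8.3 ASA NAT/route syntax used here that flags routes whose next hop sits on the same segment as a NAT'd LAN, then checks for the knobs that make such a U-turn work. The two sample configs at the bottom are constructed from the posted ones (trimmed to the lines that matter), and the rule that "PAT to the interface address makes the return path symmetric" is the example's own reading of the second reply.

```python
"""Added example, not code from the thread or from Cisco: a small linter for the
pre-8.3 ASA NAT/route syntax used above. It flags the hairpin (U-turn)
condition the poster hit. Assumption: only route/nat/global/
same-security-traffic/inspect/tcp-state-bypass lines matter; the sample
configs at the bottom are constructed from the posted ones, not copied."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    nameif: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


@dataclass
class AsaConfig:
    if_nets: dict = field(default_factory=dict)   # nameif -> interface subnet
    routes: list = field(default_factory=list)
    nat_lans: set = field(default_factory=set)    # interfaces with 'nat (if) N ...'
    pat_ifaces: set = field(default_factory=set)  # interfaces with 'global (if) N interface'
    intra_interface: bool = False
    tcp_state_bypass: bool = False
    icmp_inspected: bool = False


def parse_asa_config(text: str) -> AsaConfig:
    cfg, nameif, net = AsaConfig(), None, None
    for raw in text.splitlines():
        tok = raw.strip().lower().split()
        if not tok:
            continue
        if tok[0] in ("interface", "!"):      # closes the previous interface block
            if nameif and net:
                cfg.if_nets[nameif] = net
            nameif, net = None, None
        elif tok[0] == "nameif" and len(tok) > 1:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "route" and len(tok) >= 5:
            cfg.routes.append(Route(tok[1], ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False),
                                    ipaddress.IPv4Address(tok[4])))
        elif tok[0] == "nat" and len(tok) >= 3:
            cfg.nat_lans.add(tok[1].strip("()"))
        elif tok[0] == "global" and len(tok) >= 4 and tok[3] == "interface":
            cfg.pat_ifaces.add(tok[1].strip("()"))
        elif tok[0] == "same-security-traffic" and "intra-interface" in tok:
            cfg.intra_interface = True
        elif tok[:2] == ["inspect", "icmp"] or tok[:3] == ["fixup", "protocol", "icmp"]:
            cfg.icmp_inspected = True
        elif "tcp-state-bypass" in tok:
            cfg.tcp_state_bypass = True
    if nameif and net:
        cfg.if_nets[nameif] = net
    return cfg


def hairpin_routes(cfg: AsaConfig) -> list:
    """Routes whose next hop is on the same segment as a NAT'd LAN: a host there
    reaching that prefix enters and leaves the ASA on one interface."""
    return [r for r in cfg.routes if r.nameif in cfg.nat_lans
            and r.nameif in cfg.if_nets and r.gateway in cfg.if_nets[r.nameif]]


def audit(cfg: AsaConfig) -> list:
    """INFO/WARN/FAIL findings for the hairpin condition."""
    hp = hairpin_routes(cfg)
    out = [f"INFO hairpin: {r.prefix} via {r.gateway} goes back out '{r.nameif}'" for r in hp]
    if not hp:
        return out
    if not cfg.intra_interface:
        out.append("FAIL 'same-security-traffic permit intra-interface' missing: U-turned packets are dropped")
    asym = sorted({r.nameif for r in hp if r.nameif not in cfg.pat_ifaces})
    if asym and not cfg.tcp_state_bypass:
        out.append("WARN asymmetric path on " + ",".join(asym) + ": the router answers the host "
                   "directly, so the ASA never sees the SYN/ACK and drops the rest of the TCP flow "
                   "(PAT to the interface address hides it, a separate MPLS interface fixes it)")
    if not cfg.icmp_inspected:
        out.append("WARN ICMP inspection is off: echo replies are not tied to a connection")
    return out


# Constructed sample: the relevant lines of the first posted config ...
BEFORE = """\
interface Ethernet0/0
 nameif inside
 ip address 10.52.120.23 255.255.255.0
!
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 10.52.120.0 255.255.255.0
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route inside 10.52.126.0 255.255.255.0 10.52.120.56 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
"""
# ... and the same plus the two lines the replies suggested.
AFTER = BEFORE + "same-security-traffic permit intra-interface\nglobal (inside) 1 interface\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==", *audit(parse_asa_config(text)), sep="\n")
```

Run it against a full `show running-config` saved to a file (`audit(parse_asa_config(open(path).read()))`) to see which routes U-turn. The first config reports a FAIL plus the asymmetric-path warning; the second clears both and leaves only the ICMP-inspection warning, which is the point the 08:02 reply raises.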
03-04-2013 08:02 AM
There might not be a need to enable TCP state bypass.
Can you enable the inspection for ICMP traffic?
Here is the command:
fixup protocol ICMP
03-04-2013 07:50 AM
I found the write-up I've been looking for I think.
It was titled "The Woes of Using an ASA as a Default Gateway"
http://www.packetu.com/2011/10/17/the-woes-of-using-an-asa-as-a-default-gateway/
In this write-up the author is describing exactly the problem I'm running into in my environment.
I'm going to have to upgrade the IOS on my ASA though. I found this one in a closet and it's running 7.2; the write-up says a new command was added in 8.2, "TCP State Bypass", which will prevent the ASA from trying to control TCP sessions.
I appreciate the feedback; hopefully I will have this thing figured out soon.
03-04-2013 07:58 AM
Hi,
Personally I have never run into a situation where I would have to use "TCP State Bypass".
But then again we have always set up the network so that this doesn't happen.
I read the above posts through quickly and I presume that the problem here is that the traffic is entering and leaving the same interface on the ASA. I would avoid these situations.
I would also look into the possibility of bringing the MPLS connections to the ASA on their own interface so you wouldn't get this situation where the ASA would have to even try forwarding the traffic back out the same interface it came in on.
As it stands now the routing is asymmetric, as LAN hosts forward traffic to the ASA but the return traffic is forwarded by the MPLS router directly to the hosts and not to the ASA.
- Jouni
03-04-2013 08:14 AM
And to further add to my above post
In most of the cases I've seen on these forums where people have added the TCP State bypass it has been to simply bypass an actual problem in the network topology and not really correcting the problem. More like bypassing an actual important operation of the firewall.
As I said, if possible, I would look into bringing the connection from the MPLS router to the ASA so your LAN host would simply have one gateway (ASA) and the ASA would have links to all the network segments needed (inside,outside,mpls and so on)
Don't know if this helps but thought I'd still comment.
- Jouni
03-04-2013 11:34 AM
I upgraded the IOS on my ASA 5510 to 8.2 and BAM, it all started working. I did not implement the TCP bypass recommended in the thread I read online. There must be something in the newer IOS that corrected the problem I was having. I'm pretty sure it was the intra-interface statement on the same-security-traffic policy, but I can't swear to it since I tried everyone's recommendations up to the point that I updated the IOS software. Thank you everyone for your time!