
ASA 5510 Multiple Interfaces routing issue

jackyli1031
Level 1

Hi

I have a routing issue on an ASA 5510. I have 1 interface for outside and 2 interfaces for inside.

The issue is that the 2 inside interfaces can't route.

inside 1 - 10.206.0.0 255.255.252.0

inside 2 - 10.207.0.0 255.255.255.0

The 10.207.0.X subnet can't reach the 10.206.0.X subnet, but both inside subnets can access the outside.

Hope you can help me. Many thanks.

Here is the config:

!
interface Ethernet0/0
 nameif BB
 security-level 0
 ip address 100.100.100.2 255.255.255.0
!
interface Ethernet0/1
 description 206
 nameif 206
 security-level 100
 ip address 10.206.0.253 255.255.252.0
!
interface Ethernet0/2
 description 207
 nameif 207
 security-level 100
 ip address 10.207.0.253 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.32.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Internal_net
 network-object 10.200.0.0 255.255.0.0
 network-object 10.201.0.0 255.255.0.0
 network-object 10.202.0.0 255.255.0.0
 network-object 10.204.0.0 255.255.0.0
 network-object 10.205.0.0 255.255.0.0
 network-object 10.210.0.0 255.255.0.0
 network-object 10.206.0.0 255.255.252.0
 network-object 10.207.0.0 255.255.255.0
object-group network mk206
 network-object 10.206.0.0 255.255.252.0
object-group network mk207
 network-object 10.207.0.0 255.255.255.0
access-list 206_inside extended permit ip any any
access-list 207_inside extended permit ip any any
access-list BB_outside extended permit ip any any
access-list nonat207 extended permit ip object-group mk207 object-group Internal_net
access-list nonat206 extended permit ip object-group mk206 object-group Internal_net
pager lines 24
logging asdm informational
mtu BB 1500
mtu 206 1500
mtu 207 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (BB) 1 interface
nat (206) 0 access-list nonat206
nat (206) 1 10.206.0.0 255.255.252.0
nat (207) 0 access-list nonat207
nat (207) 1 10.207.0.0 255.255.255.0
access-group BB_outside in interface BB
access-group mk206_inside in interface 206
access-group mk207_inside in interface 207
route BB 0.0.0.0 0.0.0.0 100.100.100.1 1
route 206 10.0.0.0 255.0.0.0 10.206.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:f18d859412bc8bed5c8a9d25cca60adb
: end

5 Replies

Jouni Forss
VIP Alumni (Accepted Solution)

Hi,

Can you issue the command

packet-tracer input 207 tcp 10.207.0.100 12345 10.206.0.100 80

Don't mind the IP addresses and ports used. This command is just supposed to tell us which NAT rules and other configurations the connection matches.

You do seem to have NAT0 configurations on both interfaces for the traffic between the networks.

I would however suggest NOT using the "object-group network Internal_net" on the NAT0 ACL configurations, as it contains destination networks which are actually source networks for the interface used.

Some people might do the following NAT for the traffic between the interfaces:

static (207,206) 10.207.0.0 10.207.0.0 netmask 255.255.255.0

There is naturally also the possibility that somewhere behind the "206" interface you have another interface which has a wrong network mask that contains even the 10.207.0.0/24 network, and therefore connections never form between these 2 networks.

- Jouni

Hi Jouni

Thanks for your support. But it still does not work after issuing this:

static (207,206) 10.207.0.0 10.207.0.0 netmask 255.255.255.0

Do you have any idea?

Thanks

Hello Jacky,

You said:

but 2 inside subnet can access outside.

access-list 206_inside extended permit ip any any

access-list 207_inside extended permit ip any any

access-group mk206_inside in interface 206

access-group mk207_inside in interface 207

As you can see there is a mismatch in the configuration; I do not see the access-list 206_inside...

Not sure if you copied/pasted the configuration wrong or if there is an issue with the actual configuration...

Can you double-check that?

Also take into consideration Jouni's advice; make sure you have changed the NAT as required.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Didn't even notice the mismatch between the actual ACLs configured on the firewall and the names used in the "access-group" commands.

To my understanding the ASA won't allow using an ACL in the "access-group" command that does not exist. On Cisco routers I think it was possible to attach an ACL to an interface which didn't exist, but this caused all traffic through that interface to be blocked.

Could you give us the "packet-tracer" command output which I suggested earlier? This would at least tell which rules the connection attempt would match on the firewall.

- Jouni
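The two problems the replies point out (an access-group that names an ACL the config never defines, and a NAT0 ACL whose destination object-group also covers the source interface's own subnet) can be checked mechanically against a saved config. This is an added example, not code from the thread or from Cisco; parse_asa, the constructed config excerpt and the ASA 8.2-style command forms it expects are assumptions.

```python
import ipaddress
# Constructed excerpt in the style of the thread's ASA 8.2 config (not the poster's full config).
ASA_CONFIG = """\
nameif 206
ip address 10.206.0.253 255.255.252.0
object-group network Internal_net
 network-object 10.206.0.0 255.255.252.0
 network-object 10.207.0.0 255.255.255.0
object-group network mk206
 network-object 10.206.0.0 255.255.252.0
access-list 206_inside extended permit ip any any
access-list nonat206 extended permit ip object-group mk206 object-group Internal_net
nat (206) 0 access-list nonat206
access-group mk206_inside in interface 206
"""

def parse_asa(cfg):
    # Collect interface subnets, object-groups, ACLs, NAT0 lines and access-group lines.
    ifaces, groups, acls, nat0, agroups = {}, {}, {}, {}, []
    cur_name = cur_group = None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "nameif":
            cur_name = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[cur_name] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["object-group", "network"]:
            cur_group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur_group.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and t[2] == "0":
            nat0[t[1].strip("()")] = t[4]      # nat (IF) 0 access-list ACL
        elif t[0] == "access-group":
            agroups.append((t[1], t[4]))       # access-group ACL in interface IF
    return ifaces, groups, acls, nat0, agroups

def undefined_acl_refs(cfg):
    """access-group and nat 0 lines that name an ACL the config never defines."""
    _, _, acls, nat0, agroups = parse_asa(cfg)
    return [(a, w) for a, w in agroups + [(a, f"nat ({i}) 0") for i, a in nat0.items()] if a not in acls]

def nat0_dst_overlaps_source(cfg):
    """NAT0 entries whose destination object-group also covers the source interface's subnet."""
    ifaces, groups, acls, nat0, _ = parse_asa(cfg)
    return [(iface, acl, ace[-1], str(net))
            for iface, acl in nat0.items() for ace in acls.get(acl, [])
            if ace[-2] == "object-group"        # destination given as an object-group
            for net in groups.get(ace[-1], []) if net.overlaps(ifaces[iface])]
```

Run against the full config from the post, it reports both mk206_inside and mk207_inside as undefined and flags Internal_net on both NAT0 ACLs.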

jackyli1031
Level 1

Thanks all for the support and help.

The issue is solved.

Thanks again

Jacky
