08-05-2012 10:08 PM - edited 03-11-2019 04:38 PM
Hello all!
I am new to the forum, and new to the world of Cisco, so please go easy on me!
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
I have a couple of subnets that, when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I'm not sure if it's an access rule issue, a NAT issue, or a DNS issue. I am hoping that a quick look at my network layout and ASA config will reveal the answer to one of you more experienced guys.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)
Internal DNS Servers: 192.168.0.3, 192.168.2.231
External DNS Servers: 216.86.207.2, 216.86.207.3
Exchange Server: 192.168.0.8
I do not want the traffic separated on the subnets. I should be able to ping any of the workstations on any subnet from any other subnet I am on, and they should be able to reach each other on any port for file/printer sharing, etc. This being the case, I do not need to configure separate VLANs for each subnet, do I? I'd rather keep things as simple as possible.
Here is the ASA Config:
ASA Version 8.2(5)
!
hostname Firewall
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.86.214.58 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 216.86.207.2
 name-server 216.86.207.3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound extended permit tcp any any eq www
access-list outbound extended permit tcp any any eq ftp
access-list outbound extended permit tcp any any eq domain
access-list outbound extended permit tcp any any eq https
access-list outbound extended permit udp any any eq domain
access-list outbound extended permit tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.0.60-192.168.0.65 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.0.15 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.8 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.86.214.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.3.0 255.255.255.0 192.168.0.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 216.86.207.2
If anyone can help me get this going I would be greatly appreciative!
Thanks in advance for your time and efforts!
08-05-2012 11:06 PM
A relevant part of your config is missing. On the end there should be the following part:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp ! <------ Is this line there?
!
service-policy global_policy global
The line "inspect icmp" is needed to ping through the ASA.
Should the subnets 192.168.2.0/24 and 192.168.3.0/24 go through the ASA to the internet? Then the NAT has to be expanded:
nat (inside) 10 192.168.0.0 255.255.252.0
And now the real challenge:
The ASA should not be the default-gateway for the devices in the 192.168.0.0/24 subnet. That is possible, but makes your network overcomplicated and you will have problems to troubleshoot it.
If you can't separate the ASA with a Layer3-switch from the main network it's best to put the static routes for 192.168.2.0/24 and 192.168.3.0/24 on every device in the 192.168.0.0/24 network.
The reason for that is that the ASA by default doesn't allow hairpinning where traffic enters and leaves through the same interface (inside in your case). That can be configured, but the ASA is not the device that is designed for that task.
08-05-2012 10:33 PM
From the ASA, are you able to ping a public IP address?
08-06-2012 08:43 AM
John,
Yes, I am able to ping public addresses, but only from workstations connected to the 192.168.0.0/24 subnet.
08-06-2012 08:42 AM
Karsten,
Thank you very much for replying so quickly! I have made the suggested configuration changes, but before I put it in place for a live test, could you please clarify something for me?
Very interesting about the hairpinning situation I have going on... Now, when you say separate the ASA with a Layer-3 switch, how exactly do I go about doing that? I have a Cisco SG 300-28 switch that all of the subnets converge to, and the ASA is directly connected to it as well. What kind of configuration changes do I need to make on the switch and ASA to have everything operating properly?
08-06-2012 09:16 AM
Your L3 setup should look like this:
Internet - ASA - IP.1 - new subnet a.b.c.d - IP.2 - SG300 - internal subnet1
                                                          - internal subnet2
                                                          - internal subnet3
What you need:
1a) Reconfigure the ASA inside IP to one in the new subnet (a.b.c.1)
1b) Reconfigure all static routes to internal networks to an IP in that new subnet (a.b.c.2)
2a) create a new VLAN on the SG300 with the new subnet with the IP a.b.c.2
2b) the Port connecting the ASA is configured to that VLAN
2c) The old VLAN of the SG300 gets the old IP (192.168.0.2) of the ASA so that the clients and servers can use their old Default-Gateway
2d) Add Routes to the remote-nets on the SG300
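As an added example (not from the original thread or either poster), here is what steps 1a-2d could look like on both boxes, folding in the "inspect icmp" line and the expanded /22 NAT from the earlier answer. The transit subnet 10.0.0.0/30 (ASA .1, SG300 .2), transit VLAN 10, the SG300 port gi1 as the link to the ASA, and the SG300 command syntax are assumptions; check them against your SG300 firmware's CLI guide before pasting.

```cisco
! ---- ASA 5505, 8.2(5): move "inside" onto the transit subnet ----
! (assumed transit subnet 10.0.0.0/30; do this from the console, because
!  changing the inside IP drops an SSH/ASDM session)
no route inside 192.168.2.0 255.255.255.0 192.168.0.1
no route inside 192.168.3.0 255.255.255.0 192.168.0.6
interface Vlan1
 ip address 10.0.0.1 255.255.255.252
!
! 192.168.0.0/24 is no longer directly connected: every internal
! network now sits behind the SG300 at 10.0.0.2
route inside 192.168.0.0 255.255.255.0 10.0.0.2 1
route inside 192.168.2.0 255.255.255.0 10.0.0.2 1
route inside 192.168.3.0 255.255.255.0 10.0.0.2 1
!
! one PAT rule for 192.168.0.0 - 192.168.3.255 (the /22 covers all three /24s)
no nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.0.0 255.255.252.0
!
! ICMP inspection so echo replies to pings through the ASA are allowed back
policy-map global_policy
 class inspection_default
  inspect icmp
!

! ---- SG300-28: Layer 3 mode, transit VLAN 10 toward the ASA (syntax assumed) ----
set system mode router
! (a reload is required; afterwards the switch routes between its VLAN interfaces)
vlan database
 vlan 10
exit
interface vlan 10
 ip address 10.0.0.2 255.255.255.252
exit
! VLAN 1 takes over the ASA's old address, so clients keep 192.168.0.2 as gateway
interface vlan 1
 ip address 192.168.0.2 255.255.255.0
exit
! access port toward the ASA inside (Ethernet0/1 on the 5505 is in VLAN 1 there)
interface gi1
 switchport mode access
 switchport access vlan 10
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 192.168.2.0 255.255.255.0 192.168.0.1
ip route 192.168.3.0 255.255.255.0 192.168.0.6
```

Two things worth checking after the change. First, from the ASA, "show route" should list the three 192.168.x.0/24 networks via 10.0.0.2, and "packet-tracer input inside icmp 192.168.2.10 8 0 8.8.8.8" (a constructed source host) should end in ALLOW with an xlate on the outside interface; the "http" and "ssh" lines that permit 192.168.0.0/24 on inside are matched on source address, so they keep working once that subnet is routed rather than connected. Second, the SSLClientPool range 192.168.0.60-65 from the posted config lies inside 192.168.0.0/24, which is now a network behind the SG300 rather than one the ASA is directly on; if the SSL VPN is in use, a pool in a separate range, with a route for it on the SG300 pointing at 10.0.0.1, avoids LAN hosts ARPing for VPN clients on VLAN 1.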
08-10-2012 12:43 PM
Karsten,
I apologize for the delay in getting back to you, but I finally had a chance to kick everyone off of the network this morning and re-configure the main switch.
THANK YOU SOOO MUCH!!! Everything is working as it should now, and I couldn't have done it without your help. You are truly a great asset to this forum!!
08-10-2012 01:34 PM
Fine that it worked! So keep on learning and start to contribute to this forum as well ... ;-)
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni