ASA cannot ping from one subnet to another? No access to Exchange?

weedtarded (Level 1)

Hello all!

I am new to the forum, and new to the world of Cisco, so please go easy on me!

I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching YouTube videos, and endless Google searching, and despite my best efforts I am still having an issue I can't figure out.

I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue. I am hoping that a quick look at my network layout and ASA config will reveal the answer to one of you more experienced guys.

Here is the network layout:

ASA: 192.168.0.2 (Primary Gateway)

192.168.0.0 (Primary facility, ASA is the gateway)

192.168.2.0 (Second facility, connected via Verizon point-to-point)

192.168.3.0 (Third facility, connected via Verizon point-to-point)

Internal DNS Servers: 192.168.0.3, 192.168.2.231

External DNS Servers: 216.86.207.2, 216.86.207.3

Exchange Server: 192.168.0.8

I do not want the traffic separated on the subnets, I should be able to ping any of the workstations on any subnet from any other subnet I am on, and they should be able to reach each other on any port for file/printer sharing, etc.  This being the case, I do not need to configure separate VLANs for each subnet do I? I’d rather keep things as simple as possible.

Here is the ASA Config:

ASA Version 8.2(5)
!
hostname Firewall
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.86.214.58 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 216.86.207.2
 name-server 216.86.207.3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound extended permit tcp any any eq www
access-list outbound extended permit tcp any any eq ftp
access-list outbound extended permit tcp any any eq domain
access-list outbound extended permit tcp any any eq https
access-list outbound extended permit udp any any eq domain
access-list outbound extended permit tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.0.60-192.168.0.65 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.0.15 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.8 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.86.214.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.3.0 255.255.255.0 192.168.0.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 216.86.207.2

If anyone can help me get this going I would be greatly appreciative!

Thanks in advance for your time and efforts! 


7 Replies

John Peterson (Level 1)

From the ASA, are you able to ping a public IP address?

John,

Yes, I am able to ping public addresses, but only from workstations connected to the 192.168.0.0/24 subnet.

A relevant part of your config is missing. On the end there should be the following part:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp       ! <------ Is this line there?
!
service-policy global_policy global

The line "inspect icmp" is needed to ping through the ASA.

Should the subnets 192.168.2.0/24 and 192.168.3.0/24 go through the ASA to the internet? Then the NAT has to be expanded:

nat (inside) 10 192.168.0.0 255.255.252.0

And now the real challenge:

The ASA should not be the default gateway for the devices in the 192.168.0.0/24 subnet. That is possible, but it makes your network overcomplicated and you will have problems troubleshooting it.

If you can't separate the ASA with a Layer 3 switch from the main network, it's best to put the static routes for 192.168.2.0/24 and 192.168.3.0/24 on every device in the 192.168.0.0/24 network.

The reason for that is that the ASA by default doesn't allow hairpinning where traffic enters and leaves through the same interface (inside in your case). That can be configured, but the ASA is not the device that is designed for that task.
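As an added illustration (not part of the thread or of Cisco's tooling), a small Python check over a constructed excerpt of the posted config that applies the two points above: whether each "route inside" subnet is covered by a "nat (inside)" rule (the /24 misses 192.168.2.0 and 192.168.3.0, the suggested /22 covers both), and which routes send inside-originated traffic back out the inside interface, i.e. hairpinning.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted in the thread (not the full config).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.2 255.255.255.0
nat (inside) 10 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 216.86.214.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.3.0 255.255.255.0 192.168.0.6 1
"""

# ASA 8.2 syntax: "nat (<if>) <id> <net> <mask>" and "route <if> <net> <mask> <gw> <metric>".
NAT_RE = re.compile(r"^nat \((\S+)\) \d+ (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) \d+$")


def parse(config):
    """Return ([(interface, network)], [(interface, network, next_hop)])."""
    nats, routes = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
            continue
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((m.group(1), net, ipaddress.ip_address(m.group(4))))
    return nats, routes


def audit(config):
    """Flag inside-routed subnets with no matching NAT rule, and hairpin routes."""
    nats, routes = parse(config)
    findings = []
    for ifname, net, next_hop in routes:
        if ifname != "inside":
            continue  # only routes pointing back into the inside network matter here
        # Internet access needs a nat rule on the same interface whose network
        # contains the subnet; 192.168.0.0/24 does not contain 192.168.2.0/24.
        if not any(n_if == ifname and net.subnet_of(n_net) for n_if, n_net in nats):
            findings.append(f"no-nat {net}")
        # A route whose exit interface is 'inside' means traffic from inside hosts to
        # this subnet enters and leaves the ASA on the same interface (hairpinning).
        findings.append(f"hairpin {net} via {next_hop}")
    return findings
```

Running audit() on the excerpt reports both remote subnets as uncovered by NAT and as hairpin routes; changing the mask to 255.255.252.0 clears the NAT findings but, as the post says, not the hairpin ones.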

Karsten,

Thank you very much for replying so quickly! I have made the suggested configuration changes, but before I put it in place for a live test, could you please clarify something for me?

Very interesting about the hairpinning situation I have going on... Now, when you say separate the ASA with a Level-3 switch, how exactly do I go about doing that? I have a Cisco SG 300-28 switch that all of the subnets converge to, and the ASA is directly connected to it as well. What kind of configuration changes do I need to make on the switch and ASA to have everything operating properly?

Your L3 setup should look like this:

Internet - ASA - IP.1 - new subnet a.b.c.d - IP.2 - SG300 - internal subnet1
                                                          - internal subnet2
                                                          - internal subnet3

What you need:

1a) Reconfigure the ASA inside IP to an address in the new subnet (a.b.c.1)

1b) Reconfigure all static routes to internal networks to an IP in that new subnet (a.b.c.2)

2a) Create a new VLAN on the SG300 with the new subnet with the IP a.b.c.2

2b) the Port connecting the ASA is configured to that VLAN

2c) The old VLAN of the SG300 gets the old IP (192.168.0.2) of the ASA so that the clients and servers can use their old Default-Gateway

2d) Add Routes to the remote-nets on the SG300

Karsten,

I apologize for the delay in getting back to you, but I finally had a chance to kick everyone off of the network this morning and re-configure the main switch.

THANK YOU SOOO MUCH!!! Everything is working as it should now, and I couldn't have done it without your help. You are truly a great asset to this forum!!

Fine that it worked! So keep on learning and start to contribute to this forum as well ... ;-)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
