09-23-2011 06:06 AM - edited 03-11-2019 02:29 PM
I am setting up a new ASA and I have configured it for multiple contexts. I created subinterfaces for each physical interface (including the inside and outside). All physical interfaces have been plugged into trunk ports. I have configured all with VLANs in the system context and have assigned the appropriate subinterfaces to my contexts. Each subinterface has an IP address appropriate for the network it is attached to. On one of my contexts I have set up ACLs and NAT to allow traffic from my inside network to my test network, DMZ and outside. I have configured a NAT rule for inside to outside access that PATs the IP address to a public IP address. I have set up a PC with the IP address of my inside interface on one of my contexts as the default gateway.
When I try to access my DMZ and my test network I have no issues. However, when I try to access the Internet it's like nothing is getting routed out. I have set up the default route to our ISP's router (which is the same way we have the existing ASA set up). If I run through the packet tracer, the ASA says that the packet is allowed out.
I've been trying to figure out what I'm missing that would prevent traffic from accessing the Internet. Can anyone help?
Thanks.
09-23-2011 08:31 PM
Watch what the logs say.
conf t
logging on
logging buffered 7
exit
sh logg | i x.x.x.x (where x.x.x.x is the ip of the inside host that is trying to go outside)
Are you able to ping the outside router from an inside host?
When you say internet traffic not working - what kind of traffic is this? http traffic?
Do you know if DNS is working? Have you tried to load a page using its IP address and not name?
-KS
09-26-2011 06:51 AM
No, I can't ping the outside router. I've tried ICMP and HTTP traffic; neither works. Here's what I'm seeing in the logs when I run an ICMP test:
Note: PC IP is 1.1.1.1, NATed IP address is 2.2.2.2 and router IP is 3.3.3.3
%ASA-6-302013: Built outbound TCP connection 7753 for outside:216.243.197.245/80 (216.243.197.245/80) to inside:1.1.1.1/54057 (2.2.2.2/38382)
%ASA-6-305011: Built dynamic TCP translation from inside:1.1.1.1/54060 to outside:2.2.2.2/58481
%ASA-6-302013: Built outbound TCP connection 7754 for outside:216.243.197.246/80 (216.243.197.246/80) to inside:1.1.1.1/54060 (2.2.2.2/58481)
%ASA-6-302014: Teardown TCP connection 7753 for outside:216.243.197.245/80 to inside:1.1.1.1/54057 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 7754 for outside:216.243.197.246/80 to inside:1.1.1.1/54060 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:1.1.1.1/54057 to outside:2.2.2.2/38382 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:1.1.1.1/54060 to outside:2.2.2.2/58481 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:1.1.1.1/54068 to outside:2.2.2.2/15120
%ASA-6-302013: Built outbound TCP connection 7755 for outside:209.84.29.126/80 (209.84.29.126/80) to inside:1.1.1.1/54068 (2.2.2.2/15120)
%ASA-6-305011: Built dynamic TCP translation from inside:1.1.1.1/54071 to outside:2.2.2.2/35195
%ASA-6-302013: Built outbound TCP connection 7756 for outside:209.84.24.126/80 (209.84.24.126/80) to inside:1.1.1.1/54071 (2.2.2.2/35195)
%ASA-6-302014: Teardown TCP connection 7755 for outside:209.84.29.126/80 to inside:1.1.1.1/54068 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 7756 for outside:209.84.24.126/80 to inside:1.1.1.1/54071 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:1.1.1.1/54068 to outside:2.2.2.2/15120 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:1.1.1.1/54071 to outside:2.2.2.2/35195 duration 0:01:00
%ASA-6-305011: Built dynamic ICMP translation from inside:1.1.1.1/1 to outside:2.2.2.2/59170
%ASA-6-302020: Built outbound ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302020: Built outbound ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302020: Built outbound ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302020: Built outbound ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/0 gaddr 2.2.2.2/59170 laddr 1.1.1.1/1
%ASA-6-305012: Teardown dynamic ICMP translation from inside:1.1.1.1/1 to outside:2.2.2.2/59170 duration 0:00:46
%ASA-6-305011: Built dynamic ICMP translation from inside:1.1.1.1/1 to outside:2.2.2.2/38808
%ASA-6-302020: Built outbound ICMP connection for faddr 74.125.225.83/0 gaddr 2.2.2.2/38808 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 74.125.225.83/0 gaddr 2.2.2.2/38808 laddr 1.1.1.1/1
%ASA-6-302020: Built outbound ICMP connection for faddr 74.125.225.83/0 gaddr 2.2.2.2/38808 laddr 1.1.1.1/1
%ASA-6-302021: Teardown ICMP connection for faddr 74.125.225.83/0 gaddr 2.2.2.2/38808 laddr 1.1.1.1/1
09-26-2011 07:42 AM
I'm also wondering about the VLAN on the outside interface. I've got the outside interface plugged into a trunk port on my switch, so that should route any VLAN traffic appropriately. I also noticed that if I do a "show arp" I see entries for all of my interfaces except my outside interface.
09-26-2011 10:15 AM
This is not a complete sh run that you have attached so I am unable to review the interface config. If you are not using sub-interfaces on the firewall, you should not be configuring the switch end as a trunk port.
Please configure the switch side as an access port on the outside VLAN.
According to the logs the firewall is working fine. There is no response from the outside, so we are logging SYN timeout; this is to be expected.
-KS
09-26-2011 11:13 AM
I am using sub-interfaces on my outside interface of my firewall. So in that case I should be using a trunk port, correct? The more I think about it, the more I'm convinced that it has to do with something on my switch, since the ASA can't even get out.
09-26-2011 12:25 PM
From the ASA itself, can you ping the relevant subinterface IP default-gateway (presumably on your L3 switch)? So in the context that is not working, from the ASA can you ping the L3 switch IP default-gateway, and can you ping Internet destination addresses?
Jon
09-26-2011 12:36 PM
On the ASA in the context I'm working with I can ping the IP address of the sub-interface associated with the outside interface but I cannot ping the IP address of the ISPs router (which is the default gateway in my route statement) from the ASA. It's like it isn't processing the route.
What's weird is that if I run the packet capture tracking traffic that's going out the inside interface and into the outside interface, I don't get anything on the outside interface. I can see the packet from my PC to the public IP of the site I'm trying to access on the inside interface. The same holds true if I set the packet capture to monitor traffic into the inside interface and out the outside interface.
Unfortunately the switch I'm connected to is a Catalyst Express 500 series switch so I'm limited in what I can do from a diagnostic standpoint.
09-26-2011 12:47 PM
So per context you have different default-gateways pointing to the relevant ISP router subinterface?
Presumably you don't have config access to the ISP router? If you do, you could either do a debug ICMP or use an ACL to log any ICMP packets received.
Can you also confirm that you don't have shared interfaces between your contexts ?
Finally, can you confirm that this context is not using the native VLAN that is on the trunk link with the Express 500 switch.
Jon
09-26-2011 12:56 PM
Basically what I need to do is to set up two firewall contexts on our ASA. One context is for the internal network and the other is for what will become our guest network. My idea was to split the outside interface into two sub-interfaces and then assign one interface a public IP and allocate that interface to the internal network's outside interface. I would then use the other outside sub-interface, allocate a different public IP address to that interface, and allocate it to the guest network's context. In both cases the default gateway is the ISP's router IP address (1.2.3.4).
As far as the VLANs associated with the contexts...one is assigned VLAN 101 and the other is assigned VLAN 102. I have added VLAN 101 and VLAN 102 to my Catalyst Express 500 switch. The trunk port the ASA is plugged into is set to the native vlan 1.
I do not have config access to the ISP router.
09-26-2011 01:00 PM
How can both contexts use the same default-gateway? If each context is in a different VLAN then you would need equivalent subinterfaces on the ISP router for it to work.
If you create a trunk with the Express 500, then what is the connection to the ISP router? I assumed another trunk with subinterfaces. If it isn't, then I can't see how this would work.
Note I'm not familiar with Express 500 switches, but I am assuming they are not L3 devices?
Jon
09-26-2011 01:05 PM
So basically I need to scrap the idea of sub-interfaces on my outside interface and just use the same outside interface between contexts? Then I wouldn't need separate VLANs. Or how do I achieve what I'm trying to do?
Is it possible that I won't be able to really test my Internet connection until I unplug the current production ASA and install the new one?
09-26-2011 01:09 PM
You can use the same VLAN for the 2 outside interfaces, which then have a public IP each (different) but in the same subnet as the ISP default-gateway IP address (if you have 3 addresses in the same subnet).
This would work, as I have done this setup (although with private IPs, but the principle is the same). The one thing you need to be aware of with a shared VLAN is how the classifier works. If you look at the relevant docs for your ASA version there will be a section on the classifier. Worth having a read.
Jon
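The shared-outside layout Jon describes, written out as an added lab example (this is not configuration from the original thread or from Cisco documentation). It keeps the poster's addressing (ISP router 1.2.3.4, insidenet outside 1.2.3.5, guestnet outside 1.2.3.6, VLAN 101) and assumes inside VLANs 10 and 20, inside subnets 10.1.1.0/24 and 10.2.2.0/24, and config-url paths on disk0:, none of which appear in the thread. The NAT statements are left out because their syntax depends on the ASA version Jon asks about in the next post. The key change from the poster's config is that there is one outside subinterface on VLAN 101 and it is allocated to both contexts, rather than two subinterfaces on two VLANs:

```cisco
! --- System execution space (hypothetical, not the poster's running-config) ---
! With a shared interface the classifier steers inbound frames to a context by
! destination MAC. Auto-generate a unique MAC per context for Ethernet0/0.1;
! without this the classifier falls back to finding the destination IP in a
! context's NAT configuration, and an unclassifiable packet is dropped.
mac-address auto
!
interface Ethernet0/0
 description outside trunk to Catalyst Express 500
 speed 100
 duplex full
!
! One outside subinterface, one VLAN, shared by both contexts.
interface Ethernet0/0.1
 description shared outside subinterface, VLAN 101
 vlan 101
!
interface Ethernet0/1.1
 description inside for insidenet, VLAN 10 (assumed)
 vlan 10
!
interface Ethernet0/1.2
 description inside for guestnet, VLAN 20 (assumed)
 vlan 20
!
context insidenet
 allocate-interface Ethernet0/0.1
 allocate-interface Ethernet0/1.1
 config-url disk0:/insidenet.cfg
!
context guestnet
 allocate-interface Ethernet0/0.1
 allocate-interface Ethernet0/1.2
 config-url disk0:/guestnet.cfg
!
! --- insidenet context (disk0:/insidenet.cfg) ---
interface Ethernet0/0.1
 nameif outside
 security-level 0
 ip address 1.2.3.5 255.255.255.224
!
interface Ethernet0/1.1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
!
! --- guestnet context (disk0:/guestnet.cfg) ---
interface Ethernet0/0.1
 nameif outside
 security-level 0
 ip address 1.2.3.6 255.255.255.224
!
interface Ethernet0/1.2
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
!
! --- Verification (exec commands, run from the system space) ---
! Both contexts should list Ethernet0/0.1 in their interface column.
show context
! Then inside each context: the outside interface must be up/up with its own
! public IP, the ISP router must answer a ping sourced from that interface,
! and 1.2.3.4 must appear in the ARP table before any NAT or ACL matters.
changeto context insidenet
show interface ip brief
ping outside 1.2.3.4
show arp
changeto context guestnet
ping outside 1.2.3.4
show arp
```

Two switch-side conditions follow from this layout: the Catalyst Express trunk port facing the ASA must carry VLAN 101 as a tagged VLAN (the subinterface tags its frames, so 101 must not be the trunk's native VLAN), and the port facing the ISP router, assumed here to be on the same switch, must be an access port in VLAN 101 so that 1.2.3.4, 1.2.3.5 and 1.2.3.6 share one broadcast domain. If the ping from the context to 1.2.3.4 fails with no ARP entry for it, the problem is in that Layer 2 path, not in the ASA's routing or NAT.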
09-26-2011 01:20 PM
OK, so let me make sure I understand what you're saying. I have 3 public IPs in the same subnet as the default gateway address we're using for our ISP now. Assume they are as follows:
ISP router: 1.2.3.4
Insidenet outside sub-interface IP: 1.2.3.5
Guestnet outside sub-interface IP: 1.2.3.6
What you're saying is that I can assign VLAN 101 to both of the outside sub-interfaces? I've got the VLANs assigned to the interfaces in the system context. When I try to assign the same VLAN, it tells me that I've already assigned VLAN 101 to another interface. And if I try to create the sub-interfaces without VLANs, I get a message that I have to specify a VLAN.
Here's an example of what I've got:
System Context:
interface Ethernet0/0
 description outside interface
 speed 100
 duplex full
!
interface Ethernet0/0.1
 description outside interface for insidenet
 vlan 101
!
interface Ethernet0/0.2
 description outside interface for guestnet
 vlan 102
!
context insidenet
 allocate-interface Ethernet0/0.1
!
context guestnet
 allocate-interface Ethernet0/0.2
*************************************************
InsideNet context:
interface Ethernet0/0.1
 description InsideNet outside interface
 nameif outside
 security-level 0
 ip address 1.2.3.5 255.255.255.224
!
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
09-26-2011 01:26 PM
Can you just clarify -
1) the model of ASA
2) the IOS version you are running
Jon