01-06-2012 07:06 AM - edited 03-11-2019 03:11 PM
I need to connect two internal LANs, each of which has an ASA as its firewall to the outside. One has an ASA 5505 with two interfaces and the other an ASA 5510 with three interfaces. I managed to pass echo packets from one internal LAN to the other, but not TCP packets. It must be something simple that I missed. Any help will be highly appreciated! Here is the network diagram:
Here is the config from the ASA 5510 (I removed obvious settings to save space):
interface Ethernet0/0
nameif outside
security-level 0
ip address YY.YY.YY.YY 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.35.1 255.255.255.0
!
interface Ethernet0/2
nameif a-02
security-level 100
ip address 192.168.30.250 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name latista.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any inactive
access-list a-02_access_in extended permit ip any any
access-list a-02_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any inactive
access-list inside_nat0_outbound_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list a-02_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list a-02_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu a-02 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (a-02) 0 access-list a-02_nat0_outbound
nat (a-02) 0 access-list a-02_nat0_outbound_1 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group a-02_access_in in interface a-02
!
router rip
version 1
!
route outside 0.0.0.0 0.0.0.0 205.251.79.33 1
route inside 192.168.30.0 255.255.255.0 192.168.30.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.35.0 255.255.255.0 inside
http 67.208.89.64 255.255.255.224 outside
http 4.26.115.0 255.255.255.240 outside
http 192.168.30.0 255.255.255.0 a-02
http 192.168.20.0 255.255.255.0 a-02
http 96.255.26.199 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
!
service-policy global_policy global
On the other ASA (ASA 5505) I only configured the routing and NAT exemption. Here is that portion:
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 192.168.35.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 NET_COLO_INT 255.255.255.0
route inside 192.168.35.0 255.255.255.0 192.168.30.250 1
Please help!
01-06-2012 01:14 PM
Hello,
Based on the ASA ASP capture, we can see that the ASA is only dropping packets on port 209 and UDP 50 between those two hosts, so no packets are being dropped for the RDP or telnet traffic.
Now on the other captures, we can see the host 192.168.30.2 sends a SYN packet, then 192.168.35.2 responds with a SYN ACK, and 192.168.30.2 never responds with the ACK, so the three-way handshake never completes and the connection does not get established. This is regarding the RDP connection.
On the telnet connection, we can see that the host 192.168.30.2 sends a SYN packet, and the host 192.168.35.2 responds with a RST ACK, so the connection gets closed due to this message from 192.168.35.2.
We can see the same packets on both interfaces, so that means the ASA is only passing the traffic through as it should in this case.
01-06-2012 01:27 PM
In other words you are saying that from the ASA standpoint it works. Then what else can be not working? Why can I still not do RDP or SSH between these two networks? Any suggestions?
01-06-2012 02:21 PM
Hello,
Correct, the ASA is sending the traffic on both interfaces.
Why I still can't do RDP or SSH between these two networks?
Because the hosts are refusing this connection.
You can do a capture on each of the hosts while you send the traffic.
Please install Wireshark on both servers and capture the traffic, so we can then see if there is any difference from the traffic captured on the ASA.
Julio
01-06-2012 02:48 PM
01-06-2012 02:53 PM
Hello,
We are missing the capture on the 192.168.30.2!
On these ones I can tell you that there is just a SYN and a SYN ACK; the host 192.168.30.2 is not sending a syn ack. If on the capture on that host we do not see that packet, it will mean the server (30.2) is not working properly, unless it is only on that particular connection, because it is not establishing the connection.
Regards,
Julio
01-06-2012 03:09 PM
OK. I am going to use another host instead of 30.2; it is a Linux computer and it would be a pain to install Wireshark there. I will reconfigure the capture on the ASA to use another host in the 30.x network and redo the whole capture. It will take a few minutes...
01-06-2012 03:22 PM
01-06-2012 04:01 PM
Hello,
I just need the one on the 30.x network.
As you can see in Wireshark:
The host sends a SYN packet to the destination, and it receives a SYN ACK.
Then it closes the connection with a RST packet (Reset); that is why we see another SYN ACK from the other side, because the host on the other side is waiting for the final ACK.
Then we see another SYN packet, so the connection is going to be built again until the same thing happens one more time.
The issue is on the hosts in the 30.x network. Why they are sending the RST packet, and why they are not sending the ACK so the connection gets established, is not an ASA issue.
Regards,
Julio
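The handshake patterns Julio reads off the captures (SYN answered by SYN ACK and then a client RST with the server retransmitting its SYN ACK, versus a SYN answered straight away by RST ACK) can be classified mechanically. The following is an added example, not code from the thread or from Cisco: it takes packets as constructed dicts standing in for rows exported from a capture (flag letters as Wireshark shows them: S=SYN, A=ACK, R=RST, P=PSH, F=FIN) and reports, per flow, which side gave up. The hosts and ports are the ones discussed above; the packet list itself is constructed.

```python
"""Classify TCP three-way-handshake outcomes from a packet list.

Added example, not from the thread: automates the by-eye reading of the
ASA captures above. Packets are constructed dicts; in practice they would
be exported from a capture (tshark/Wireshark), which is out of scope here.
"""


def classify_sequence(seq):
    """seq: list of (direction, flags), direction "c>s" or "s>c".

    Returns the handshake outcome and the number of SYN-ACKs seen. A
    SYN-ACK count above 1 means the server is retransmitting because the
    client's final ACK never arrived (the RDP pattern in the thread).
    """
    synack_count = sum(1 for d, f in seq if d == "s>c" and {"S", "A"} <= set(f))
    outcome, saw_syn, saw_synack = "no_syn", False, False
    for direction, flags in seq:
        fl = set(flags)
        if direction == "c>s" and fl == {"S"}:
            saw_syn = True
            if outcome == "no_syn":
                outcome = "syn_unanswered"
            continue
        if not saw_syn:
            continue
        if direction == "s>c" and "R" in fl:
            # RST(-ACK) straight back to the SYN: the server side refused
            # (the telnet pattern in the thread)
            outcome = "server_refused"
            break
        if direction == "s>c" and {"S", "A"} <= fl:
            saw_synack = True
            outcome = "synack_unanswered"
            continue
        if direction == "c>s" and saw_synack:
            if "R" in fl:
                # client answers the SYN-ACK with a reset instead of an ACK
                outcome = "client_reset_after_synack"
                break
            if "A" in fl and "S" not in fl:
                outcome = "established"
                break
    return {"outcome": outcome, "synack_count": synack_count}


def classify_flows(packets):
    """Group packets into bidirectional flows and classify each one.

    The client is the sender of the first packet seen for the flow (the
    bare SYN when the capture starts at the beginning of the connection).
    Result keys read client->server.
    """
    flows = {}
    for p in packets:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = tuple(sorted([a, b]))
        f = flows.setdefault(key, {"client": a, "server": b, "seq": []})
        direction = "c>s" if a == f["client"] else "s>c"
        f["seq"].append((direction, p["flags"]))
    result = {}
    for f in flows.values():
        (cip, cport), (sip, sport) = f["client"], f["server"]
        result[f"{cip}:{cport}->{sip}:{sport}"] = classify_sequence(f["seq"])
    return result


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


C, S = "192.168.30.2", "192.168.35.2"
# Constructed packets modelled on the three cases described in the thread.
SAMPLE_PACKETS = [
    # RDP: SYN, SYN-ACK, client RST, server retransmits SYN-ACK, client retries
    pkt(C, 53370, S, 3389, "S"),
    pkt(S, 3389, C, 53370, "SA"),
    pkt(C, 53370, S, 3389, "R"),
    pkt(S, 3389, C, 53370, "SA"),
    pkt(C, 53370, S, 3389, "S"),
    pkt(S, 3389, C, 53370, "SA"),
    pkt(C, 53370, S, 3389, "R"),
    # telnet: SYN answered by RST-ACK
    pkt(C, 53371, S, 23, "S"),
    pkt(S, 23, C, 53371, "RA"),
    # healthy SSH session from another host (constructed)
    pkt("192.168.30.3", 40000, S, 22, "S"),
    pkt(S, 22, "192.168.30.3", 40000, "SA"),
    pkt("192.168.30.3", 40000, S, 22, "A"),
    pkt("192.168.30.3", 40000, S, 22, "PA"),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_PACKETS).items():
        print(f"{flow}: {verdict['outcome']} (SYN-ACKs seen: {verdict['synack_count']})")
```

Running the same classifier over the capture taken on each ASA interface and over the one taken on the host is the quick way to confirm what Julio states: if every vantage point shows the same RST from the same side, the firewall is passing the packets and the answer lies on the host that sends the reset.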
01-06-2012 05:11 PM
Julio,
Do you think it is the ASA 5505 which governs the 30.x network? It has quite a hairy setup: it manages two site-to-site VPNs as well as an L2TP-IPsec Remote Access VPN. I can attach its setup, but it is quite lengthy. Another point might be the license on that 5505: it says it only supports two interfaces. Do you think it might specifically kill TCP packets for the third network? Here is "show version" from the ASA 5505:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
asa-colo up 67 days 23 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 0021.a0b4.eecb, irq 11
1: Ext: Ethernet0/0 : address is 0021.a0b4.eec3, irq 255
2: Ext: Ethernet0/1 : address is 0021.a0b4.eec4, irq 255
3: Ext: Ethernet0/2 : address is 0021.a0b4.eec5, irq 255
4: Ext: Ethernet0/3 : address is 0021.a0b4.eec6, irq 255
5: Ext: Ethernet0/4 : address is 0021.a0b4.eec7, irq 255
6: Ext: Ethernet0/5 : address is 0021.a0b4.eec8, irq 255
7: Ext: Ethernet0/6 : address is 0021.a0b4.eec9, irq 255
8: Ext: Ethernet0/7 : address is 0021.a0b4.eeca, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
01-06-2012 05:28 PM
Hello,
What is the default gateway of the server on the 30.x network? I do not think it is the ASA 5505, as we are seeing the packets arriving at the ASA 5510. I do think the problem is on the server, as ICMP is working properly between the two networks.
I mean, we saw the TCP RST being generated on the server; that is all we need to know to be 100% sure it is the server, not any of the ASAs.
As ICMP is working, other protocols are going to work. I do not know why that server is sending that reset, but you could try to use FTP, SSH, TFTP just to confirm that the connection is okay.
Regards,
Julio
01-06-2012 05:35 PM
Julio,
I tried SSH and telnet; neither works, with the same result. On the 30.x network's ASA (5505), when I initiate a connection from the 30.3 server, in the ASA 5505 log I see it build a TCP connection and then almost immediately tear it down (LEELA is the 192.168.30.3 server):
6 Jan 06 2012 20:24:53 302013 LEELA 53370 192.168.35.2 3389 Built inbound TCP connection 19053911 for inside:LEELA/53370 (LEELA/53370) to inside:192.168.35.2/3389 (192.168.35.2/3389)
6 Jan 06 2012 20:24:53 302014 LEELA 53370 192.168.35.2 3389 Teardown TCP connection 19053911 for inside:LEELA/53370 to inside:192.168.35.2/3389 duration 0:00:00 bytes 0 TCP Reset-O
Does this make sense?
The 30.3 server has 192.168.30.1 as its default gateway (which is the "inside" interface of that ASA 5505 in the 30.x network).
- Anatoliy
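The two log lines above carry the whole story in one place: a 302013 "Built" immediately followed by a 302014 "Teardown" for the same connection id, with duration 0:00:00, bytes 0 and a TCP Reset reason, and with both ends on the same interface (inside to inside). The following is an added example, not code from the thread or from Cisco, that correlates ASA 302013/302014 messages by connection id and reports handshakes that never carried data. The sample log is constructed: the first two lines are shaped like the ones Anatoliy posted (ASDM log-viewer format), the others are constructed in standard %ASA syslog format to show that both parse; the hosts 203.0.113.10 and the connection ids 19053920 and 19053930 are made up.

```python
"""Correlate ASA 302013 (Built) / 302014 (Teardown) TCP messages.

Added example, not from the thread: flags connections torn down with zero
bytes (the handshake never completed) and notes the teardown reason and
whether the flow entered and left the same interface (a hairpin).
"""
import re

BUILT_RE = re.compile(
    r"302013.*?Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>[^:\s]+):(?P<shost>[^/\s]+)/(?P<sport>\d+) .*?"
    r"to (?P<dif>[^:\s]+):(?P<dhost>[^/\s]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"302014.*?Teardown TCP connection (?P<id>\d+) "
    r"for (?P<sif>[^:\s]+):(?P<shost>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dhost>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_connections(lines):
    """Return {conn_id: record} merging the Built and Teardown halves."""
    conns = {}
    for raw in lines:
        line = raw.strip()
        m = BUILT_RE.search(line)
        if m:
            conns.setdefault(m["id"], {}).update(
                id=m["id"],
                direction=m["dir"],
                src=f'{m["sif"]}:{m["shost"]}/{m["sport"]}',
                dst=f'{m["dif"]}:{m["dhost"]}/{m["dport"]}',
                # same ingress and egress interface: the ASA is hairpinning
                hairpin=(m["sif"] == m["dif"]),
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            conns.setdefault(m["id"], {}).update(
                id=m["id"],
                duration=_seconds(m["dur"]),
                bytes=int(m["bytes"]),
                reason=m["reason"] or "",
            )
    return conns


def failed_handshakes(lines):
    """Connections torn down before any payload moved (bytes 0).

    The reason string says who gave up: a TCP Reset-* reason means one end
    sent a RST, SYN Timeout means nobody ever answered the SYN.
    """
    return [c for c in parse_connections(lines).values()
            if c.get("bytes") == 0 and "reason" in c]


def reasons_summary(lines):
    """Count zero-byte teardowns by reason, a cheap detection metric."""
    counts = {}
    for c in failed_handshakes(lines):
        counts[c["reason"]] = counts.get(c["reason"], 0) + 1
    return counts


# Constructed sample log: the first two lines follow the ASDM format shown in
# the thread, the rest use %ASA syslog format. Hosts/ids other than LEELA and
# 192.168.35.2 are made up for the example.
SAMPLE_LOG = [
    "6 Jan 06 2012 20:24:53 302013 LEELA 53370 192.168.35.2 3389 Built inbound TCP connection 19053911 for inside:LEELA/53370 (LEELA/53370) to inside:192.168.35.2/3389 (192.168.35.2/3389)",
    "6 Jan 06 2012 20:24:53 302014 LEELA 53370 192.168.35.2 3389 Teardown TCP connection 19053911 for inside:LEELA/53370 to inside:192.168.35.2/3389 duration 0:00:00 bytes 0 TCP Reset-O",
    "Jan 06 2012 20:25:10 asa-colo %ASA-6-302013: Built outbound TCP connection 19053920 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.30.3/50122 (192.168.30.3/50122)",
    "Jan 06 2012 20:25:14 asa-colo %ASA-6-302014: Teardown TCP connection 19053920 for outside:203.0.113.10/443 to inside:192.168.30.3/50122 duration 0:00:04 bytes 4820 TCP FINs",
    "Jan 06 2012 20:25:30 asa-colo %ASA-6-302013: Built inbound TCP connection 19053930 for inside:192.168.30.3/50130 (192.168.30.3/50130) to inside:192.168.35.2/22 (192.168.35.2/22)",
    "Jan 06 2012 20:26:00 asa-colo %ASA-6-302014: Teardown TCP connection 19053930 for inside:192.168.30.3/50130 to inside:192.168.35.2/22 duration 0:00:30 bytes 0 SYN Timeout",
]

if __name__ == "__main__":
    for c in failed_handshakes(SAMPLE_LOG):
        print(f"conn {c['id']} {c['src']} -> {c['dst']} hairpin={c['hairpin']} reason={c['reason']!r}")
    print(reasons_summary(SAMPLE_LOG))
```

A burst of zero-byte teardowns whose source and destination sit on the same interface, as here, points at the path between the two LANs rather than at an ACL, which is exactly the direction the thread takes next (the host's default gateway and the static route on the 5505).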
01-06-2012 05:40 PM
Hello,
Good to know! That is new info, but the thing is that we still see the reset packet being created on the server, so of course the connection is going to be dropped: the ASA will see the reset and drop the connection because it received a reset packet from the SSH or telnet client.
What if you set the default gateway to be the 5510? Can you do it just as a test?
Julio
01-06-2012 05:41 PM
Ha! It looks like I solved the problem. I manually added a route on that 30.3 server to send 35.0 traffic to the 30.250 IP and it started working like a charm. Apparently the ASA 5505, even though it had a static route, ignored it and was not routing the packets.
Now another big question: how should I manage that routing? I cannot manually add a static route to all the servers in the 30.0 network...
01-06-2012 05:47 PM
Hello,
Can I see the ASA 5505 configuration? You can take out some information we do not need to make it shorter (VPN, etc.).
Edit: Time to troubleshoot the 5505. I think I know what is happening here.
Regards,
Julio
01-06-2012 06:06 PM
Here is most of the config (I took out some sensitive lines, mostly object definitions). I hope I didn't take out lines which are relevant to the problem we are trying to solve:
: Saved
:
ASA Version 8.2(2)
!
!
interface Vlan1
nameif inside
security-level 100
ip address ASA-COLO 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address ASA-COLO_EXT 255.255.255.224
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_25 any
access-list outside_access_in remark trusted services
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group TRUSTED any
access-list outside_access_in remark Just in case
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_9 any
access-list outside_access_in remark Web apps front-end apache
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_TCP_7
access-list outside_access_in remark Extranet and Project Server 2010
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_23 eq www
access-list outside_access_in remark Client Hosting HTTP front-end
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_24 object-group DM_INLINE_TCP_11
access-list outside_access_in remark Incoming Mail (spam-filter)
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_12 eq smtp
access-list outside_access_in remark Incoming Mail (spam-filter)
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_20 eq smtp
access-list outside_access_in remark External DNS
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_13
access-list outside_access_in remark FTP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_TCP_12 inactive
access-list outside_access_in remark FTP
access-list outside_access_in extended permit udp any object-group DM_INLINE_NETWORK_30 range 30000 30100 inactive
access-list outside_access_in remark FTP temporary
access-list outside_access_in remark Linux SSH access
access-list outside_access_in extended permit tcp object-group TRUSTED object-group DM_INLINE_NETWORK_18 eq ssh
access-list outside_access_in remark All mail services
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_14 object-group DM_INLINE_TCP_8
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_22 any
access-list outside_access_in extended permit icmp any any
access-list global_access extended permit ip host TISHIN_HOME any
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 192.168.35.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 NET_COLO_INT 255.255.255.0
access-list outside_cryptomap_1 extended permit ip NET_COLO_INT 255.255.255.0 NET_OFFICE_INT 255.255.255.0
access-list outside_cryptomap_2 extended permit ip NET_COLO_INT 255.255.255.0 NET_OBN_INT 255.255.255.0
access-list outside_cryptomap_3 extended permit ip NET_COLO_INT 255.255.255.0 NET_LT_INT 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_16 NET_COLO_INT 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
pager lines 24
flow-export destination inside NIBBLER 6343
mtu inside 1500
mtu outside 1500
ip local pool l2tp_pool 192.168.30.176-192.168.30.192 mask 255.255.255.224
ip local pool l2tp_pool2 192.168.30.193-192.168.30.209
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 NET_COLO_INT 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) WWWWWWWW WWWWWWWW netmask 255.255.255.255
static (inside,outside) WWWWWWWW2 WWWWWWWW netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
!
router rip
version 1
!
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 192.168.35.0 255.255.255.0 192.168.30.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LEELA
key *****
radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication http console LOCAL
http server enable
http NET_COLO_INT 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer OB_EXT
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer LT_EXT
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.30.129-192.168.30.163 inside
dhcpd dns NIBBLER LISA interface inside
dhcpd wins NIBBLER LISA interface inside
dhcpd enable inside
!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server LISA
webvpn
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec svc
password-storage enable
re-xauth enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy L2TP_Policy internal
group-policy L2TP_Policy attributes
wins-server value 192.168.30.14
dns-server value 192.168.30.14
vpn-tunnel-protocol l2tp-ipsec
password-storage enable
split-tunnel-network-list none
address-pools value l2tp_pool
tunnel-group DefaultRAGroup general-attributes
address-pool l2tp_pool
authentication-server-group RADIUS
default-group-policy L2TP_Policy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
pre-shared-key *****
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
pre-shared-key *****
no tunnel-group-map enable peer-ip
!
class-map global-class
match default-inspection-traffic
class-map type inspect ftp match-all FTP-class-map
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect http
!
service-policy global-policy global
smtp-server 192.168.30.23 192.168.30.2
prompt hostname context
service call-home