11-11-2010 07:08 PM - edited 03-11-2019 12:08 PM
Hi, I'm working right now on a project implementing an ASA this way:
1. One interface of the ASA (Eth0/0) is connected to a server (PHD Server). The IPs are 192.168.4.1/24 for the ASA-if Eth0/0 and 192.168.4.2/24 for the server.
2. Another interface of the ASA (Eth0/1) is connected to a Layer-2 switch (VLAN 1); the switch is not manageable. The switch, on the other hand, connects to a router interface (Gi0/0). The IP addresses are 172.17.21.250/24 for the ASA-if Eth0/1 and 172.17.21.1/24 for the Router-if Gi0/0.
3. Finally, the router connects to the last network through its Gi0/1 interface to a switch (or, for lab purposes, to a single PC). The IP addresses are 172.17.20.50/24 for the Router-if Gi0/1 and 172.17.20.33, .18 or .112 for the PC.
The PCs at the network 172.17.20.0/24 should have bidirectional communication with the Server at the network 192.168.4.0/24.
I configured all the interfaces on the ASA, the router and the switch.
The two ASA interfaces have the same security level (100), and traffic between same-security-level interfaces is allowed.
All kinds of traffic between the interfaces are permitted.
I created static routes on the ASA and on the router so the remote networks know about each other.
I can ping the ASA (192.168.4.1) from the server (192.168.4.2) and vice versa.
I can ping the router (172.17.21.1) from the ASA (172.17.21.250) and vice versa.
I can ping the router (172.17.20.50) from the PC (172.17.20.33, .18 or .112) and vice versa.
I can ping the ASA (172.17.21.250) from the PC (172.17.20.33, .18 or .112) and vice versa.
But when I try:
ping ASA (172.17.21.250) from server (192.168.4.2) it fails
ping Router (172.17.21.1) from server (192.168.4.2) it fails
ping ASA (192.168.4.1) from PC (172.17.20.33, .18 or .112) it fails
ping server (192.168.4.2) from PC (172.17.20.33, .18 or .112) it fails.
If I connect a PC with the IP: 172.17.21.1/24 at the ASA interface Eth0/1 (instead of the switch or router) all the pings pass from the Server to the PC and from the PC to the server.
I also tried with the TFTP protocol, but the same happens.
I'm attaching the ASA configuration in case someone can see anything I cannot.
Thanks
11-11-2010 07:16 PM
Jose,
One of the tests you mention is pinging ASA interfaces that are not facing you. For example, from a server on the DMZ, the *only* interface IP of the ASA you can ping is the DMZ interface; this is by design. From hosts off the inside interface (the router or the PCs), the *only* interface IP of the ASA they can ping is the inside interface. Traffic passing through the box is another story...
I would suggest checking the routing table on the router. Make sure it points to the ASA (172.17.21.250) as its default gateway.
- Magnus
11-11-2010 07:34 PM
Inside .112 80 ------ 20.50 Router 21.1 ------ .250 ASA 4.1 ---- 4.2 Server
Greetings Jose!!!
Take a look at the information that I wrote.
ping ASA (172.17.21.250) from server (192.168.4.2) it fails
Default behavior.
ping Router (172.17.21.1) from server (192.168.4.2) it fails
Make sure the default gateway is the ASA and that the router has its default gateway pointing to the ASA, or at least a route telling it where 192.168.4.2 is.
ping ASA (192.168.4.1) from PC (172.17.20.33, .18 or .112) it fails
Default behavior.
ping server (192.168.4.2) from PC (172.17.20.33, .18 or .112) it fails.
Route on the router to tell it where 4.2 is.
For the default behavior ones, the explanation is on the link below: you cannot ping an interface of the firewall besides the one that you are facing.
"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network"
Link: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/trouble.html#wp1059645
Hope it helps
Magnus!!! We are waiting for the New Podcast !!!!!!
Cheers
Mike
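To make the two kinds of failure in Mike's reply concrete (a missing route on the router for the reply path, versus the ASA's refusal to answer for a far-end interface address), here is an added example that is not from the thread or from Cisco: a small Python model of the topology with longest-prefix-match forwarding. The device names, the interface names and the ASA static route to 172.17.20.0/24 are assumptions chosen to match the original post; the far-end-interface rule is the one quoted from the ASA documentation above.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology in this thread (added example, not a
# Cisco tool and not the poster's configuration). Each device has interfaces
# and a routing table of (prefix, next_hop, out_interface); next_hop None
# means the prefix is directly connected. All masks are /24 as in the post.
DEVICES = {
    "PC":     {"eth": "172.17.20.33"},
    "Router": {"Gi0/1": "172.17.20.50", "Gi0/0": "172.17.21.1"},
    "ASA":    {"Eth0/1": "172.17.21.250", "Eth0/0": "192.168.4.1"},
    "Server": {"eth": "192.168.4.2"},
}

def connected_routes(dev):
    return [(str(ip_network(ip + "/24", strict=False)), None, ifc)
            for ifc, ip in DEVICES[dev].items()]

def build_tables(router_has_static):
    """Routing tables for every device; router_has_static adds the route
    'ip route 192.168.4.0 255.255.255.0 172.17.21.250' on the router."""
    t = {d: connected_routes(d) for d in DEVICES}
    t["PC"].append(("0.0.0.0/0", "172.17.20.50", "eth"))
    t["Server"].append(("0.0.0.0/0", "192.168.4.1", "eth"))
    t["ASA"].append(("172.17.20.0/24", "172.17.21.1", "Eth0/1"))  # assumed ASA static
    if router_has_static:
        t["Router"].append(("192.168.4.0/24", "172.17.21.250", "Gi0/0"))
    return t

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, out_ifc) or None."""
    best = None
    for prefix, nh, ifc in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best

def owner(ip):
    """Which (device, interface) holds this address, or None."""
    for dev, ifcs in DEVICES.items():
        for ifc, addr in ifcs.items():
            if addr == ip:
                return dev, ifc
    return None

def deliver(tables, src_dev, dst):
    """Forward one packet hop by hop.
    Returns ('delivered', dev) or ('dropped', dev, reason)."""
    dev, in_ifc = src_dev, None
    for _ in range(8):                      # hop limit guards against loops
        own = owner(dst)
        if own and own[0] == dev:
            # Rule quoted in the thread: the ASA answers for an interface
            # address only on that interface (no far-end interface ping).
            if dev == "ASA" and in_ifc is not None and in_ifc != own[1]:
                return ("dropped", dev, "far-end interface ping not supported")
            return ("delivered", dev)
        route = lookup(tables[dev], dst)
        if route is None:
            return ("dropped", dev, "no route to " + dst)
        _, nh, _ = route
        nxt = owner(dst if nh is None else nh)
        if nxt is None:
            return ("dropped", dev, "next hop unreachable")
        dev, in_ifc = nxt
    return ("dropped", dev, "hop limit exceeded")

def ping(tables, src_dev, dst_ip):
    """A ping succeeds only if the echo request and the reply both arrive."""
    src_ip = next(iter(DEVICES[src_dev].values()))
    req = deliver(tables, src_dev, dst_ip)
    if req[0] != "delivered":
        return False, "request dropped at %s: %s" % (req[1], req[2])
    rep = deliver(tables, req[1], src_ip)
    if rep[0] != "delivered":
        return False, "reply dropped at %s: %s" % (rep[1], rep[2])
    return True, "echo reply received"

if __name__ == "__main__":
    for static in (False, True):
        tables = build_tables(static)
        print("router static route to 192.168.4.0/24:", static)
        for src, dst in [("PC", "192.168.4.2"), ("Server", "172.17.21.1"),
                         ("Server", "172.17.21.250"), ("PC", "172.17.21.250")]:
            print("  %s -> %s: %s" % (src, dst, ping(tables, src, dst)))
```

Running it reproduces the post's symptoms: without the router's static route the PC's echo request to 192.168.4.2 dies at the router with no route, and the router's reply to the server dies the same way, while the PC can still reach 172.17.21.250 because the ASA's reply path to 172.17.20.0/24 exists. Adding the static route fixes both, but the server's ping to 172.17.21.250 still fails, which is the far-end-interface behaviour and not a routing problem.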
11-11-2010 07:46 PM
Thanks for the early answer.
I created a static route on the router (ip route 192.168.4.0 255.255.255.0 172.17.21.250). On the other hand, I tried to do a TFTP transfer between the two PCs using TFTP32, and the transfer doesn't even start. When I looked at the ASDM debugging monitor there were no events related to the transfer, so I don't know if I have to turn some feature on or off.
Thanks.
11-11-2010 07:53 PM
Let's make it the easy way then. Do the following:
packet-tracer input inside tcp 192.168.4.2 1025 172.17.20.112 80
This is going to tell me if the packet is allowed through the firewall, coming from an inside host and going to 192.168.4.2.
Now do the same for the "return traffic":
packet-tracer input outside udp 172.17.20.112 1025 192.168.4.2 69
Will be waiting for the outputs..
Cheers.
Mike
11-12-2010 07:25 AM
Hi Maykol,
these are the prompts of the packet-tracer command
ASA-LAB# packet-tracer input LOCAL_PHD tcp 192.168.4.2 1025 172.17.20.33 http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in RED-STMS 255.255.255.0 INTERNAL
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ECI-TO-PETRO in interface LOCAL_PHD
access-list ECI-TO-PETRO extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Result:
input-interface: LOCAL_PHD
input-status: up
input-line-status: up
output-interface: INTERNAL
output-status: up
output-line-status: up
Action: allow
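When you are comparing packet-tracer runs in both directions, as Mike asked for, it helps to turn the output into structured data so the phase that allowed or dropped the flow and the final action can be checked mechanically. The following is an added example, not a Cisco tool and not code from this thread: a Python parser for the packet-tracer output format. The first sample is the output quoted in the post above, abridged (phases 4 and 5, the two identical IP-OPTIONS checks, are omitted); the second sample is constructed to show a dropped flow, and its ACL name EXAMPLE-ACL is a placeholder.

```python
import re

# Sample 1: the packet-tracer output from the post above, abridged
# (phases 4 and 5 omitted).
SAMPLE_ALLOW = """\
ASA-LAB# packet-tracer input LOCAL_PHD tcp 192.168.4.2 1025 172.17.20.33 http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in RED-STMS 255.255.255.0 INTERNAL
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ECI-TO-PETRO in interface LOCAL_PHD
access-list ECI-TO-PETRO extended permit ip any any
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Result:
input-interface: LOCAL_PHD
input-status: up
input-line-status: up
output-interface: INTERNAL
output-status: up
output-line-status: up
Action: allow
"""

# Sample 2: constructed output of a flow denied by an ACL (EXAMPLE-ACL is
# a placeholder name, not from the thread).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.20.0 255.255.255.0 INTERNAL
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group EXAMPLE-ACL in interface LOCAL_PHD
Additional Information:
Result:
input-interface: LOCAL_PHD
output-interface: INTERNAL
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the
    final 'Result:' summary block as a dict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":             # bare 'Result:' opens the summary
            cur, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is None:
            continue                        # command echo before Phase 1
        elif line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            cur["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)       # free-form lines under the heading
    return phases, final

def first_drop(phases):
    """The phase that dropped the packet, or None if every phase allowed it."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)

if __name__ == "__main__":
    for name, text in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        phases, final = parse_packet_tracer(text)
        d = first_drop(phases)
        print(name, "-> action:", final.get("Action"), "| dropped in phase:",
              None if d is None else "%d %s" % (d["phase"], d["type"]))
```

For the post's output the parser reports no dropping phase and a final action of allow from LOCAL_PHD to INTERNAL, which is consistent with the ASA passing the flow and the remaining problem sitting on the router's return path; for the constructed drop sample it points straight at the ACL phase and the Drop-reason line.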