Cisco 5510 ASA

jasonschelert
Level 1

Hello,

I am having an issue where I can't get my farside router (10.2.1.0/24) to ping anything on 10.1.1.0/24 or any outside IP address (4.2.2.2). I can ping 10.1.1.2, the other side of the router, and I can also ping from any client on 10.1.1.0/24 or from the ASA itself. This is something that I have inherited, therefore I am just trying to muddle through it at this time.

ISP1 ---- ISR-----ASA .1 ----Core Switch----10.1.1.0 / 24 Segment
               |           |                   |
               |           |                  .2
            ISP2     DMZ           Router2
                                              |
                                          Router3----- 10.2.1.0 /24 Segment

ASA Version 8.3(2)
!
hostname ASAOne
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address x.x.x.1 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Failover
security-level 100
no ip address
!
interface Management0/0
nameif Management
security-level 0
ip address 10.22.22.2 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network CHMail002
host 10.1.1.6
object network InternalNetwork
subnet 10.1.1.0 255.255.255.0
object network NatPool
range x.x.x.24 x.x.x.28
object network DatabaseServer
host 10.1.1.24
object network MailGateway
host x.x.x.x
object network FWEdge
host x.x.x.30
object network CHFinance001
host 10.1.1.50
object network ViewConnectionServer
host x.x.x.x
object network InternalNetwork2
subnet 10.2.1.0 255.255.255.0
object-group service SQLService tcp
description SQL Service
port-object eq 1433
object-group service CustomRDP tcp
port-object eq 3389
access-list global_access extended permit tcp any object CHMail002 eq www log disable
access-list global_access extended permit tcp any object CHMail002 eq https log disable
access-list Inside_access_in extended permit ip object InternalNetwork any log disable
access-list Inside_access_in extended permit tcp object InternalNetwork object FWEdge eq https log disable
access-list Inside_access_in extended permit icmp any any log disable
access-list Outside_access_in extended permit icmp any any log disable
access-list Outside_access_in extended permit tcp object MailGateway object CHMail002 eq smtp log disable
access-list Outside_access_in extended permit tcp any object DatabaseServer object-group SQLService log disable
access-list Outside_access_in extended permit tcp any object CHFinance001 object-group CustomRDP log disable
access-list Outside_access_in extended permit tcp any object CHFinance001 object-group CustomRDP log disable
access-list DMZ_access_in extended permit ip any object MailGateway log disable
pager lines 24
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu Failover 1500
mtu Management 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network CHMail002
nat (Inside,Outside) static x.x.x.20 dns
object network InternalNetwork
nat (Inside,Outside) dynamic NatPool interface
object network DatabaseServer
nat (Inside,Outside) static x.x.x.22 dns
object network CHFinance001
nat (Inside,Outside) static x.x.x.x service tcp 3389 7753
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside 10.2.1.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.116 255.255.255.255 Management
http 10.22.22.5 255.255.255.255 Management
http 10.1.1.92 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6795f20bf3fd84d59eed13903f5da44a
: end


Syed Usaid K
Cisco Employee

Hi Jason,

I saw from the config that Natting for the 10.2.1.0/24 to go internet is missing, so please go ahead and create another Object network as shown below.

object network 10.2.1.0-network
    subnet 10.2.1.0 255.255.255.0
    nat (Inside,Outside) dynamic NatPool interface

And try accessing the internet again.

To access the 10.1.1.0/24 network you need to configure U-turning on the ASA; please read the document below to do the same.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Please note that while configuring U-turning ensure that the service-policy is applied on the inside interface and also place this command.

same-security-traffic permit intra-interface

P.S. Please mark this issue as resolved if the solution helps you.
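The finding in the reply above (a prefix routed via Inside with no Inside-to-Outside NAT rule) is something that can be checked mechanically against an ASA 8.3 running config. The script below is an added example, not Cisco's code or anything from the thread: it parses `object network` blocks, the Inside interface address and `route Inside` statements from a constructed excerpt modelled on the posted config, and reports every inside prefix that no `nat (Inside,Outside)` object rule covers. The `SAMPLE_CONFIG` text, the `InternalNetwork2` object name reuse and the `proposed_object_nat` helper are assumptions for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt modelled on the ASA 8.3 config posted in the thread
# (x.x.x.x placeholders kept; 10.2.1.0/24 is routed via Inside but has no NAT rule).
SAMPLE_CONFIG = """\
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
object network CHMail002
 host 10.1.1.6
object network InternalNetwork
 subnet 10.1.1.0 255.255.255.0
object network NatPool
 range x.x.x.24 x.x.x.28
object network InternalNetwork2
 subnet 10.2.1.0 255.255.255.0
object network CHMail002
 nat (Inside,Outside) static x.x.x.20 dns
object network InternalNetwork
 nat (Inside,Outside) dynamic NatPool interface
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside 10.2.1.0 255.255.255.0 10.1.1.2 1
"""

OBJECT_SUBCOMMANDS = ("subnet ", "host ", "range ", "nat ", "description ")


def parse_nat_objects(config: str) -> Dict[str, dict]:
    """Collect 'object network' blocks: the prefix each describes and the object
    NAT statements attached to it. In ASA 8.3 the same object name appears
    twice in a running config, once for the definition and once for its NAT."""
    objects: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), {"prefix": None, "nat": []})
            continue
        if current is None or not line.startswith(OBJECT_SUBCOMMANDS):
            current = None  # any other line ends the object block
            continue
        m = re.match(r"(subnet|host) (\S+)(?: (\S+))?$", line)
        if m:
            mask = m.group(3) or "255.255.255.255"
            try:
                current["prefix"] = ipaddress.ip_network(f"{m.group(2)}/{mask}", strict=False)
            except ValueError:
                pass  # sanitised x.x.x.x address; cannot be evaluated
            continue
        m = re.match(r"nat \((\S+),(\S+)\) (.+)$", line)
        if m:
            current["nat"].append((m.group(1), m.group(2), m.group(3)))
    return objects


def inside_prefixes(config: str, inside_ifc: str) -> List[ipaddress.IPv4Network]:
    """Prefixes that live behind the inside interface: its connected subnet plus
    every static route that points out of it."""
    prefixes: List[ipaddress.IPv4Network] = []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        m = re.match(r"nameif (\S+)$", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and nameif == inside_ifc:
            prefixes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        m = re.match(rf"route {re.escape(inside_ifc)} (\S+) (\S+) \S+", line)
        if m:
            prefixes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return prefixes


def subnets_without_nat(config: str, inside_ifc: str = "Inside",
                        outside_ifc: str = "Outside") -> List[str]:
    """Inside prefixes that no (inside_ifc,outside_ifc) object NAT rule covers.
    Hosts in such a prefix reach the outside with a private source address,
    which is the 'NAT is missing' finding from the reply."""
    translated = [
        obj["prefix"] for obj in parse_nat_objects(config).values()
        if obj["prefix"] is not None
        and any(src == inside_ifc and dst == outside_ifc for src, dst, _ in obj["nat"])
    ]
    return [str(p) for p in inside_prefixes(config, inside_ifc)
            if not any(p.subnet_of(t) for t in translated)]


def proposed_object_nat(prefix: str, name: str, pool: str = "NatPool") -> str:
    """Render the object NAT block the reply recommends for an uncovered prefix."""
    net = ipaddress.ip_network(prefix)
    return "\n".join([
        f"object network {name}",
        f" subnet {net.network_address} {net.netmask}",
        f" nat (Inside,Outside) dynamic {pool} interface",
    ])


if __name__ == "__main__":
    for prefix in subnets_without_nat(SAMPLE_CONFIG):
        print(f"no Inside->Outside NAT for {prefix}; suggested fix:")
        print(proposed_object_nat(prefix, "InternalNetwork2"))
```

Run against the sample it reports only 10.2.1.0/24, because 10.1.1.0/24 is covered by the dynamic NAT on `InternalNetwork`. The same check can be pointed at a full `show running-config` capture; object names that only ever appear in the definition half (like `InternalNetwork2` above) are the usual sign of a forgotten NAT rule.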

Hi Syed,

I did implement both of the changes and I am still having issues.

I can ping from the 10.1.1.0/24 segment to the 10.2.1.0/24 segment but not vice versa as the packets are getting dropped off.

I can receive DHCP offers on 10.2.1.0/24 from 10.1.1.40, but I cannot ship any IP or ICMP data through the router to the outside or to the 10.1.1.0/24 segment.

Thanks Again!

Jason

I guess you are not able to ICMP from 10.2.1.0/24 because, when you ping to 10.1.1.0/24 subnet, the echo-request packet goes straight via the switch to the machine, but the reply packet comes through the firewall and the firewall drops it.

What you can do is create Policy Based Routing on the core router, by following the steps below.

ip access-list extended pbr
 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255

route-map pbr permit 10
 match ip address pbr
 set ip next-hop 10.1.1.1

Then, on the router's interface which has the IP address in the subnet 10.2.1.X, please apply the route-map by issuing the command below on the interface.

ip policy route-map pbr

Now this ensures that the echo-request packet goes to the ASA and the reply packet also comes back to the ASA, so the ASA does not drop the packet.

After doing the above configuration, please test the connectivity between the subnets.

If it fails again, please send me the output of the command below on the ASA.

packet-tracer input inside icmp 10.2.1.2 8 0 10.1.1.3 detailed

You did not tell me about the connectivity from the 10.2.1.0/24 subnet to the Internet.

P.S. Mark the question as answered if this solution helps you.

Regards,

Syed Usaid.K
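The asymmetric-path explanation above (echo-request reaches the host via the core switch, echo-reply returns via the ASA, which has no matching connection and drops it) can be shown with a small model of a stateful firewall. This is an added example written for this thread, not Cisco code and not the ASA's actual implementation: `StatefulFirewall` keeps a toy connection table, and `ping_across` walks one echo/reply pair through the thread's topology with and without the PBR fix and with and without `same-security-traffic permit intra-interface`. Host addresses 10.2.1.4 and 10.1.1.4 are constructed; interface names follow the posted config.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo" or "reply"


class StatefulFirewall:
    """Constructed model of the ASA connection table: a reply is allowed only
    if the forward packet already built a flow; a flow that enters and leaves
    the same interface additionally needs the intra-interface permit."""

    def __init__(self, intra_interface_permit: bool) -> None:
        self.intra_interface_permit = intra_interface_permit
        self.flows: Set[Tuple[str, str]] = set()
        self.log: List[str] = []

    def process(self, pkt: Packet, ingress: str, egress: str) -> bool:
        if pkt.kind == "echo":
            if ingress == egress and not self.intra_interface_permit:
                self.log.append(f"DROP {pkt.src}->{pkt.dst}: intra-interface traffic not permitted")
                return False
            self.flows.add((pkt.src, pkt.dst))
            self.log.append(f"ALLOW {pkt.src}->{pkt.dst}: new flow {ingress}->{egress}")
            return True
        # Reply direction: only the reverse of an existing flow is accepted.
        if (pkt.dst, pkt.src) in self.flows:
            self.log.append(f"ALLOW {pkt.src}->{pkt.dst}: matches existing flow")
            return True
        self.log.append(f"DROP {pkt.src}->{pkt.dst}: no matching connection (asymmetric path)")
        return False


def ping_across(pbr_on_router: bool, intra_interface_permit: bool,
                remote_host: str = "10.2.1.4",
                inside_host: str = "10.1.1.4") -> Tuple[bool, List[str]]:
    """Simulate one echo/reply pair from the 10.2.1.0/24 segment to the
    10.1.1.0/24 segment. Returns (ping succeeds, firewall log)."""
    asa = StatefulFirewall(intra_interface_permit)
    echo = Packet(remote_host, inside_host, "echo")
    reply = Packet(inside_host, remote_host, "reply")

    # Forward direction: without PBR the core switch delivers the echo straight
    # to the inside host and the ASA never sees it. With PBR the router sets the
    # next hop to the ASA (10.1.1.1), which hairpins it back out of Inside.
    if pbr_on_router:
        if not asa.process(echo, ingress="Inside", egress="Inside"):
            return False, asa.log

    # Return direction: the inside host's default gateway is the ASA, and the ASA
    # routes 10.2.1.0/24 via 10.1.1.2 on Inside, so the reply always crosses it.
    ok = asa.process(reply, ingress="Inside", egress="Inside")
    return ok, asa.log


if __name__ == "__main__":
    for pbr, intra in [(False, True), (True, False), (True, True)]:
        ok, log = ping_across(pbr, intra)
        print(f"PBR={pbr} intra-interface permit={intra} -> ping {'OK' if ok else 'FAILS'}")
        for entry in log:
            print("   ", entry)
```

The three runs reproduce the thread: with no PBR the reply is dropped for lack of a connection; with PBR but without the intra-interface permit the hairpinned echo is refused; only both together let the ping complete. The same drop reason is what a real ASA shows as the reason for an unmatched return packet in `show asp drop` and in packet-tracer output, which is why the reply above asks for packet-tracer runs in both directions.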

I suspect you are correct, as the default gateway for the host is set to the ASA.

I can get to the internet from 10.2.1.0 with an outside DNS server.

I did add the changes to the 10.1.1.2 router, but that didn't seem to resolve the issue.

I am wondering, since there isn't a core router (just the ASA and the edge) in place, if I should try to utilize the f0/3 port on the firewall as the connection for the network segment instead of the switch. I am not an expert on this and the previous person did not leave a lot of documentation.

Here is the output. It looks like it is fine to me:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacd167b8, priority=1, domain=permit, deny=false
        hits=438650, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit icmp any any log disable
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacd83d00, priority=13, domain=permit, deny=false
        hits=0, user_data=0xa90e0440, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacd19128, priority=0, domain=inspect-ip-options, deny=true
        hits=20049, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad344320, priority=70, domain=inspect-icmp, deny=false
        hits=7, user_data=0xad343610, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad345d80, priority=70, domain=inspect-icmp-error, deny=false
        hits=7, user_data=0xad3451e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xacd19128, priority=0, domain=inspect-ip-options, deny=true
        hits=20051, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19511, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Thanks for the output. I don't understand why it is not working; everything seems to be in place. Let's have the packet-tracer from the other way around now.

packet-tracer input inside icmp 10.1.1.4 8 0 10.2.1.4 detailed

If the result for that output is also Allow, I would request you to open a TAC SR, so that we can place captures and do some in-depth troubleshooting, or, as you put it, place the 10.2.1.0/24 segment on the available interface of the ASA.

Regards,

Syed Usaid.K
