04-24-2016 09:24 PM - edited 03-12-2019 12:39 AM
Hey Everyone;
I'm kind of new to this firewall, but here's the issue I have:
1. Unable to ping other ASA IPs from different VLANs. Ex: if I'm on VLAN 10, I can ping all my other IP addresses; it's just that I can't ping the ASA VLAN 15 IP. It states "Routing Failed to located next hop for ICMP from Servers" or "Routing Failed to located next hop for ICMP from Storage". My ping request gets timed out, and the same thing happens if I'm on VLAN 15: I can't ping ASA VLAN 10, 20, 25.
2. My clients are unable to access the internet/DNS. My servers on VLAN 15 are able to access the internet, but all my other network VLANs 10, 20, 25 are unable to access the network through the firewall. There is an issue where the clients can't access my servers/DNS in order to resolve queries.
Please, can anyone take a look at my configuration and see what's missing or needs to be added.
I have attached my topology on how my network is setup.
Thanks
Hostname FW
multicast-routing
names
name 10.10.20.0 Backup-Network
name 10.10.0.0 Client-Network
name 192.168.0.0 Outside_Network
name 10.10.25.0 Storage-Network
!
interface Ethernet0/0
speed 100
duplex full
nameif Clients
security-level 0
ip address dhcp
!
interface Ethernet0/1
speed 100
duplex full
nameif Servers
security-level 0
interface Ethernet0/2
speed 100
duplex full
nameif Backup
security-level 0
ip address dhcp
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
interface Redundant1
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Servers
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Internal_Network
network-object 0.0.0.0 0.0.0.0
network-object Client-Network 255.255.255.0
network-object Server-Network 255.255.255.0
network-object Backup-Network 255.255.255.0
network-object Storage-Network 255.255.255.0
object-group network Outside_Network
network-object Outside_Network 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Backup_access_in extended permit ip Backup-Network 255.255.255.0 object-group Internal_Network
access-list Backup_access_in extended permit icmp Backup-Network 255.255.255.0 object-group Internal_Network echo-reply
access-list Backup_access_in extended permit tcp Backup-Network 255.255.255.0 object-group Internal_Network eq www
access-list Backup_access_in extended permit tcp Backup-Network 255.255.255.0 object-group Internal_Network eq https
access-list Backup_access_in extended permit udp Backup-Network 255.255.255.0 object-group Internal_Network eq domain
access-list Backup_access_in extended permit object-group TCPUDP Backup-Network 255.255.255.0 object-group Internal_Network eq echo
access-list Backup_access_in extended permit icmp Client-Network 255.255.255.0 Backup-Network 255.255.255.0 echo-reply
access-list Backup_access_in extended permit icmp 10.10.15.0 255.255.255.0 Backup-Network 255.255.255.0 echo-reply
access-list Servers_access_in extended permit ip 10.10.15.0 255.255.255.0 object-group Internal_Network
access-list Servers_access_in extended permit icmp 10.10.15.0 255.255.255.0 object-group Internal_Network
access-list Servers_access_in extended permit tcp 10.10.15.0 255.255.255.0 object-group Internal_Network eq www
access-list Servers_access_in extended permit tcp 10.10.15.0 255.255.255.0 object-group Internal_Network eq https
access-list Servers_access_in extended permit udp 10.10.15.0 255.255.255.0 object-group Internal_Network eq domain
access-list Servers_access_in extended permit object-group TCPUDP 10.10.15.0 255.255.255.0 object-group Internal_Network eq echo
access-list Servers_access_in extended permit icmp Client-Network 255.255.255.0 10.10.15.0 255.255.255.0 echo-reply
access-list Servers_access_in extended permit icmp Backup-Network 255.255.255.0 10.10.15.0 255.255.255.0 echo-reply
access-list Clients_access_in extended permit ip Client-Network 255.255.255.0 object-group Internal_Network
access-list Clients_access_in extended permit icmp Client-Network 255.255.255.0 object-group Internal_Network
access-list Clients_access_in extended permit tcp Client-Network 255.255.255.0 object-group Internal_Network eq www
access-list Clients_access_in extended permit tcp Client-Network 255.255.255.0 object-group Internal_Network eq https
access-list Clients_access_in extended permit udp Client-Network 255.255.255.0 object-group Internal_Network eq domain
access-list Clients_access_in extended permit object-group TCPUDP Client-Network 255.255.255.0 object-group Internal_Network eq echo
access-list Clients_access_in extended permit icmp 10.10.15.0 255.255.255.0 Client-Network 255.255.255.0 echo-reply
access-list Clients_access_in extended permit icmp Storage-Network 255.255.255.0 Client-Network 255.255.255.0 echo-reply
pager lines 24
logging enable
logging monitor informational
logging trap informational
logging asdm informational
mtu Clients 9000
mtu Servers 9000
mtu Backup 9000
mtu management 1500
no failover
mroute 10.10.0.1 255.255.255.255 Clients
mroute 10.10.15.1 255.255.255.255 Servers
mroute 10.10.20.1 255.255.255.255 Backup
icmp unreachable rate-limit 1 burst-size 1
icmp permit Client-Network 255.255.255.0 Clients
icmp permit any Clients
icmp permit host 10.10.15.3 Servers
icmp permit any Servers
icmp permit Backup-Network 255.255.255.0 Backup
icmp permit any Backup
no asdm history enable
arp timeout 14400
nat-control
static (Clients,Clients) Outside_Network Client-Network netmask 255.255.255.0
access-group Clients_access_in in interface Clients
access-group Servers_access_in in interface Servers
access-group Backup_access_in in interface Backup
established tcp 53 0
established tcp 7 0
established tcp 21 0
established tcp 20 0
established tcp 101 0
established tcp 80 0
established tcp 443 0
established tcp 143 0
established tcp 109 0
established tcp 110 0
established tcp 22 0
established tcp 25 0
established udp 53 0
established udp 7 0
established udp 42 0
established udp 2049 0
established udp 161 0
established udp 162 0
established udp 80 0
established tcp 53 53
route Clients 0.0.0.0 0.0.0.0 192.168.0.1 1
route Clients 10.0.0.0 255.255.255.0 Client-Network 1
route Clients 10.10.0.0 255.255.255.255 10.10.15.1 1
route Clients 10.10.0.0 255.255.255.255 10.10.20.1 1
route Servers 10.10.15.0 255.255.255.255 10.10.0.1 1
route Servers 10.10.15.0 255.255.255.255 10.10.20.1 1
route Backup 10.10.20.0 255.255.255.255 10.10.0.1 1
route Backup 10.10.20.0 255.255.255.255 10.10.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http Client-Network 255.255.255.0 Clients
http 10.10.15.0 255.255.255.0 Servers
http Outside_Network 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface Clients
service resetinbound interface Servers
service resetinbound interface Backup
no service resetoutbound interface management
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh Client-Network 255.255.255.0 Clients
ssh 10.10.15.0 255.255.255.0 Servers
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username JEJ password cX0yeH.p3WpM25f0 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:81c306cec59acd766ce7719b741a65f2
: end
04-24-2016 10:06 PM
What subnet is VLAN15, and what are the IP addresses of the DNS servers VLAN15 can not get to?
04-24-2016 10:16 PM
255.255.255.0 /// 10.10.15.4 and 10.10.15.5 are my DNS servers that my clients can't reach.
04-24-2016 10:21 PM
You seem to have no nat configured on your firewall, and no outside interface. You have a default route going via 192.168.0.1 which is labelled as being on the "Clients" network.
What is 192.168.0.1?
You really need to setup a proper "outside" interface, and it should only have the path to the Internet on it.
04-24-2016 10:27 PM
Here's the confusion I'm getting... The 192.168.0.1 is my only outside interface... I have a NAT configuration on my router to translate my internal IPs from 10.0.0.0 to 192.168.0.0... which is why I had to create a network object for my outside, since I don't have an interface leading to the outside network, which is on my clients network. See topology.
04-24-2016 10:29 PM
Is there a reason why you did it this way?
Otherwise you need to create a proper outside interface on the firewall, and connect the router via that.
04-24-2016 10:38 PM
Yes, to have all my internal clients etc. behind my router... The only way I know to create an outside interface is to create a network object using my router's outside IP address, which is 192.168.0.85, that leads to the outside network... I don't know what else to do. All of the routes are there; I'm just lost.
04-25-2016 03:01 AM
I really don't like your network design.
Can you post your router config? Perhaps we can make this configuration just do the bits you need.
04-25-2016 02:27 PM
04-25-2016 02:42 PM
You need to add a router for every network behind the ASA.
I just spotted another issue. You seem to be using DHCP on a lot of the interfaces, yet the ASA needs to be the default gateway for each network.
If the ASA is configured using DHCP, what is the default gateway for these different networks?
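An added check, not from the thread or from Cisco: a small Python linter run over a constructed excerpt of the posted config, reporting the problems the replies raise (no global NAT pool, no interface named outside, every interface at the same security level, an interface addressed by DHCP, and a default route leaving a non-outside interface). The excerpt, the convention that the egress interface is named "outside", and the finding text are this example's assumptions.

```python
import re
# Constructed excerpt modelled on the posted config (interface names and addresses from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Clients
 security-level 0
 ip address dhcp
interface Ethernet0/1
 nameif Servers
 security-level 0
nat-control
route Clients 0.0.0.0 0.0.0.0 192.168.0.1 1
route Clients 10.0.0.0 255.255.255.0 Client-Network 1
"""

def parse_interfaces(config):
    """Map each nameif to its security-level and whether it is addressed by DHCP."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur = {"security": None, "dhcp": False}
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur is not None and s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif cur is not None and s == "ip address dhcp":
            cur["dhcp"] = True
    return ifaces

def lint_asa(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings, ifaces = [], parse_interfaces(config)
    lines = [l.strip() for l in config.splitlines()]
    # Pre-8.3 dynamic NAT needs a global pool; nat-control alone translates nothing.
    if not any(l.startswith("global (") for l in lines):
        findings.append("no dynamic NAT: no global statement found")
    if "outside" not in {n.lower() for n in ifaces}:
        findings.append("no interface named outside")
    levels = {v["security"] for v in ifaces.values()}
    if len(ifaces) > 1 and len(levels) == 1:
        findings.append("all %d named interfaces share security-level %s" % (len(ifaces), levels.pop()))
    for name, v in ifaces.items():
        if v["dhcp"]:
            findings.append("%s takes its address from DHCP; the ASA is not that network's gateway" % name)
    for l in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)
        if m and m.group(1).lower() != "outside":
            findings.append("default route via %s exits %s, not an outside interface" % (m.group(2), m.group(1)))
    return findings
```

Running `lint_asa(SAMPLE_CONFIG)` returns five findings for the excerpt, and an empty list for a config with a distinct outside interface, a global pool, and a default route out of it.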
04-25-2016 02:48 PM
The default GW is on the router; for example, VLAN 10 uses 10.10.0.1 as GW, and the same for VLANs 20 and 25, where the GWs would be 10.10.20.1 and 10.10.25.1. Those are my GWs on my router when using DHCP. It really depends on which VLAN I place on my switch when connected.
What do you recommend I do? It seems like everyone I ask is saying I need an outside interface to the ISP and an inside network for my internal IP addresses, which I don't know how to do unless I add an IP address on Fa0/1.
04-25-2016 02:52 PM
I see. Basically the firewall is doing nothing.
Would you like to just use the router (in which case we'll resolve any issues using just that device) and remove the firewall, or try and integrate the firewall into the network?
Integrating the firewall into your network will involve a lot of changes.
04-25-2016 02:57 PM
Honestly, I would like to integrate this firewall into my network, since I'm new to this firewall and would like to learn the ins and outs of it. I would just hate to throw it away or not use it, especially with how technology is moving forward at a rapid speed.
lol
04-25-2016 10:24 PM
This is quite a bit of work to fix everything up. How do you feel about getting a local Cisco partner to get it setup?
https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
I've had a closer look at the router config. There is no need for both a router and a firewall. The firewall can do everything that the router is currently doing.