Cisco ASA 5515-x multiple public IP address blocks

shelleylynn
Level 1

Good morning,

I am trying to install a new ASA 5515-x (OS 9.1) firewall in place of our old PIX 515-E (OS 6.4) firewall and I am having some difficulties.

I've been reading through the forum and I have found other people who are having issues with multiple public IP address blocks on their ASA appliances, but I tried adding arp permit-nonconnected as suggested and it didn't fix the problem. I am wondering now if there is something else wrong with my config and I'm hoping that someone here can help me with it.

My two public IP blocks are x.x.131.212 255.255.255.248 and y.y.56.200 255.255.255.248.

My internal network is 10.0.0.x

The DMZ is 192.168.40.x

The parts I'm concerned about are the NATing and the ACLs. 

Here is my config:

gw(config)# show run

: Saved

:

ASA Version 9.1(1)

!

hostname gw

domain-name ****.ca

enable password **** encrypted

passwd **** encrypted

names

name 10.0.0.3 AS400

name 10.0.0.27 DC-01

name 10.0.0.25 FS-01

name 10.0.0.26 FS-01-26

name 10.0.0.18 Faxserver

name 10.0.0.36 SpamFilter

name 10.0.0.5 WebFilter

name 192.168.40.213 VS-02

name 10.0.0.73 APP-02

name 10.0.0.72 APP-01

name 10.0.0.70 VS-01

name 192.168.40.218 WEB-02

name x.x.131.114 WEB-02_OUTSIDE

ip local pool Remote_Address 10.0.5.10-10.0.5.100 mask 255.255.255.0

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.131.114 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface GigabitEthernet0/1.2

vlan 2

nameif VOIP

security-level 100

ip address 10.0.10.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 4

ip address 192.168.40.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

clock timezone MST -7

dns server-group DefaultDNS

domain-name firstcanadian.ca

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network AS400

host 10.0.0.3

object network FS-01

host 10.0.0.25

object network Exchange

host 10.0.0.35

object network APP-01

host 10.0.0.72

object network SpamFilter

host 10.0.0.36

object network WEB-02

host 192.168.40.218

object network WEB-02_outside

host 67.226.131.114

object network DMZ_IP_RANGE

subnet 192.168.40.0 255.255.255.0

object network inside_IP_RANGE

subnet 10.0.0.0 255.255.255.0

object network VOIP_IP_RANGE

subnet 10.0.10.0 255.255.255.0

object network NETWORK_OBJ_10.0.5.0_25

subnet 10.0.5.0 255.255.255.128

object network Remote_inside_drs

subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_10.0.0.0_24

subnet 10.0.0.0 255.255.255.0

object network Remote_inside_drs_DMZ

subnet 192.168.41.0 255.255.255.0

object-group service Mail tcp

description "Allow Mail Traffic from Outside"

port-object eq https

port-object eq 8080

port-object eq 444

port-object eq 465

port-object eq 995

port-object eq 993

port-object eq 587

port-object eq imap4

port-object eq pop3

object-group service WebAccess tcp

description "Allow Web Traffic to Web Service"

port-object eq www

port-object eq https

object-group service CA400_ODBC tcp

description "Allow traffic from WEB-02 to AS400"

port-object eq 446

object-group service Spamfilter tcp

description "Allow Mail Traffic to the Spamfilter"

port-object eq smtp

port-object eq ssh

object-group service IntWebApp tcp

description "Allow Internal Traffic from WEB-02 to APP-01"

port-object eq 8383

object-group icmp-type PingTraffic

description "Allow Echo Echo-Reply Unreachable and Time-Exceeded Traffic"

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list ACL_OUT remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside

access-list ACL_OUT extended permit icmp any x.x.131.0 255.255.255.0 object-group PingTraffic log

access-list ACL_OUT remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside

access-list ACL_OUT extended permit icmp any y.y.56.0 255.255.255.0 object-group PingTraffic log

access-list ACL_OUT remark "Allow Ping to WEB-02 on Outside"

access-list ACL_OUT extended permit icmp any object WEB-02 object-group PingTraffic log

access-list ACL_OUT remark "Allow HTTP and HTTPS to WEB-02_outside"

access-list ACL_OUT extended permit tcp any object WEB-02 object-group WebAccess log

access-list ACL_OUT remark "Allow Mail Traffic from Outside to Exchange"

access-list ACL_OUT extended permit tcp any object Exchange object-group Mail log

access-list ACL_OUT remark "Allow Mail Traffic from Outside to SpamFilter"

access-list ACL_OUT extended permit tcp any object SpamFilter object-group Spamfilter log

access-list ACL_OUT remark "Allow Hosts in DMZ to Browse Internet"

access-list ACL_OUT extended permit udp object WEB-02 any eq domain log

access-list ACL_OUT remark "Allow Site to Site VPN Traffic"

access-list ACL_OUT extended permit esp any 10.0.0.0 255.255.255.0

access-list ACL_OUT extended permit udp any eq 4500 10.0.0.0 255.255.255.0 eq 4500

access-list ACL_OUT extended permit udp any eq isakmp 10.0.0.0 255.255.255.0 eq isakmp

access-list ACL_DMZ remark "Allow echo,echo-reply,unreachable and time-exceeded on Outside"

access-list ACL_DMZ extended permit icmp object DMZ_IP_RANGE any object-group PingTraffic log

access-list ACL_DMZ remark "Allow FTP Access from DMZ to FS-01 on Inside"

access-list ACL_DMZ extended permit tcp object WEB-02 object FS-01 eq ftp

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to AS400"

access-list ACL_DMZ extended permit tcp object WEB-02 object AS400 object-group CA400_ODBC

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to FCIC-APP-01"

access-list ACL_DMZ extended permit tcp object WEB-02 object APP-01 object-group IntWebApp

access-list ACL_DMZ extended permit udp object DMZ_IP_RANGE any eq domain

access-list ACL_DMZ extended permit tcp object DMZ_IP_RANGE any eq www

access-list ACL_DMZ extended permit tcp object DMZ_IP_RANGE any eq https

access-list Tunnel_Group_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs

access-list Remote_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list Remote_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0

access-list vpn-access extended permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu VOIP 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static inside_IP_RANGE inside_IP_RANGE destination static NETWORK_OBJ_10.0.5.0_25 NETWORK_OBJ_10.0.5.0_25 no-proxy-arp

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Remote_inside_drs Remote_inside_drs no-proxy-arp route-lookup

!

object network Exchange

nat (any,any) static y.y.56.204

object network SpamFilter

nat (any,any) static x.x.131.113

object network WEB-02

nat (any,any) static WEB-02_outside

object network DMZ_IP_RANGE

nat (DMZ,outside) dynamic interface

object network inside_IP_RANGE

nat (inside,outside) dynamic interface

object network VOIP_IP_RANGE

nat (VOIP,outside) dynamic interface

access-group ACL_OUT in interface outside

access-group ACL_DMZ in interface DMZ

!

router rip

passive-interface default

arp permit-nonconnected

!

route outside 0.0.0.0 0.0.0.0 y.y.56.206 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

***crypto section removed to save space

telnet 192.168.0.99 255.255.255.255 outside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

split-tunnel-policy tunnelspecified

username test password **** encrypted privilege 15

*removed Tunnel info to save space

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect http

inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

password encryption aes

Cryptochecksum:****

: end

gw(config)#

23 Replies

Hi Jouni,

Here is the info I got from our ISP. 

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.10.56.205           0   xxxx.de26.8073  ARPA   Vlan

Internet  10.10.56.204           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.203           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.202           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.201           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  11.11.131.114          0   yyyy.46e8.c09d  ARPA   Vlan

Internet  11.11.131.113          0   yyyy.46e8.c09d  ARPA   Vlan

Configs on our router (Access port to the cx)

interface Vlanxxxx

description

ip address 11.11.131.118 255.255.255.248 secondary

ip address 10.10.56.206 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

end

Hi,

Judging by the "show ip arp" output, it seems that you have a PIX which is using most of the public IP addresses as NAT IP addresses, and there is also some other device behind the ISP's link (in your network) that is configured with a public IP address.

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.10.56.205           0   xxxx.de26.8073  ARPA   Vlan

Internet  10.10.56.204           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.203           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.202           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  10.10.56.201           0   yyyy.46e8.c09d  ARPA   Vlan

Internet  11.11.131.114          0   yyyy.46e8.c09d  ARPA   Vlan

Internet  11.11.131.113          0   yyyy.46e8.c09d  ARPA   Vlan

Basically the "yyyy.46e8.c09d" should change into something different when the firewall is switched.

Though, I guess there is even a possibility to configure this same MAC address on your ASA's "outside" interface, which would mean that even if the old ARP table markings stayed on the ISP side, there should be no problem as the MAC is unchanged.

There is a command "mac-address" which you can use under the interface configuration mode. I have not had to use this myself.

Just as an example, I did this on my home ASA (ASA5505):

ASA(config)# interface vlan 10

ASA(config-if)# mac-address 0000.46e8.c09d

ASA(config)# sh interface vlan 10

Interface Vlan10 "WAN", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        Description: WAN

        MAC address 0000.46e8.c09d, MTU 1500

As you can see the interface MAC address is changed and could be for example the MAC of your PIX firewall.

- Jouni

Hi,

So if I understood correctly, there's basically an L3 gateway in the ISP core that holds both public subnets.

To use Cisco's configuration format, it might look something like this:

interface GigabitEthernet1/1.xxxx

description Customer A

encapsulation dot1q xxxx

ip add 1.1.1.1 255.255.255.248

ip add 2.2.2.1 255.255.255.248 secondary

What the ISP could do to eliminate any ARP problems of using multiple public subnets is

  • Remove the "secondary" subnet
  • Add a route for the "secondary" subnet towards the current ASA "outside" interface

For example

interface GigabitEthernet1/1.xxxx

description Customer A

encapsulation dot1q xxxx

ip add 1.1.1.1 255.255.255.248

ip route 2.2.2.0 255.255.255.248 1.1.1.2

Since the Internet works for users after replacing the PIX with the ASA, we know that the ASA can forward traffic to the ISP and to the Internet. So the problem might be related to either old ARP table markings that aren't removed, OR there is just something wrong with the ASA, even though I am not sure what it could be if it's not any of the things I mentioned already.

Multiple subnets shouldn't be any problem, nor should having the single default route pointing to the gateway address of only one of the public subnets. Just as an example, one of our customers has around 15-20 public subnets on their ASA used for NAT and some others in their internal network, and there is no problem.

I guess it's possible that I might be missing something also. Though I have given examples on how to troubleshoot this during the switching of the firewalls.

Hopefully it gets sorted out the next time.

- Jouni

Hi Jouni,

Your idea about changing the mac address on the new firewall to match the old one worked!!  Unfortunately, after working properly for about 2 hours, I suddenly lost access to my web server again.  I could ping all of my other IPs, but not the web server IP.

We ended up having to put the old firewall back in place again.

Can you think of any reason why the 5515-x would suddenly stop allowing traffic through for that one IP?

I'm thinking that it may have been the ISP ARP tables again, but if you can think of any other reason it would have suddenly dropped that traffic let me know.

I'm going to mark your last post as the correct answer because it did get me up and running.

Thank you again for all of your help!!

Shelley

Hi,

Well, the only thing different between the other servers you have and the Web server having problems is that the server is on the DMZ of the ASA while the others are on the INSIDE.

Though if that was somehow related to the problem, then it would probably be something on the actual DMZ rather than on the ASA itself.

I guess it's possible that there are problems on the ISP side also.

I don't know if I can suggest anything else at this point other than using the previously mentioned ways to troubleshoot the problem, or rather determine what is happening with connections to your Web server. The first thing during the problem would be to determine if any traffic was coming towards the server from the Internet. This could be done by looking at the ACL hitcounts, monitoring connection logs, doing packet capture on the ASA itself, etc.

Also, as I have said before, the ISP could always remove the "secondary" subnet from their gateway Vlan interface:

interface Vlanxxxx

description

ip address 11.11.131.118 255.255.255.248 secondary

ip address 10.10.56.206 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

end

interface Vlanxxxx

no ip address 11.11.131.118 255.255.255.248 secondary

ip route 11.11.131.112 255.255.255.248 10.10.56.201

This would rule out any ARP related problems, as the ISP would not need to ARP for the destination IP addresses on network 11.11.131.118/29. The ISP gateway device would just send traffic destined to that network to the ASA directly. Currently they would be using ARP to determine the MAC address of the destination, since the ISP has that network configured directly on their gateway Vlan interface.

Though it still sounds very strange that only one host from this public network range would be experiencing these problems and everything else was fine.

It would be so much easier to troubleshoot if I could see the situation during the actual problem. I'm so used to it, since I work for an ISP and have access to both the ISP core network and the customer firewalls which I manage.

I guess I could always take a look at the situation on the ASA when you were doing the change and had the problem, but somehow I imagine that is not something your boss would want to allow.

- Jouni

Thanks for the offer Jouni! We tried again last night and made some headway.

I changed one of the NAT rules from:

object network WEB-02

nat (DMZ,any) static 11.11.131.114

to:

object network WEB-02

nat (DMZ,outside) static 11.11.131.114

And suddenly we were able to access the web server from the outside.

The only problem now is that we can't access the https portion of our website from the inside.  Sigh... 

Thank you very much for your help!  I'm sure I wouldn't have gotten this far without you. 

Hi,

When you change the NAT configuration to this

object network WEB-02

host 192.168.40.218

nat (DMZ,outside) static 11.11.131.114

Then also add this

object network WEB-02-TO-INSIDE

host 192.168.40.218

nat (DMZ,inside) static 11.11.131.114

This should also enable the DMZ server's translation towards the "inside" network. The reason it didn't work after you changed it from "any" to "outside" is naturally because you have not specifically stated in the NAT configuration that the translation is between "DMZ" and "outside" and not "DMZ" and "inside", for example.

Notice that you have to configure a completely new "object network" with a new name and under it configure everything the same EXCEPT that now the destination interface is "inside". After this the "inside" host should be able to access the server with the public IP address also, if it's allowed in the ACL.

Though I don't know why the "any" would cause problems in this case, the above suggestion should handle the same in your situation without using the "any" parameter.

Hope this helps.

- Jouni
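As an added example (not from the thread, Cisco, or any ASA tool): a small Python checker that reads an ASA-style config and flags the two pitfalls the replies settle on, static NAT written with an "any" interface pair instead of one object per explicit pair such as (DMZ,outside) and (DMZ,inside), and a mapped address that sits outside the egress interface's connected subnet while "arp permit-nonconnected" is off, which is the second-subnet proxy-ARP situation Jouni describes. The sample config is constructed with RFC 5737 documentation addresses standing in for the two sanitised /29 blocks, and parse_asa and audit_static_nat are my own names.

```python
import ipaddress
import re

# Constructed sample in ASA 9.x syntax, modelled on the thread: the outside interface lives in
# 192.0.2.112/29, one static NAT maps to the second block, and one is written as (any,any).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.114 255.255.255.248
interface GigabitEthernet0/2
 nameif DMZ
 ip address 192.168.40.1 255.255.255.0
no arp permit-nonconnected
object network Exchange
 host 10.0.0.35
 nat (any,any) static 198.51.100.204
object network WEB-02
 host 192.168.40.218
 nat (DMZ,outside) static 192.0.2.113
"""

def parse_asa(config):
    """Return ({nameif: IPv4Interface}, [(object, real_if, mapped_if, mapped)], arp_nonconnected)."""
    interfaces, nats, arp_nonconnected, nameif, obj = {}, [], False, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = obj = None                  # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            interfaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("object network "):
            obj, nameif = line.split()[2], None
        elif line.endswith("arp permit-nonconnected"):
            arp_nonconnected = not line.startswith("no ")
        elif obj and (m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line)):
            nats.append((obj, m.group(1), m.group(2), m.group(3)))
    return interfaces, nats, arp_nonconnected

def audit_static_nat(config):
    """List the static-NAT pitfalls from the thread; an empty list means none were found."""
    interfaces, nats, arp_nonconnected = parse_asa(config)
    findings = []
    for obj, real_if, mapped_if, mapped in nats:
        if "any" in (real_if, mapped_if):
            findings.append(f"{obj}: nat ({real_if},{mapped_if}) uses 'any'; write one object "
                            "per explicit pair, e.g. (DMZ,outside) and (DMZ,inside)")
        try:
            mapped_ip = ipaddress.ip_address(mapped)
        except ValueError:
            continue                             # mapped side is an object name; skip subnet check
        # Egress candidates: the named mapped interface, or every interface when 'any' is used.
        candidates = [i for n, i in interfaces.items() if mapped_if in ("any", n)]
        if candidates and not arp_nonconnected and not any(mapped_ip in i.network for i in candidates):
            findings.append(f"{obj}: mapped {mapped} is outside every connected subnet of '{mapped_if}'; "
                            "the ASA will not proxy-ARP for it without 'arp permit-nonconnected' "
                            "or an ISP route for that block pointing at the ASA")
    return findings
```

Run audit_static_nat over a real "show run" export to get the same two findings the thread worked through by trial and error; a clean config returns an empty list.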

Jouni, you are a genius!!  Thank you, thank you, thank you!!

I created a new network object and configured it with its own NAT rule as you suggested above, and everything is now working correctly from the inside and the outside.

I did the swap live, with everyone active on the network, and no one even noticed! 

I can't thank you enough for your help with this!!

Shelley

Hi Shelley,

Great to hear everything is working now.

Don't hesitate to ask here on CSC if something else comes along with the new firewall and its configurations.

Thank you for marking the correct answers.

- Jouni
