
Inter-VLAN firewall or routing issues... ping only.

Timothy Erk
Level 1

Hey folks,

I ran into an issue that I just can't figure out, and need some help. I was brought in to create a new VLAN and install some WiFi APs for guest access. Nothing new. ASA 5510. So I created the new "VLAN 60" as a sub-int on eth0/1, where they already had VLAN 5. Created a dynamic NAT rule to use the outside int. Created a DHCP scope for the new VLAN 60. Made sure all the associated switch ports were trunked with dot1q encap, and allowed VLANs 5, 60, etc. Everything on that end works fine. WiFi users get DHCP, get out to the net, etc. But they need to be able to hit their Exchange server on VLAN 5. I can ping the server from VLAN 60, but that's it. When I do a port scan, all the major ports (80, 8080, 443, 110, etc.) get no reply. Can't RDP or connect with an Outlook client. My immediate thought was inter-VLAN routing. But they're on the same security level and I have the same-security-traffic permit inter and intra commands there. So I went to the firewall and put permit ip any any commands in there and disabled all other firewall commands on both of those VLANs... STILL NO GO. Any ideas? Essentially, I just need VLAN 60 to be able to talk to the server on VLAN 5 (10.10.5.19). It's killing me. The config is below. Please browse and see if there is anything that sticks out. I fear it is something so easy that I'm looking right over it. Thank you!

hostname xxxxxxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 64.199.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1.5
vlan 5
nameif inside
security-level 100
ip address 10.10.5.1 255.255.255.0
!
interface Ethernet0/1.60
vlan 60
nameif Room206
security-level 100
ip address 10.10.60.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.10.51.1 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif mts
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.10.20.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object 10.10.201.0 255.255.255.0
network-object 10.10.202.0 255.255.255.0
network-object 10.10.203.0 255.255.255.0
network-object 10.10.204.0 255.255.255.0
network-object 10.10.205.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ssh
port-object eq telnet
object-group network DM_INLINE_NETWORK_6
network-object host 10.10.5.32
network-object host 64.199.xxx.xxx
object-group network DM_INLINE_NETWORK_7
network-object 199.249.xxx.xxx 255.255.255.0
network-object host 208.93.xxx.xxx
access-list acl_inside extended permit ip any any
access-list acl_inside extended deny tcp any any eq 135
access-list acl_inside extended deny udp any any eq 135
access-list acl_inside extended deny udp any any eq tftp
access-list acl_inside extended deny tcp any any eq 137
access-list acl_inside extended deny udp any any eq netbios-ns
access-list acl_inside extended deny tcp any any eq 138
access-list acl_inside extended deny udp any any eq netbios-dgm
access-list acl_inside extended deny tcp any any eq netbios-ssn
access-list acl_inside extended deny udp any any eq 139
access-list acl_inside extended deny tcp any any eq 445
access-list acl_inside extended deny tcp any any eq 593
access-list acl_inside extended permit icmp any any
access-list inbound extended permit tcp any host 10.10.51.29 eq telnet
access-list inbound extended permit tcp any host 206.69.xxx.xxx eq www
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp-data
access-list inbound extended permit tcp host 12.47.xxx.xxx host 64.199.xxx.xxx eq ssh
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet
access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq ssh
access-list inbound extended permit gre any host 64.199.xxx.xxx
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pptp
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9090
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9040
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq smtp
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pop3
access-list inbound extended permit tcp any host 64.199.xxx.xxx eq imap4
access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389
access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389
access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389
access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389
access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.202.0 255.255.255.0
access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.203.0 255.255.255.0
access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.204.0 255.255.255.0
access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.205.0 255.255.255.0
access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.201.0 255.255.255.0
access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.202.0 255.255.255.0
access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.203.0 255.255.255.0
access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.204.0 255.255.255.0
access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.205.0 255.255.255.0
access-list inbound extended permit ip 10.10.201.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list inbound extended permit ip 192.168.68.0 255.255.255.0 any
access-list inbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any host 10.10.5.19 eq https
access-list inbound extended permit ip 10.10.60.0 255.255.255.0 any
access-list mts_in extended permit tcp any host 10.10.5.32 eq ssh
access-list mts_in extended permit tcp any host 10.10.5.32 eq telnet
access-list mts_in extended permit icmp any any
access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp
access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp-data
access-list mts_in extended permit tcp any host 10.10.5.32 eq 1001
access-list mts_in extended permit ip any 10.10.20.0 255.255.255.0
access-list mts_in extended permit ip any host 10.10.5.36
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_12
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_11 10.10.5.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.51.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list wireless extended permit ip any any
access-list wireless extended permit ip any 10.10.5.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu mts 1500
mtu management 1500
mtu Room206 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 64.199.xxx.xxx
global (outside) 102 64.199.xxx.xxx
global (outside) 103 64.199.xxx.xxx
global (outside) 104 64.199.xxx.xxx
global (outside) 1 interface
global (outside) 105 64.199.xxx.xxx
global (dmz) 1 interface
global (dmz) 105 10.10.51.105
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.255.250.30 255.255.255.255
nat (inside) 1 10.255.250.100 255.255.255.255
nat (inside) 1 10.255.250.144 255.255.255.255
nat (inside) 1 10.255.250.150 255.255.255.255
nat (inside) 1 10.255.250.186 255.255.255.255
nat (inside) 1 10.10.5.0 255.255.255.0
nat (dmz) 1 10.10.51.0 255.255.255.0
nat (Room206) 1 10.10.60.0 255.255.255.0
static (dmz,outside) 206.69.xxx.xxx 10.10.51.31 netmask 255.255.255.255
static (dmz,outside) 64.199.xxx.xxx 10.10.51.12 netmask 255.255.255.255
static (dmz,outside) 64.199.xxx.xxx 10.10.51.40 netmask 255.255.255.255
static (inside,mts) 10.10.5.32 10.10.5.32 netmask 255.255.255.255
static (inside,mts) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (inside,mts) 10.10.5.36 10.10.5.36 netmask 255.255.255.255
static (inside,outside) 64.199.xxx.xxx 10.10.5.21 netmask 255.255.255.255
static (inside,outside) 64.199.xxx.xxx 10.10.5.32 netmask 255.255.255.255
static (inside,outside) 64.199.xxx.xxx 10.10.5.20 netmask 255.255.255.255
static (inside,outside) 64.199.xxx.xxx 10.10.5.14 netmask 255.255.255.255
static (inside,outside) 64.199.xxx.xxx 10.10.5.17 netmask 255.255.255.255
static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0
static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group acl_inside in interface inside
access-group mts_in in interface mts
access-group wireless in interface Room206
route outside 0.0.0.0 0.0.0.0 64.199.xxx.xxx 1
route mts 10.10.1.0 255.255.255.0 10.10.50.2 1
route mts 10.10.2.0 255.255.255.0 10.10.50.2 1
route inside 10.10.20.0 255.255.255.0 10.10.5.11 1
route mts 10.10.100.0 255.255.255.0 10.10.50.2 1
route mts 10.10.101.0 255.255.255.0 10.10.50.2 1
route mts 10.10.199.0 255.255.255.0 10.10.50.2 1
route inside 10.255.250.0 255.255.255.0 10.10.5.11 1
route inside 192.168.222.0 255.255.255.0 10.10.5.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RemotSiteVPN1 1 match address outside_cryptomap
crypto dynamic-map RemotSiteVPN1 1 set pfs
crypto dynamic-map RemotSiteVPN1 1 set transform-set ESP-3DES-SHA
crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime seconds 28800
crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime kilobytes 4608000
crypto map dyn-map 1 ipsec-isakmp dynamic RemotSiteVPN1
crypto map dyn-map 2 match address outside_cryptomap_1
crypto map dyn-map 2 set peer 208.93.xxx.xxx
crypto map dyn-map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map dyn-map 2 set security-association lifetime seconds 28800
crypto map dyn-map 2 set security-association lifetime kilobytes 4608000
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 3600
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 10.10.60.30-10.10.60.250 Room206
dhcpd dns 8.8.8.8 8.8.4.4 interface Room206
dhcpd lease 86400 interface Room206
dhcpd enable Room206
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username xxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group RemotSiteVPN1 type ipsec-l2l
tunnel-group RemotSiteVPN1 ipsec-attributes
pre-shared-key *
tunnel-group 208.93.xxx.xxx type ipsec-l2l
tunnel-group 208.93.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fbe6d8b4e95f180959e5692270b2d9d5
: end

9 Replies

Jouni Forss
VIP Alumni

Hi,

Can you take the output of a "packet-tracer" command that simulates one of these connections that doesn't go through?

For example:

packet-tracer input Room206 tcp 10.10.60.100 12345 10.10.5.19 80


- Jouni

Sorry it took so long to get back. Here's the output. Maybe I'm blind, but it looks like each phase is allowed.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0
nat-control
  match ip inside 10.10.5.0 255.255.255.0 Room206 any
    static translation to 10.10.5.0
    translate_hits = 0, untranslate_hits = 11040
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.5.0/0 to 10.10.5.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group wireless in interface Room206
access-list wireless extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0
nat-control
  match ip Room206 10.10.60.0 255.255.255.0 inside any
    static translation to 10.10.60.0
    translate_hits = 14727, untranslate_hits = 0
Additional Information:
Static translate 10.10.60.0/0 to 10.10.60.0/0 using netmask 255.255.255.0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0
nat-control
  match ip Room206 10.10.60.0 255.255.255.0 inside any
    static translation to 10.10.60.0
    translate_hits = 14727, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0
nat-control
  match ip inside 10.10.5.0 255.255.255.0 Room206 any
    static translation to 10.10.5.0
    translate_hits = 0, untranslate_hits = 11040
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0
nat-control
  match ip inside 10.10.5.0 255.255.255.0 Room206 any
    static translation to 10.10.5.0
    translate_hits = 0, untranslate_hits = 11040
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 90518755, packet dispatched to next module

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.5.19 using egress ifc inside
adjacency Active
next-hop mac address 0023.7ddb.482e hits 0

Result:
input-interface: Room206
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hi,

Well it does seem that the "packet-tracer" goes through just fine.

Are you trying to connect specifically using the internal IP address 10.10.5.19? Or is DNS involved?

Would you possibly need some other DNS servers in the DHCP configurations on the ASA? Perhaps some internal DNS server?

I guess if you want to make sure whether any traffic is flowing between the 2 LAN networks you could take a capture:

access-list WIRELESS-CAP permit ip 10.10.60.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list WIRELESS-CAP permit ip 10.10.5.0 255.255.255.0 10.10.60.0 255.255.255.0
capture WIRELESS-CAP type raw-data access-list WIRELESS-CAP interface inside buffer 10000000 circular-buffer

Naturally the capture ACL can be more specific if needed.

After the test you should be able to use the following command to see if any traffic was captured:

show capture

You should also use the command

show capture WIRELESS-CAP

to see what traffic was actually captured.

You could further copy the whole capture to a TFTP server as a .pcap file to be opened with Wireshark:

copy /pcap capture:WIRELESS-CAP tftp://x.x.x.x/WIRELESS-CAP.pcap

You can remove the capture and its data from the ASA with the command

no capture WIRELESS-CAP

- Jouni

The end goal is to have it work with DNS, but for now I'm just using a port scanner to the IP of 10.10.5.19 and all ports come up with a no-reply.

I changed one of the DNS servers on the DHCP scope to an internal one, 10.10.5.24.

Set up the capture, opened it in Wireshark, ran a port scan, and here's a bit from the TCP section of the HTTP scan packet:

Transmission Control Protocol, Src Port: 49981 (49981), Dst Port: http (80), Seq: 2012523545, Len: 0
Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set

How can I copy a whole expanded packet in text from Wireshark? I can't figure it out.

Another little oddity is that I can't ping the interface addresses from the opposing network. So from VLAN 60, I can't ping 10.10.5.1. And from VLAN 5 I can't ping 10.10.60.1.

Devices on VLAN 5 are being given a gateway of 10.10.5.11, which is a L3 switch that the ASA inside interface is plugged into. I have no idea why they have that set that way here, instead of pointing everything at 10.10.5.1 as the default router. But I may be able to get the password to the DHCP server and change that.

And just as an FYI, the switch port that the ASA is plugged into (Cisco 3560G) is configured as follows:

interface GigabitEthernet0/21
description Uplink to ASA 5510 Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005
switchport mode trunk

I configured another port on that same switch as an access port for VLAN 60, plugged in, got a DHCP address from 60, and still can't ping 10.10.5.1 or pass any ports to VLAN 5. I can ping everything else on VLAN 5, except the interface address. I did this just to eliminate the wireless, and any other hops in the network.

Hi,

The problem with ICMP to the remote interface is how the ASA normally works. You won't be able to do this between the different LAN interfaces. In other words, you can't ping any other interface on the ASA other than the one behind which the host doing the ICMP is. (There are some exceptions with regards to connections coming from VPN.)

Would it be possible to see the 3560G configurations?

- Jouni

Here it is. And thank you for helping me with this. I really appreciate it!

lstc-3560-core#sh run
Building configuration...

Current configuration : 3351 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname lstc-3560-core
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2,5
!
vlan 20
name voice
!
vlan 51,60,250,260
!
vlan 999
name MTS_DMZ
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
switchport access vlan 60
switchport mode access
!
interface GigabitEthernet0/16
description HP Switch to Room 206
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 1,2,5,20,50,51,60,206,250,260,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
description Uplink to ASA 5510 Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/22
description Uplink to DMZ
switchport access vlan 51
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
description Connection to MTSDMZ on ASA5510
switchport access vlan 999
!
interface GigabitEthernet0/25
description Uplink to mts-3b329-4006 Port Gi2/4
switchport trunk encapsulation isl
switchport trunk allowed vlan 250,260
switchport mode trunk
!
interface GigabitEthernet0/26
description Uplink to lstc-3548xl-sw1
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/27
description Uplink to lstc-3548xl-sw2 Gi0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/28
description Gigabit Uplink to lstc-3524xl-329 Gi0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
ip address 10.255.255.254 255.255.255.0
!
interface Vlan5
ip address 10.10.5.11 255.255.255.0
!
interface Vlan20
ip address 10.10.20.11 255.255.255.0
!
interface Vlan60
ip address 10.10.60.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.5.1
ip http server
!
!
control-plane
!
!
end

lstc-3560-core#

Hi,

Isn't there asymmetric routing going on here at the moment?

  • Host on Vlan60 sends TCP SYN to its default gateway which is ASA
  • Host on Vlan 5 receives TCP SYN and sends TCP SYN,ACK to its default gateway which is L3 Switch
  • The TCP SYN,ACK is sent from the L3 Switch directly to the host on Vlan60 since the L3 Switch can see it as a directly connected network
  • Host on Vlan60 sends TCP ACK to finalize the TCP connection negotiation and it sends it to its default gateway which is ASA
  • ASA has never seen the TCP SYN,ACK from the host on Vlan5 and therefore blocks the TCP ACK
  • Connection fails

Or this is at least what came to my mind first. It might also explain why ICMP is working but not the TCP connections.

I guess you could try removing the Vlan60 interface so the L3 switch doesn't see that network as a connected network but rather just distributes Vlan60 throughout the switch network.

- Jouni
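To make the asymmetric path above concrete, here is an added simulation (my own code, not from the thread or from Cisco) of the six steps Jouni lists: a minimal stateful firewall stands in for the ASA, a layer-3 switch stands in for the 3560, the VLAN 60 client defaults to the ASA and the VLAN 5 server defaults to the switch, exactly as the thread describes. The class and function names are my own; running it with and without a Vlan60 SVI on the switch shows the final ACK being dropped in the first case and the handshake completing in the second.

```python
"""Simulated asymmetric routing between VLAN 60 and VLAN 5 (added example).

The ASA is modelled as a firewall that only forwards a TCP ACK after it has
seen both the SYN and the SYN,ACK of that connection; the 3560 is modelled as
a router that delivers directly to its connected VLANs and otherwise uses its
default route, which in the thread points at the ASA (10.10.5.1).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN,ACK" or "ACK"


def subnet(ip: str) -> str:
    """/24 network of an address; enough for the thread's addressing."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class StatefulFirewall:
    """Minimal model of the ASA's TCP connection tracking."""

    def __init__(self) -> None:
        self.flows: dict[tuple[str, str], str] = {}
        self.dropped: list[Segment] = []

    def forward(self, seg: Segment) -> bool:
        key, rkey = (seg.src, seg.dst), (seg.dst, seg.src)
        if seg.flags == "SYN":
            self.flows[key] = "SYN_SEEN"
            return True
        if seg.flags == "SYN,ACK" and self.flows.get(rkey) == "SYN_SEEN":
            self.flows[rkey] = "SYNACK_SEEN"
            return True
        if seg.flags == "ACK" and self.flows.get(key) == "SYNACK_SEEN":
            self.flows[key] = "ESTABLISHED"
            return True
        # No flow in the expected state: the firewall drops the segment.
        # This is what happens to the client's final ACK in the thread.
        self.dropped.append(seg)
        return False


class L3Switch:
    """Model of the 3560: connected VLANs are reached directly, everything
    else follows the default route to the firewall."""

    def __init__(self, connected: set[str], default_gw: StatefulFirewall) -> None:
        self.connected = connected
        self.default_gw = default_gw

    def forward(self, seg: Segment) -> bool:
        if subnet(seg.dst) in self.connected:
            return True  # delivered directly, bypassing the ASA entirely
        return self.default_gw.forward(seg)


def handshake(client: str, server: str, client_gw, server_gw) -> bool:
    """Three-way handshake where each side hands its segment to its own
    default gateway. True only if every segment was delivered."""
    steps = [
        (Segment(client, server, "SYN"), client_gw),
        (Segment(server, client, "SYN,ACK"), server_gw),
        (Segment(client, server, "ACK"), client_gw),
    ]
    return all(gw.forward(seg) for seg, gw in steps)


def scenario(switch_has_vlan60_svi: bool) -> tuple[bool, list[Segment]]:
    """Returns (connection established?, segments the firewall dropped)."""
    asa = StatefulFirewall()
    switch_vlans = {"10.10.5.0/24", "10.10.20.0/24"}   # Vlan5 and Vlan20 SVIs
    if switch_has_vlan60_svi:
        switch_vlans.add("10.10.60.0/24")               # interface Vlan60
    switch = L3Switch(switch_vlans, default_gw=asa)
    # Client on VLAN 60 defaults to the ASA; the Exchange server on VLAN 5
    # defaults to the switch (10.10.5.11), as DHCP hands it out in the thread.
    ok = handshake("10.10.60.100", "10.10.5.19", client_gw=asa, server_gw=switch)
    return ok, asa.dropped


if __name__ == "__main__":
    for svi in (True, False):
        ok, dropped = scenario(svi)
        print(f"Vlan60 SVI on switch: {svi}  established: {ok}  dropped: {dropped}")
```

Ping is unaffected in either case because the echo reply, like the SYN,ACK, reaches the client straight from the switch and nothing on that path checks connection state.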

We are seeing the same issue, same scenario, will answer if we resolve.
