cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1586
Views
0
Helpful
9
Replies
Highlighted
Beginner

Inter-VLAN firewall or routing issues... ping only.

Hey folks,

I ran into an issue that I just can't figure out, and need some help. I was brought in to create a new VLAN and install some WiFi APs for guest access. Nothing new. ASA 5510. So I created the new "VLAN 60" as a sub-int on eth0/1, where they already had VLAN 5. Created a dynamic NAT rule to use the outside int. Created a DHCP scope for the new VLAN 60. Made sure all the associated switch ports were trunked with dot1q encap, and allowed VLANs 5,60, etc. Everything on that end works fine. WiFi users get DHCP, get out to the net, etc. But they need to be able to hit their exchange server on VLAN 5. I can ping the server from VLAN 60, but that's it. When I do a port scan, all the major ports (80, 8080,443, 110, etc) get a no reply. Can't RDP or connect with an Outlook client. My immediate thought was inter-vlan routing. But they're on the same security level and I have the same-security-traffic permit inter and intra commands there. So I went to the firewall and put permit ip any any commands in there and disabled all other firewall commands on both of those VLANs... STILL NO GO. Any ideas? Essentially, I just need VLAN 60 to be able to talk to the server on VLAN 5 (10.10.5.19). It's killing me. The config is below. Please browse and see if there is anything that sticks out. I fear it is something so easy that I'm looking right over it. Thank you!

hostname xxxxxxxxxxxxxxxxxxxxxx

domain-name xxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxxxx encrypted

names

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 64.199.xxx.xxx 255.255.255.240

!

interface Ethernet0/1

speed 100

duplex full

no nameif

no security-level

no ip address

!

interface Ethernet0/1.5

vlan 5

nameif inside

security-level 100

ip address 10.10.5.1 255.255.255.0

!

interface Ethernet0/1.60

vlan 60

nameif Room206

security-level 100

ip address 10.10.60.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.10.51.1 255.255.255.0

!

interface Ethernet0/3

speed 100

duplex full

nameif mts

security-level 100

ip address 10.10.50.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxxxxxx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1

network-object 10.10.20.0 255.255.255.0

network-object 10.10.5.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group network DM_INLINE_NETWORK_5

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group network DM_INLINE_NETWORK_12

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group network DM_INLINE_NETWORK_11

network-object 10.10.201.0 255.255.255.0

network-object 10.10.202.0 255.255.255.0

network-object 10.10.203.0 255.255.255.0

network-object 10.10.204.0 255.255.255.0

network-object 10.10.205.0 255.255.255.0

object-group service DM_INLINE_TCP_1 tcp

port-object eq ssh

port-object eq telnet

object-group network DM_INLINE_NETWORK_6

network-object host 10.10.5.32

network-object host 64.199.xxx.xxx

object-group network DM_INLINE_NETWORK_7

network-object 199.249.xxx.xxx 255.255.255.0

network-object host 208.93.xxx.xxx

access-list acl_inside extended permit ip any any

access-list acl_inside extended deny tcp any any eq 135

access-list acl_inside extended deny udp any any eq 135

access-list acl_inside extended deny udp any any eq tftp

access-list acl_inside extended deny tcp any any eq 137

access-list acl_inside extended deny udp any any eq netbios-ns

access-list acl_inside extended deny tcp any any eq 138

access-list acl_inside extended deny udp any any eq netbios-dgm

access-list acl_inside extended deny tcp any any eq netbios-ssn

access-list acl_inside extended deny udp any any eq 139

access-list acl_inside extended deny tcp any any eq 445

access-list acl_inside extended deny tcp any any eq 593

access-list acl_inside extended permit icmp any any

access-list inbound extended permit tcp any host 10.10.51.29 eq telnet

access-list inbound extended permit tcp any host 206.69.xxx.xxx eq www

access-list inbound extended permit icmp any any

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq ftp-data

access-list inbound extended permit tcp host 12.47.xxx.xxx host 64.199.xxx.xxx eq ssh

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq telnet

access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq ssh

access-list inbound extended permit gre any host 64.199.xxx.xxx

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pptp

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9090

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq 9040

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq smtp

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq www

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq https

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq pop3

access-list inbound extended permit tcp any host 64.199.xxx.xxx eq imap4

access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389

access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389

access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389

access-list inbound extended permit tcp host 199.249.xxx.xxx host 64.199.xxx.xxx eq 3389

access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.202.0 255.255.255.0

access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.203.0 255.255.255.0

access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.204.0 255.255.255.0

access-list inbound extended permit ip 10.10.5.0 255.255.255.0 10.10.205.0 255.255.255.0

access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.201.0 255.255.255.0

access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.202.0 255.255.255.0

access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.203.0 255.255.255.0

access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.204.0 255.255.255.0

access-list inbound extended permit ip 10.10.20.0 255.255.255.0 10.10.205.0 255.255.255.0

access-list inbound extended permit ip 10.10.201.0 255.255.255.0 10.10.20.0 255.255.255.0

access-list inbound extended permit ip 192.168.68.0 255.255.255.0 any

access-list inbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0

access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_1

access-list inbound extended permit tcp any host 10.10.5.19 eq https

access-list inbound extended permit ip 10.10.60.0 255.255.255.0 any

access-list mts_in extended permit tcp any host 10.10.5.32 eq ssh

access-list mts_in extended permit tcp any host 10.10.5.32 eq telnet

access-list mts_in extended permit icmp any any

access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp

access-list mts_in extended permit tcp any host 10.10.5.32 eq ftp-data

access-list mts_in extended permit tcp any host 10.10.5.32 eq 1001

access-list mts_in extended permit ip any 10.10.20.0 255.255.255.0

access-list mts_in extended permit ip any host 10.10.5.36

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_12

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_11 10.10.5.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 object-group DM_INLINE_NETWORK_2

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 10.10.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 10.10.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_5

access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.51.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.51.0 255.255.255.0 10.10.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 192.168.68.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.68.0 255.255.255.0 10.10.5.0 255.255.255.0

access-list wireless extended permit ip any any

access-list wireless extended permit ip any 10.10.5.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm debugging

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu mts 1500

mtu management 1500

mtu Room206 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 101 64.199.xxx.xxx

global (outside) 102 64.199.xxx.xxx

global (outside) 103 64.199.xxx.xxx

global (outside) 104 64.199.xxx.xxx

global (outside) 1 interface

global (outside) 105 64.199.xxx.xxx

global (dmz) 1 interface

global (dmz) 105 10.10.51.105

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.255.250.30 255.255.255.255

nat (inside) 1 10.255.250.100 255.255.255.255

nat (inside) 1 10.255.250.144 255.255.255.255

nat (inside) 1 10.255.250.150 255.255.255.255

nat (inside) 1 10.255.250.186 255.255.255.255

nat (inside) 1 10.10.5.0 255.255.255.0

nat (dmz) 1 10.10.51.0 255.255.255.0

nat (Room206) 1 10.10.60.0 255.255.255.0

static (dmz,outside) 206.69.xxx.xxx 10.10.51.31 netmask 255.255.255.255

static (dmz,outside) 64.199.xxx.xxx 10.10.51.12 netmask 255.255.255.255

static (dmz,outside) 64.199.xxx.xxx 10.10.51.40 netmask 255.255.255.255

static (inside,mts) 10.10.5.32 10.10.5.32 netmask 255.255.255.255

static (inside,mts) 10.10.20.0 10.10.20.0 netmask 255.255.255.0

static (inside,mts) 10.10.5.36 10.10.5.36 netmask 255.255.255.255

static (inside,outside) 64.199.xxx.xxx 10.10.5.21 netmask 255.255.255.255

static (inside,outside) 64.199.xxx.xxx 10.10.5.32 netmask 255.255.255.255

static (inside,outside) 64.199.xxx.xxx 10.10.5.20 netmask 255.255.255.255

static (inside,outside) 64.199.xxx.xxx 10.10.5.14 netmask 255.255.255.255

static (inside,outside) 64.199.xxx.xxx 10.10.5.17 netmask 255.255.255.255

static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0

static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0

access-group inbound in interface outside

access-group acl_inside in interface inside

access-group mts_in in interface mts

access-group wireless in interface Room206

route outside 0.0.0.0 0.0.0.0 64.199.xxx.xxx 1

route mts 10.10.1.0 255.255.255.0 10.10.50.2 1

route mts 10.10.2.0 255.255.255.0 10.10.50.2 1

route inside 10.10.20.0 255.255.255.0 10.10.5.11 1

route mts 10.10.100.0 255.255.255.0 10.10.50.2 1

route mts 10.10.101.0 255.255.255.0 10.10.50.2 1

route mts 10.10.199.0 255.255.255.0 10.10.50.2 1

route inside 10.255.250.0 255.255.255.0 10.10.5.11 1

route inside 192.168.222.0 255.255.255.0 10.10.5.11 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.0.0 255.255.0.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map cisco 1 set transform-set myset

crypto dynamic-map cisco 1 set security-association lifetime seconds 28800

crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map RemotSiteVPN1 1 match address outside_cryptomap

crypto dynamic-map RemotSiteVPN1 1 set pfs

crypto dynamic-map RemotSiteVPN1 1 set transform-set ESP-3DES-SHA

crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime seconds 28800

crypto dynamic-map RemotSiteVPN1 1 set security-association lifetime kilobytes 4608000

crypto map dyn-map 1 ipsec-isakmp dynamic RemotSiteVPN1

crypto map dyn-map 2 match address outside_cryptomap_1

crypto map dyn-map 2 set peer 208.93.xxx.xxx

crypto map dyn-map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map dyn-map 2 set security-association lifetime seconds 28800

crypto map dyn-map 2 set security-association lifetime kilobytes 4608000

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp policy 25

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption des

hash md5

group 2

lifetime 3600

telnet 10.10.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 10.10.60.30-10.10.60.250 Room206

dhcpd dns 8.8.8.8 8.8.4.4 interface Room206

dhcpd lease 86400 interface Room206

dhcpd enable Room206

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

username xxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group RemotSiteVPN1 type ipsec-l2l

tunnel-group RemotSiteVPN1 ipsec-attributes

pre-shared-key *

tunnel-group 208.93.xxx.xxx type ipsec-l2l

tunnel-group 208.93.xxx.xxx ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:fbe6d8b4e95f180959e5692270b2d9d5

: end

9 REPLIES 9
Highlighted
Mentor

Hi,

Can you take the output of a "packet-tracer" command that simulates one of these connections that doesnt go through

For example

packet-tracer input Room206 tcp 10.10.60.100 12345 10.10.5.19 80


- Jouni

Highlighted

Sorry it took so long to get back. Here's the output. Maybe I'm blind, but it looks like each phase is allowed.

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0

nat-control

  match ip inside 10.10.5.0 255.255.255.0 Room206 any

    static translation to 10.10.5.0

    translate_hits = 0, untranslate_hits = 11040

Additional Information:

NAT divert to egress interface inside

Untranslate 10.10.5.0/0 to 10.10.5.0/0 using netmask 255.255.255.0

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group wireless in interface Room206

access-list wireless extended permit ip any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0

nat-control

  match ip Room206 10.10.60.0 255.255.255.0 inside any

    static translation to 10.10.60.0

    translate_hits = 14727, untranslate_hits = 0

Additional Information:

Static translate 10.10.60.0/0 to 10.10.60.0/0 using netmask 255.255.255.0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (Room206,inside) 10.10.60.0 10.10.60.0 netmask 255.255.255.0

nat-control

  match ip Room206 10.10.60.0 255.255.255.0 inside any

    static translation to 10.10.60.0

    translate_hits = 14727, untranslate_hits = 0

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0

nat-control

  match ip inside 10.10.5.0 255.255.255.0 Room206 any

    static translation to 10.10.5.0

    translate_hits = 0, untranslate_hits = 11040

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,Room206) 10.10.5.0 10.10.5.0 netmask 255.255.255.0

nat-control

  match ip inside 10.10.5.0 255.255.255.0 Room206 any

    static translation to 10.10.5.0

    translate_hits = 0, untranslate_hits = 11040

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 90518755, packet dispatched to next module

Phase: 12

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.5.19 using egress ifc inside

adjacency Active

next-hop mac address 0023.7ddb.482e hits 0

Result:

input-interface: Room206

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Highlighted

Hi,

Well it does seem that the "packet-tracer" goes through just fine.

Are you trying to connect specifically using the internal IP address 10.10.5.19? Or is DNS involved?

Would you possibly need some other DNS servers in the DHCP configurations on the ASA? Perhaps some internal DNS server?

I guess if you want to make sure if any traffic is flowing between the 2 LAN networks you could take a capture

access-list WIRELESS-CAP permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0

access-list WIRELESS-CAP permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.255.0

capture WIRELESS-CAP type raw-data access-list WIRELESS-CAP interface inside buffer 10000000 circular-buffer

Naturally the capture ACL can be more specific if needed

After test you should be able to use the following commands to see if any traffic is captured

show capture

You should also use the command

show capture WIRELESS-CAP

To see what traffic was actually captured.

You could further copy the whole capture to a TFTP-server as a .pcap file to be opened with Wireshark

copy /pcap capture:WIRELESS-CAP tftp://x.x.x.x/WIRELESS-CAP.pcap

You can remove the capture and its data from the ASA with command

no capture WIRELESS-CAP

- Jouni

Highlighted

The end goal is to have it work with DNS, but for now I'm just using a port scanner to the IP of 10.10.5.19 and all ports come up with a no-reply.

I changed one of the DNS servers on the DHCP scope to an internal one, 10.10.5.24.

Set up the capture, opened in wireshark, ran a port scan, and here's a bit from the TCP section of the HTTP scan packet:

Transmission Control Protocol, Src Port: 49981 (49981), Dst Port: http (80), Seq: 2012523545, Len: 0

Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set

How can I copy a whole expanded packet in text from Wireshark? I can't figure it out.

Highlighted

Another little oddity is that I can't ping the interface addresses from the opposing network. So from VLAN 60, I can't ping 10.10.5.1. And from VLAN 5 I can't ping 10.10.60.1.

Devices on VLAN 5 are being given a gateway of 10.10.5.11, which is a L3 switch that the ASA inside interface is plugged into. I have no idea why they have that set that way here, instead of pointing everything at 10.10.5.1 as the default router. But I may be able to get the password to the DHCP server and change that.

And just as an FYI, the switch port that the ASA is plugged into (Cisco 3560G) is configured as follows:

interface GigabitEthernet0/21

description Uplink to ASA 5510 Inside

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005

switchport mode trunk

I configured another port on that same switch as an access port for VLAN 60, plugged in, got a DHCP address from 60, and still can't ping 10.10.5.1 or pass any ports to VLAN 5. I can ping everything else on VLAN 5, except the the interface address. I did this just to eliminate the wireless, and any other hops in the network.

Highlighted

Hi,

The problem with ICMP to the remote interface is how the ASA normally works. You wont be able to do this between the different LAN interfaces. In other words, you cant ping any other interface on the ASA other than the one behind which the host doing the ICMP is. (There are some exceptions with regards to connections coming from VPN)

Would it be possible to see the 3560G configurations?

- Jouni

Highlighted

Here it is. And thank you for helping me with this. I really appreciate it!

lstc-3560-core#sh run

Building configuration...

Current configuration : 3351 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

!

hostname lstc-3560-core

!

no aaa new-model

system mtu routing 1500

vtp mode transparent

ip subnet-zero

ip routing

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 2,5

!

vlan 20

name voice

!

vlan 51,60,250,260

!

vlan 999

name MTS_DMZ

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface GigabitEthernet0/3

!

interface GigabitEthernet0/4

!

interface GigabitEthernet0/5

!

interface GigabitEthernet0/6

!

interface GigabitEthernet0/7

!

interface GigabitEthernet0/8

!

interface GigabitEthernet0/9

!

interface GigabitEthernet0/10

!

interface GigabitEthernet0/11

!

interface GigabitEthernet0/12

!

interface GigabitEthernet0/13

!

interface GigabitEthernet0/14

!

interface GigabitEthernet0/15

switchport access vlan 60

switchport mode access

!

interface GigabitEthernet0/16

description HP Switch to Room 206

switchport trunk encapsulation dot1q

switchport trunk native vlan 60

switchport trunk allowed vlan 1,2,5,20,50,51,60,206,250,260,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/17

!

interface GigabitEthernet0/18

!

interface GigabitEthernet0/19

!

interface GigabitEthernet0/20

!

interface GigabitEthernet0/21

description Uplink to ASA 5510 Inside

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/22

description Uplink to DMZ

switchport access vlan 51

!

interface GigabitEthernet0/23

!

interface GigabitEthernet0/24

description Connection to MTSDMZ on ASA5510

switchport access vlan 999

!

interface GigabitEthernet0/25

description Uplink to mts-3b329-4006 Port Gi2/4

switchport trunk encapsulation isl

switchport trunk allowed vlan 250,260

switchport mode trunk

!

interface GigabitEthernet0/26

description Uplink to lstc-3548xl-sw1

switchport trunk encapsulation isl

switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/27

description Uplink to lstc-3548xl-sw2 Gi0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 20

switchport trunk allowed vlan 1,2,5,20,51,60,250,260,999,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/28

description Gigabit Uplink to lstc-3524xl-329 Gi0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Vlan1

ip address 10.255.255.254 255.255.255.0

!

interface Vlan5

ip address 10.10.5.11 255.255.255.0

!

interface Vlan20

ip address 10.10.20.11 255.255.255.0

!

interface Vlan60

ip address 10.10.60.2 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.10.5.1

ip http server

!

!

control-plane

!

!

end

lstc-3560-core#

Highlighted

Hi,

Isnt there asymmetric routing going on here at the moment?

  • Host on Vlan60 sends TCP SYN to its default gateway which is ASA
  • Host on Vlan 5 receives TCP SYN and sends TCP SYN,ACK to its default gateway which is L3 Switch
  • The TCP SYN,ACK is sent from the L3 Switch directly to the host on Vlan60 since the L3 Switch can see it as a directly connected network
  • Host on Vlan60 sends TCP ACK to finalize the TCP connection negotiation and it sends it to its default gateway which is ASA
  • ASA has never seen the TCP SYN,ACK from the host on Vlan5 and therefore blocks the TCP ACK
  • Connection fails

Or this is atleast what came to my mind first. It might also explain why ICMP is working but not the TCP connections.

I guess you could try removing the Vlan60 interface so the L3 switch doesnt see that network as connected network but rather just distributes the Vlan60 throughout the switch network.

- Jouni

Highlighted

We are seeing the same issue, same scenario, will answer if we resolve.

Content for Community-Ad