Internal routing issue (asa 5510 v 8.2.2)

GEOFFREY BARKER
Level 1

Hello again,

Well, I seem to be getting 'schooled' by these ASA 5510 devices lately. I just had a lot of help resolving an inter-interface communications problem and now I've got a (hopefully small) routing problem on another 5510. I hope the community can help me again.

I have a problem with implementing a route statement on an ASA 5510.

The 5510 has one inside and one outside interface. The FW is the default GW for the subnet on the inside interface (192.168.1.1). However, for traffic bound to 192.168.100.x, I need it to route back out onto the inside subnet and send it to another ASA 5510 (192.168.1.3).

I've set up a route statement (route inside HQ-inside 255.255.255.0 192.168.1.3 1) but it is not working.

I imagined that since I'm not sending the traffic 'through' the firewall, I wouldn't need to deal with access lists and NAT. Am I wrong on that?

I've done a packet trace and it looks like the packets are dropping at the NAT rule (nat (inside) 2 0.0.0.0 0.0.0.0). I wonder if I need to do something similar to the last problem, something like a NAT exemption, but I'm still not fully aware of what I'm doing... (embarrassed to say). Sorry to ask you to spoon-feed me like this.

As always really appreciate any help.

Geoffrey

Here's my current Conf (edited for security):

Result of the command: "show running-config"

hostname NorthASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name 192.168.100.0 HQ-Inside
name 192.168.1.254 NHFDServer2-Inside
name xxxx NHFDServer2-Outside
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xxxx 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_0 tcp
 group-object RDP
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list valley_nat0 extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host NHFDServer2-Inside any
access-list Outside_access_in extended permit tcp any host NHFDServer2-Outside object-group DM_INLINE_TCP_0
access-list inside_nat_static extended permit ip host NHFDServer2-Inside any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 172.29.12.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.99.9.1-10.99.9.200 netmask 255.255.255.0
global (outside) 2 interface
global (outside) 3 NHFDServer2-Outside netmask 255.255.255.255
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.9.201 192.168.1.31 netmask 255.255.255.255
static (inside,outside) 10.99.9.202 192.168.1.32 netmask 255.255.255.255
static (inside,outside) NHFDServer2-Outside NHFDServer2-Inside netmask 255.255.255.255
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.92.226.62 1
route inside HQ-Inside 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted privilege 15
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d7f1b5a56370f3a2e2a6afe3c497ff8d
: end
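As an added illustration (not code from the thread or from Cisco), this Python model walks the ASA 8.2 dynamic-NAT lookup for a flow over a constructed excerpt of the NAT lines in the config above. It shows why a flow that enters and leaves on inside matches nat (inside) 2 but finds no global (inside) 2 and stops at that rule, while the same host going to outside translates normally; the inside_nat0 exemption lines are a hypothetical addition used only to show the nat 0 path, not something the thread confirms.

```python
import ipaddress
import re
# Constructed excerpt of the NAT-related lines from the running-config above.
# Statics are omitted: none of them cover the sample source host used below.
CONFIG = """
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 172.29.12.0 255.255.255.0
global (outside) 1 10.99.9.1-10.99.9.200 netmask 255.255.255.0
global (outside) 2 interface
global (outside) 3 NHFDServer2-Outside netmask 255.255.255.255
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 2 0.0.0.0 0.0.0.0
"""
# Hypothetical NAT-exemption lines (not in the thread) to show the "nat 0" path.
EXEMPT_LINES = """
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
"""
def _in_net(ip, net, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
def _acl_permits(acls, name, src, dst):
    return any(_in_net(src, s, sm) and _in_net(dst, d, dm) for s, sm, d, dm in acls.get(name, []))
def nat_decision(config, ingress, egress, src, dst):
    """ASA 8.2 order: exemption, policy NAT, regular NAT by mask length; the matched
    nat ID then needs a global with the same ID on the egress interface."""
    acls, nats, globs = {}, [], set()
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.match(r"nat \((\S+)\) (\d+) (.+)$", line):
            nats.append((m[1], int(m[2]), m[3].split()))
        elif m := re.match(r"global \((\S+)\) (\d+)\b", line):
            globs.add((m[1], int(m[2])))
    mine = [(nid, rest) for iface, nid, rest in nats if iface == ingress]
    # 1) nat (if) 0 access-list: exempt traffic passes untranslated, no global needed
    if any(nid == 0 and rest[0] == "access-list" and _acl_permits(acls, rest[1], src, dst)
           for nid, rest in mine):
        return "exempt"
    # 2) policy dynamic NAT: nat (if) ID access-list NAME
    chosen = next((nid for nid, rest in mine
                   if nid > 0 and rest[0] == "access-list" and _acl_permits(acls, rest[1], src, dst)), None)
    # 3) regular dynamic NAT: nat (if) ID NET MASK, most specific mask wins
    if chosen is None:
        cands = [(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False).prefixlen, nid)
                 for nid, rest in mine if nid > 0 and rest[0] != "access-list" and _in_net(src, *rest[:2])]
        chosen = max(cands)[1] if cands else None
    if chosen is None:
        return "no nat match"
    if (egress, chosen) in globs:
        return f"translate: nat id {chosen} with global ({egress}) {chosen}"
    return f"drop: nat id {chosen} matched but no global ({egress}) {chosen}"
```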

17 Replies

Hello,

I mean that, sorry I am not checking the diagrams anymore hehe

Yes, as you add more work to the ASA>>>>

Glad I could help man

Have a good one

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Geoff,

The diagram you just sent is what I am saying dude jaja

Ok ...why does ICMP work?

Because ICMP is stateless for the ASA unless you add the following command, which makes it stateful:

fixup protocol icmp

I assure you that as soon as you add the highlighted command the ICMP will stop working

Why does any other traffic fail... I would say TCP traffic? Because it is stateful

Again back to my theory

How to solve it:

TCP state bypass

access-list test extended permit tcp 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
class-map test
 match access-list test
policy-map global_policy
 class test
  set connection advanced-options tcp-state-bypass

clear local-host

Then give it a try and keep me posted dude

Remember to rate all the helpful posts

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, I had high hopes for TCP Bypass but it doesn't appear to be a usable solution. At least not yet.

First, just FYI, it seems to be necessary on both ASAs. If I deactivate the Service Policy on either FW, communications fail.

Worse, although some communication is occurring, most is failing.

For example, I can map a drive across the connection but cannot browse the content. I can make an RDP connection but mouse and keyboard information does not seem to make it across the connection. Telnetting to the remote FW (from either direction) fails outright.

So, unless there's some way to improve the performance, I can't call it a working solution at this time.

Note that the connection between HQ and Highline locations is a dedicated fiber connection running at 100Mbps and this is the only traffic running across it. So, I can at least say it's not a bandwidth issue.

Any ideas about how to proceed?

Thanks,

Geoffrey
