New ASA Install, Inside Networks can't browse each other

pccareoncall
Level 1

I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?

192.168.152.0
192.168.153.0
192.168.154.0

Here is the running config:

show run
: Saved
:
ASA Version 8.4(1)
!
hostname ASA
domain-name NETWORK.LOCAL
enable password 9FKvgw.UCVrfUD5M encrypted
passwd 9FKvvDw.UCVrUdDM encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.152.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name NETWORK.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Net1
subnet 192.168.152.0 255.255.255.0
object network Net2
subnet 192.168.153.0 255.255.255.0
object network Net3
subnet 192.168.154.0 255.255.255.0
object network FD
host 192.168.152.2
access-list global_access extended permit ip object Net1 any
access-list global_access extended permit ip object Net2 any
access-list global_access extended permit ip object Net3 any
access-list global_access extended permit icmp interface inside any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.153.0 255.255.255.0 192.168.152.2 1
route inside 192.168.154.0 255.255.255.0 192.168.152.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.152.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 30
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.152.40-192.168.152.80 inside
dhcpd dns 192.168.0.21 interface inside
dhcpd wins 192.168.152.10 interface inside
dhcpd domain NETWORK.LOCAL interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password qiyTRCDITAjP3aZE encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dd70e1358ea2eec7f73ee334j16492bb3
: end

21 Replies

Hopefully the attached diagram will help you understand my network layout, from a logical perspective anyway.
The main network (152.0) is connected to the Internet via the providers router (152.2). The other two networks (153.0 & 154.0) connect through the ASA to the Internet. Therefore I have routes (or thought I did) for the other two networks to connect through the gateway for Internet access.

The ASA is the only device doing the routing for the internal network, and there are no layer 2 or 3 switches, no internal VLANs, etc. They are however using an MPLS network from the provider. Two networks (153.0 & 154.0) come in through one LAN port on the ASA.

I simply want all the internal subnets to be able to communicate with each other, unrestricted.
Please advise if this view changes your suggestions.


Problem solved! I researched the firewall log showing the connection being denied, and found some others having an issue with asymmetric traffic. Here's the fix:

http://www.cisco.com/en/US/products/ps6 ... d922.shtml


Hi,

Which issue is resolved, the ASA access issue or only the issue of 192.168.152.0 not being accessible? Did you reload the ASA and apply the configuration, and did it work after that? Moreover, regarding the asymmetric routing document that you have provided, TCP state bypass is just a confirmation that you have asymmetric routing configured; it might be a workaround but not a solution to the issue.

What happens is, whenever a TCP connection is built, first a 3-way handshake is completed between the source and destination. The source sends a SYN packet, the destination replies with a SYN ACK, and the source finally sends an ACK, after which a session is established.

Now if you have asymmetric routing, it means that you have multiple routes in the network to reach the destination apart from the firewall, so the complete SYN, SYN ACK, ACK handshake is not completed through the firewall and it would drop the connection.

Now if you have TCP state bypass configured, the firewall would not verify the handshake and would just allow the connection, so that confirms a routing issue.

So just be sure if you are ok with the workaround.

Let me know if we have any progress on the case, I'll be available for the whole day today.

Regards,

Varun

Thanks,
Varun Rao

Yes, the TCP State Bypass fix resolved the issue, and did not block telnet or ASDM access. I believe this is a required workaround for my environment, since the traffic to Network 2 & 3 takes a different return path as compared to the sending path, as per the network diagram I uploaded. Or is there another way?

Hi,

I am not really sure how that worked... did you not put in any static statement and just add TCP state bypass? Or did you add TCP state bypass in addition to the static statements? Could you throw some light on it?

Thanks,

Varun

Thanks,
Varun Rao

Yes, here are the configs that fixed the problem:

ASA(config)#access-list tcp_bypass extended permit tcp 192.168.152.0 255.255.255.0 any
ASA(config)#class-map tcp_bypass
ASA(config-cmap)#match access-list tcp_bypass
ASA(config-cmap)#policy-map tcp_bypass_policy
ASA(config-pmap)#class tcp_bypass
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)#service-policy tcp_bypass_policy interface inside
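
Varun's handshake explanation above and the tcp_bypass class posted by pccareoncall, as an added example that is not part of this thread and not Cisco code: a small Python model of a stateful TCP tracker with an optional state-bypass class. It is a hypothetical simplification of what a firewall like the ASA does, not its actual implementation. The hosts 192.168.152.50, 192.168.153.10, 192.168.152.77, 192.168.153.77 and 192.168.154.20 and the packet sequences are constructed for the demonstration. It shows the symmetric case (all packets allowed), the asymmetric case (SYN/ACK takes another path, so the firewall denies the ACK and data), the same case with a bypass class matching 192.168.152.0/24 (allowed again), and the cost of the bypass: a bare data packet with no handshake at all is also accepted from the bypassed subnet, while a subnet outside the class is still checked.

```python
"""Toy stateful TCP tracker: why asymmetric routing breaks a stateful
firewall, and what a tcp-state-bypass class changes (constructed model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK (data)


class StatefulFirewall:
    """Minimal model of a stateful TCP tracker plus a bypass class.
    Hypothetical simplification; not the ASA's real state machine."""

    def __init__(self, bypass_acl=()):
        # bypass_acl: (src_net, dst_net) pairs, like 'permit tcp <src> <dst>'
        self.bypass_acl = [(ip_network(s), ip_network(d)) for s, d in bypass_acl]
        self.conns = {}  # flow key -> (state, initiator address)
        self.log = []

    @staticmethod
    def _key(p):
        # Same key for both directions of one flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _bypassed(self, p):
        s, d = ip_address(p.src), ip_address(p.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass_acl)

    def process(self, p):
        desc = f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]"
        if self._bypassed(p):
            # tcp-state-bypass: no handshake verification for matching traffic.
            self.log.append(f"BYPASS {desc}")
            return True
        key = self._key(p)
        state, initiator = self.conns.get(key, (None, None))
        if p.flags == "S" and state is None:
            self.conns[key] = ("SYN_SEEN", p.src)
            verdict = True
        elif p.flags == "SA" and state == "SYN_SEEN" and p.dst == initiator:
            self.conns[key] = ("SYNACK_SEEN", initiator)
            verdict = True
        elif p.flags in ("A", "PA") and state in ("SYNACK_SEEN", "ESTABLISHED"):
            self.conns[key] = ("ESTABLISHED", initiator)
            verdict = True
        else:
            # Handshake not completed through this device: no connection.
            verdict = False
        self.log.append(f"{'ALLOW' if verdict else 'DENY '} {desc} state={state}")
        return verdict

    def run(self, packets):
        return [self.process(p) for p in packets]


# Constructed hosts: a client on Net1 talking SMB to a server on Net2.
CLIENT, SERVER = "192.168.152.50", "192.168.153.10"


def handshake(seen_synack=True):
    """SYN, optional SYN/ACK (missing when the reply takes another path),
    then ACK and a data segment from the client."""
    pkts = [Packet(CLIENT, SERVER, 40000, 445, "S")]
    if seen_synack:
        pkts.append(Packet(SERVER, CLIENT, 445, 40000, "SA"))
    pkts += [Packet(CLIENT, SERVER, 40000, 445, "A"),
             Packet(CLIENT, SERVER, 40000, 445, "PA")]
    return pkts


def symmetric_path():
    return StatefulFirewall().run(handshake(True))  # [True, True, True, True]


def asymmetric_path():
    return StatefulFirewall().run(handshake(False))  # [True, False, False]


def asymmetric_with_bypass():
    fw = StatefulFirewall(bypass_acl=[("192.168.152.0/24", "0.0.0.0/0")])
    return fw.run(handshake(False))  # [True, True, True]


def bypass_cost():
    """Unsolicited data from the bypassed subnet passes with no SYN ever
    seen; the same packet from an unlisted subnet is still state-checked."""
    fw = StatefulFirewall(bypass_acl=[("192.168.152.0/24", "0.0.0.0/0")])
    unsolicited = Packet("192.168.152.77", "192.168.154.20", 51000, 445, "PA")
    checked = Packet("192.168.153.77", "192.168.154.20", 51000, 445, "PA")
    return fw.process(unsolicited), fw.process(checked)  # (True, False)


if __name__ == "__main__":
    for name, fn in [("symmetric", symmetric_path),
                     ("asymmetric", asymmetric_path),
                     ("asymmetric+bypass", asymmetric_with_bypass)]:
        print(f"{name}: {fn()}")
    print(f"bypass cost (unsolicited, checked): {bypass_cost()}")
```

On a real ASA the asymmetric case shows up in the log as message 106015, "Deny TCP (no connection)", on the flow that never completed its handshake through the box; that is the denial to look for before reaching for bypass. The bypass_cost() case is the reason to keep the class-map ACL as narrow as the topology allows: the posted ACL permits tcp from 192.168.152.0/24 to any, so every TCP flow sourced from that subnet loses handshake verification, not just the traffic to the two MPLS-attached subnets. Unrelated to the bypass, the running config posted above also has telnet 0.0.0.0 0.0.0.0 outside and http 0.0.0.0 0.0.0.0 inside, i.e. management reachable from any address; that is worth tightening regardless of how the routing question is settled.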

Nope, I am aware of the config for TCP state bypass and know how it's done; I just needed a confirmation that you only added the bypass commands. Well, this definitely seems to be asymmetric routing in the network, otherwise there is no way this could have worked. But state bypass is not a very recommended thing, though it depends from network to network. If you are OK with the resolution, no problem.

Thanks for the update.

Cheers!!!

Varun

Thanks,
Varun Rao