Problem accessing FW device in special configuration (with telnet)

fregeus.ca
Level 1

Hello all

I have a special problem I would like to introduce to you all.  If you can help me, all the better.

We have a customer that has a PIX firewall in his network which a supplier uses to access their product.  There are actually four products in house.  Each product has its own firewall.  Because we could not create multiple VPN tunnels through the single external IP of the customer, we had to put three products with their firewall behind the fourth.  That way, there is only one firewall that does a VPN tunnel with the supplier VPN and it covers all four products.

The problem is as follows:

Firewall one is the firewall that does the VPN tunneling for all products.  It is a PIX 506E and it has the PIX firewall version 6.3(5).

Firewall two is an ASA device that is connected to the internal network of firewall one.  It's a 5505 and runs version 8.2(5).

Firewall three is also an ASA device that is connected to the internal network of firewall one.  It is also a 5505 and runs version 7.2(4)

Firewall four is a PIX connected to the internal network of firewall one.  It runs version 6.3(5) of the PIX firewall software.

Now, the supplier can, through the VPN tunnel, access all of the products it supports.  What the supplier cannot do is access the firewalls that are behind the first.  The supplier can access firewall one without a problem, but they cannot access the others.

The three firewalls behind the first are configured without NAT and without VPN.  They are just firewalling.

From the internal interface of say, firewall two, I cannot ping the supplier, but I can from the outside.  The supplier cannot telnet to the inside interface of firewall two, but can on the inside interface of firewall one.  The supplier can ping the inside interface of firewall one, its product and the outside interface of all three firewalls, but not the inside.  When I look at the logs of one of the FW, all I see is the following:

%ASA-7-710005: UDP request discarded from 10.103.xxx.xxx/137 to outside:10.103.xxx.xxx/137
%ASA-7-710005: UDP request discarded from 10.104.xxx.xxx/1025 to inside:255.255.255.255/1947
%ASA-7-710005: TCP request discarded from 142.xxx.xxx.xxx/4020 to outside:10.104.xxx.xxx/23
%ASA-7-710005: UDP request discarded from 10.104.xxx.xxx/1025 to inside:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.103.xxx.xxx/138 to outside:10.103.xxx.xxx/138

Here are some configs from firewall two:

interface Vlan100
 nameif outside
 security-level 0
 ip address 10.103.xxx.xxx 255.255.255.0
!
interface Vlan101
 nameif inside
 security-level 100
 ip address 10.104.xxx.xxx 255.255.255.0
!
access-list acl_inside_access extended permit icmp any any
access-list acl_inside_access extended permit ip any any
access-list acl_outside_access extended permit ip any any
access-list acl_outside_access extended permit icmp any any
access-list nonat extended permit ip 10.104.xxx.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-group acl_outside_access in interface outside
access-group acl_inside_access in interface inside
route outside 0.0.0.0 0.0.0.0 10.103.xxx.xxx 1
telnet 142.xxx.xxx.xxx 255.255.0.0 inside

I'm missing something, but I don't know what.  Can anyone help?

Thanks in advance


Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I am not sure if I understood everything correctly but here goes

  • You have 4 firewalls
  • One firewall handles the Internet connectivity of all and also the L2L VPN to the Supplier
  • Supplier can only connect to the firewall doing the L2L VPN and Internet connectivity
  • Supplier can't connect to any of the 3 firewalls behind the main firewall

You can use Telnet to manage the Main firewall because you either

  • Have "management-access inside" configured on the firewall to enable to access the "inside" interface IP
  • Or you use the "outside" interface IP address through L2L VPN to manage the firewall

The only way to connect to a firewall "outside" interface with "security-level 0" with Telnet is to do it through a VPN connection.

Now if all the 3 firewalls behind have "security-level 0" on their interface facing the Main firewall on the edge of the network, then it simply won't accept Telnet connections.

Simplest solution is to use SSH and not Telnet.

If that for some odd reason ain't an option you can always consider changing the "security-level" values of the 3 firewalls so they will accept even Telnet. This might naturally have an effect on firewall operation if you have not enabled the configuration "same-security-traffic permit inter-interface".

- Jouni

8 Replies

I am not sure if I understood everything correctly but here goes

  • You have 4 firewalls
  • One firewall handles the Internet connectivity of all and also the L2L VPN to the Supplier
  • Supplier can only connect to the firewall doing the L2L VPN and Internet connectivity
  • Supplier can't connect to any of the 3 firewalls behind the main firewall

You understood correctly.

You can use Telnet to manage the Main firewall because you either

  • Have "management-access inside" configured on the firewall to enable to access the "inside" interface IP

Correct, that is what I have on ALL firewalls.

The only way to connect to a firewall "outside" interface with "security-level 0" with Telnet is to do it through a VPN connection.

I raised the security level of the outside interface of firewall two to 50 and the supplier still cannot get a connection to the inside interface, although I am getting a different message in the logs:

%ASA-7-609001: Built local-host outside:142.xxx.xxx.xxx
%ASA-7-609001: Built local-host identity:10.106.xxx.xxx
%ASA-6-302013: Built inbound TCP connection 29742 for outside:142.xxx.xxx.xxx/1135 (142.xxx.xxx/1135) to identity:10.106.xxx.xxx/23 (10.106.xxx.xxx/23)
%ASA-6-302014: Teardown TCP connection 29742 for outside:142.xxx.xxx.xxx/1135 to identity:10.106.xxx.xxx/23 duration 0:00:00 bytes 0 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:142.xxx.xxx.xxx duration 0:00:00

It's the first time I see this 'to identity' in log files.  I tried to do a search on it but I get billions of hits that don't apply.

What is the lowest security level I need to accept telnet from the outside to the inside?

Simplest solution is to use SSH and not Telnet.

That is another battle going on in another battlefield.

-Marty
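An added example, not from the thread or from Cisco: a small parser for ASA syslog lines like the 710005, 302013 and 302014 messages quoted above. It lists to-the-box SSH/Telnet attempts the firewall refused and tags whether the client aimed at the arrival interface's own IP or at a far-side interface IP, which is the situation this thread runs into. The sample log lines and the interface addresses are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample lines modelled on the ASA messages quoted in this thread
# (addresses are made up; the thread masks the real ones as xxx).
SAMPLE_LOGS = """\
%ASA-7-710005: TCP request discarded from 192.0.2.10/4020 to outside:10.104.0.1/23
%ASA-7-710005: UDP request discarded from 10.104.0.20/1025 to inside:255.255.255.255/1947
%ASA-6-302013: Built inbound TCP connection 29742 for outside:192.0.2.10/1135 (192.0.2.10/1135) to identity:10.104.0.1/23 (10.104.0.1/23)
%ASA-6-302014: Teardown TCP connection 29742 for outside:192.0.2.10/1135 to identity:10.104.0.1/23 duration 0:00:00 bytes 0 TCP Reset by appliance
%ASA-6-302013: Built inbound TCP connection 29750 for outside:192.0.2.10/1140 (192.0.2.10/1140) to identity:10.103.0.1/22 (10.103.0.1/22)
"""
MGMT_PORTS = {22: "ssh", 23: "telnet"}
# Interface IPs of "firewall two", constructed to match the sample lines above.
INTERFACE_IPS = {"outside": "10.103.0.1", "inside": "10.104.0.1"}
DISCARD_RE = re.compile(r"710005: (?:TCP|UDP) request discarded from (?P<src>[\d.]+)/\d+ "
                        r"to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(r"302013: Built inbound TCP connection (?P<conn>\d+) for (?P<iface>\w+):"
                      r"(?P<src>[\d.]+)/\d+ \(\S+\) to identity:(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(r"302014: Teardown TCP connection (?P<conn>\d+) for ")

@dataclass
class MgmtAttempt:
    src: str      # client address
    iface: str    # interface the packet arrived on
    dst: str      # firewall address the client aimed at
    service: str  # "ssh" or "telnet"
    outcome: str  # "discarded", "reset", "closed" or "open"

def parse_mgmt_attempts(log_text):
    """Extract to-the-box SSH/Telnet attempts and their fate from ASA syslog text."""
    attempts, by_conn = [], {}
    for line in log_text.splitlines():
        if (m := DISCARD_RE.search(line)) and int(m["dport"]) in MGMT_PORTS:
            attempts.append(MgmtAttempt(m["src"], m["iface"], m["dst"], MGMT_PORTS[int(m["dport"])], "discarded"))
        elif (m := BUILT_RE.search(line)) and int(m["dport"]) in MGMT_PORTS:
            by_conn[m["conn"]] = len(attempts)  # remember it so the matching 302014 can update it
            attempts.append(MgmtAttempt(m["src"], m["iface"], m["dst"], MGMT_PORTS[int(m["dport"])], "open"))
        elif (m := TEARDOWN_RE.search(line)) and m["conn"] in by_conn:
            # "TCP Reset by appliance" in the 302014 means the firewall itself refused the session
            attempts[by_conn.pop(m["conn"])].outcome = "reset" if "Reset by appliance" in line else "closed"
    return attempts

def refused_attempts(attempts, interface_ips=INTERFACE_IPS):
    """Refused attempts, tagged by whether the target was the arrival interface's own IP or a far-side one."""
    out = []
    for a in attempts:
        if a.outcome in ("discarded", "reset"):
            where = "own-interface" if interface_ips.get(a.iface) == a.dst else "far-side-interface"
            out.append((a.src, a.iface, a.dst, a.service, where))
    return out
```

Run against a real ASA syslog export, the far-side-interface entries are the management attempts that no access-list or security-level change will fix, because the box itself rejects them.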

Hi,

The "management-access inside" command won't help with the firewalls behind the Main Firewall if I have understood the Cisco documentation correctly.

This will only work with the firewall that is terminating the VPN connection.

As the other 3 firewalls aren't terminating any VPN connection (the Telnet connection isn't coming from a VPN connection terminated to the specific firewall) the "management-access" won't work with them.

You should change your configuration so that you connect to the "outside" interface IP of the 3 firewalls and not the "inside" interface.

This is why I suggested playing around with the "security-level" value of the "outside" interface of the 3 Firewalls. Perhaps even changing it to "security-level 100", in which case you WILL NEED the "same-security-traffic" command so that "inside" to "outside" traffic won't stop.

EDIT: Corrected typos and added some text

- Jouni

Thanks Jouni Forss

Decided to try the SSH configuration on the outside interface.  A breeze.

jocamare
Level 4

This is what I got, correct me if I'm wrong.

The supplier is remote, on the other side of the VPN is a PIX firewall, behind it, two ASAs and one PIX.

---From the internal interface of say, firewall two, I cannot ping the supplier, but I can from the outside.

This sounds like a problem with the Access-lists or NAT.

---The supplier cannot telnet to the inside interface of firewall two, but can on the inside interface of firewall one.

The reason for this is because the inside interface of FW2 is seeing the traffic coming from the outside going to the inside interface; this is not allowed on Cisco firewalls.

The same applies for when we want to access the outside interface of the ASA from an internal host.

The reason why the supplier can reach the inside of FW1 is because of the "management-access inside" command; this makes this traffic look like it's coming from the inside network, not the outside.

---The supplier can ping the inside interface of firewall one, its product and the outside interface of all three firewalls, but not the inside.

Same answer as before.

The supplier is remote, on the other side of the VPN is a PIX firewall, behind it, two ASAs and one PIX.

---From the internal interface of say, firewall two, I cannot ping the supplier, but I can from the outside.

This sounds like a problem with the Access-lists or NAT.

Well, the commands are there.  Do you see where I went wrong?  Do you wish to see the access list and NAT commands from firewall one?

-Marty

I assume that when you say that you are "testing from the internal interface of firewall two" it means that you are testing from a host behind FW2.

If not, I assume you are using a customized version of the "ping" command on the ASA. This won't work.

If yes, please provide the config from FW1 and the IP addressing information of the involved devices. Src & Dst addresses.

Thanks Jocamare for your assistance, but I followed the suggestion of Jouni Forss and configured the access through SSH instead and use the external interface.  It's all configured and it works.

Take care

-Marty.