question on setup two physical networks by using a old ASA 5505

riderfaiz (Level 1)

Hi everyone,

Hope you can help. I thought it was very easy but it turned out I was stuck for half a day. I have an old, unused ASA 5505 and the license is only Basic (e.g. I could not create a 3rd VLAN). I tried to set it up so that it would be the security between two networks that are totally separate. No routing or internet in between the two networks.

The two physical networks are 192.168.200.0 (16-bit mask) and 172.20.0.0 (24-bit mask). I would like to put the 192 network at security level 0 (outside interface) and the 172 network at security level 100 (inside interface). And I want traffic from 192.168.200 to be able to access only one server, IP 172.20.0.54, in the 172 network.

But I failed to make it work. I cannot ping from inside to outside. And certainly I could not access the 172 server from the 192 network.

I attached my configuration here... could you help me find what I missed? I am not very good at ASA and hope you can help...

Thank you for your help in advance.

Takami Chiro

#########
# ASA Config
##########

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.200.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
........
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit ip 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit tcp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit udp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.20.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
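As an added example (not code from the thread), here is a small Python checker that evaluates flows against the four ACEs posted above and against a tightened list that permits only the one server; it shows that the posted ACL admits every host in 172.20.0.0/24, and that its /24 source mask leaves out part of the /16 outside network. It assumes ASA first-match semantics with the implicit deny and ignores port operators.

```python
import ipaddress

# Constructed input: the four ACEs exactly as posted in the thread above.
POSTED_ACL = """
access-list outside_access_in extended permit ip 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit tcp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit udp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.200.0 255.255.255.0 172.20.0.0 255.255.255.0
"""

# Constructed alternative matching the stated goal: the whole /16 outside network
# may reach the single server 172.20.0.54 and nothing else (the implicit deny does the rest).
TIGHT_ACL = """
access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 host 172.20.0.54
"""


def _addr(tok, i):
    """Consume one ASA address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines into (action, proto, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # skip remarks and anything that is not an extended ACE
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        aces.append((t[3], t[4], src, dst))
    return aces


def evaluate(aces, proto, src, dst):
    """First matching ACE wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn in aces:
        if p in ("ip", proto) and s in sn and d in dn:
            return action
    return "deny"


if __name__ == "__main__":
    for name, acl in (("posted", parse_acl(POSTED_ACL)), ("tightened", parse_acl(TIGHT_ACL))):
        print(name, "192.168.200.10 -> 172.20.0.99 tcp:", evaluate(acl, "tcp", "192.168.200.10", "172.20.0.99"))
        print(name, "192.168.1.10 -> 172.20.0.54 tcp:", evaluate(acl, "tcp", "192.168.1.10", "172.20.0.54"))
```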



cofee (Level 5)

Are you using any switch in between? If so, please make sure the ports are assigned to the right VLANs as specified on the firewall interfaces. Are you able to ping the inside interface from the inside server, and also the outside firewall interface from the outside server (even though you didn't specify whether you have any device connected to the outside network)?

Also try this nat to ping from outside to inside server:

static (inside,outside) 172.20.0.54 172.20.0.54 netmask 255.255.255.255

Hi coffee@0400, thank you for your response! It works! After I typed in that NAT statement... it just works... I did not change the VLAN membership on the fw ports... even though they did not match our core switch... but it still works... Now... may I ask further.... :)


On the 172.20.0 network... I have 172.20.0.1 on an enterprise ASA fw. This is the gateway for the DMZ to get out to the internet. And 172.20.0.254 is still on the fw between the two networks I have been talking about.

If the gw on 172.20.0.54 is pointing to 172.20.0.254... I can still ping the 192 network... but no internet. But if I put 172.20.0.1, it is the other way around.

So on the new small ASA fw, what do I need to type so the internet traffic can route to 172.20.0.1 while the traffic to 192 can still be accessed? Do I need another NAT statement? Or are my thoughts wrong?

Thank you very much again! I know I am getting close~~

Takami

Hi there,

Sorry I am not very clear on your requirement.

I have following questions:

* Are we talking about two separate firewalls?

* You mentioned that you can't access the internet, but all the networks you specified are private and not routable over the public internet. What is your public-facing interface/device?

I will try to answer your questions based on my understanding:

You have 2 networks

Inside - 172.20.0.254 255.255.255.0

Inside server - 172.20.0.54  (you only want this server to be accessed from outside network)

Outside - 192.168.200.1 255.255.0.0

Sample configuration for inside users to access the internet via PAT:

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.255.0

Sample NAT config so the inside server can be accessed from outside:

static (inside,outside) 192.168.200.54 172.20.0.54 netmask 255.255.255.255

(You can also use this NAT rule and remove the identity NAT that I mentioned earlier, and you should still be able to access it from the outside network. I just picked a random outside address from the 192.168.x.x block. For internet access, as long as your ASA has the right default gateway configured, your server should be able to access the internet. All access/permissions can be managed using ACLs.)

Let me know if this answers your question.

Hi Cofee, thank you again for your time... I am sorry if I confused you. I already uploaded a hand-made network diagram so I hope it helps a little. The two networks, 172 and 192... both have internet access. The question I am asking is about the 172 network.

1.) Yes, I am talking about two networks, which are separated by the 5505 ASA... and you helped solve the problem with the NAT statement, so now the hosts on each end can communicate correctly.

2.) The 192 and 172 each have their own internet. I am more on the 172 network now. The 172 is in the DMZ of another of my corporate ASAs, a 5585. The gateway is on the 5585, which is 172.20.0.1.

The gateway on the 5505 for the 172 network is 172.20.0.254. If I put down 172.20.0.254, my 172.20.0.54 host can access the 192 network, but I will not be able to access the internet. If I put down 172.20.0.1 instead, I can go to the internet, but I cannot access the 192 network.

Afterwards, on the 5585 ASA, I added a static route so the network will use the DMZ as the interface to route 192.168.200.0 255.255.255.0 to 172.20.0.254, which is on the 5505 ASA. I did not do any other NAT settings... The result is still the same as in the last paragraph. What did I miss? The DMZ on the 5585 is using 172.20.0.1 as the gateway.

So do I need what you told me, "static (inside,outside) 192.168.200.54 172.20.0.54 netmask 255.255.255.255"? I add it on the 5505, right?

Also, do I need the static route statement on the 5585 asa I mentioned?

I tried to reduce the words here...please bear with me as I know sometimes too wordy is no good. Hope you do not mind. Thank you for your help.


Takami

For now you can leave the NAT rule the way it is. Sorry to say, but your network design is sort of strange for the following reason:

* You have your inside network (172.20.0.x/24) behind the inside interface on the ASA 5505, and then the 5585 is also on the same LAN segment and the 5585 (172.20.0.1) is the gateway for the inside network to the internet. Is there a reason it was designed this way? When you set the default gateway on your server as 172.20.0.254 it can access 192.168.x.x/16 because it's sending the packet to its default gateway 172.20.0.254, and the ASA 5505 is directly connected or, you can say, it has a route to the destination; but when the destination is outside your network/internet it's still sending those packets to 172.20.0.254, which is normal behaviour since it's configured as the default gateway, but the ASA 5505 doesn't have a route to the internet. I am not sure if your 5505 has a default gateway configured.

I understand that you put a static route on the 5585 for 192.168.0.0/16 pointing to 172.20.0.254, hoping it would be able to reach the 192.168 network with its default gateway set as 172.20.0.1, but it's not happening. Did you check the ASA 5585 logs for what it is doing with the packet originated by 172.20.0.54 destined to 192.168.x.x? You can also use the packet-tracer command to simulate traffic.

I wonder if traffic is getting dropped by the 5585 as ingress/egress traffic is on the same interface. Not sure, so please either check the logs or the packet tracer utility on the 5585.

At this point I would recommend the following steps to resolve this issue:

a) If the server's default gateway is set as 172.20.0.254, put a default route on the ASA 5505:
route inside 0.0.0.0 0.0.0.0 172.20.0.1   (I am not sure how the ASA will behave, but you can give it a shot)

b) If the server's default gateway is set as 172.20.0.1, you already have a static route configured on the 5585 for 192.168.0.0/16 towards 172.20.0.254. Check on the 5585 what it's doing with that packet (we need to find out if this traffic is actually making it to the 5505), and if you don't see any issue there then hop on to the 5505 to check if it's dropping that packet for some reason.

c) You can set the server's default gateway as 172.20.0.1 and try to put a static route on the server for 192.168.0.0/16 with 172.20.0.254 as next hop. But this may not be feasible because as you add more devices all of them will need the same setup if requirements are similar; or maybe, lastly, if possible, change your inside network subnet on the 5505 to something else.

a) If the server's default gateway is set as 172.20.0.254, put a default route on the ASA 5505:
route inside 0.0.0.0 0.0.0.0 172.20.0.1   (I am not sure how the ASA will behave, but you can give it a shot)

b) If the server's default gateway is set as 172.20.0.1, you already have a static route configured on the 5585 for 192.168.0.0/16 towards 172.20.0.254

The configuration above is not going to work with the firewall because of the traffic flow.

To my understanding, the step below is the only way to make it work the way your network is designed (if this setup is only needed for 172.16.0.54, then putting a static route on the server is the best option):

c) You can set the server's default gateway as 172.20.0.1 and try to put a static route on the server for 192.168.0.0/16 with 172.20.0.254 as next hop. But this may not be feasible because as you add more devices all of them will need the same setup if requirements are similar; or maybe, lastly, if possible, change your inside network subnet on the 5505 to something else.

Let me know if you have any questions.

Hi Cofee

Thank you very much once again for your detailed info :) So should I just keep the NAT statement that you told me to add from the beginning... not the others?

I agree! The network is kind of strange. Long story. Originally the 172 and 192 networks were totally separate. No relationship at all. The 172 is a DMZ of one of our VLANs in our corporate network.

Now "they" have a project that wants me to set up a server in 172 (for security and for LAN access) to collect the data which will be sent from the 192 network!

This is the background. To me, I really want to restrict all traffic from 192 to access only the server in the 172 network. So I put a firewall in between. At the same time, the server needs to be accessed by LAN users and needs to access the internet. So I think putting it in our DMZ is the best deal. The server is a VM so it needs to be in the corporate network too.

Man... tough to work with all the constraints :) But I like all this, though getting things to work is another topic. The 5505 is a very old firmware firewall... it does not let me create any new VLAN, so I can only work with 1 and 2... technically.

I will try to change my route on the 5585 from 192.168 24 bits to 16 bits. I will also try to play around with the default and see how it goes.

I am not very good at the 5585 ASA so I also contacted Cisco TAC to get more ideas on whether "the static" routes will work.

For sure you helped me resolve the NAT issue.... I will also try to add a static route on the server to see if it will work.

I will keep you posted on how it goes. I really sincerely appreciate all your words and effort here.

Thank you very much again! Will keep you posted. Arigatou gozaimasu!!

Takami

Sure, you can use the first NAT rule that I sent. As long as you have the ASA 5505, the 5585 and the server on the same segment, with the 5585 pointing to the internet and the 5505 directly connected to 192.168.0.0, adding a static route on the 5585 will not solve your issue, nor will adding a default route on the 5505 pointing to 172.20.0.1 (5585).

The firewall will simply not allow this flow; if these were routers you wouldn't have had any issue. But yes, if you add a static route on the server for 192.168.x.x/16 and set 172.20.0.254 as next hop, then the server will definitely be able to access the internet and the 192.168.x.x network. I don't see any problem with that.

Let me know how it goes with the static route on the server, if you decide to go that route. That should definitely work.

Hi Cofee..

Thank you again for all your responses here.... I am off today as I am sick :(

Yesterday I went back to the office for a couple of hours... And what I did first was to try the static route on the server. It did not work, however, which does not make sense to me. I was not feeling well yesterday already but still wanted to do a couple more things for this problem before going home... The first thing was to redo the fw and create the two VLANs that will match my corporate and the toc networks (the old fw only allows me to create two no matter what).

You know what happened... a good sign to me!! From the FW, I could ping my corporate ASA 5585 DMZ interface, and the same from the other side too... which did not happen before.

Then I put in the NAT statement you showed me... boom... now I could ping from my server to the 192 network (the opposite side as well) by using the corporate ASA interface. Certainly I needed to add the static route on the server, by the way. So you are correct!!

1.) I need the NAT statement

2.) The VLANs on the fw also need to match the VLANs for the two networks I have.

If the above had not worked, I had been planning to set up a router as well... which I thought must have worked... anyway... no need now.

The case is now totally resolved :) Thank you very much again for your help. Happy Holidays to you!

Takami

 

That's wonderful. I am glad I was able to assist.

Wish you safe and relaxing holidays!

Hi Cofee.... other than my response below this message... I would also like to ask... should I still use "static (inside,outside) 172.20.0.54 172.20.0.54 netmask 255.255.255.255"... or "nat (inside) 1 172.20.0.0 255.255.255.0" that you provided in the last post?

Thank you very much again.


Takami
