02-08-2011 05:34 AM - edited 03-11-2019 12:46 PM
Hi everybody,
I've attached an image in order to better explain the situation.
Each one of the ASA5505 is connected to the ASA5510 via VPN (there's no connection between the two 5505).
My PC (10.1.1.2) is on the INSIDE network of the FW AAA (ASA5510) and I can ping the ORION host.
hostname AAA
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.3.1 255.255.248.0 standby 10.1.3.2
!
interface Ethernet0/2
nameif voip
security-level 100
ip address 10.245.0.1 255.255.255.0 standby 10.245.0.2
!
access-list VPN extended permit ip 10.245.0.0 255.255.0.0 host 10.1.1.2
!
nat (voip) 0 access-list VPN
The problem is that I cannot reach from my pc FW BBB and CCC and neither host SIRIO and PEGASUS.
What kind of configuration do I have to implement in order to do this? I think it's something about the routing, but I'm not really sure of it.
If you need more configuration parameters just ask.
Thanks in advance for your help.
Regards,
Luca
02-08-2011 06:05 AM
OK, if your PC is on the inside and you want to reach ORION on the interface called VOIP, both interfaces with security level 100, you will need this command:
same-security-traffic permit inter-interface
If you want to pass traffic from the inside of FW AAA then you will need some type of NAT in order to move from the inside to the outside interface.
If you want to keep the real IP all the way to the destination you will need another NAT 0 with ACL (nat exempt). Also you will need ACLs allowing the traffic from outside to inside on the FW BBB and FW CCC, don't forget about the proper NAT on those two FWs.
Please try that
02-08-2011 07:22 AM
Hi Paul,
thanks for the reply.
I'm already able to ping ORION from my pc, the problem is pinging from my pc to another subnet that's on a different fw (BBB and CCC).
If you want to pass traffic from the inside of FW AAA then you will need some type of NAT in order to move from the inside to the outside interface.
What do you mean by some kind of NAT? What kind of NAT? I'm not so familiar with NAT and the like.
If you want to keep the real IP all the way to the destination you will need another NAT 0 with ACL (nat exempt).
I already have a nat (voip) 0 access-list VPN on the AAA fw, on which interface do I have to add the other nat?
I tried to add on the BBB fw the following commands...
access-list inside extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 10.245.4.0 255.255.255.0
... but I still cannot ping to the SIRIO host from my pc.
Thanks for your help.
Luca
02-08-2011 07:35 AM
you can try on FW AAA the following NAT
nat (inside) 1 0 0
global (outside) 1 interface
and add the following
fixup protocol icmp
This will allow pings from inside to outside.
Try to ping from inside to the outside interface of FW BBB and CCC
02-08-2011 07:47 AM
Did it, but it's not working!
Concerning the ping I tried to ping my pc from BBB fw CLI; I tried both:
ping outside 10.1.1.2
ping inside 10.1.1.2
There's no reply!!!
Luca
02-08-2011 08:19 PM
Hi there,
I'm unsure if you've got this working. In case you don't though and in order to get a better idea of your setup, I've a question or two:
Q. Are your VPN tunnels up?
If yes, on FW AAA and the other end (I assume FW BBB) can you see traffic being encrypted and decrypted in the IPSEC SA? (show crypto ipsec sa)
Brad
02-08-2011 11:54 PM
Hi Brad,
yes of course, these are production appliances; everything is working except for the issue I'm here trying to solve.
VPN tunnels are up, people can call via phone each other from branch offices to HQ without any problem.
Luca
02-09-2011 01:03 AM
Hi Luca,
Assuming 10.1.0.0 is a part of interesting traffic for the VPN in question,
Do you have nat exemption [ nat (inside) 0 ] configured on all ASAs inside interfaces?
on AAA:
access-list inside_nat0 perm ip 10.1.0.0 255.255.255.0 10.245.4.0 255.255.255.0
access-list inside_nat0 perm ip 10.1.0.0 255.255.255.0 10.245.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
on BBB:
access-list inside_nat0 perm ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
on CCC:
access-list inside_nat0 perm ip 10.245.8.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
And then on AAA, try:
ping inside 10.245.4.x
ping inside 10.245.8.x
HTH
regards,
Praveen
02-09-2011 01:45 AM
Hi Praveen,
Yes, I think I did all you are asking, but it isn't working... maybe it's easier for you all if I post the configurations.
FW AAA:
!
ASA Version 8.2(2)
!
hostname AAA
names
name 10.245.8.0 CCC
name 10.245.4.0 BBB
name 10.245.0.0 AAA
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.xxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
!
interface Ethernet0/2
nameif voip
security-level 100
ip address 10.245.0.1 255.255.255.0 standby 10.245.0.2
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name aaa.com
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip host 10.1.1.2 AAA 255.255.0.0
access-list inside_access_in extended deny ip any any
access-list voip extended permit ip AAA 255.255.255.0 CCC 255.255.255.0
access-list voip extended permit ip AAA 255.255.255.0 BBB 255.255.255.0
access-list voip extended permit ip host 10.245.0.9 any
access-list voip extended permit ip host 10.245.0.10 any
access-list voip extended permit icmp any any
access-list voip extended permit ip host 10.245.0.200 any
access-list voip extended permit ip host 10.245.0.100 any
access-list voip extended permit ip host 10.245.0.101 any
access-list voip extended permit ip host 10.245.0.102 any
access-list voip extended permit ip AAA 255.255.0.0 host 10.1.1.2
access-list voip extended deny ip any any
access-list VPN extended permit ip AAA 255.255.255.0 CCC 255.255.255.0
access-list VPN extended permit ip AAA 255.255.255.0 BBB 255.255.255.0
access-list VPN extended permit ip AAA 255.255.0.0 host 10.1.1.2
access-list CCC-VoIP extended permit ip AAA 255.255.255.0 CCC 255.255.255.0
access-list BBB-VoIP extended permit ip AAA 255.255.255.0 BBB 255.255.255.0
access-list MNGMT extended perm ip 10.1.1.2 255.255.255.255 CCC 255.255.255.0
access-list MNGMT extended perm ip 10.1.1.2 255.255.255.255 BBB 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu voip 1500
ip local pool vpnpool1 10.245.255.1-10.245.255.3 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 10.1.254.1 255.255.255.252 standby 10.1.254.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list MNGMT
nat (voip) 0 access-list VPN
nat (voip) 1 AAA 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group voip in interface voip
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxc 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set aaaset esp-3des esp-none
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map aaamap 1 match address CCC-VoIP
crypto map aaamap 1 set peer ttt.ttt.ttt.ttt
crypto map aaamap 1 set transform-set aaaset
crypto map aaamap 3 match address BBB-VoIP
crypto map aaamap 3 set peer eee.eee.eee.eee
crypto map aaamap 3 set transform-set aaaset
crypto map aaamap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet AAA 255.255.255.0 inside
telnet 10.1.1.1 255.255.255.255 inside
telnet 10.1.1.2 255.255.255.255 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.224 outside
ssh timeout 5
console timeout 0
management-access voip
dhcpd dns 10.245.0.250
dhcpd ping_timeout 750
!
dhcpd address 10.245.0.105-10.245.0.110 voip
dhcpd enable voip
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group eee.eee.eee.eee type ipsec-l2l
tunnel-group eee.eee.eee.eee ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group ttt.ttt.ttt.ttt type ipsec-l2l
tunnel-group ttt.ttt.ttt.ttt ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map LIMIT_BAND
description Bandwidth Limits on VPNs
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
service-policy LIMIT_BAND interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7ce4c0a321d47e9d0055903ae96f3511
: end
FW BBB: (this FW also has a video VLAN used for videoconferencing)
!
ASA Version 7.2(4)
!
hostname BBB
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.245.4.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif video
security-level 90
ip address 192.168.0.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any
access-list outside extended permit ip any host vvv.vvv.vvv.vvv
access-list outside extended deny ip any any
access-list video extended permit icmp any any
access-list video extended permit ip host 192.168.0.2 any
access-list video extended deny ip any any
access-list inside extended permit icmp any any
access-list inside extended permit ip 10.245.4.0 255.255.255.0 10.245.0.0 255.255.255.0
access-list inside extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.245.4.0 255.255.255.0 10.245.0.0 255.255.255.0
access-list VPN extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list AAA-VoIP extended permit ip 10.245.4.0 255.255.255.0 10.245.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu video 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 10.245.4.0 255.255.255.0
nat (video) 1 192.168.0.0 255.255.255.248
static (video,outside) ppp.ppp.ppp.ppp 192.168.0.2 netmask 255.255.255.255
access-group inside in interface inside
access-group outside in interface outside
access-group video in interface video
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxxy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set bbbset esp-3des esp-none
crypto map outside_map 2 match address AAA-VoIP
crypto map outside_map 2 set peer uuu.uuu.uuu.uuu
crypto map outside_map 2 set transform-set bbbset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
telnet 10.245.4.0 255.255.255.0 inside
telnet 10.245.0.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.bbb 255.255.255.224 outside
ssh timeout 15
console timeout 0
management-access inside
!
!
tunnel-group uuu.uuu.uuu.uuu type ipsec-l2l
tunnel-group uuu.uuu.uuu.uuu ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f95ffe47399d8922c46ccc038a1d9039
: end
FW CCC is similar to BBB.
Many thanks for your help.
Best regards.
Luca
02-09-2011 01:51 AM
Alright, the interesting traffic for the VPN between AAA and BBB (or AAA and CCC) does not include the traffic between 10.1.0.0/22 and 10.245.4.0/24 (or 10.245.8.0/24). Please add the following config:
on AAA:
access-list BBB-VoIP extended permit ip 10.1.0.0 255.255.252.0 BBB 255.255.255.0
on BBB:
access-list AAA-VoIP extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.252.0
Do the same on CCC. Let us know if it works.
Regards,
Praveen
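As an added example (not part of the thread or of anyone's config), a small Python checker that parses the crypto-map match ACLs quoted above and tests whether a flow is "interesting traffic" on both ends of a tunnel, which is exactly what was missing here: AAA's BBB-VoIP ACL and BBB's AAA-VoIP ACL must each cover the flow in their own direction. The ACEs are the ones from the thread (before and after the fix); the host addresses 10.245.4.10 and 10.245.0.9 are constructed.

```python
import ipaddress

# Name objects from AAA's "names" section in the thread.
NAMES = {"AAA": "10.245.0.0", "BBB": "10.245.4.0", "CCC": "10.245.8.0"}

# Crypto-map match ACLs as quoted in the thread, before and after Praveen's fix.
AAA_BEFORE = ["access-list BBB-VoIP extended permit ip AAA 255.255.255.0 BBB 255.255.255.0"]
AAA_AFTER = AAA_BEFORE + [
    "access-list BBB-VoIP extended permit ip 10.1.0.0 255.255.252.0 BBB 255.255.255.0"]
BBB_BEFORE = ["access-list AAA-VoIP extended permit ip 10.245.4.0 255.255.255.0 10.245.0.0 255.255.255.0"]
BBB_AFTER = BBB_BEFORE + [
    "access-list AAA-VoIP extended permit ip 10.245.4.0 255.255.255.0 10.1.0.0 255.255.252.0"]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' into
    (acl_name, src_network, dst_network). Handles 'host A.B.C.D' and name
    objects; 'any' and non-ip protocols are out of scope for this checker."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "permit" or tok[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest, nets = tok[5:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(NAMES.get(rest[1], rest[1])))
        else:
            addr = NAMES.get(rest[0], rest[0])          # resolve name object
            # ipaddress accepts dotted netmasks: "10.1.0.0/255.255.252.0"
            nets.append(ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False))
        rest = rest[2:]
    return tok[1], nets[0], nets[1]


def covers(acl_lines, src_ip, dst_ip):
    """True if any ACE in the ACL matches src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in map(parse_ace, acl_lines))


def mirrored(local_acl, remote_acl, src_ip, dst_ip):
    """A LAN-to-LAN tunnel carries the flow only if the local crypto ACL covers
    src -> dst AND the remote peer's crypto ACL covers the reverse, dst -> src."""
    return covers(local_acl, src_ip, dst_ip) and covers(remote_acl, dst_ip, src_ip)


if __name__ == "__main__":
    for label, a, b in (("before", AAA_BEFORE, BBB_BEFORE), ("after", AAA_AFTER, BBB_AFTER)):
        print(label, "PC 10.1.1.2 -> SIRIO 10.245.4.10:", mirrored(a, b, "10.1.1.2", "10.245.4.10"))
```

The "before" run reproduces the symptom (phones on 10.245.0.0/24 reach BBB, the PC on 10.1.0.0/22 does not); the one-sided case shows why the ACE has to be added on both peers.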
02-09-2011 02:09 AM
Praveen, you are great!!! You got the point, now it's working!!! Many, many thanks...
I also have another problem... from my PC I can ping host ORION, which is on the AAA voip interface (and now also FW BBB, CCC and their respective hosts), but I cannot ping 10.245.0.1 (voip interface of FW AAA)... do you have any guess about this?
Thanks again.
Luca
02-09-2011 02:28 AM
Glad that worked.
As per ASA architecture, you are not allowed to ping any other interface apart from the one you are logically connected to. (in this case it is inside).
The only exception made is over the VPN, i.e. from your PC you should be able to ping remote ASA-BBB's inside interface if, on ASA-BBB, you have defined "management-access inside". With this you will also be able to manage (ASDM/telnet/ssh) the ASA, if you have rules allowing it (show run http/telnet/ssh).
HTH
Regards,
Praveen
02-09-2011 02:41 AM
Got it Praveen, thanks again, I gave you the "RIGHT ANSWER"!!!
Thanks also to the other guys.
Regards,
Luca
02-09-2011 02:45 AM
Hope I earned it.
Have a good one.