Ok, not sure if I should be posting this in the Routing section or Firewalls, but since it involves 2 firewalls I'm going to start here.
Here's what I got. I have 1 network that I'm trying to make secure, and it needs to access 2 separate networks. I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network. I scrapped that idea and grabbed an old PIX 501 off the shelf to bring my connectivity to my 3rd network online. Since the 3rd network is only passing IP traffic to a small group of servers on the outside, I figure the 501 should be just fine.
So, here's the problem I am running into:
My internal network is 10.10.16.0/16, I have a new domain controller with DHCP on it handing out addresses in the 10.10.16.0/24 range.
External Network 1 is 192.168.16.0/24. The services I need from that network are primarily in 192.168.0.0 range, however there is a comcast router 22.214.171.124 (Changed of course) that provides high speed internet I need for my www traffic.
External Network 2 is 10.1.1.0/16. I have about 4 servers I need to access on this network and that's it. This network has its own domain and DHCP controller and I've been given a range of IPs to use on this network of 10.1.3.180-10.1.3.189.
My switch is just a plain-jane 3Com switch with minimal management, so I am attempting to use my ASA5505 to handle my layer 3 routing.
So here's my issue:
ASA5505 (IN:10.10.16.1, OUT: 192.168.16.6): Passes traffic to External Network 1 and to the comcast router, no problem. All my computers on my 10.10.16.0/16 network have access to everything on 192.168.0.0/24 as well as getting full name resolution and www traffic across the comcast router. Can NOT access 10.1.1.0/16 no matter what. From inside the ASA or from on the inside LAN ports. It CAN ping the PIX 501
PIX 501 (IN: 10.10.16.3, OUT: 10.1.3.180): Can ping EVERYTHING. Can ping 192.168.0.0/24, can ping 10.10.16.0/16 and can ping 10.1.1.0/16. Set to globally assign the other IPs in my range as addresses for outgoing traffic.
Workstations (IN: 10.10.16.XXX DHCP, using 10.10.16.1 as gateway) Can only access everything on External Network 1. ZERO access to External Network 2.
ATM I have both INSIDE and OUTSIDE ACLs wide open for both firewalls just to get connectivity going. I will be tightening it up after it is operational.
Attached find a log file (sensitive data removed of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.
Any help with getting this final leg of access would be really appreciated as I'm not able to figure out why this isn't working.
Hosts on the inside of the ASA cannot access the 10.1.0.0/16 network because it is also behind the inside interface (according to 'route inside 10.1.0.0 255.255.0.0 10.10.16.3 1'). By default, the ASA will not allow traffic to ingress and egress the same interface. This is called hairpinning or u-turning traffic.
You can allow hairpinning with the 'same-security-traffic permit intra-interface' command. You just need to make sure that when the 10.1.0.0/16 hosts respond back to the inside hosts that they send their traffic back to the ASA's inside interface as well. Since the ASA keeps track of the state of a connection, it needs to see both sides of the traffic.
Since you have a PAT set up for hosts on the inside interface, you should also set up NAT 0 for this traffic so the ASA doesn't try to translate the traffic.
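What the answer above describes, as an added ASA config example that is not from the thread or its attached log. It assumes pre-8.3 NAT syntax (the post uses "NAT 0" and PAT, which fits that release line), the ACL name NONAT, and a constructed destination host 10.1.1.10 on External Network 2; all other addresses are the poster's.

```text
! Added example (not the poster's config). ASA 5505, pre-8.3 syntax assumed.
! 10.10.16.0/24 is the subnet the workstations actually get from DHCP; widen
! the mask if the inside really is 10.10.0.0/16 as the post states.
!
! 1. Reach External Network 2 through the PIX's inside address (from the post)
route inside 10.1.0.0 255.255.0.0 10.10.16.3 1
!
! 2. Let traffic enter and leave the same interface (hairpin / u-turn)
same-security-traffic permit intra-interface
!
! 3. NAT exemption so the existing inside PAT is not applied to hairpinned
!    traffic. nat 0 is matched before the "nat (inside) 1 ..." PAT rule, so
!    Internet-bound traffic keeps using the outside PAT.
access-list NONAT extended permit ip 10.10.16.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! 4. Verify from the ASA CLI. packet-tracer should end with "Action: allow",
!    input and output interface both "inside", and no translation of the
!    10.10.16.x source. 10.1.1.10 / port 445 are constructed test values.
packet-tracer input inside tcp 10.10.16.50 12345 10.1.1.10 445
!
! 5. After a workstation tries a connection, confirm the ASA saw both halves:
show conn | include 10.1.
show xlate | include 10.1.
```

Return path caveat: the PIX's inside address 10.10.16.3 sits on the same segment as the workstations, so if the PIX answers a workstation directly the ASA sees only the outbound half of the connection and its state table will not complete; `show conn` with the flags stuck in the embryonic (SYN) state is the symptom to look for.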