Routing Using ASA5505 and Pix 501.

liskoe · ‎06-17-2011

Ok, not sure if I should be posting this in the Routing section or Firewalls, but since it involves 2 firewalls I'm going to start here.

Here's what I got. I have 1 network that I'm trying to make secure, and it needs to access 2 seperate networks. I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network. I scrapped that idea and grabbed an old pix 501 off the shelf to bring my connectivity to my 3rd network online since the 3rd network is only passing ip traffic to a small group of servers on the outside I figure the 501 should be just fine.

So, here's the problem I am running into:

My internal network is 10.10.16.0/16, I have a new domain controller with DHCP on it handing out addresses in the 10.10.16.0/24 range.

External Network 1 is 192.168.16.0/24. The services I need from that network are primarily in 192.168.0.0 range, however there is a comcast router 75.123.123.123 (Changed of course) that provides high speed internet I need for my www traffic.

External Network 2 is 10.1.1.0/16 I have about 4 servers I need to access on this network and that's it. This network has it's own domain and DHCP controller and I've been given a range of ip's to use on this network of 10.1.3.180-10.1.3.189

My switch is just a plane jane 3com switch with minimal management so I am attempting to use my ASA5505 to handle my layer 3 routing.

So here's my issue:

ASA5505 (IN:10.10.16.1, OUT: 192.168.16.6): Passes traffic to External Network 1 and to the comcast router, no problem. All my computers on my 10.10.16.0/16 network have access to everything on 192.168.0.0/24 as well as getting full name resolution and www traffic across the comcast router. Can NOT access 10.1.1.0/16 no matter what. From inside the ASA or from on the inside LAN ports. It CAN ping the PIX 501

PIX 501 (IN:10.10.16.3, OUT: 10.1.3.180) Can ping EVERYTHING. Can ping 192.168.0.0/24, can ping 10.10.16.0/16 and can ping 10.1.1.0/16. Set to globally assign the other IP's in my range as addresses for outgoing traffic.

Workstations (IN: 10.10.16.XXX DHCP, using 10.10.16.1 as gateway) Can only access everything on External Network 1. ZERO access to External Network 2.

ATM I have both INSIDE and OUTSIDE ACL's wide open for both firewalls just to get connectivity going. I will be tightening it up after it is operational.

Attached find a log file (Sensetive data removed of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.

Any help with getting this final leg of access would be really appreciated as I'm not able to figure out why this isn't working.

Thanks a ton.

mirober2 · ‎06-18-2011

Hi Eli,

Hosts on the inside of the ASA cannot access the 10.1.0.0/16 network because it is also behind the inside interface (according to 'route inside 10.1.0.0 255.255.0.0 10.10.16.3 1'). By default, the ASA will not allow traffic to ingress and egress the same interface. This is called hairpinning or u-turning traffic.

You can allow hairpinning with the 'same-security-traffic permit intra-interface' command. You just need to make sure that when the 10.1.0.0/16 hosts respond back to the inside hosts that they send their traffic back to the ASA's inside interface as well. Since the ASA keeps track of the state of a connection, it needs to see both sides of the traffic.

Since you have a PAT setup for hosts on the inside interface, you should also setup NAT 0 for this traffic so the ASA doesn't try to translate the traffic.

More info on hairpinning can be found here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814

Hope that helps.

-Mike