
Site to Site access through 5505 FWs

haidar_alm (Level 1)

Hi guys,


I've set up a lab with 2 x 5505 ASAs and 2 laptops, trying to improve my understanding of ASAs and security.

I've attached a diagram...

I'm trying to get Laptop A (192.168.10.2/24) to ping/access IIS on laptop B (192.168.20.2/24).

Unfortunately I cannot.

From corporate ASA I can ping Laptop A, and outside interface of Community ASA.
From Community ASA I can ping Laptop B and outside interface of Corporate ASA.

Is this a routing or a NAT issue?

Once I achieve that, I will try and take this to the next level and configure a site to site IPSec VPN.


12 Replies

Chris Izatt (Level 1)

As a first step do a packet tracer on both sides to check for any processing issues.

Always a good place to start.

Hi Chris,

The ACLs and NAT are in the attached image.

I've used the ASDM packet trace feature and I got denied on the implicit deny rule.

This is pre-8.2.

Can you post the command?

Also denied on which side?

Your default route statements are wrong.

You have -

route outside 0.0.0.0 255.0.0.0 10.181.10.x

but it should be -

route outside 0.0.0.0 0.0.0.0 10.181.10.x

and you do not need the "route inside ..." statements on either firewall.

Jon
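To see concretely why the mask typo Jon points out breaks forwarding, here is an added example (not from the thread, and not ASA code) that parses ASA `route` statements and does a longest-prefix lookup over them plus the directly connected networks taken from the corp ASA config posted later in the thread. The `route inside` line is constructed to illustrate Jon's second point, since the original statement is not shown.

```python
"""Added example (not from the thread): what the two route masks actually match.

Toy longest-prefix-match lookup for ASA 'route' statements. The connected
networks are taken from the corp ASA interface config posted in the thread;
the 'route inside' line is constructed. Nothing here is real ASA code.
"""
import ipaddress

# Directly connected networks of the corporate ASA (from its interface config).
CONNECTED = {
    "inside": ipaddress.ip_network("192.168.10.0/24"),
    "outside": ipaddress.ip_network("10.181.0.0/16"),
}


def parse_route(line):
    """Parse 'route <iface> <network> <mask> <gateway> [metric]' into a tuple."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA route statement: {line!r}")
    iface, net, mask, gw = parts[1:5]
    # ipaddress accepts the dotted-mask form, so 0.0.0.0/255.0.0.0 becomes 0.0.0.0/8
    prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return iface, prefix, ipaddress.ip_address(gw)


def lookup(route_lines, dst, connected=CONNECTED):
    """Return (iface, prefix, next_hop) for dst by longest prefix, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i, p, None) for i, p in connected.items()]   # connected: no next hop
    candidates += [parse_route(line) for line in route_lines]
    matches = [c for c in candidates if dst in c[1]]
    if not matches:
        return None
    return max(matches, key=lambda c: c[1].prefixlen)


def lint_routes(route_lines, connected=CONNECTED):
    """Flag the two mistakes called out in the thread."""
    findings = []
    for line in route_lines:
        iface, prefix, gw = parse_route(line)
        if prefix.network_address == ipaddress.ip_address("0.0.0.0") and prefix.prefixlen != 0:
            findings.append(
                f"{line!r}: 0.0.0.0 with mask {prefix.netmask} is {prefix}, "
                f"not a default route; the mask must be 0.0.0.0")
        if iface in connected and prefix.subnet_of(connected[iface]):
            findings.append(
                f"{line!r}: {prefix} is directly connected on {iface}; "
                f"the static route is unnecessary")
    return findings


# Constructed configs: the 'route inside' line mirrors what Jon said to remove.
BROKEN = ["route outside 0.0.0.0 255.0.0.0 10.181.10.2",
          "route inside 192.168.10.0 255.255.255.0 192.168.10.1"]
FIXED = ["route outside 0.0.0.0 0.0.0.0 10.181.10.2 1"]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", lookup(cfg, "192.168.20.2"))
        for finding in lint_routes(cfg):
            print("  ", finding)
```

With the broken config a packet for 192.168.20.2 matches nothing (0.0.0.0/8 only covers 0.x.x.x), so the corp ASA has nowhere to send it; with the fixed config it follows the default route to 10.181.10.2.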

Hi Jon,


Well spotted... not sure how that got in there!


I have amended the routing statements... unfortunately I still cannot ping or access IIS on the remote laptops.

:(

From the FWs I can ping the local laptop on the inside and the interface on the other ASA, but I cannot ping the laptop on the remote ASA.

I've attached config files.

Also, on logging I'm getting the below message when I try a ping from 192.168.10.2 to 192.168.20.2

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.181.10.1/19239 dst inside:192.168.20.2/80 denied due to NAT reverse path failure.

I can't see anything wrong with your configuration now.

Can you run this and post results -

"packet-tracer input inside icmp 192.168.10.2 8 0 192.168.20.2 detailed"

Jon

gaowen (Level 1)

Hi there,

You have configured a dynamic NAT statement on both firewalls. This is fine outbound, but if the first packet is inbound on the outside interface of either firewall, there will be no translation in the state table, i.e. the ping goes from laptop A through the corporate firewall and gets NATted just fine, but when it reaches the community firewall, the firewall is not expecting any packet inbound on its outside interface destined to the 192.168.20.2 address, because it is configured as the inside local address for this interface.

On the community firewall in this example, if you enter the config:

static (inside,outside) interface 192.168.20.2 netmask 255.255.255.255

then on the corporate firewall:

static (inside,outside) interface 192.168.10.2 netmask 255.255.255.255

I think that should work :)

Gareth
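The following is an added example (mine, not from the thread or from Cisco) that models, in a simplified way, the pre-8.3 ASA NAT behaviour Gareth describes: a dynamic `nat`/`global` PAT only has an xlate after an inside host has sent something, so a flow that starts on the outside has nothing to untranslate against, whereas a `static` is bidirectional. It also reproduces the "Asymmetric NAT rules matched ... NAT reverse path failure" log the original poster saw, and the later reminder that after the fix the target must be the 10.181 interface address rather than the 192.168 one. Addresses come from the thread; the state-table logic is an approximation for teaching, not ASA code.

```python
"""Added example (not from the thread): toy model of pre-8.3 ASA NAT state.

Shows why dynamic PAT alone cannot accept a flow that starts on the outside,
why the ASA logs "Asymmetric NAT rules matched ... NAT reverse path failure"
when the outside peer sends to the real inside address, and why the
'static (inside,outside) interface <real>' fix only helps when the peer
targets the 10.181 interface address. Addresses come from the thread; the
behaviour is a simplification, not ASA code.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    """static (inside,outside) <mapped> <real>: bidirectional, no xlate needed."""
    real: str
    mapped: str


@dataclass
class Asa:
    name: str
    inside_net: ipaddress.IPv4Network
    outside_ip: str
    statics: list = field(default_factory=list)
    dynamic_pat: bool = True                    # nat (inside) 1 0 0 / global (outside) 1 interface
    xlates: dict = field(default_factory=dict)  # dynamic entries built by outbound traffic

    def mapped_for(self, real):
        """Address an inside host appears as on the outside when it initiates traffic."""
        for s in self.statics:
            if s.real == real:
                return s.mapped
        return self.outside_ip if self.dynamic_pat else real

    def outbound(self, pkt):
        """inside -> outside: translate the source by static or dynamic rule."""
        mapped = self.mapped_for(pkt.src)
        if self.dynamic_pat and not any(s.real == pkt.src for s in self.statics):
            self.xlates[pkt.src] = mapped       # PAT xlate exists only after this packet
        return Packet(mapped, pkt.dst)

    def inbound(self, pkt):
        """outside -> inside for the FIRST packet of a flow. Returns (packet or None, reason)."""
        real = next((s.real for s in self.statics if s.mapped == pkt.dst), None)
        if real is None:
            if pkt.dst == self.outside_ip:
                # Only dynamic PAT owns this address, and PAT cannot be reversed
                # without an xlate created by an earlier outbound packet.
                return None, "drop: no xlate for unsolicited packet to interface address"
            real = pkt.dst
        if ipaddress.ip_address(real) not in self.inside_net:
            return None, "drop: destination is not an inside host"
        # Reverse-path check: the reply from 'real' must translate back to exactly
        # the address the outside peer used, otherwise the forward and reverse
        # flows match different NAT rules.
        if self.mapped_for(real) != pkt.dst:
            return None, ("drop: Asymmetric NAT rules matched for forward and reverse flows "
                          "(NAT reverse path failure)")
        return Packet(pkt.src, real), f"forward to inside host {real}"


def lab(with_static, target):
    """Laptop A (192.168.10.2) sends the first packet of a flow to 'target'."""
    corp = Asa("corporate", ipaddress.ip_network("192.168.10.0/24"), "10.181.10.1")
    comm = Asa("community", ipaddress.ip_network("192.168.20.0/24"), "10.181.10.2")
    if with_static:   # the two static statements suggested in the thread
        corp.statics.append(StaticNat(real="192.168.10.2", mapped="10.181.10.1"))
        comm.statics.append(StaticNat(real="192.168.20.2", mapped="10.181.10.2"))
    on_wire = corp.outbound(Packet("192.168.10.2", target))
    delivered, reason = comm.inbound(on_wire)
    return on_wire, delivered, reason


if __name__ == "__main__":
    for with_static in (False, True):
        for target in ("192.168.20.2", "10.181.10.2"):
            on_wire, delivered, reason = lab(with_static, target)
            print(f"static={with_static!s:5} target={target:13} "
                  f"wire={on_wire.src}->{on_wire.dst}  {reason}")
```

Only the combination of the static entries and a target of 10.181.10.2 delivers the packet to 192.168.20.2; the case with no static and a target of 192.168.20.2 produces the same source/destination pair as the "NAT reverse path failure" log quoted in the thread.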

Gareth

Of course, why did I not see that!

Great spot.

Jon

Cheers for the rating :D

Hi Gaowen,

Many thanks for your reply.

I've applied the recommendations above but it's still not working.

:(

sh nat on corporate shows:


NAT policies on Interface inside:
match ip inside host 192.168.10.2 outside any
static translation to 10.181.10.1
translate_hits = 20, untranslate_hits = 0

Relevant FW output is:

interface Ethernet0/0
 description OUTSIDE
 switchport access vlan 2
!
interface Ethernet0/1
 description INSIDE
!
interface Vlan1
 description Torbay Corp
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.181.10.1 255.255.0.0

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any 

static (inside,outside) interface 192.168.10.2 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.181.10.2 1

Remember that you are now pinging the 10.181 addresses and not the 192.168 addresses. If you're already doing that then please do the following on the corp firewall:

packet-tracer input outside icmp 10.181.10.2 8 0 10.181.10.1 detailed

and let me see the output, please :)

Also, please paste the community firewall config like you did above for corp.

haidar_alm (Level 1)

Hi Gaowen and thanks for your assistance.

My next step in this scenario is to set up an IPSec site to site VPN between both ASAs. Fingers crossed.

:)
