Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4198
Views
25
Helpful
12
Replies

Site to Site access through 5505 FWs

Go to solution
haidar_alm
Level 1
Level 1

‎01-21-2016 03:18 AM - edited ‎03-12-2019 12:10 AM

Hi guys,


I've setup a lab with 2 x 5505 ASAs and 2 laptops trying to improve my understanding of ASAs and security

I've attached a diagram...

I'm trying to get Laptop A (192.168.10.2 /24) ping/access IIS on laptop B (192.168.20.2 /24)

Unfortunately I cannot.

From corporate ASA I can ping Laptop A, and outside interface of Community ASA.
From Community ASA I can ping Laptop B and outside interface of Corporate ASA.

Is this a routing or a NAT issue?

Once I achieve that, I will try and take this to the next level and configure a site to site IPSec VPN.

Labels:
Preview file
68 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
gaowen
Level 1
Level 1

‎01-22-2016 07:49 AM

Hi there,

You have configured a dynamic nat statement on both firewalls, this is fine outbound but if the first packet is inbound on the outside interface of either firewall, there will be no translation in the state table. i.e The ping goes from laptop A through corporate firewall and gets natted just fine, but when it reaches community firewall, the firewall is not expecting any packet inbound on its outside interface on the destined to 192.168.20.2 address because it is configured as the inside local address for this interface.

on the community firewall in this example if you enter the config:

static (inside,outside) interface 192.168.20.2 netmask 255.255.255.255

then on the corporate firewall

static (inside,outside) interface 192.168.10.2 netmask 255.255.255.255

Think that should work :)

Gareth

View solution in original post

0 Helpful

Go to solution
gaowen
Level 1
Level 1
In response to haidar_alm

‎01-22-2016 08:52 AM

Remember that you are now pinging the 10.181 addresses and not the 192.168 addresses. If you're already doing that then please do the following on the corp firewall:

packet-tracer input outside icmp 10.181.10.2 8 0 10.181.10.1 detailed

and let me see the output please :)

also please paste the community firewall config like you did above for corp

View solution in original post

12 Replies 12

Go to solution
Chris Izatt
Level 1
Level 1

‎01-21-2016 07:32 AM

As a first step do a packet tracer on both sides to check for any processing issues.

always a good place to start. 

Go to solution
haidar_alm
Level 1
Level 1
In response to Chris Izatt

‎01-21-2016 08:25 AM

Hi Chris,

The ACLs and NAT are in the attached image.

I've used the ASDM packet trace feature and I got denied on the implicit deny rule.

This is pre 8.2

0 Helpful

Go to solution
Chris Izatt
Level 1
Level 1
In response to haidar_alm

‎01-21-2016 08:56 AM

can you post the command? 

Also denied on which side?

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to haidar_alm

‎01-21-2016 01:39 PM

Your default route statements are wrong.

You have -

route outside 0.0.0.0 255.0.0.0 10.181.10.x

but it should be -

route outside 0.0.0.0 0.0.0.0 10.181.10.x

and you do not need the "route inside ..." statements on either firewall.

Jon

Go to solution
haidar_alm
Level 1
Level 1
In response to Jon Marshall

‎01-22-2016 05:21 AM

Hi Jon,


Well spotted.. not sure how that got in there!


I have amended the routing statements.. unfortunately I still cannot ping or access IIS on the remote laptops.

:(

From FWs I can ping local laptop on inside, and interface on other ASA. But cannot ping laptop on remote ASA.

I've attached config files.

Also, on logging I'm getting the below message when I try a ping from 192.168.10.2 to 192.168.20.2

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.181.10.1/19239 dst inside:192.168.20.2/80 denied due to NAT reverse path failure.

Preview file
8 KB
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to haidar_alm

‎01-22-2016 07:26 AM

I can't see anything wrong with your configuration now.

Can you run this and post results -

"packet-tracer input inside icmp 192.168.10.2 8 192.168.20.2 detailed"

Jon

0 Helpful

Go to solution
gaowen
Level 1
Level 1

‎01-22-2016 07:49 AM

Hi there,

You have configured a dynamic nat statement on both firewalls, this is fine outbound but if the first packet is inbound on the outside interface of either firewall, there will be no translation in the state table. i.e The ping goes from laptop A through corporate firewall and gets natted just fine, but when it reaches community firewall, the firewall is not expecting any packet inbound on its outside interface on the destined to 192.168.20.2 address because it is configured as the inside local address for this interface.

on the community firewall in this example if you enter the config:

static (inside,outside) interface 192.168.20.2 netmask 255.255.255.255

then on the corporate firewall

static (inside,outside) interface 192.168.10.2 netmask 255.255.255.255

Think that should work :)

Gareth

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to gaowen

‎01-22-2016 07:56 AM

Gareth

Of course, why did I not see that !

Great spot.

Jon

0 Helpful

Go to solution
gaowen
Level 1
Level 1
In response to Jon Marshall

‎01-22-2016 08:22 AM

cheers for the rating :D

Go to solution
haidar_alm
Level 1
Level 1
In response to gaowen

‎01-22-2016 08:44 AM

Hi Gaowen,

Many thanks for your reply.

I've applied the recommended above but it's still not working.

:(

sh nat on corporate shows:


NAT policies on Interface inside:
match ip inside host 192.168.10.2 outside any
static translation to 10.181.10.1
translate_hits = 20, untranslate_hits = 0

FW relevant output is:

interface Ethernet0/0
 description OUTSIDE
 switchport access vlan 2
!
interface Ethernet0/1
 description INSIDE
!
interface Vlan1
 description Torbay Corp
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.181.10.1 255.255.0.0

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any 

static (inside,outside) interface 192.168.10.2 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.181.10.2 1

0 Helpful

Go to solution
gaowen
Level 1
Level 1
In response to haidar_alm

‎01-22-2016 08:52 AM

Remember that you are now pinging the 10.181 addresses and not the 192.168 addresses. If you're already doing that then please do the following on the corp firewall:

packet-tracer input outside icmp 10.181.10.2 8 0 10.181.10.1 detailed

and let me see the output please :)

also please paste the community firewall config like you did above for corp

Go to solution
haidar_alm
Level 1
Level 1

‎01-25-2016 12:39 AM

Hi Gaowen and thanks for your assistance.

My next step in this scenario is to set up an IPSec site to site VPN between both ASA's.  fingers crossed.

:)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card