VLAN tagging to ISP through ASA to remote site

jlesa2457
Level 1

Hi All,

We have a base-license ASA 5510 and have been trying to get ICMP working to check that we're routing and not hitting any NAT translation. We have VLAN 280 set up to the ISP for the VPN link to the remote site and another VLAN 281 for internet access for internal users.

Users can browse the internet from the inside interface (nameif inside, e0/1 access port), which is fine. When I ping the remote office through the VPN I get a response when pinging from VLAN 280 (nameif vpn_link). When I ping from the inside interface I don't get a response. Both are security level 100 with same-security-traffic permit inter-interface configured.

I'm sure I'm missing something here; any expertise would be very much appreciated, as I've been at this for a few days now!!! I have included only the config that probably needs to be looked at for NAT-exempt and routing issues.

Config:

!
interface Ethernet0/0
 speed 100
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.280
 vlan 280
 nameif vpn_link
 security-level 100
 ip address 10.11.xx.xx 255.255.255.252
!
interface Ethernet0/0.281
 vlan 281
 nameif outside
 security-level 0
 ip address 203.xx.xx.xx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
------ extracted for brevity ------
same-security-traffic permit inter-interface
access-list outside-in extended permit ip 192.168.10.0 255.255.255.0 Inside_Network 255.255.255.0
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq www
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq https
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq 3389
access-list outside-in extended permit tcp any host 203.xx.xx.xx eq https
access-list Tunnel_Traffic standard permit 192.168.0.0 255.255.255.0
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list split remark Traffic to Remote site NAT exempt
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_link_access_in remark Test
access-list vpn_link_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list vpn_link_access_in remark test
access-list vpn_link_access_in extended permit ip any any
access-list inside_access_in remark Allow access from remote office
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside) 0 access-list split
nat (inside) 5 0.0.0.0 0.0.0.0
!
access-group vpn_link_access_in in interface vpn_link
access-group inside_access_in in interface inside
access-group outside-in in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.xx.xx.xx 1
route vpn_link 192.168.10.0 255.255.255.0 10.11.xx.xx 1

Please let me know any other config you may want to see.

Appreciate the assist.
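A point worth checking in a config like the one above is the direction of each access-group: the ACL applied "in interface inside" is evaluated against packets entering from the inside, so its source must be the inside network and its destination the remote site, and anything not matched falls to the implicit deny at the end of the ACL. The following Python is an added example (not code from this thread or from Cisco) that models that first-match evaluation plus the "nat (IF) 0 access-list NAME" exemption lookup, over the thread's own ACL lines. It assumes a value for the object name Inside_Network (the thread never shows its definition), parses only the ACE forms the thread uses, and does not model security levels or the outside-in lines with redacted addresses.

```python
"""Added example: model of ASA inbound access-group and NAT-exempt evaluation.

Not code from the thread or from Cisco. ACE forms handled: 'any', 'host A',
'A MASK' for source/destination, 'extended' and 'standard' ACLs, and remarks.
Lines with unparsable (e.g. redacted 203.xx.xx.xx) addresses are skipped.
"""
import ipaddress

# Assumed value for an object name the thread uses without showing its definition.
OBJECTS = {"Inside_Network": "192.168.0.0"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = OBJECTS.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Return (acl_name, action, proto, src_net, dst_net), or None for non-ACE lines."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or "remark" in t[:4]:
        return None
    name, i, kind = t[1], 2, "extended"
    if t[i] in ("extended", "standard"):
        kind, i = t[i], i + 1
    action, i = t[i], i + 1
    try:
        if kind == "standard":                 # standard ACLs match on source only
            src, i = _addr(t, i)
            return name, action, "ip", src, ANY
        proto, i = t[i], i + 1
        src, i = _addr(t, i)
        dst, i = _addr(t, i)                   # trailing port qualifiers are ignored
    except (IndexError, ValueError):           # malformed or redacted address
        return None
    return name, action, proto, src, dst


def permitted(config, acl_name, src_ip, dst_ip, proto):
    """First-match evaluation of one ACL; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in config:
        ace = parse_ace(line)
        if ace is None or ace[0] != acl_name:
            continue
        _, action, ace_proto, s_net, d_net = ace
        if ace_proto in ("ip", proto) and src in s_net and dst in d_net:
            return action == "permit"
    return False


def evaluate(config, ingress, src_ip, dst_ip, proto="icmp"):
    """Return (ACL applied inbound on `ingress`, permitted?, NAT-exempt?) for a flow."""
    acl, exempt = None, False
    for line in config:
        t = line.split()
        if len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"] and t[4] == ingress:
            acl = t[1]
        if len(t) >= 5 and t[0] == "nat" and t[1] == f"({ingress})" and t[2:4] == ["0", "access-list"]:
            exempt = permitted(config, t[4], src_ip, dst_ip, "ip")
    allowed = True if acl is None else permitted(config, acl, src_ip, dst_ip, proto)
    return acl, allowed, exempt


# Relevant lines copied from the thread's original config (redacted outside-in lines omitted).
ORIGINAL_CONFIG = [
    "same-security-traffic permit inter-interface",
    "access-list Tunnel_Traffic standard permit 192.168.0.0 255.255.255.0",
    "access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0",
    "access-list split remark Traffic to Remote site NAT exempt",
    "access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list vpn_link_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0",
    "access-list vpn_link_access_in extended permit ip any any",
    "access-list inside_access_in remark Allow access from remote office",
    "access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "nat (inside) 0 access-list split",
    "nat (inside) 5 0.0.0.0 0.0.0.0",
    "access-group vpn_link_access_in in interface vpn_link",
    "access-group inside_access_in in interface inside",
]
# Line with the inside network as source and the remote site as destination.
REVERSED_ACE = "access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0"

if __name__ == "__main__":
    print(evaluate(ORIGINAL_CONFIG, "inside", "192.168.0.10", "192.168.10.10"))
    print(evaluate(ORIGINAL_CONFIG + [REVERSED_ACE], "inside", "192.168.0.10", "192.168.10.10"))
    print(evaluate(ORIGINAL_CONFIG, "vpn_link", "192.168.10.10", "192.168.0.10"))
```

With the original lines, an inside host pinging 192.168.10.10 is NAT-exempt via the split ACL but is not matched by any inside_access_in entry (the only permit has the networks the other way round), so it hits the implicit deny; adding the reversed entry makes the same flow pass. The reply direction, entering vpn_link, is permitted by vpn_link_access_in and has no nat 0 exemption on that interface.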

11 Replies

jlesa2457
Level 1

The remote office range is 192.168.10.xx/24, which is reachable via the interface VPN_link as mentioned, but not via the inside interface 192.168.0.xx.

thanks

Julio Carvajal
VIP Alumni

Hello Joseph,

Please add the following:

access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

Let me know if this works.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

added:

access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 Inside_Network 255.255.255.0

to the above config.

Still no luck:

ASA# ping inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

but again with vpn_link:

ALTUS-ASA# ping vpn_link 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!

Any other thoughts? I know by default this behaviour is not allowed; however, I would have thought applying an access-list should override this. Only the inside interface is NATed, for internal users' web browsing, which is working; for some reason yesterday it broke, and I had to add a permit any any??? to make it work though!

Julio,

did you mean to add it to the extended ACL?

access-list inside_access_in extended

Thanks.

Hello,

Do the following and share the output you get (full output):

packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.10

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey,

please see below. I've only edited the dynamic NAT IP 203.xx.xx.xx. I see allow, but still can't ping from the ASA command line.

packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.10
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.2

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   vpn_link

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
access-list inside_access_in remark Allow access from Erina
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound outside
  match ip inside Inside_Network 255.255.255.0 vpn_link 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 5, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 203.xx.xx.xx smtp 192.168.0.10 smtp netmask 255.255.255.255
  match tcp inside host 192.168.0.10 eq 25 outside any
    static translation to 203.149.75.177/25
    translate_hits = 1122, untranslate_hits = 3497
Additional Information:

Phase: 11
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 5 0.0.0.0 0.0.0.0
  match ip inside any vpn_link any
  dynamic translation to pool 5 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 163663, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vpn_link
output-status: up
output-line-status: up
Action: allow

ASA# ping inside 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA# ping vpn_link 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!

Hello Joseph,

Packet tracer looks good...

That can't be done. Pinging from the ASA itself to a host on VLAN x, sourced from VLAN y... You need to do it from a real host... And that, my friend, based on the packet tracer, should work.

Remember to rate all of the helpful posts. If you need any assistance on that, just let me know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

You are correct. I was misled by my friends in the systems team, who logged into the remote router and advised they could not ping the inside network. I logged in via VPN (had to change tunnel_traffic to allow me to reach all internal traffic) and was able to!!!! My guess is they didn't do a source ping from 192.168.10.xx.

So it was always working and I've been sent on a wild goose chase!!

So the obvious question is: why is it not possible to ping from the ASA? How would you test this unless you're on a real host?

Also, sorry for the many questions: is there a command I can use like the above to test if web (HTTP) traffic from the remote end 192.168.10.xx to the internet is working?

Thanks!

This turned out to be a melodrama!

Hello Joseph,

For security reasons, the ASA was created to provide as much security as possible; it is intended to be used to restrict and monitor traffic, not to test connectivity across different broadcast domains.

Now, how to test this stuff?

Simple: using packet-tracer. Please get used to that command; I assure you it will help you a LOT on future cases where you think there is nowhere to go.

Example: How to know if an inside user can go to the internet?

packet-tracer input inside tcp 192.168.0.10 1026 4.2.2.2 80

Hope this helps,

Remember to rate all of the helpful posts. If you do not know how to rate a post, let me know; I will help you on that as well.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
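Julio's advice is to verify flows with packet-tracer rather than with pings sourced from the ASA. Reading one trace by eye is fine; checking dozens of flows after a config change is not, so the following Python is an added example (not code from this thread or from Cisco) that parses packet-tracer output of the shape shown earlier in the thread into structured phases and reports the final action together with the first phase that dropped the packet and the config lines that phase printed. The two sample traces are constructed for the example: the allowed one is a shortened copy of the thread's output, and the failing one, including its Drop-reason text, is my assumption of how the ASA formats an ACL drop, not output from the thread.

```python
"""Added example: parse Cisco ASA packet-tracer output into phases and a verdict.

Not code from the thread or from Cisco. Input is the text the ASA prints:
repeated 'Phase: N' blocks with Type/Subtype/Result/Config/Additional
Information, followed by a final 'Result:' block of 'key: value' lines.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)")


def parse_packet_tracer(text):
    """Return {'phases': [phase dicts], 'result': {key: value}} for one trace."""
    phases, result, current, section, in_result = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<--- More"):
            continue                          # blank lines and pager prompts
        m = PHASE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section, in_result = None, False
            continue
        if line == "Result:":                 # bare 'Result:' starts the summary block
            in_result, current = True, None
            continue
        if in_result:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
            continue
        if current is None:
            continue                          # e.g. the echoed command line
        if line.startswith("Type:"):
            current["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            current["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return {"phases": phases, "result": result}


def verdict(parsed):
    """Return (final action, 'N:TYPE' of the first DROP phase or None, its config lines)."""
    action = parsed["result"].get("Action", "").lower()
    for ph in parsed["phases"]:
        if ph["result"].upper() == "DROP":
            return action, f"{ph['number']}:{ph['type']}", ph["config"]
    return action, None, []


# Constructed sample: a shortened copy of the allowed trace shown in the thread.
SAMPLE_ALLOW = """\
packet-tracer input inside icmp 192.168.0.10 8 0 192.168.10.10
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   vpn_link

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
<--- More --->
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vpn_link
output-status: up
output-line-status: up
Action: allow
"""

# Constructed failing trace (assumed format, not from the thread): implicit deny in the ACL.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   vpn_link

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_DROP):
        print(verdict(parse_packet_tracer(sample)))
```

In practice you would feed this the output of one packet-tracer line per flow you care about (inside to remote site, remote site to inside, inside to the internet) and fail a change window if any verdict is not "allow"; the phase name and its config lines tell you which ACL, NAT or route entry to look at.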

Sorry for the late reply. Yes, the posts have been very helpful for troubleshooting. Please show me how to rate a post.

Thanks Julio.

Joseph

Hello Joseph.

Do not worry. Glad that I could see that I helped.

You can go to every reply and at the bottom you can see 5 stars; you can click them (1 being a bad answer and 5 being a great answer).

Let me know if you have any other questions.

Also, you can mark the question as answered (as you opened the discussion, you are the only one allowed to mark it as answered).

Julio

Have a great night!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC