Connecting two subnets

dataIP
Level 1
Level 1

I have a problem with linking two separate subnets which contain individual small business networks.

Setup is each network has an ASA5505 and a 887 to provide internet connectivity. A variety of Cisco small business and one enterprise switch provide the switching. Each network contains its own servers and clients.

As a temporary measure I need to be able to access resources 'cross subnets'. (It is one business that has split in to two business units, so no privacy/security issues). The router will be removed once all relevant data has been migrated between networks.

Networks are 192.168.88.0 and 192.168.0.0, both with netmasks of 255.255.255.0

So, as a simple example a server on the .88 network needs to access information on a server at 192.168.0.128

We have the two segments linked with a Cisco E1000 router (was using a 871, but that seemed to cause more issues). IPs are 88.253 and 0.253 on each side.

I have enabled RIP on the E1000 and both ASA.

Both ASA have same-security-traffic permit intra-interface

From the 88.128 server, I can ping everything on the .88 network plus the far side of the E1000 (at 0.253) and the far side ASA (at 0.254), but not the far side server (at 0.128).

Maybe going back to the 871 may be a good plan, at least I should be able to debug things a bit easier from the command line?

I am sure there is something fundamental I am missing here.


I had actually tried not using the Vlan1, but as far as I understand it, this router must be configured with the fa0-3 ports under a vlan???

Trying to set an ip address on fa0 for instance gives me:

router1(config)#interface fastethernet0
router1(config-if)#ip address 192.168.88.253 255.255.255.0
% IP addresses may not be configured on L2 links.
router1(config-if)#exit

I have now tried the static routes to the ASA's... interesting.

I am about to do more investigating but I do get responses from SOME devices on the other network.

UPDATE:

Adding those static routes to the ASA seems to have improved things.

Looks like I can now ping devices on the opposite network... and as far as I can tell, all of them not just a select few.

However, looks like I maybe only have ICMP connectivity. Can't access common ports like 80 and 25, where I know services are running.

If my understanding is correct, traffic from network A which is destined for network B, will travel to the default gateway which is ASA1, this will then have a route for network B via the 871.... return traffic will go via ASA2 then back via 871.... So either ASA could be blocking the TCP traffic?

However, as far as I can tell, both are enabled to pass traffic by using same-security-traffic permit intra-interface
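The path described in the post above, where traffic from A enters ASA1 on its way to B and the reply from B enters ASA2 on its way back, modelled as an added example (not code from this thread or from Cisco). It assumes each ASA behaves as a stateful firewall that creates a TCP connection entry only when it sees the SYN, drops any other TCP segment with no matching entry, and passes ICMP echo traffic without keeping state (no ICMP inspection); the host addresses come from the thread, while the firewall names and port numbers are constructed. The model shows why ping appears to work while TCP ports such as 80 and 25 do not, and that the same firewall passes the handshake when both directions transit it.

```python
"""Two stateful firewalls on an asymmetric inter-subnet path (added example).

Assumptions (not taken from the thread): each ASA opens a TCP connection
entry only on a SYN, drops any other TCP segment with no entry, and passes
ICMP echo from its inside interface without state.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # "SYN", "SYN-ACK", "ACK"; empty for ICMP
    sport: int = 0
    dport: int = 0


@dataclass
class StatefulFirewall:
    name: str
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the firewall passes the packet, False if it drops it."""
        if pkt.proto == "icmp":
            return True                     # no ICMP inspection: no state needed
        # Direction-independent key, so the SYN-ACK matches the SYN's entry.
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if pkt.flags == "SYN":
            self.conns.add(key)             # first packet of a flow opens state
            return True
        if key in self.conns:
            return True
        # Out-of-state TCP segment: a stateful firewall drops it.
        self.log.append(f"{self.name}: Deny TCP (no connection) "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} flags {pkt.flags}")
        return False


asa1 = StatefulFirewall("ASA1")   # default gateway of 192.168.88.0/24 (network A)
asa2 = StatefulFirewall("ASA2")   # default gateway of 192.168.0.0/24 (network B)


def first_hop(pkt: Packet) -> StatefulFirewall:
    """Each host sends to its own default gateway, so A->B transits ASA1
    and the B->A reply transits ASA2 (the asymmetric path from the thread)."""
    return asa1 if pkt.src.startswith("192.168.88.") else asa2


def icmp_echo(src: str, dst: str) -> bool:
    """Echo request and reply, each through the sender's own gateway."""
    return first_hop(Packet(src, dst, "icmp")).forward(Packet(src, dst, "icmp")) and \
        first_hop(Packet(dst, src, "icmp")).forward(Packet(dst, src, "icmp"))


def tcp_handshake(client: str, server: str, dport: int, route=first_hop,
                  cport: int = 40000) -> bool:
    """Three-way handshake; each segment goes through route(segment).
    Returns True only if every segment is passed."""
    segments = [
        Packet(client, server, "tcp", "SYN", cport, dport),
        Packet(server, client, "tcp", "SYN-ACK", dport, cport),
        Packet(client, server, "tcp", "ACK", cport, dport),
    ]
    return all(route(pkt).forward(pkt) for pkt in segments)


def symmetric_tcp_handshake(client: str, server: str, dport: int) -> bool:
    """Same handshake when both directions cross one firewall: it succeeds,
    which isolates the failure to the asymmetric path, not the firewall."""
    single = StatefulFirewall("single-path")
    return tcp_handshake(client, server, dport, route=lambda pkt: single)


if __name__ == "__main__":
    a, b = "192.168.88.128", "192.168.0.128"
    print("ping A->B:", icmp_echo(a, b))                    # True
    print("TCP 80 A->B (asymmetric):", tcp_handshake(a, b, 80))   # False
    print("TCP 80 A->B (symmetric):", symmetric_tcp_handshake(a, b, 80))  # True
    for line in asa2.log:
        print(line)
```

The denial is logged on ASA2, the firewall that never saw the SYN; on a real ASA this is the "Deny TCP (no connection)" condition, so its logs are where to look when ICMP works cross-subnet but TCP does not.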

No it is worse than before!

With the E1000, it was mostly right but some IP addresses weren't reachable whereas the adjacent one was. This made no sense to me at all.

The 871 seems to give me 100% consistent non-connectivity.... which in some ways is better.

Getting to be able to see the 'far side' of the 871 would be a start.

i.e. pinging (871 fa4) 192.168.0.253 from the server at 192.168.88.128

ARP table looks okay... it sees devices on both sides.

router1#sho arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.253           -   0017.0e82.8fff  ARPA   FastEthernet4
Internet  192.168.88.128          0   0022.19b7.39d6  ARPA   Vlan1
Internet  192.168.88.253          -   0017.0e82.8ff5  ARPA   Vlan1
Internet  192.168.0.128           0   18a9.0562.da8a  ARPA   FastEthernet4
router1#

Tried adding a static route on the server B.... accepted the command, but no change in connectivity.

Having carefully gone through the tests again, I find that the static routes back to the ASA were a red herring.

I have removed those routes, a wr mem and a reload.

Now have what appears to be pingable (ICMP) devices cross-network, but nothing by IP.

No port 80, port 25 etc.

There is no acl on the 871.

No firewalls are on, on either of the servers.

I am looking at the ASA's but as the inside networks shouldn't come in to the filtering rules, I don't see the issue there either.

Remove the C871 and try to interconnect the HP switch and the other switch; this way also works.

Just had a contact on site disconnect from the C871 and link the HP and Cisco switches together...

Not successful, no reply to a ping.

Reversed that change back to the router method.

Could you please provide the ASA and Router config after reload? I assume you now have end to end reachability between each host on A and B networks.

Also please let us know which device to which device you are trying to access through 80 and 25?

Regards

Najaf

Hi Najaf,

It appears that we have connectivity using ping between hosts on both networks.

From Network A, I can't access any of the hosts on B that have a web service running (port 80).

Nor from Network B can I access port 80 on A.

I have tried telnetting to port 25 also. No problems on the same network (so we know the service is running) but can't do it cross network.

Just tried adding some rules on the ASAs to allow traffic for those internal networks on the inside interface, but that doesn't make any difference.

Configs attached.

The config for ASA2 would take some work... I have to hide all the customer data in there.

Thanks again for your help.

Thanks..

I think I know what the issue is now but unfortunately I don't have a solution as I have not worked much on ASA. I will check with our security team and find out a solution for this.

Regards

Najaf

Hi,

May I know what is the version of ASA which you are running?

Regards

Najaf

Hi Najaf,

Both ASAs are 8.4(4)

Had a small issue yesterday in that the on-site contact restarted one of the ASA's without telling me, wiping my test configuration (I didn't save it as it is on a live network and I need to be able to reverse things easily if I make a mistake whilst off site). RIP settings were not present when the ASA came back up. Now corrected.

I may be getting somewhere in that I have just discovered that the static nat appears to be being applied before the routing. i.e. I expected a packet to come in to the ASA, the routing table decide where it should go, then anything for outside gets nat applied.

It appears that nat was applied first, then the packets wouldn't be routed where I expected.

NAT rules on one ASA were set as:

object network insideIP
nat (any,any) static outsideIP

whereas they are now set as nat (inside,outside).

Still not right, but I am now convinced this is an ASA problem rather than the 871.

At the moment, from serverA, I can access serverB via its EXTERNAL address but not via its lan address.

This has to be an issue on ASA2.

Hi,

Ok, let's do it like this. Set the 871 router as the default gateway for the internal LAN, and put a static route for the internet toward the ASA, to be able to access the internet.

Hope it will help.

Best regards,
Abzal

Hi Abzal,

I just tried your suggestion, which I agree, should work.

I have only applied it on the A network as I really don't want to cut myself off from the other as I am working off site.

It hasn't worked for me though.

Even if it did, there is a small problem... both networks have different services and therefore different firewall rules. As far as I can see by having a default route on the 871 out to one of the ASAs we would end up with all traffic going down one internet connection.

If we could put a different default route for each interface (side) of the 871 then we would get away with it.... but also since this should have been a very simple quick fix to allow the data migration to be done, I really didn't want to make changes to all servers and clients on the B network.

Try to remove inside access-lists on both ASAs.

Hope it will help.

Best regards,
Abzal