11-22-2010 11:18 AM - edited 03-04-2019 10:32 AM
Internet
------------>Outside ASA
--------------------------------> Inside ASA 209.184.214.254
------------------------------------> Inside Router1 209.184.214.234
------------------------------------> Outside Router1 192.168.11.13 255.255.255.252
------------------------------------> Outside Router2 192.168.11.14 255.255.255.252
------------------------------------> Inside Router2 192.168.12.1 255.255.255.0
Router 1 can:
Ping 192.168.12.24 (random device on router2 LAN)
Ping 192.168.12.1 (inside Router2)
Ping 209.184.214.x (main LAN)
Ping 8.8.8.8 (google DNS)
Ping 192.168.11.13 (outside router1)
Ping 192.168.11.14 (outside router2)
Router2 can:
Ping 192.168.12.x (router2 LAN devices)
Ping 209.184.214.254 (Inside ASA)
Ping 209.184.214.234 (Inside Router1)
Ping 8.8.8.8 (google DNS)
Ping 192.168.11.13 (outside router1)
Ping 192.168.11.14 (outside router2)
Router2 can't:
Ping 209.184.214.1-253 (inside router1 LAN devices)
Devices on 192.168.12.x can:
Ping 192.168.12.x (inside router2 LAN devices)
Ping 8.8.8.8 (google DNS)
Get to the Internet if I change DNS to 8.8.8.8
Devices on 192.168.12.x can't:
Ping 209.184.214.x (inside router1 LAN)
Access any devices on 209.184.214.x (remote desktop, file share, etc.)
Devices on 209.184.214.x can:
ping 192.168.12.x (inside router2 LAN devices)
get to internet using 209.184.214.141 as DNS (main AD server all devices need to see this)
Ping 192.168.11.13 (outside router1)
Ping 192.168.11.14 (outside router2)
11-23-2010 12:48 PM
If the servers are using the inside interface of the firewall for their default gateway, change it to the 209.x address of the router on the same subnet. The ASA will not redirect traffic. ASAs are security appliances; while they do function in routed mode, they do not redirect traffic on the same interface as a router would.
Give that a try and let us know.
11-22-2010 11:52 AM
Also, of note...
I can't telnet directly to Router2 from a device on 209.184.214.x, but I can telnet to Router2 from within Router1.
Also I see these entries on the ASA during normal operation:
From Main AD/DNS server:
6 Nov 22 2010 14:19:24 209.184.214.141 2967 192.168.12.20 1144 Deny TCP (no connection) from 209.184.214.141/2967 to 192.168.12.20/1144 flags SYN ACK on interface inside
^^^ This port (1144): not sure what is going on here, but a quick search for that port shows fusion script?
From this entry it looks like a device on 192.168.12.x successfully contacts the DNS server on 209.184.214.x but I don't see the original request:
6 Nov 22 2010 14:02:50 209.184.214.141 53 192.168.12.20 64726 Built inbound UDP connection 692335 for inside:209.184.214.141/53 (209.184.217.141/53) to inside:192.168.12.20/64726 (192.168.12.20/64726)
When I try to remote desktop from 209.184.214.x to 192.168.12.x:
6 Nov 22 2010 14:14:59 209.184.214.140 2055 192.168.12.24 3389 Deny TCP (no connection) from 209.184.214.140/2055 to 192.168.12.24/3389 flags RST on interface inside
Router1#sho ip route
Gateway of last resort is 209.184.214.254 to network 0.0.0.0
D 192.168.12.0/24 [90/2172416] via 192.168.11.14, 13:12:12, Serial0/0
192.168.11.0/24 is variably subnetted, 3 subnets, 3 masks
D 192.168.11.0/24 is a summary, 13:12:15, Null0
C 192.168.11.14/32 is directly connected, Serial0/0
C 192.168.11.12/30 is directly connected, Serial0/0
C 209.184.214.0/24 is directly connected, Ethernet0/0
S* 0.0.0.0/0 [1/0] via 209.184.214.254
Router2#sho ip route
Gateway of last resort is 192.168.11.13 to network 0.0.0.0
C 192.168.12.0/24 is directly connected, FastEthernet0
192.168.11.0/24 is variably subnetted, 3 subnets, 3 masks
D 192.168.11.0/24 is a summary, 13:10:56, Null0
C 192.168.11.13/32 is directly connected, Serial0
C 192.168.11.12/30 is directly connected, Serial0
D 209.184.214.0/24 [90/2195456] via 192.168.11.13, 13:10:53, Serial0
S* 0.0.0.0/0 [1/0] via 192.168.11.13
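The three ASA entries quoted above, together with the accepted answer about the default gateway, describe one symptom: the ASA sees only half of each flow because the other half goes host-to-router directly. As an added example (not code from the thread or from Cisco), the script below classifies ASA syslog lines of that shape and lists the source hosts whose default gateway should be checked; the sample lines are constructed to match the thread's entries, and the message IDs in the comments are the standard ASA ones.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the three ASA entries quoted in the thread.
SAMPLE_LOG = """\
6 Nov 22 2010 14:19:24 209.184.214.141 2967 192.168.12.20 1144 Deny TCP (no connection) from 209.184.214.141/2967 to 192.168.12.20/1144 flags SYN ACK on interface inside
6 Nov 22 2010 14:02:50 209.184.214.141 53 192.168.12.20 64726 Built inbound UDP connection 692335 for inside:209.184.214.141/53 (209.184.214.141/53) to inside:192.168.12.20/64726 (192.168.12.20/64726)
6 Nov 22 2010 14:14:59 209.184.214.140 2055 192.168.12.24 3389 Deny TCP (no connection) from 209.184.214.140/2055 to 192.168.12.24/3389 flags RST on interface inside
"""

# %ASA-6-106015: a TCP segment arrived for a session the ASA holds no state for.
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from (?P<src>[\d.]+)/\d+ "
    r"to (?P<dst>[\d.]+)/\d+ flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)")
# %ASA-6-302015 style "Built ... UDP connection" line with ingress and egress interfaces.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<in_if>\w+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"(?P<out_if>\w+):(?P<dst>[\d.]+)/\d+ \([\d.]+/\d+\)")

@dataclass
class Finding:
    kind: str
    src: str
    dst: str
    detail: str

def analyze(log_text: str) -> list[Finding]:
    """Flag ASA entries that show one direction of a flow bypassing the firewall."""
    out: list[Finding] = []
    for line in log_text.splitlines():
        if m := DENY_RE.search(line):
            flags = m["flags"].strip()
            # A SYN/ACK with no state means the SYN never crossed the ASA:
            # the forward path went direct and only the reply was sent to the firewall.
            kind = "reply-without-request" if {"SYN", "ACK"} <= set(flags.split()) else "stateless-segment"
            out.append(Finding(kind, m["src"], m["dst"], f"{flags} on {m['iface']} for an unknown connection"))
        elif (m := BUILT_RE.search(line)) and m["in_if"] == m["out_if"]:
            # Same ingress and egress interface: a host is using the ASA as its
            # gateway to a subnet that sits behind a router on the same segment.
            out.append(Finding("same-interface-hairpin", m["src"], m["dst"],
                               f"{m['proto']} flow in and out via {m['in_if']}"))
    return out

def hosts_to_check(findings: list[Finding]) -> list[str]:
    """Sources whose default gateway should point at the on-subnet router, not the ASA."""
    return sorted({f.src for f in findings})
```

Running analyze(SAMPLE_LOG) yields one finding per sample line, and hosts_to_check() returns the two 209.184.214.x hosts from the thread, which is exactly the set whose gateway the accepted answer says to change.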
11-22-2010 02:38 PM
From watching the logging on the ASA it looks like the 192.168.12.x devices are trying to hit the 209.184.214.141 server for DNS, but the odd thing is that what I am seeing is the DNS server replying back to the 192.168.12.x devices. I don't see the 192.168.12.x request for DNS.
This is a packet trace from one of the 209.184.214.x PCs. I was telnetted into Router2 (from within Router1) and I ran a ping to this specific PC:
No. Time Source Destination Protocol Info
10235 205.808349 192.168.11.14 209.184.214.140 ICMP Echo (ping) request (id=0x0006, seq(be/le)=6/1536, ttl=254)
Frame 10235: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Cisco_20:0d:00 (00:d0:58:20:0d:00), Dst: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8)
Internet Protocol, Src: 192.168.11.14 (192.168.11.14), Dst: 209.184.214.140 (209.184.214.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10236 205.808376 209.184.214.140 192.168.11.14 ICMP Echo (ping) reply (id=0x0006, seq(be/le)=6/1536, ttl=128)
Frame 10236: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8), Dst: Cisco_cd:80:4c (c8:4c:75:cd:80:4c)
Internet Protocol, Src: 209.184.214.140 (209.184.214.140), Dst: 192.168.11.14 (192.168.11.14)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10302 207.808323 192.168.11.14 209.184.214.140 ICMP Echo (ping) request (id=0x0006, seq(be/le)=7/1792, ttl=254)
Frame 10302: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Cisco_20:0d:00 (00:d0:58:20:0d:00), Dst: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8)
Internet Protocol, Src: 192.168.11.14 (192.168.11.14), Dst: 209.184.214.140 (209.184.214.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10303 207.808349 209.184.214.140 192.168.11.14 ICMP Echo (ping) reply (id=0x0006, seq(be/le)=7/1792, ttl=128)
Frame 10303: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8), Dst: Cisco_cd:80:4c (c8:4c:75:cd:80:4c)
Internet Protocol, Src: 209.184.214.140 (209.184.214.140), Dst: 192.168.11.14 (192.168.11.14)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10411 209.808297 192.168.11.14 209.184.214.140 ICMP Echo (ping) request (id=0x0006, seq(be/le)=8/2048, ttl=254)
Frame 10411: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Cisco_20:0d:00 (00:d0:58:20:0d:00), Dst: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8)
Internet Protocol, Src: 192.168.11.14 (192.168.11.14), Dst: 209.184.214.140 (209.184.214.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10412 209.808323 209.184.214.140 192.168.11.14 ICMP Echo (ping) reply (id=0x0006, seq(be/le)=8/2048, ttl=128)
Frame 10412: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8), Dst: Cisco_cd:80:4c (c8:4c:75:cd:80:4c)
Internet Protocol, Src: 209.184.214.140 (209.184.214.140), Dst: 192.168.11.14 (192.168.11.14)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10529 211.808271 192.168.11.14 209.184.214.140 ICMP Echo (ping) request (id=0x0006, seq(be/le)=9/2304, ttl=254)
Frame 10529: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Cisco_20:0d:00 (00:d0:58:20:0d:00), Dst: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8)
Internet Protocol, Src: 192.168.11.14 (192.168.11.14), Dst: 209.184.214.140 (209.184.214.140)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10530 211.808296 209.184.214.140 192.168.11.14 ICMP Echo (ping) reply (id=0x0006, seq(be/le)=9/2304, ttl=128)
Frame 10530: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8), Dst: Cisco_cd:80:4c (c8:4c:75:cd:80:4c)
Internet Protocol, Src: 209.184.214.140 (209.184.214.140), Dst: 192.168.11.14 (192.168.11.14)
Internet Control Message Protocol
11-22-2010 01:26 PM
I think a topology picture could help a lot.
Regards.