Solved: Don't know if it is the routers or the ASA causing this...

dirkmelvin · ‎11-22-2010

Internet

------------>Outside ASA

--------------------------------> Inside ASA 209.184.214.254

------------------------------------> Inside Router1 209.184.214.234

------------------------------------> Outside Router1 192.168.11.13 255.255.255.252

------------------------------------> Outside Router2 192.168.11.14 255.255.255.252

------------------------------------> Inside Router2 192.168.12.1 255.255.255.0

Router 1 can:

Ping 192.168.12.24 (random device on router2 LAN)

Ping 192.168.12.1 (inside Router2)

Ping 209.184.214.x (main LAN)

Ping 8.8.8.8 (google DNS)

Ping 192.168.11.13 (outside router1)

Ping 192.168.11.14 (outside router2)

Router2 can:

Ping 192.168.12.x (router2 LAN devices)

Ping 209.184.214.254 (Inside ASA)

Ping 209.184.214.234 (Inside Router1)

Ping 8.8.8.8 (google DNS)

Ping 192.168.11.13 (outside router1)

Ping 192.168.11.14(outside router2)

Router2 can't:

ping 209.184.214.1-253 (inside router1 LAN devices)

Devices on 192.168.12.x can:

ping 192.168.12.x (inside router2 LAN devices)

ping 8.8.8.8 (google DNS)

can get to Internet if i change DNS to 8.8.8.8

Devices on 192.168.12.x can't:

ping 209.184.214.x (inside router1 LAN)

can't access any devices on 209.184.214.x (remote desktop, file share, etc)

Devices on 209.184.214.x can:

ping 192.168.12.x (inside router2 LAN devices)

get to internet using 209.184.214.141 as DNS (main AD server all devices need to see this)

Ping 192.168.11.13 (outside router1)

Ping 192.168.11.14(outside router2)

Ping 209.184.214.x

Devices on 209.186.214.x can't:

remote desktop to 192.168.12.x

fileshare to 192.168.12.x

On ASA when I try to ping from router2 to 209.184.214.140 (actually same for any 209.184.214.x except .234 and .254) I see this entry:

4 Nov 22 2010 12:31:17 Denied ICMP type=0, from laddr 209.184.214.140 on interface inside to 192.168.11.14: no matching session

and of course I get no reply on the router

This would tell me that something in the ASA is stopping the echo-reply.

But I can't identify anything that would do such.

bwm0875 · ‎11-23-2010

If the servers are using the inside interface of the firewall for default gateway, change it to the 209.x address of the router on the same subnet. The ASA will not redirect traffic. ASAs are security appliances, while they do function in routed mode they do not redirect traffic on the same interface as a router would.

Give that a try and let us know.

View solution in original post

dirkmelvin · ‎11-22-2010

Also, of note...

I cant telnet directly to Router2 from a device on 209.184.214.x but I can telnet to router2 from within router1.

Also I see these entries on the ASA during normal operation:

From Main AD/DNS server:

6 Nov 22 2010 14:19:24 209.184.214.141 2967 192.168.12.20 1144 Deny TCP (no connection) from 209.184.214.141/2967 to 192.168.12.20/1144 flags SYN ACK on interface inside

^^^ This port (1144) not sure what is going on here, but just a quick search for that port shows fusion script?

From this entry it looks like a device on 192.168.12.x successfully contacts the DNS server on 209.184.214.x but I don't see the original request:

6 Nov 22 2010 14:02:50 209.184.214.141 53 192.168.12.20 64726 Built inbound UDP connection 692335 for inside:209.184.214.141/53 (209.184.217.141/53) to inside:192.168.12.20/64726 (192.168.12.20/64726)

When I try to remote desktop from 209.184.214.x to 192.168.12.x:

6 Nov 22 2010 14:14:59 209.184.214.140 2055 192.168.12.24 3389 Deny TCP (no connection) from 209.184.214.140/2055 to 192.168.12.24/3389 flags RST on interface inside

Message was edited by: dirkmelvin

Added basic layout...

Message was edited by: dirkmelvin

Router1#sho ip route

Gateway of last resort is 209.184.214.254 to network 0.0.0.0

D 192.168.12.0/24 [90/2172416] via 192.168.11.14, 13:12:12, Serial0/0

192.168.11.0/24 is variably subnetted, 3 subnets, 3 masks

D 192.168.11.0/24 is a summary, 13:12:15, Null0

C 192.168.11.14/32 is directly connected, Serial0/0

C 192.168.11.12/30 is directly connected, Serial0/0

C 209.184.214.0/24 is directly connected, Ethernet0/0

S* 0.0.0.0/0 [1/0] via 209.184.214.254

Router2#sho ip route

Gateway of last resort is 192.168.11.13 to network 0.0.0.0

C 192.168.12.0/24 is directly connected, FastEthernet0

192.168.11.0/24 is variably subnetted, 3 subnets, 3 masks

D 192.168.11.0/24 is a summary, 13:10:56, Null0

C 192.168.11.13/32 is directly connected, Serial0

C 192.168.11.12/30 is directly connected, Serial0

D 209.184.214.0/24 [90/2195456] via 192.168.11.13, 13:10:53, Serial0

S* 0.0.0.0/0 [1/0] via 192.168.11.13

Message was edited by: dirkmelvin

dirkmelvin · ‎11-22-2010

From watching the logging on the ASA it looks like the 192.168.12.x devices are trying to hit the 209.184.214.141 server for DNS, but the odd thing is what I am seeing is the DNS server replying back to the 192.168.12.x devices. I don't see the 192.168.12.x request for DNS.

This is a packet trace from one of the 209.184.214.x PCs....I was telnetted into Router2 (from withing router1) and I ran ping to this specific PC:

No. Time Source Destination Protocol Info

10235 205.808349 192.168.11.14 209.184.214.140 ICMP Echo (ping) request (id=0x0006, seq(be/le)=6/1536, ttl=254)

Frame 10235: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)

Ethernet II, Src: Cisco_20:0d:00 (00:d0:58:20:0d:00), Dst: DellPcba_0b:c0:a8 (00:0d:56:0b:c0:a8)

Internet Protocol, Src: 192.168.11.14 (192.168.11.14), Dst: 209.184.214.140 (209.184.214.140)