Routing issue - site to site

Dear all,

Based on the attached diagram, how do I route the Staff PC to access the Server?

Currently the Staff PC can only ping up to the outside interface of the Site A ASA (60.a.a.54).

What is the command to route the Staff PC (192.168.5.33) to the Server (192.168.0.150)?

Accepted Solutions

Hi,


There are 6 Main Mode messages. Each message has a specific purpose. The state MM_WAIT_MSG2 could mean:

1. You are using Main Mode
2. You are waiting
3. You are waiting on Message 2 of Main Mode

Message 1 is used to send your phase 1 proposals. Message 2 is sent by the remote end accepting the SA.

So the question is "Why is my ASA waiting on MSG 2?"

This could be for several reasons:
1. Maybe your packet is being dropped somewhere
2. Maybe there is a problem in the path causing the drop (high BW utilization, bad circuit, etc.)
3. The remote device believes it does not have to renegotiate, or the SA is stuck for some reason

What you could try is configuring dead peer detection. This would allow the ASA to detect if the peer is gone, tear down the tunnel and allow for the new SA to be established when the peer is available.

The command below should help:

isakmp keepalive xxx

Place this on both devices then clear the isakmp SAs on both ends.


Please rate the helpful posts.
Regards,
Naidu.

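To make that concrete for the ASA releases in this thread (7.0(8) at Site B, 8.0(3) at Site A), dead peer detection is set per tunnel-group under `ipsec-attributes` rather than as a bare global `isakmp keepalive` line. The following is an added example, not part of Naidu's post: the peer addresses are the two ASA outside interfaces taken from the posted configs (218.b.b.234 and 60.a.a.54), and the threshold/retry values are the ASA defaults written out explicitly.

```cisco
! --- Site A ASA (8.0(3)): DPD towards the Site B peer ------------------------
! threshold = seconds of idle time before the ASA sends an IKE keepalive,
! retry     = seconds between retries once a keepalive goes unanswered.
! After the retries fail, the ASA tears down the SAs so a fresh
! negotiation can start as soon as the peer is reachable again.
tunnel-group 218.b.b.234 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! --- Site B ASA (7.0(8)): mirror image towards the Site A peer ---------------
tunnel-group 60.a.a.54 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! --- Then, on BOTH ends, drop the stuck Phase 1 / Phase 2 SAs ----------------
! (on 7.0 code the same commands are entered without the "crypto" keyword:
!  clear isakmp sa / show isakmp sa)
clear crypto isakmp sa
clear crypto ipsec sa
!
! --- Watch the rebuild: a healthy tunnel leaves MM_WAIT_MSG2 and ends in MM_ACTIVE
show crypto isakmp sa
show crypto ipsec sa
!
! --- If it still stalls, the ISAKMP debug shows which Main Mode message is
!     sent and which never gets a reply; switch it off again when done.
debug crypto isakmp 7
undebug all
```

DPD only detects a dead peer; it does not fix the reason message 2 never arrives. If the state stays MM_WAIT_MSG2 after the SAs are cleared, UDP/500 from this ASA is not reaching the peer (or the reply is not coming back), so check the path in between, including any router in front of the ASA that NATs or terminates IPsec itself.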

18 Replies

Ivan Krimmel
Level 7

Hi Mohd,

Can the Server access the outside world? I.e., I am trying to understand whether there are any issues with the Server's TCP/IP settings. If yes, then we'd need to check the ASA's settings. What do you use in there - NAT? Identity NAT? Paste the relevant config here. Also, is it only ICMP that is not working? I guess the purpose of this setup is for the Client to access something else on the Server. Check the ACL applied to the outbound interface on the ASA.

HTH,

Ivan.

Hi Ivan,

The server can reach the Internet as normal.

Staff need to reach the Server for database purposes.

I attached the ASA configs below.

Site A - ASA 5510


ASA Version 8.0(3)

!

hostname

domain-name default.domain.invalid

enable password ym1CwmrLnc/fndsu encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 60.a.a.54 255.255.255.252

!

interface Ethernet0/1

no nameif

no security-level

no ip address

!

interface Ethernet0/1.1

vlan 10

nameif Inside

security-level 80

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/1.2

vlan 20

nameif visitor

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit icmp any any

access-list 100 extended permit tcp any any

access-list 100 extended permit ip any any

access-list 101 extended permit icmp any any

access-list 101 extended permit tcp any any eq 2828

access-list 101 extended permit tcp any host 192.168.0.254 eq 2255

pager lines 24

mtu outside 1500

mtu Inside 1500

mtu visitor 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any Inside

icmp permit any visitor

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (Inside) 1 192.168.0.0 255.255.255.0

nat (visitor) 1 192.168.1.0 255.255.255.0

static (Inside,outside) tcp interface 2828 192.168.0.254 telnet netmask 255.255.255.255

access-group 101 in interface outside

access-group 100 in interface Inside

access-group 100 in interface visitor

route outside 0.0.0.0 0.0.0.0 60.a.a.53 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:30:00 absolute uauth 0:30:00 inactivity

dynamic-access-policy-record DfltAccessPolicy

aaa authentication include tcp/0 Inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 Inside

telnet 192.168.4.0 255.255.255.0 Inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 5

console timeout 0

dhcpd dns 202.188.0.133 202.188.5.1

!

dhcpd address 192.168.0.2-192.168.0.253 Inside

dhcpd enable Inside

!

dhcpd address 192.168.1.2-192.168.1.253 visitor

dhcpd enable visitor

!

threat-detection basic-threat

threat-detection statistics access-list

username admin password bOnxO8/ZA7i5hOxq encrypted

username kpmsb password /LTd0pEXjM6Ht1Sp encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:809895a4506cb7e47a57552c4a0e0a0f

: end

Site B - ASA 5510

ASA Version 7.0(8)

!

hostname ASA

domain-name default.domain.invalid

enable password ym1CwmrLnc/fndsu encrypted

passwd ym1CwmrLnc/fndsu encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 218.b.b.234 255.255.255.252

!

interface Ethernet0/1

no nameif

no security-level

no ip address

!

interface Ethernet0/1.1

vlan 10

nameif office

security-level 50     

ip address 192.168.5.1 255.255.255.0

!

interface Ethernet0/1.2

vlan 20

nameif visitor

security-level 50

ip address 192.168.6.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone MYT 8

access-list 100 extended permit icmp any any

access-list 100 extended permit tcp any host 218.111.42.234 eq 2828           

access-list 101 extended permit icmp any any

access-list 101 extended permit tcp any any

access-list 101 extended permit ip any any

access-list 102 extended deny ip any 192.168.0.0 255.255.255.0

access-list 102 extended permit icmp any any

access-list 102 extended permit tcp any any

access-list 102 extended permit ip any any

pager lines 24

logging enable

logging buffer-size 1000000

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu office 1500

mtu visitor 1500

mtu management 1500

icmp permit any outside

icmp permit any office

icmp permit any visitor

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (office) 1 192.168.5.0 255.255.255.0          

nat (visitor) 1 192.168.6.0 255.255.255.0

static (office,outside) tcp interface 2828 192.168.5.254 telnet netmask 255.255.255.255

access-group 100 in interface outside

access-group 101 in interface office

access-group 102 in interface visitor

route outside 0.0.0.0 0.0.0.0 218.b.b.233 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 3:00:00 absolute uauth 3:00:00 inactivity

username test password P4ttSyrm33SV8TYp encrypted privilege 15

username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 0

username kpmsb password /LTd0pEXjM6Ht1Sp encrypted

aaa authentication include tcp/0 visitor 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

aaa authentication include http office 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800          

crypto ipsec security-association lifetime kilobytes 4608000

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 office

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 office

ssh timeout 5

console timeout 0

dhcpd address 192.168.5.2-192.168.5.253 office

dhcpd address 192.168.6.2-192.168.6.253 visitor

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd dns 202.188.0.133 202.188.1.5

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable office

dhcpd enable visitor

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy           

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

Cryptochecksum:2ec9bdf0050db34b872292128bf29818

: end

Can anyone help me with this? Why can't the staff access the server?

Mohd -

Looking at your ASA configurations, you do not have site-to-site VPN configured.  You diagram shows that you do.  In any case, in order for both sites to communicate, one method is to used VPN.  Here's a link on setup site-to-site VPN for ASA: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml.

Hope this helps.

Since staff can access the outside interface of the ASA in site A, the non-existence of a VPN is not the issue here.

Mohd, I am still looking into this, couldn't spot the issue yet though.

Ivan.

Ivan - Just my .02...  If Staff PCs can ping the outside of the firewall on Site A, so can anyone else, since it's a public IP.  The original question was how to route the staff PC (Site B) to the server (Site A).  Unless he is doing one-to-one static NAT (which doesn't seem to be the case based on the ASA config), I think VPN (remote access or lan-to-lan) is the best solution in this case.

Regards.

I agree, it is because they have "icmp permit any outside", but since staff can access it, it means the routing is correct, and we only need to let the traffic in, which is being controlled by the ASA in site A.

Mohd, is the server able to reach the outside interface of the ASA at site B? Perhaps to reach the inside network behind ASA B?

Regards,

Ivan.

IcebergTitanic
Level 1

See, the problem is that the ASA doesn't want to route a private IP address over the internet. Private IP addresses were made specifically so that people could have lots of local devices and not all have to have specific exterior internet addresses, which is how they were set up originally.

Your diagram does show an IPSEC vpn somewhere, but your configs do not reflect any kind of VPN setup in them. You're missing a lot of configuration to establish a site to site VPN, presuming you're trying to do it over the ASAs.

The ASAs are showing an outside IP address on them. They won't want to route private IP ranges over an internet connection.

Right now, I suspect your routing looks like this:

Workstation traffic leaves, headed for a different network. (192.168.0.x)

The ASA gets it, has no specific route or connected interface that matches the destination network.

ASA throws the traffic out, because it's not going to route LAN traffic out over a WAN connection, because that's just silly.

You really need to have a VPN if you want to route out to the other side using a private IP range.

If you're really set on doing it without a VPN, then you need a local DNS server that tells your local workstations the external IP address of the destination server, rather than trying to connect to its private IP address.

Dear all,

Thanks for the reply.

I need to mention here that the VPN is established using the Cisco 887.

That is why I asked the question, because I am just stuck at the host-to-host issue.

But several people said that the VPN should be done on the ASA rather than on the 887.

Anyway, here I attach the 887 config:

Like "jliscano" said, is one-to-one static NAT possible (for me to route both sites)?

Or should I do the VPN on the ASA?


sh run

Building configuration...

Current configuration : 6394 bytes

!

! Last configuration change at 08:13:54 UTC Tue Sep 27 2011 by nec

! NVRAM config last updated at 08:12:56 UTC Tue Sep 27 2011 by nec

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service sequence-numbers

!

hostname kewpie-mlk

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$zrgO$UTdQAb.LzJq9y7n22R/Th/

!

no aaa new-model

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-2510246803

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2510246803

revocation-check none

rsakeypair TP-self-signed-2510246803

!

!

crypto pki certificate chain TP-self-signed-2510246803

certificate self-signed 01

ip source-route

!

!

!

ip dhcp pool ccp-pool1

   import all

   network 60.a.a.0 255.255.255.0

   dns-server 202.188.0.133 8.8.8.8

   default-router 60.a.a.53

!

!

ip cef

ip domain name yourdomain.com

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

!

license udi pid CISCO887-K9 sn FGL152827A7

!

!

username nec privilege 15 secret 5 $1$ludy$bhR/Z7LEe3.L4d.ZK/aT30

username test secret 5 $1$1WcH$zyEruqlm/ui/XFTscMBvD.

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key kewpievpn address 218.b.b.233

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to218.b.b.233

set peer 218.b.b.233

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

!

interface BRI0

no ip address

ip flow ingress

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface ATM0

no ip address

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

ip flow ingress

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 60.a.a.53 255.255.255.252

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip flow ingress

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname kewpi@tmnet

ppp chap password 0 tmnet123

ppp pap sent-username kewpi@tmnet password 0 xxxx

no cdp enable

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 60.b.b.b 0.0.0.3

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 60.51.196.0 0.0.0.255 218.b.b.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 60.a.a.0 0.0.0.255 218.b.b.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 deny   ip 60.a.a.0 0.0.0.255 175.b.b.0 0.0.0.255

access-list 101 permit ip 60.a.a.52 0.0.0.3 any

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

control-plane

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end


Mohd - Those several people are correct.  You should build the VPN tunnel on the ASAs rather than the 887s based on your design.  Looking at your tunnel, you only allowed ACL 100.  So, only those 2 networks are going to pass through the VPN.  Now you are also doing PAT on your ASA.  Your traffic will not know how to get to your 192.168.x.x subnets this way.  This doesn't seem to be a routing issue, but more like a VPN issue.

As for the one-to-one NAT, you need to build that on the ASA, not the 887.  My impression was, since you did not have a VPN on the ASA, NAT could work.  I highly suggest you rebuild the VPN on the ASA.

Regards.

IcebergTitanic
Level 1

Yep, I think what you want is to make your routers completely transparent. Essentially doing nothing but turning your WAN (PPP) connection into an ethernet connection for the ASA.

Set up your VPN tunnel on the ASA, and use that to route your LAN traffic. Should work like a dream, then.

Post back if you need help configuring the ASAs...

Dear all,

So I need to take down/delete the VPN from the 887, right? Or should I use a normal ADSL modem?

Now I want to configure the below at both ASA 5510 sites.

Please review it. Is it OK?

site A

----------------------

access-list VPN_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (Inside) 0 access-list Inside_nat0_outbound

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap

crypto map VPN_map 10 set peer 60.a.a.53

crypto map VPN_map 10 set transform-set ESP-AES-256-SHA

crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encryption aes-256

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 5

crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 60.a.a.53 type ipsec-l2l

tunnel-group 60.a.a.53 IPSec-attributes

pre-shared-key kewpievpn

site B

-----------------------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (Inside) 0 access-list Inside_nat0_outbound

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap

crypto map VPN_map 10 set peer 218.b.b.b

crypto map VPN_map 10 set transform-set ESP-AES-256-SHA

crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encryption aes-256

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 5

crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 218.b.b.b type ipsec-l2l

tunnel-group 218.b.b.b IPSec-attributes

pre-shared-key kewpievpn

Mohd - Keep the 887 and just delete the VPN from it.  Just make sure you have the VPN ports permitted on your ACL facing your outside interface on your ASA.

As for your configuration, I would flip the ACL around:

SiteA:

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

SiteB:

access-list VPN_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

The rest of your config looks good.

Hope this helps.

IcebergTitanic
Level 1

Yep, that should do it. I can't remember if you need to adjust your outside interface ACL or not. You might need to do a blanket allow on that as well:

access-list outside_in line 1 permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

Personally, I would also move the IP's into object-groups just for clarity:

object-group network SiteA_local

network-object 192.168.0.0 255.255.255.0

object-group network VPN_Peers

network-object 192.168.5.0 255.255.255.0

Then you can adjust your access-lists to just use the object-groups. That way, if you add more sites, you just add them to the object group, rather than having to adjust all your acls.
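Putting jliscano's flipped ACLs together with the interface names and peer addresses that actually appear in the two posted ASA configs (Site A's inside interface is named `Inside`, Site B's is `office`; each `set peer` and tunnel-group must name the other side's outside address, 218.b.b.234 and 60.a.a.54, not the 887's LAN address), the complete lan-to-lan pair looks like this. This is an added example, not configuration from any poster in the thread: the pre-shared key is a placeholder, the 7.0 `isakmp` spelling at Site B and the 8.0 `crypto isakmp` spelling at Site A follow the versions shown in the posted configs, and the verification section assumes the 8.0 defaults at Site A.

```cisco
! ===== Site A ASA 5510, 8.0(3): local 192.168.0.0/24 (Inside), remote 192.168.5.0/24 =====
! Interesting traffic is written local -> remote; Site B carries the exact mirror image.
access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
! NAT exemption: without this the PAT to the outside interface rewrites the source
! before the crypto map sees it and the packet never matches VPN_cryptomap.
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
!
! AES-256 needs the VPN-3DES-AES license on both 5510s ("show version" lists it).
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 218.b.b.234
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
!
! Tunnel-group name is the peer's outside address; DPD tears down stale SAs.
tunnel-group 218.b.b.234 type ipsec-l2l
tunnel-group 218.b.b.234 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
 isakmp keepalive threshold 10 retry 2
!
! ===== Site B ASA 5510, 7.0(8): local 192.168.5.0/24 (office), remote 192.168.0.0/24 =====
access-list VPN_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list office_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (office) 0 access-list office_nat0_outbound
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 60.a.a.54
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
!
! 7.0 code spells these without the "crypto" keyword.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp enable outside
!
tunnel-group 60.a.a.54 type ipsec-l2l
tunnel-group 60.a.a.54 ipsec-attributes
 pre-shared-key REPLACE-WITH-THE-SAME-SECRET
 isakmp keepalive threshold 10 retry 2
!
! ===== Verify from Site A (8.0 has packet-tracer; 7.0 does not) =====
! show crypto isakmp sa                   -> MM_ACTIVE for peer 218.b.b.234
! show crypto ipsec sa peer 218.b.b.234   -> #pkts encaps / decaps climbing on both sides
! packet-tracer input Inside icmp 192.168.0.150 8 0 192.168.5.33
!   -> the NAT phase must hit the nat 0 exemption (not the PAT to "interface")
!      and the VPN encrypt phase must end in ALLOW.
```

On both ASAs, IKE (UDP/500, UDP/4500) and ESP addressed to the outside interface itself are accepted by `crypto isakmp enable outside` / `isakmp enable outside` rather than by the outside ACL, and decrypted tunnel traffic bypasses that ACL as long as `sysopt connection permit-vpn` (`permit-ipsec` on older 7.x code) is at its default; only if that has been disabled does the blanket permit IcebergTitanic mentions become necessary. The 887 at Site A, once its own crypto map is removed, still has to forward those same protocols to 60.a.a.54 unchanged, which is what making it "transparent" in the earlier reply achieves; as posted, its crypto ACL 100 only ever carried 60.a.a.0/24 to 218.b.b.0/24, so the 192.168.x.x traffic was never going to match it.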
