Cisco 1921 Routing/NAT Issue

ewellsie07
Level 1

I've recently inherited a new client that currently sits on a flat network (192.168.2.0/24) spanning two physically separate buildings, connected by fiber.

In order to reach compliance, I need to separate those two buildings logically, and be able to control access between the two.

Since we already had a 1921 in place at one of the buildings for a separate purpose, the idea was to add in an EHWIC that would accept the fiber connection and split the networks using the router to control access, at least until we can properly redesign the network.

The ISP service comes in at the primary location where it connects to the ASA5505, and the 1921 router is located at the secondary location. There needs to be static incoming traffic to both the primary and secondary site, and there are VPN clients that also need to reach the secondary location. The other inside interface on the 1921 is a separate extranet that will only need to accept traffic from the 192.168.2.0/24 and the VPN clients and includes some routes for the 65.xx.xx.xx networks.

As the configs will show, the plan was to create a 192.168.6.0/24 subnet at the primary location, and keep the existing 192.168.2.0/24 subnet at the secondary location. Configured as below, the primary location is working just fine, and all traffic flows in and out. We can also ping from a host at the primary location to a host within the secondary location. However, we cannot ping from the secondary to the primary location, and the secondary location hosts do not have internet access.

The issue appears to be the 1921 not sending the traffic from 192.168.2.0/24 to 192.168.6.0/24 and I can't figure out why. I've tried various NAT statements but just can't seem to figure it out.

Pasted below are the relevant snippets of the ASA config, and the entire 1921 config.

Can anyone assist?
***********ASA**************

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1xx.xx.xx.xx 255.255.255.224


ip local pool VPN 192.168.4.2-192.168.4.100 mask 255.255.255.0

access-list VPN-Access extended permit ip any 192.168.4.0 255.255.255.0
access-list VPNTunnelList standard permit 192.168.2.0 255.255.255.0
access-list VPNTunnelList standard permit 192.168.6.0 255.255.255.0
access-list VPNTunnelList standard permit host 65.xx.xx.xx
access-list VPNTunnelList standard permit host 65.xx.xx.xx  
access-list VPNTunnelList standard permit host 65.xx.xx.xx  
access-list VPNTunnelList standard permit host 65.xx.xx.xx  

icmp permit any inside

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list VPN-Access
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.4.0 255.255.255.0

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0


route inside 65.xx.xx.xx 255.255.255.255 192.168.6.254 1
route inside 65.xx.xx.xx 255.255.255.255 192.168.6.254 1
route inside 65.xx.xx.xx 255.255.255.255 192.168.6.254 1
route inside 65.xx.xx.xx 255.255.255.255 192.168.6.254 1
route inside 1xx.xxx.0.0 255.255.0.0 192.168.6.254 1
route inside 192.168.2.0 255.255.255.0 192.168.6.254 1
********1921**********

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *********
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone EST -5 0
!
ip cef
!
!
!
!
!
!
ip domain name *******.local
ip name-server 192.168.6.20
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4183443168
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4183443168
 revocation-check none
 rsakeypair TP-self-signed-4183443168
!
!
crypto pki certificate chain TP-self-signed-4183443168
 certificate self-signed 01
      quit
license udi pid CISCO1921/K9 sn FGL181921L5
!
!
username admin privilege 15 secret 5 **********************
username ****** privilege 15 secret 5 ********************
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ****** Network Interface
 ip address 16x.xx.xx.xx 255.255.255.240
 ip access-group 100 in
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ******** LAN Interface
 ip address 192.168.2.254 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 description Fiber Interface to *********
 ip address 192.168.6.254 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type sfp
!
ip default-gateway 192.168.6.1
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool POOLNAME 1xx.xx.xx.xx 1xx.xx.xx.xx netmask 255.255.255.240
ip nat inside source list 102 pool POOLNAME overload
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 65.xx.xx.xx 255.255.255.255 1xx.xx.xx.xx
ip route 65.xx.xx.xx 255.255.255.255 1xx.xx.xx.xx
ip route 65.xx.xx.xx 255.255.255.255 1xx.xx.xx.xx
ip route 65.xx.xx.xx 255.255.255.255 1xx.xx.xx.xx
ip route 1xx.xxx.0.0 255.255.0.0 1xx.xx.xx.xx
ip route 192.168.4.0 255.255.255.0 192.168.6.1
!
access-list 100 permit ip any any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
no cdp advertise-v2
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

25 Replies

Finally tried this today, with the additional interface on the ASA.

Still no go. Seemed like the ASA had no problem seeing the router and pinging it, but couldn't get it to work the other way. From the ASA side, I was able to ping from internal hosts to internal hosts behind the router, but not vice versa.

Not sure if it's still a NAT issue or what, but I was forced to revert all the changes back yet again until I can get it 100% working.

It's really frustrating.

I suspect it may now be the configuration on the ASA as opposed to the original problem as all traffic should now be going via the ASA.

If you used an additional interface on the ASA it depends on how you configured it as to whether traffic would flow between the two internal interfaces.

Do you remember what configuration you added or changed on the ASA?

Jon

I created a new VLAN, assigned one of the interfaces (0/7) and called the new interface "WAN". Set the security level to 100, same as the inside.

It was assigned 192.168.5.1/24 and the router HWIC was assigned 192.168.5.254/24 which the fiber was plugged into.

I could originate pings from the ASA to the router interfaces, even the 192.168.2.254 IP which is the internal interface for the LAN behind the router.

However, I could not get pings or traffic to flow from the router through the ASA.

Okay, but for example you had this in your configuration -

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

These obviously wouldn't be applicable with the new setup etc.

That is what I meant in terms of configuration, i.e. what exactly did you do on the ASA in addition to adding another interface.

Jon

You will need to add two things -

1) the "same-security-traffic permit inter-interface" command if it isn't already there

and

2) you then need static NAT statements which would essentially be the same as you had before for the two subnets but they would reference the inside and WAN interfaces as opposed to just the inside interface.

Jon
Thanks for the help.

We did get it working; we had to introduce a new switch to segregate the fiber from the 1921 and the new ASA WAN interface, and then it was just a matter of the new NAT statements, and a new NAT statement to allow internet access from the 192.168.2.0 network behind the WAN interface.

Then I had to modify all the static NAT statements for the internet-accessible hosts behind the WAN interface, as they were all configured as static (inside,outside) and had to be adjusted to static (wan,outside).

But it does appear to be working successfully for now, next step is to replace all the switches and consolidate the fiber and ASA interfaces onto a properly configured managed switch with VLAN segregation.

Good to hear.

Glad you got it working and thanks for letting me know.

Jon

Those rules were added when I was trying the previous configuration, but are not there as it sits right now. These are the current NAT rules as it stands right now.

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list VPN-Access
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.4.0 255.255.255.0

Assuming no other entries are added once I reconfigure the interfaces, what would be the proper NAT statements to allow traffic to flow from 192.168.6.0/24 to 192.168.2.0/24 and vice-versa?

I've also attached a basic network diagram to better explain the setup.

I tried various NAT statements yesterday but couldn't get it to work 100%.
It's late here so I'm logging off for the night.

I will check in with this thread tomorrow in case you have any more queries etc.

One last thing I forgot to mention.

I presume you have "same-security-traffic permit intra-interface" on your ASA at the moment.

If you do create another interface you will need "same-security-traffic permit inter-interface" and you need to update your static NAT statements for the LAN subnets.

Apologies if I am telling you something you already know.

Jon

It would fix the flow issue because nothing has to go via the ASA, but the issue then is that all internet traffic from both LANs has to go via the router, so traffic from the primary site is bounced off the router in the secondary site, which isn't ideal.

I suspect it is part of the issue but I can't say for sure unless you confirm the ICMP inspection, as without it I would expect it to work, i.e. the ASA is not stateful for ICMP without it so shouldn't really be dropping ICMP.

It would however break TCP connections.

An alternative to readdressing or changing default gateways is to try TCP state bypass which in effect disables the stateful check and should allow the traffic to flow.

I say should because I have never used it as it kind of defeats part of what you have a stateful firewall for.

See this link -

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Still do not know why internet does not work though, as traffic flows should be between the router and ASA direct for that.

Jon
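Added example, not from the thread: a small Python model of the route tables posted above (host default gateways, the ASA's route for 192.168.2.0/24 via 192.168.6.254, the 1921's two connected subnets) that traces a flow in both directions and reports which stateful device sees only one of them, which is the asymmetric path Jon describes. The host addresses 192.168.6.50 and 192.168.2.50 are constructed; everything else comes from the configs in the thread.

```python
# Added example (not from the thread): longest-prefix routing over the route tables
# posted above, tracing a flow forward and back to show which stateful device sees
# only one direction. Host addresses .50 are constructed; the rest come from the configs.
from ipaddress import ip_address, ip_network

# Per-node route table {prefix: next hop}. "direct" = destination is on a connected
# subnet, "internet" = leaves via the ISP, otherwise the next-hop IP.
NODES = {
    "host-primary":   {"192.168.6.0/24": "direct", "0.0.0.0/0": "192.168.6.1"},
    "host-secondary": {"192.168.2.0/24": "direct", "0.0.0.0/0": "192.168.2.254"},
    "asa":            {"192.168.6.0/24": "direct", "192.168.2.0/24": "192.168.6.254",
                       "0.0.0.0/0": "internet"},
    "router":         {"192.168.6.0/24": "direct", "192.168.2.0/24": "direct",
                       "0.0.0.0/0": "192.168.6.1"},
}
# Address ownership, used to resolve next hops and final delivery.
ADDRS = {"192.168.6.1": "asa", "192.168.6.254": "router", "192.168.2.254": "router",
         "192.168.6.50": "host-primary", "192.168.2.50": "host-secondary"}
STATEFUL = {"asa"}          # the only device that tracks TCP state in this topology

def next_hop(node, dst):
    """Longest-prefix match of dst against a node's route table."""
    table = NODES[node]
    best = max((ip_network(p) for p in table if ip_address(dst) in ip_network(p)),
               key=lambda n: n.prefixlen)
    return table[str(best)]

def trace(src, dst):
    """Nodes a packet from src to dst traverses, endpoints included."""
    node = ADDRS[src]
    path = [node]
    for _ in range(8):                                  # bounded: catches routing loops
        if ADDRS.get(dst) == node:
            return path
        hop = next_hop(node, dst)
        if hop == "internet":
            return path + ["internet"]
        node = ADDRS[dst] if hop == "direct" else ADDRS[hop]
        path.append(node)
    raise RuntimeError("routing loop between %s and %s" % (src, dst))

def asymmetric_flows(src, dst):
    """Stateful devices on only one leg of the flow; they see half a TCP handshake."""
    fwd, rev = set(trace(src, dst)), set(trace(dst, src))
    return sorted((fwd ^ rev) & STATEFUL)

if __name__ == "__main__":
    print(trace("192.168.6.50", "192.168.2.50"))       # primary host -> ASA -> router
    print(trace("192.168.2.50", "192.168.6.50"))       # reply: router delivers directly
    print(asymmetric_flows("192.168.6.50", "192.168.2.50"))   # ['asa']
```

The ASA appears only on the forward leg, which is why TCP between the sites fails behind a stateful inspection while the one-directional ICMP test can still succeed; fixing the return path (or TCP state bypass, as discussed above) removes the asymmetry.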

Do you have ICMP inspection enabled on your firewall?

Jon