11-19-2013 03:10 PM - edited 03-07-2019 04:41 PM
I need the following to happen:
Host at 12.x.x.134 to access host 10.50.2.32 on port 8888.
Host at 12.x.x.134 to access host 10.50.2.33 on port 1560.
I am at a complete loss on getting this accomplished. Have tried multiple configurations and nothing works. Ideally I would collapse this all to the ASA but I do not have the time to dedicate at the moment so I just need to get this working as it is. The ASA is under SMARTnet but CCO ID does not have permission to its serial number yet.
Any guidance on this would be greatly appreciated. Is below enough to go on?
ASA Interfaces
Ethernet0/0 outside 64.xx.xx.130 security-level 0 --> to RouterA via 2980
Ethernet0/1 inside 10.50.2.1 security-level 100 --> to 2980
Ethernet0/2 dmz1 10.10.10.2 security-level 50 --> to ASA e2
PIX
Ethernet0 outside 12.xx.xx.2 security-level 0 --> to RouterB via 2980
Ethernet1 dmz 12.x.x.129 security-level 50 --> to 2980
Ethernet2 dmz2 10.10.10.1 security-level 50 --> to PIX e0/2
11-20-2013 02:48 PM
That should be the route on the ASA correct?
They are different subnets. That is why for the outside interface I used two "x" instead of one to differentiate. Sorry for the confusion.
11-20-2013 02:51 PM
Yes, that route would be on the ASA because it uses its dmz1 interface to reach the PIX.
You could actually test with just one host route rather than use the 12.x.x.x subnet and see if that host works.
Jon
11-20-2013 02:56 PM
So given the NAT statements I put in already using that route should work? If that is the case I'll give it a try with a single host right now.
11-20-2013 02:59 PM
Yes, you will need the original config posted + that route.
Try it and let me know.
Jon
11-20-2013 03:18 PM
I have made the changes and asked for that site to give it a try. They may not get to test till tomorrow as it is 5:30 PM their time.
Thank you Jon for all your assistance on this.
11-20-2013 03:31 PM
No problem. Let me know how you get on and if it doesn't work then we can carry on troubleshooting.
Jon
11-21-2013 09:19 AM
Still not working. With the goof I made with the route on the ASA, I applied that same logic to the route on the PIX.
This is what I had:
route dmz 10.50.2.0 255.255.255.0 10.10.10.2
Changed it to:
route dmz2 10.50.2.0 255.255.255.0 10.10.10.2
Neither has made this work.
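The route mix-up above (naming the wrong interface on a static route) is easy to catch mechanically: a static route's next hop has to sit on the connected subnet of the interface named in the route, and the destination should not overlap a subnet the firewall is already directly connected to. The checker below is an added example, not part of the thread or of any Cisco tool. The interface table is constructed from the addresses posted in the thread; the /24 and /30 masks are assumptions (the posts give addresses only), and 192.0.2.129 is a stand-in for the redacted 12.x.x.129 on the PIX dmz interface.

```python
"""Sanity-check PIX/ASA 'route' statements against interface addressing (added example)."""
import ipaddress

# Constructed interface tables. Masks are assumed; the thread does not give them.
ASA_IFACES = {
    "inside": ipaddress.ip_interface("10.50.2.1/24"),
    "dmz1": ipaddress.ip_interface("10.10.10.2/30"),
}
PIX_IFACES = {
    "dmz": ipaddress.ip_interface("192.0.2.129/25"),   # stand-in for redacted 12.x.x.129
    "dmz2": ipaddress.ip_interface("10.10.10.1/30"),
}


def parse_route(line):
    """Parse 'route <ifc> <network> <mask> <gateway>' into (ifc, network, gateway)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route: {line!r}")
    ifc, net, mask, gw = parts[1:5]
    dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ifc, dest, ipaddress.ip_address(gw)


def check_route(ifaces, line):
    """Return a list of problems with the route; an empty list means it is plausible."""
    ifc, dest, gw = parse_route(line)
    problems = []
    if ifc not in ifaces:
        problems.append(f"unknown interface {ifc!r}")
        return problems
    local = ifaces[ifc]
    # The next hop must be reachable on the interface the route names.
    if gw not in local.network:
        problems.append(f"gateway {gw} is not on {ifc} ({local.network})")
    if gw == local.ip:
        problems.append(f"gateway {gw} is the firewall's own {ifc} address")
    # A static route for a directly connected subnet is at best pointless.
    for name, other in ifaces.items():
        if dest.overlaps(other.network):
            problems.append(
                f"destination {dest} overlaps the connected subnet of {name} ({other.network})"
            )
    return problems


if __name__ == "__main__":
    for box, ifaces, route in [
        ("PIX", PIX_IFACES, "route dmz 10.50.2.0 255.255.255.0 10.10.10.2"),
        ("PIX", PIX_IFACES, "route dmz2 10.50.2.0 255.255.255.0 10.10.10.2"),
        ("ASA", ASA_IFACES, "route dmz1 12.10.100.134 255.255.255.255 10.10.10.1"),
    ]:
        print(box, route, "->", check_route(ifaces, route) or "ok")
```

Run against the two PIX routes from the post, the first form is flagged because 10.10.10.2 is not on the dmz subnet, and the corrected dmz2 form passes; the host route later given for the ASA also passes. The check says nothing about NAT or ACLs, which is why a route that passes can still leave the flow broken.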
11-21-2013 11:11 AM
Tyler
Did anything break when you added the route to the ASA ?
When you try to connect from a 12.x.x.x host do you see any hits on the acl applied to the ASA dmz1 interface ?
We need to work out where the traffic is failing.
Jon
11-21-2013 11:22 AM
Nothing broke thankfully.
The route I have on the ASA is: route dmz1 12.10.100.134 255.255.255.255 10.10.10.1
Route on the PIX currently: route dmz2 10.50.2.0 255.255.255.0 10.10.10.2
These ACL entries are applied to the dmz1 interface on the ASA:
access-list DMZ2IN line 4 extended permit tcp host 12.10.100.134 host 10.50.2.33 eq 1560
access-list DMZ2IN line 5 extended permit tcp host 12.10.100.134 host 10.50.2.32 eq 8888
I have these static NATs in place on the ASA:
static (inside,dmz1) tcp 10.50.2.32 8888 10.50.2.32 8888 netmask 255.255.255.255
static (inside,dmz1) tcp 10.50.2.33 1560 10.50.2.33 1560 netmask 255.255.255.255
11-21-2013 11:31 AM
Based on the original diagram that config should have worked. Like I say, we need to understand where the packets are getting dropped.
So first we need to work out if the packets are leaving the pix on the right interface. Easiest way to do this is look at the acl on the dmz1 interface of the ASA and make a note of the counters for the relevant line. Try and connect and see if the counters increment. If they do we know that packets are going through the pix correctly.
Jon
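The counter check Jon describes (snapshot `show access-list`, attempt the connection, snapshot again, see which lines moved) is tedious to do by eye on a long ACL. The script below is an added example, not part of the thread or of any Cisco product: it parses the `(hitcnt=N)` field of `show access-list` output, finds the lines that name the flow being tested, and reports only the lines whose counters rose between two snapshots. The two snapshots are constructed sample output; lines 4 and 5 reproduce the ACL entries posted in the thread, and the other lines and all hash values are made up.

```python
"""Diff ACL hit counters between two 'show access-list' snapshots (added example)."""
import re

# One rule line of ASA/PIX 'show access-list' output, e.g.
#   access-list DMZ2IN line 5 extended permit tcp host A host B eq 8888 (hitcnt=3) 0x...
HIT_RE = re.compile(r"^\s*access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)", re.MULTILINE)


def parse_hitcounts(text):
    """Return {(acl_name, line_no): (rule_text, hitcnt)} for every rule line."""
    return {
        (acl, int(line)): (rule, int(hits))
        for acl, line, rule, hits in HIT_RE.findall(text)
    }


def rules_for_flow(text, src, dst, dport):
    """Line numbers of rules that name this exact host/host/port flow (the lines to watch)."""
    needle = (f"host {src}", f"host {dst}", f"eq {dport}")
    return [
        line
        for (acl, line), (rule, _) in sorted(parse_hitcounts(text).items())
        if all(part in rule for part in needle)
    ]


def incremented(before_text, after_text):
    """List (acl, line, rule, delta) for rules whose counter rose between snapshots."""
    before = parse_hitcounts(before_text)
    after = parse_hitcounts(after_text)
    deltas = []
    for key in sorted(after):
        rule, hits_after = after[key]
        hits_before = before.get(key, (rule, 0))[1]
        if hits_after > hits_before:
            deltas.append((key[0], key[1], rule, hits_after - hits_before))
    return deltas


# Constructed snapshots of 'show access-list DMZ2IN' on the ASA.
BEFORE = """\
access-list DMZ2IN; 6 elements; name hash: 0x2f9c4b1e
access-list DMZ2IN line 1 extended permit icmp any any (hitcnt=41) 0x9a1b2c3d
access-list DMZ2IN line 2 extended permit tcp 10.10.10.0 255.255.255.252 host 10.50.2.1 eq 22 (hitcnt=7) 0x1a2b3c4d
access-list DMZ2IN line 3 extended permit udp any host 10.50.2.5 eq 53 (hitcnt=1203) 0x5e6f7a8b
access-list DMZ2IN line 4 extended permit tcp host 12.10.100.134 host 10.50.2.33 eq 1560 (hitcnt=0) 0x7c8d9e0f
access-list DMZ2IN line 5 extended permit tcp host 12.10.100.134 host 10.50.2.32 eq 8888 (hitcnt=0) 0x3b4c5d6e
access-list DMZ2IN line 6 extended deny ip any any log (hitcnt=0) 0xd1e2f3a4
"""

# Same ACL after a test connection that never reached the ASA: nothing moved.
AFTER_NOHIT = BEFORE

# Same ACL after a test connection that did reach the ASA: line 5 counted three SYNs
# (and some unrelated ICMP landed on line 1 in the meantime).
AFTER_HIT = BEFORE.replace("(hitcnt=41)", "(hitcnt=45)").replace(
    "eq 8888 (hitcnt=0)", "eq 8888 (hitcnt=3)"
)

if __name__ == "__main__":
    watch = rules_for_flow(BEFORE, "12.10.100.134", "10.50.2.32", 8888)
    print("lines to watch for 12.10.100.134 -> 10.50.2.32:8888:", watch)
    print("no-hit case:", incremented(BEFORE, AFTER_NOHIT))
    print("hit case:", incremented(BEFORE, AFTER_HIT))
```

An empty result from `incremented` for the watched lines means the packets never arrived on the ASA's dmz1 interface, which points the investigation at the PIX (its routing, NAT, or ACLs) rather than at the ASA. On the ASA itself, `packet-tracer input dmz1 tcp 12.10.100.134 1025 10.50.2.33 1560` walks route lookup, ACL and NAT for a synthetic packet in one command; PIX 6.x has no equivalent, which is why the counter method is the practical check on the PIX side.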
11-21-2013 11:38 AM
Apologies, I failed to answer that earlier. The counters have remained at zero.
11-21-2013 11:46 AM
Do you have any acls applied to the dmz or dmz2 interfaces on the pix ?
Jon
11-21-2013 11:52 AM
The following is applied to dmz2; both with no hit counts.
access-list temp_inside extended deny ip any host 89.x.x.x log
access-list temp_inside extended permit ip any any
11-21-2013 12:00 PM
Sorry, I should have asked this in the last post. Can you post any NAT config for the dmz and dmz2 interfaces on the PIX?
Jon
11-21-2013 12:05 PM
I'm wondering if that may be the issue. Just not well versed enough to know for sure.
PIX NATs
nat (dmz2) 0 10.50.2.0 255.255.255.0
ASA NATs
nat (inside) 0 access-list NONAT
nat (inside) 1 10.50.2.0 255.255.255.0
crypto isakmp nat-traversal 21