Trouble with ASA5505 behind 871

miketranosky
Level 1

Hello everyone,

I am having a little trouble with routing and looking for some help or guidance.  My setup is my ISP (Cable) comes in to my Motorola SB modem --> goes to my Cisco 871 FastEthernet4 --> out of the FastEthernet1 (plans to eventually move to FastEthernet0) of the 871 --> into the ASA 5505 Ethernet 0 (outside interface) --> out of the ASA 5505 Ethernet 1 --> into my LAN (DHCP configured for 10.10.10.0 network.)

 

The problem that I am running into is that I am unable to ping through my ASA while connected to my inside interface.  I am, however, able to ping from the console of the ASA to the outside, just not from an inside-connected PC.  Likewise, I am unable to browse or reach the Internet in any way (I wanted to rule out ICMP as being the only protocol blocked.) 

 

I currently have a DHCP pool (10.10.10.0) set up on my 871, because the ASA5505 was added after-the-fact.  Eventually I would like to hand out most if not all DHCP addresses from the ASA, but I left the conflicting DHCP pool in place on the router until I get routing through the ASA figured out (I have an access point and some other devices hanging off of that which are Internet-accessible.)  

 

My outside interface (FA4) on the 871 is set up for DHCP.  Inside (FA1) is set up for VLAN5, which is configured as another internal address of 192.168.1.1.  On the ASA, my outside (Ethernet0) interface is set up with an IP address of 192.168.1.2 and my inside (Ethernet 1) interface (plan to have remaining Ethernet ports hand out DHCP addresses as well if possible) is set up for DHCP network 10.10.10.0.  

 

I know I could eliminate the 871 and do all of the routing on the ASA, but that would take the fun out of learning :) Plus, I would like to eventually do some ingress/egress filtering on the edge router.  You'll notice I'm forwarding 32400 for my Plex server as well on the 871 plus I will have to open a few other ports for other applications that require access to the web. 

Below is my 871 config: 

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
enable secret 5 $1$l6em$U/xDm4Ls6932u5AVPvbYU/
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
!         
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.101 10.10.10.255
!
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 208.67.222.222 208.67.220.220 
!
!
ip cef
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username cisco privilege 15 secret 5 $1$eFJE$P3EoqEUbHIAqH5vXe.bFZ/
!         
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 5
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!         
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan5
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!         
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.10 32400 interface FastEthernet4 32400
ip nat inside source static udp 10.10.10.10 32400 interface FastEthernet4 32400
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 30 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
end  

And this is my ASA5505 config: 

asa# sh run
: Saved
:
ASA Version 8.2(2) 
!
hostname asa
enable password aaM6CM7NHIUNxhXl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 5
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 10.10.10.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.10.10.11-10.10.10.42 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 2Y5LXjCiT.j9NH6j encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2a74d4bee8105a6f33d77afe97d03c7
: end

Any help or guidance with my config would be greatly appreciated.

I think my problems lie within the ASA config, but maybe I am overlooking something on the 871 too? 

Thank you everyone,
Mike T. 


Jon Marshall
Hall of Fame

Mike

It won't work as is because you have the 10.10.10.0/24 network connected to the 871 so it thinks it is local.

But you also have the 10.10.10.0/24 network on the inside of the ASA as well.

And you have used a different IP subnet, 192.168.1.0/24 to connect the ASA to your 871.

What you can try to get internet access working outbound for 10.10.10.x clients is on your ASA -

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

but you won't be able to get the port forwarding working ie. your static NAT statement on the ASA won't work because the 871 is also connected to the same network.

You could present the internal server as a 192.168.1.x IP and then translate to a 10.10.10.x IP and that would work.

Is there a reason you are using the same IP subnet on both the inside of the ASA and the 871 ?

Jon

Hi Jon,

Wow, thank you for such a quick response! I thought maybe the 10.10.10.0/24 on both the 871 and the ASA was tripping me up a little bit.  I am admittedly new to Cisco, so please bear with me.  There isn't any reason that I am using the same IP subnet on the inside interface of both.  I thought about changing that to a 10.10.10.0 /29, since I really only need a few clients. What happened was that I had my 871 as a stand-alone router in which I wanted clients to receive the 10.10.10.x addresses handed out via DHCP.  Now, I have acquired an ASA5505 that I would like to put in with the existing setup, but want the ASA to hand out the 10.10.10.x client addresses via DHCP on ports Ethernet 1-7.  I just happened to leave the config as-is on the router (just added the entry for the access-list to permit the 192.168.1.0 network and changed the IP on FA1 to a 192.168.1.0/24 address.) 

There also isn't a particular reason that I chose to use a different IP subnet to connect the ASA to the 871.  Would it make more sense to keep everything on one IP subnet?  For example, make my inside interface of the 871 a 10.10.10.5 and the outside interface of the ASA a 10.10.10.6? Would it also be necessary to move the 10.10.10.0/24 on the inside of the 871 to a different subnet or IP subnet then? 

I would like to keep all NATing on the edge router, hence the static nat statement on the ASA. 

I apologize, I don't quite understand what you meant by presenting the inside server as a 192.168.1.x and translate it to a 10.10.10.x. Do you mean make the inside interface of the ASA a 192.168.1.x and then use DHCP to hand out 10.10.10.x addresses? 

Hopefully I was clearer about what I am looking to do with the setup.  Essentially do all routing, port forwarding, NATing on the edge router and pass all traffic from the ASA to the router. 

Thanks again for such a quick response and for all of your help!

Mike T

Mike

If you don't want to do any NAT on the ASA then you need to decide where the 10.10.10.0/24 subnet is going to be because it can't be in both places.

What I meant by the server bit was you could present the internal 10.10.10.x IP as a 192.168.1.x IP on the outside of your ASA then the 871 would forward the traffic to the ASA.

But like I say if you want to keep all NAT on the 871 then you don't really want that.

You may also need to enable "no nat-control" on your ASA because if you don't then you have to use NAT for your inside clients to go through the ASA to the 871.

If you do enable it then you need to remove the "static (inside,outside) ...." command you have on your ASA currently.

So you really need to decide exactly what you want to do and where and if you definitely want to put all NAT on the 871 you will have to use a different IP subnet for either your inside clients on the ASA or on the 871.

Jon

Jon,

Thanks again for the quick response and for guiding me along in my education!  I would like to keep all NAT on the 871 and keep the 10.10.10.0/24 on the ASA, because ultimately that is where I would like to have DHCP hand out the 10.10.10.x addresses to the clients.  I will start by changing the 10.10.10.0/24 addresses on the 871 to something different (i.e. 172.16.0.0/24), and change the DHCP pool on the 871 to hand out 172.16.0.x addresses, but I think I will be keeping the port forwarding on the 871 for the 10.10.10.x clients?

I have set the no nat-control on the ASA so that I won't be using NAT on it (I assume I'll want to get rid of my static nat statement as well?)    

I think you have me pointed in the right direction for now at least and really appreciate you taking the time to help me out.  

I will update once I have a chance to work on it and make the changes above.  

Thanks again!

Mike T.

Mike

No problem.

You do want to get rid of the static NAT statement yes.

Also because all NAT is on the 871 then once you change the 10.10.10.x IPs connected to the 871 you will need to add a route to the 871 so it knows how to get to the 10.10.10.0/24 subnet ie.

ip route 10.10.10.0 255.255.255.0 192.168.1.2

Apart from that you should be okay.

If you have any more problems or queries after making the changes then please feel free to post back.

Jon

Jon,

Again, thanks for all of your help. 

I'll provide an update later on today when I have a chance to work on it and if I run into any trouble, but I have confidence.  

Thanks again for taking your time to help me out.    

Mike T.

Jon,

Thank you for your help earlier today.  Routing is (finally) working as I wanted it.  On my 871, I have my vlan 10 interface using 172.16.0.0/24 and dhcp handing out addresses on that pool of addresses.  On my inside interface of my ASA, I am using the 10.10.10.0/24 and using DHCP to hand out addresses there.  Everything is working great.  Thank you again!

The only remaining question I have (for now) is that I have clients connected to my inside interface of my ASA that require port forwards. For example, I have the port forward for my Plex server (port 32400) currently configured on my 871.  What would need to occur to allow that port forward to occur through the ASA?  I imagine I would have to forward from the ASA, since that is where the Plex server is connected and receiving an address, but the only way I know how to do this is with a NAT statement.  Is there a simpler way to accomplish this and can I keep the port forward on the edge router and still translate into my ASA and directly to the Plex Server? 

Thank you again for all of your help,

Mike T. 

Mike

You should be able to just use an acl on the outside interface to allow through that port eg -

access-list outside_in permit tcp any host <Plex server IP> eq 32400
access-group outside_in in interface outside

what the above does is allow any IP address eg. internet IP to access the server on that specific TCP port and then applies the acl to the outside interface.

The above acl has no effect on your clients' internet access and you don't need to allow the return traffic for clients' internet access because your firewall is stateful.

I don't want to tell you things you already know but if you want a more detailed explanation of how the ASA works in terms of stateful traffic just let me know.

Jon

Jon, 

Thank you again for your help.  I would certainly enjoy the lesson on how the ASA handles stateful traffic.  As I mentioned, I am relatively new to the Cisco ecosystem and especially the ASA.  I'm happy and really enjoy being able to work on the ASA in a lab environment instead of trying hands-on in production :) 

I have added the ACL and applied it to the outside interface of the ASA, but am still having trouble seeing that port as open from the outside, although it makes perfect sense what you are saying.  I wasn't sure if it was necessary to leave the NAT translation on the router or not (I didn't change anything other than what I mentioned.)  I imagine it would be easier for me to move all NAT to the ASA instead of keeping that on the 871 and just use the 871 as a bridge and do ingress/egress.  Or maybe it really doesn't make much of a difference; and I'm not really certain what best practice is either.

In any event, I'll keep plugging at it here and see if I can figure it out until I hear back. 

Again, I really appreciate your guidance and educating - Thank you 

Mike T.   

 

Mike

I think I may have given you some bad information so apologies for that.

With no nat-control I think you still need your static statement because nat-control affects inside to outside but not outside to inside.

So you can put your static back. Note you don't have to do it for the whole subnet although you can if you want as you did before. You could just do it for the host eg.

static (inside,outside) <Plex server IP> <Plex server IP> netmask 255.255.255.255

or you can even do it for a specific port -

static (inside,outside) tcp <Plex server IP> 32400 <Plex server IP> 32400 netmask 255.255.255.255

Up to you which you use.

Can you add one of them and try again.

Jon
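
As an added example (not code from the original post, and not Jon's or Mike's configuration), the following script checks the three things this thread turned on, against the two configs in their final shape: that no subnet is connected on both boxes (Jon's first reply), that the 871 has a route for the ASA's inside subnet via the ASA's outside IP (the route reply), and that a port forward on the 871 whose target sits behind the ASA is matched on the ASA by both a static covering the host and an outside ACL entry (the last two replies; `no nat-control` only relaxes inside-to-outside). The two config excerpts are constructed in the shape of the posted configs after the changes discussed, with the 871's LAN on 172.16.0.0/24 and only the lines the checks parse; the ACL name `outside_in` is Jon's, and `extended` on the ACL lines and the UDP static are assumptions on my part. ASA 8.2 syntax throughout.

```python
# Config lint for "all NAT on the 871, ASA 8.2 in front of the LAN" (added example).
import ipaddress
import re

# Constructed excerpts after the thread's changes: 871 LAN moved to 172.16.0.0/24,
# route to the ASA inside subnet added; ASA with per-port statics and the outside ACL.
ROUTER_CFG = """
interface FastEthernet4
 ip address dhcp
interface Vlan5
 ip address 192.168.1.1 255.255.255.0
interface Vlan10
 ip address 172.16.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.10.10.0 255.255.255.0 192.168.1.2
ip nat inside source static tcp 10.10.10.10 32400 interface FastEthernet4 32400
ip nat inside source static udp 10.10.10.10 32400 interface FastEthernet4 32400
"""
ASA_CFG = """
interface Vlan5
 nameif outside
 ip address 192.168.1.2 255.255.255.0
interface Vlan10
 nameif inside
 ip address 10.10.10.1 255.255.255.0
no nat-control
static (inside,outside) tcp 10.10.10.10 32400 10.10.10.10 32400 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 32400 10.10.10.10 32400 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 10.10.10.10 eq 32400
access-list outside_in extended permit udp any host 10.10.10.10 eq 32400
access-group outside_in in interface outside
"""
I_RE = re.compile(r"^interface (\S+)")
A_RE = re.compile(r"^ ip address (\S+) (\d\S+)")       # does not match ' ip address dhcp'
N_RE = re.compile(r"^ nameif (\S+)")
R_RE = re.compile(r"^ip route (\S+) (\S+) (\d\S+)$")    # skips the 'dhcp' default route
F_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface")
S_RE = re.compile(r"^static \(inside,outside\)(?: (tcp|udp))? \S+(?: \d+)? (\S+)(?: (\d+))? netmask (\S+)")
L_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\d+)")
G_RE = re.compile(r"^access-group (\S+) in interface outside")

def interfaces(cfg):
    """name -> {'addr': IPv4Interface or None, 'nameif': str or None}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if m := I_RE.match(line):
            cur = out.setdefault(m.group(1), {"addr": None, "nameif": None})
        elif cur and (m := A_RE.match(line)):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and (m := N_RE.match(line)):
            cur["nameif"] = m.group(1)
    return out

def asa_nets(asa_cfg, nameif):
    return [v["addr"] for v in interfaces(asa_cfg).values() if v["nameif"] == nameif and v["addr"]]

def overlapping_subnets(router_cfg, asa_cfg):
    """A subnet connected on both boxes; the shared transit link (ASA outside) is expected."""
    asa = interfaces(asa_cfg)
    return [(rn, an, str(a["addr"].network))
            for rn, r in interfaces(router_cfg).items() if r["addr"]
            for an, a in asa.items() if a["addr"] and a["nameif"] != "outside"
            and r["addr"].network.overlaps(a["addr"].network)]

def missing_routes(router_cfg, asa_cfg):
    """Each ASA inside subnet needs an 871 static route whose next hop is the ASA outside IP."""
    routes = {ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"): ipaddress.ip_address(m.group(3))
              for m in map(R_RE.match, router_cfg.splitlines()) if m}
    asa_outside = {i.ip for i in asa_nets(asa_cfg, "outside")}
    return [str(i.network) for i in asa_nets(asa_cfg, "inside") if routes.get(i.network) not in asa_outside]

def port_forward_gaps(router_cfg, asa_cfg):
    """871 port forwards landing behind the ASA need (1) a static covering the host,
    since no nat-control only relaxes inside->outside, and (2) an outside ACL permit."""
    statics, acls, applied = [], {}, set()
    for line in asa_cfg.splitlines():
        if m := S_RE.match(line):
            proto, real, rport, mask = m.groups()
            statics.append((proto, ipaddress.ip_network(f"{real}/{mask}", strict=False), rport))
        elif m := L_RE.match(line):
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])   # (proto, host, port)
        elif m := G_RE.match(line):
            applied.add(m.group(1))
    inside = [i.network for i in asa_nets(asa_cfg, "inside")]
    gaps = []
    for m in filter(None, map(F_RE.match, router_cfg.splitlines())):
        proto, host, port = m.groups()
        ip = ipaddress.ip_address(host)
        if not any(ip in n for n in inside):
            continue  # target is on the 871's own LAN; the ASA is not in the path
        why = []
        if not any(ip in n and (p is None or (p, rp) == (proto, port)) for p, n, rp in statics):
            why.append("no static (inside,outside) covering host")
        if not any((proto, host, port) in acls.get(name, ()) for name in applied):
            why.append("no outside ACL permit for proto/port")
        if why:
            gaps.append((proto, host, port, why))
    return gaps
```

Deleting the `static` lines from `ASA_CFG` reproduces the state Mike reported (ACL present, port still closed from outside); changing the 871's Vlan10 back to 10.10.10.1 reproduces the original overlap. `no nat-control` is the ASA default and so never appears in `show running-config`; `show running-config all nat-control` displays it.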

Jon,

Thank you for the information on the ASA.  I have actually saved that to my Evernote, which has become my Knowledge Base for everything -- I have been adding notes for everything I have been changing with my configs as well, so this has been a great learning experience for me.  So thank you for your helping me along and for passing along your knowledge.  

I have added the static NAT rule in my ASA config (I used the static (inside,outside) tcp 10.10.10.10 32400 10.10.10.10 32400 net mask 255.255.255.255 statement -- as well as one for UDP) and I am now able to telnet from the outside to my WAN IP, port 32400 (although port checkers like yougetsignal.com tell me that it is closed?)  So, I will check once I have a chance and see if the port is able to establish a connection.  I don't see my "no nat-control" in my running config, but as far as I can tell I won't, possibly because no nat-control is the default setting?  Out of curiosity, how would my config differ on both the ASA and the 871 if I left the cabling as-is with the cable modem coming in the router (FA4) and then out of the router (FA1) into the asa (e0/0) if I wanted to ONLY use the 871 as ingress/egress filtering and do all NATing on the ASA? Would that be more optimal a config? I thought it would be best practice to keep the 871 on the edge and NAT there, but I am unsure. 

I did notice from the 871 that I am unable to ping the Plex server (10.10.10.10,) but I believe I understand why now based on your last message.  Since the ICMP packets originate from the outside interface, and I am not explicitly allowing icmp with an ACL back into my inside of the ASA, those packets are getting denied.

 

I appreciate your help and insight.  I cannot begin to tell you how helpful you have been with this.  

I'll let you know how things work later once I have a chance to test.

Thanks again,

Mike T. 

 

Mike

Yes, the ping is failing because you haven't -

1) allowed it through with your acl

and

2) if you did you would need to modify your static NAT to not use the specific TCP port ie. just a general NAT statement as in my previous post.

In terms of where to do the NAT you can only do it on the ASA if it can get a public IP on it's outside interface.

Technically you could do NAT on the ASA now for outbound traffic but it is kind of pointless because your router has the public IP so it would have to do NAT again.

Where it is best to do it is quite a complicated answer because it depends on so many things but the key one is IP addressing in terms of public IPs.

With your setup I would personally look to do it on the ASA especially if later on you wanted to terminate VPNs on the ASA but it will work fine with your router as well.

I just think with a single firewall and internet connection it makes more sense to have a single point of control for access and NAT configuration.

With more complicated setups eg. dual ISPs etc. then it can sometimes make sense to move the IP addressing to the router although often in those scenarios you get two sets of public IPs, a small subnet for connecting your router to the ISP and then a larger one which can be used for the ASA outside interface to the router connection.

Like I say though either will work in your setup.

Jon

Jon, 

Thanks again for your advice.  

I believe that is what I am going to plan on doing then eventually.  I guess the next logical question is, do you recommend taking the 871 out altogether and make the ASA my edge "router?" I would prefer to keep the 871 if at all possible and my understanding is that I could bridge the outside interface of the 871 (FA4) where the modem connects to the inside interface (FA1) where the 871 connects to the outside interface of the ASA.  This would present the outside interface of the ASA with the public IP from my modem, and I could configure my outside interface on the ASA for ip address setroute, right?  Would that cause any issues?

I'm just not certain how the config looks to set up that bridge group to bridge my FA4 where I'll use DHCP to get a public address and FA1 where I'll connect my ASA.   I did some research and found this link, but I'm not certain the config would achieve what I want it to.  

My plan is to eventually terminate a VPN on the ASA, so I will eventually have to move NAT to the ASA.  I can find several resources on bridging a Cisco router for a DSL connection, but not too much on a cable connection using DHCP.  You have been so helpful before, so I'm certain you can at least provide a link or  guide me through that process as well.

In the meantime, I'll let you know how the port forward works once I get a chance to work on it.

Again, thank you very much for your time and for letting me pick your brain. 

Mike T. 

Hi Jon,

I just wanted to provide an update on everything.  I didn't have a chance to update the forum, so I wanted to provide an update.  

Everything is working perfectly now.  I am able to route through the ASA without any trouble as well as reach my service that is connected internally.  I was actually running into a small issue internally causing some issues with accessing my Plex server.  Since Plex is hosted on my ReadyNAS, and my network card was always configured with out-of-box settings for the network card (aside from a static IP,) it had something foreign in the "Default Router" box.  I changed that, and was able to connect into my service.  User error :)

My plans are to eventually move everything to the ASA and put the router in a bridged configuration as I mentioned in my previous post.  I will have to do some research on creating a bridge group to present my outside interface of my ASA the public IP address, without removing the 871. 

Anyways, I just wanted to thank you for all of your help and guidance of getting my configuration setup.  I will be back I'm sure to have my questions answered when I move everything to the ASA like how I setup/configure my VPN, etc. 

Thanks again,
Mike T. 

Review Cisco Networking for a $25 gift card