ASA 5510 - cannot access or ping internal networks

raj.mathur
Level 1

Hi

I cannot ping from one internal network (10.1.1.0/24) to another internal network (10.1.2.0/24 or 10.1.3.0/24 and so on).

The static route is in place and it's working fine. I can ping these networks from the ASA but not from any workstations.

The error I get on the ASA is: packet dropped due to access list implicit deny.

Here is the config file:

:
ASA Version 8.0(2)
!
hostname asa
domain-name test.com
enable password YLmDtv0bLkbX2VFy encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.200.1 255.255.255.248
 management-only
!
access-list acl_outside remark Allows ping from outside (must enable internal ICMP rule#3)
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq ftp inactive
access-list acl_outside extended permit tcp any any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in remark Internal nodes access to outside world (all ports)
access-list inside_access_in extended permit object-group TCPUDP any any object-group Any
access-list inside_access_in remark Allows ping from inside network to outside network (internet).
access-list inside_access_in extended permit icmp any any echo inactive
access-list inside_access_in remark Allow ping reply both ways - from inside to outside and from
access-list inside_access_in remark outside to inside (nat public address nodes)
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
access-list group1_splitTunnelAcl standard permit any
pager lines 24
mtu inside 1500
mtu management 1500
ip local pool VPN-Pool 172.16.100.0-172.16.100.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 20x.20x.16.xxx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.4.0 255.255.255.0 10.1.1.248 1
route inside 10.1.7.0 255.255.255.0 10.1.1.248 1
route inside 10.1.9.0 255.255.255.0 10.1.1.248 1
route inside 10.1.14.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
route inside 192.168.1.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
route inside 192.168.30.0 255.255.255.240 10.1.1.248 1
route inside 192.168.40.0 255.255.255.240 10.1.1.248 1
route inside 192.168.50.0 255.255.255.240 10.1.1.248 1
route inside 192.168.70.0 255.255.255.240 10.1.1.248 1
route inside 192.168.80.0 255.255.255.240 10.1.1.248 1
-------------------------------------

Any help or advice will be appreciated.

Thanks

20 Replies

Raj, this is a new problem I've come across. You will have to try Ingo's suggestions under your current 8.0(2) code; you may need to remove the NAT exempt access-list you previously configured for all your networks and implement the static NAT Ingo posted.

Jorge Rodriguez

I tried Ingo's suggestion but it did not work.

I will try removing NAT exempt and see.

Thanks for posting results. Let us know please, and observe real-time logs while accessing networks after the changes.

Jorge Rodriguez

I tried removing NAT exempt but it did not help.

Log file is attached.

Hi Raj,

Who knew something so simple could turn out to be a problem like this ;)

First of all, back up your existing config. Then the existing nat commands concerning the branch office networks should be removed, as jorgemcse already pointed out regarding nat exempt, i.e. remove the branch-office networks from the nonat ACL.

It's important to copy/paste the following commands exactly via the CLI, with every keyword. Also check if any of them get rejected (I know they look strange; an explanation can be found in the link I posted).

static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

After you've entered them you should add the security policy:

access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

Try your TCP connection to host 10.1.2.x. If it still doesn't work, and if circumstances allow, save the config and try rebooting the ASA. Better would be to pull the power plug for 10 sec. (I had issues before where this helped.)

If you've done this config and other services aren't disrupted, please leave the config like that and post the ASA config here so we can double-check.

If all of this doesn't work you might be running into some version differences, as I can only confirm this config working on 7.2(4). I suggest upgrading to 8.2(1) or downgrading to 7.2(4).

hth

Ingo
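Two things decide whether the ASA in Raj's original post forwards a workstation's packet between two inside-routed networks: the interface ACL bound with access-group (a flow that matches no active ACE hits the implicit deny that the log message reports), and whether the flow leaves through the interface it arrived on, which is the "U-turn" case Ingo's same-security-traffic permit intra-interface command addresses. The script below is an added example, not code from the thread or from Cisco: a small offline checker that parses the relevant lines of an ASA 8.0-style running config and, for a given protocol/source/destination, reports the ingress and egress nameif, the ACL verdict and whether the intra-interface setting is needed. It assumes the condensed sample config embedded in it (constructed for the example, with documentation-range addresses), treats object-group entries as "unknown" because group contents are not in the posted config, and does not model NAT, so the static identity entries from Ingo's post are out of its scope.

```python
import ipaddress

# Constructed sample: a condensed ASA 8.0-style config of the shape posted in the
# thread (addresses are illustrative; the ICMP ACE is 'inactive' as in the post).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.224
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any echo inactive
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
"""

INTRA = "same-security-traffic permit intra-interface"


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr(tok, i):
    """Consume one ASA address spec at tok[i]; return (network or None, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    if tok[i] == "object-group":
        return None, i + 2  # group members are not in the posted config: unknown
    return _net(tok[i], tok[i + 1]), i + 2


def _parse_ace(tok):
    i = tok.index("extended") + 1
    action, proto, i = tok[i], tok[i + 1], i + 2
    if proto == "object-group":  # protocol group such as TCPUDP: contents unknown
        proto, i = None, i + 1
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "inactive": tok[-1] == "inactive"}


def parse_config(text):
    cfg = {"ifaces": [], "routes": [], "acls": {}, "groups": {}, "intra": False}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok or line.startswith((":", "!")):
            continue
        if tok[0] == "interface":
            cur = {"name": None, "net": None}
            cfg["ifaces"].append(cur)
        elif tok[0] == "nameif" and cur:
            cur["name"] = tok[1]
        elif tok[:2] == ["ip", "address"] and cur and len(tok) >= 4:
            cur["net"] = _net(tok[2], tok[3])
        elif tok[0] == "route":  # route IFACE NET MASK GATEWAY METRIC
            cfg["routes"].append((tok[1], _net(tok[2], tok[3])))
        elif tok[0] == "access-list" and "extended" in tok:
            cfg["acls"].setdefault(tok[1], []).append(_parse_ace(tok))
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["groups"][tok[4]] = tok[1]
        elif line == INTRA:
            cfg["intra"] = True
    # connected networks take part in the lookup like any other route
    cfg["routes"] += [(i["name"], i["net"]) for i in cfg["ifaces"] if i["name"] and i["net"]]
    return cfg


def lookup(cfg, ip):
    """Longest-prefix match: the nameif the ASA would use to reach ip."""
    hits = [(net.prefixlen, name) for name, net in cfg["routes"] if ip in net]
    return max(hits)[1] if hits else None


def acl_verdict(aces, proto, src, dst):
    """First matching active ACE wins; no match is the implicit deny at the end."""
    for a in aces:
        if a["inactive"] or a["proto"] not in (None, "ip", proto):
            continue
        if a["src"] is not None and src not in a["src"]:
            continue
        if a["dst"] is not None and dst not in a["dst"]:
            continue
        if None in (a["proto"], a["src"], a["dst"]):
            return "unknown (object-group not in config)"
        return a["action"]
    return "deny (implicit)"


def check_flow(cfg, proto, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = lookup(cfg, src), lookup(cfg, dst)
    acl = cfg["groups"].get(ingress)
    verdict = acl_verdict(cfg["acls"].get(acl, []), proto, src, dst) if acl else "permit (no ACL)"
    hairpin = ingress is not None and ingress == egress
    findings = [f"{proto} {src}->{dst}: in {ingress}, out {egress}, ACL {acl}: {verdict}"]
    if hairpin and not cfg["intra"]:
        findings.append(f"U-turn on '{ingress}' needs: {INTRA}")
    return {"ingress": ingress, "egress": egress, "hairpin": hairpin,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for proto in ("icmp", "tcp"):
        for line in check_flow(cfg, proto, "10.1.1.10", "10.1.2.10")["findings"]:
            print(line)
```

Run against the sample, an ICMP echo from 10.1.1.10 to 10.1.2.10 is reported as an inside-to-inside U-turn whose only ICMP ACE is inactive, so the ACL verdict is the implicit deny; the same flow over TCP is permitted by the ACL but still flagged until the intra-interface line is present. To check a real device, paste the output of show running-config in place of SAMPLE_CONFIG; the checker is a static model, so a packet-tracer run on the ASA remains the authoritative answer.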

Ingo

I tried all the options but it did not work. I upgraded to 8.2 and even downgraded, but same problem. I can ping the branch office network but cannot browse or access any nodes.

Thx