Quantifiable
asked on
Cisco ASA5505 Isn't passing traffic between two inside networks
I'm not the sharpest tool in the shed, but I can usually hack my way through what I need to do. I'm stumped. If you really want to take me out at the knees, throw me an ASA and say, "set up some access-lists that work."
I should mention that this was all working until we replaced the 1711 router on the main campus with an ASA5505, and changed the IP scheme for the main campus.
I have attached a PDF of my crude Visio layout for this scenario. I put a sanitized version of my config in the file.
I have two networks:
Main Campus: 172.16.0.0 255.255.252.0
Dormitory: 192.168.2.0 255.255.255.0
I am trying to get traffic flowing between the two. From the ASA I can ping the 1711's 192.168.2.2 address. I cannot ping anything past the 1711, just the IP associated with the 1711. From the 1711, I can ping anything on the inside of my network (of course), but nothing inside the 192.168.2.0 network can ping the 172.16.3.0. Confusing enough?
Can someone help me see what I have done wrong?
KellyHallLink.pdf
Might be wrong, but have you the ACLs going in the wrong direction here?
access-group KELLY_OUTBOUND in interface inside
access-group KELLY_INBOUND out interface inside
Should these not be
access-group KELLY_OUTBOUND out interface inside
access-group KELLY_INBOUND in interface inside
ASKER
MWheeler1982: I have same-security-traffic intra-interface because there is no direct physical connection from the router to the ASA. It all comes in and out the same Eth0/1 port that is tied to the switch.
I will try that now.
smckeown777: It would seem that way, but that was after trial and failure several times.
Quick qualifying question now:
On the "same-security-traffic," is that in lieu of the ACL? Can I just pull the ACL for Kelly out if I fix that?
ASKER
Okay, I tried changing:
same-security-traffic permit intra-interface
to
same-security-traffic permit inter-interface
But, I got no love. I even pulled out the KELLY_INBOUND and KELLY_OUTBOUND ACLs. Any other idea?
Can you post your config again after all the changes you made?
ASKER
fgasimzade: Can you post your config again after all the changes you made?
I am attaching my config -- as it stands now.
One other note. I read an article somewhere about same interface traffic, but didn't they eliminate that restriction with the same-security-traffic command?
KellyhallLink-Suggestion-01.pdf
Stupid question maybe, but I assume you have a route command on the 1711 to point to the 172.16.x.x network, yes?
What ACLs have you on that router?
If you do a tracert from the 172.16 network (on the ASA side) to 192.168.2.x, where does it stop?
ASKER
Not a stupid question! :) I completely forgot to provide you with good information:
And, here are the results of the tracert:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
......................
......................
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
The 1711 is using RIP.
I should also mention that this worked before I took out the previous 1711 on the main campus. The config in the ASA is as close as I can get to the 1711 we replaced -- as close as an ASA running 8.2(5) can get to that.
There are no ACLs on the Kelly 1711 router -- there weren't before, either (if that helps).
And please don't forget that I am ACL-disadvantaged. They haunt me in my dreams.
Ok, that's your problem!
The ASA isn't a router, therefore doesn't do RIP!
Add a route to the 1711 to point to the 172.16 network and you might be out of trouble...
Sorry if you don't know how to add the route; it's (on the 1711):
ip route {destination prefix} {destination prefix mask} {interface OR forwarding router’s IP address}
conf t
ip route 172.16.0.0 255.255.0.0 192.168.2.1
ASKER
Thanks smckeown777, of all the things I cannot do -- I can actually add a route :) But, blessings for making sure.
I asked a question early on, and wonder if you can answer it so I know.
Do I need ACLs on the inside in order for this to work?
Not that I am aware of. ACLs are usually applied for restricting traffic; it should work without any in your case...
ASKER
Okay, my turn to express a dumb question. I'll try to do it in list format:
1. The remote router (1711) has a VLAN1 interface of 192.168.2.2
2. The remote router (1711) has a VLAN2 interface of 172.16.3.19
3. The ASA has a VLAN1 interface of 172.16.3.1
How do I do that IP Route inside? The next hop, according to the 1711, is itself. Do I need to buffer that with a secondary subnet between the 1711 and the ASA?
No, the next hop in this case is the ASA interface - which in your case is 172.16.3.1
Or you can specify the actual 'interface', which in your case is FA1...
But I normally just specify the next hop IP; try and see if you get it working.
So your command will be
ip route 172.16.3.0 255.255.255.0 172.16.3.1
Or
ip route 172.16.3.0 255.255.255.0 FA1
Also there is no 'ip route inside' command on the 1711, it's just ip route (ip route inside is the ASA command).
ASKER
I guess I don't know how to do the route command ;)
I'll try it now.
ASKER
Hmmm, no dice. Is it an issue that I'm using CIDR? My main campus network is:
172.16.0.0 255.255.252.0 (22-bit): 172.16.0.0 - 172.16.3.255
So my route command was actually:
ip route 172.16.0.0 255.255.252.0 172.16.3.1
Does that seem right?
Sorry I misread your subnet...yes that looks right now - still no joy with that command?
ASKER
Nope. Do I need the equivalent on the ASA side? How does the ASA know about the 192.168.2.0 subnet if I don't tell it? It's not using RIP, right? Oh, wait. I have a route inside statement going on in the ASA.
Hmmm... Should I use a
static (inside,inside) 192.168.2.0 255.255.255.0 172.16.0.0 255.255.252.0
Did you re-apply the same security traffic command you originally had?
same security traffic intra-interface?
ASKER
Nope. I'm using INTER-interface
Quantifiable, here's a good posting showing your exact setup; like I mentioned, you need the same security traffic intra-interface command to get this working correctly:
http://www.tech21century.com/tag/same-security-traffic-permit-intra-interface/
ASKER
Okay, I did like you said, and made sure it was like the article. I also realized that I never pulled out the RIP commands on the 1711, so I did that too.
I was, then, able to ping a workstation on the 192 subnet from the ASA only. I can't access any 192.168.2.0 addresses from the 172 side (with the exception of the ASA).
I decided to save the config on the 1711 and reboot it.
Here are the results of my "show route" commands:
ASA 5505
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
C 172.16.0.0 255.255.252.0 is directly connected, inside
C 1.1.1.2 255.255.255.240 is directly connected, outside
S 192.168.2.0 255.255.255.0 [1/0] via 172.16.3.19, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 12.238.106.33, outside
1711 MAR
Gateway of last resort is 184.43.105.1 to network 0.0.0.0
2.2.2.2/32 is subnetted, 2 subnets
C 2.2.2.2 is directly connected, Dialer1
C 2.2.2.3 is directly connected, Dialer1
172.16.0.0/22 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Vlan1
C 192.168.2.0/24 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 2.2.2.3
I don't have that luxury on the ASA right this moment, but should I do that too?
I assume you mean should you reboot the ASA? Can't see it making a difference, the routing tables look ok (unless I am missing something).
From the 192 LAN, can you ping anything on the 172 network? Did you try?
You have no ACLs at all anywhere in the loop, no?
The fact that you can ping a workstation from the ASA means the routing is working, and obviously the client machines on the 172 network are using the ASA as default GW, yes?
ASKER
Maybe it would be easier to see both configs. In the meantime, I'll head over to the dorm and see if I can ping back this way.
*****Update*****
I went to the dorm and I am unable to ping, nor contact, anything on the 172.16.0.0 network with the exception of the 1711's 172.16.3.19 interface and the ASA's 172.16.3.1 interface.
ASA5505.txt
1711MAR.txt
Ok, what's this line here doing? Can you explain?
access-list 101 extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.255.0
From my reading that's saying
Permit source(172.16.0.0/22) dest(172.16.4.0/24)
But where is dest 172.16.4.0?
Is this a mistake in your ASA config?
This is the ACL that basically bypasses NAT on the ASA, but I think it should read
access-list 101 extended permit ip 172.16.0.0 255.255.252.0 192.168.2.0 255.255.255.0
Can you confirm/check this?
ASKER
That ACL is being applied to my VPN subnet.
ip local pool VPN_DHCP 172.16.4.1-172.16.4.100
nat (inside) 0 access-list 101
...but, I apparently forgot to apply it to my VPN. Oops.
SOLUTION (post hidden: members only)
ASKER
Okay, I did do that, but I need to apply that to my inside interface, right?
And, I want to apologize if I just haven't given enough information. I think this is the second time I caught you off-guard.
Well it should already be applied based on this line...
nat (inside) 0 access-list 101
That line basically means 'don't NAT any IPs within this ACL'.
So it should be working... (of course something else may be breaking, but hard to say)
Also, are you using ASDM to config the ASA? Or are you just using command line?
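As an added example, and not the asker's posted config or the members-only solution, here is the ASA 8.2(5) configuration the visible replies converge on: the static route for the dormitory subnet via the 1711's inside address, the intra-interface permit so a flow can enter and leave the inside interface, and the NAT-exemption ACL 101 carrying both the VPN-pool line the asker already has and the dormitory line smckeown777 proposed. The interface name inside and the use of Vlan1 as the ASA's inside VLAN are assumptions taken from the asker's description (the 5505 lists Vlan1 at 172.16.3.1); everything else is from the thread.

```cisco
! ASA 5505, 8.2(5) syntax -- added example, not the asker's posted config
! Assumed: the inside network lives on Vlan1, named "inside"
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.252.0
!
! Let a flow enter and leave the same interface (hairpin): the 1711's
! 172.16.3.19 sits on the inside segment, not on its own ASA port.
same-security-traffic permit intra-interface
!
! Static route for the dormitory subnet via the 1711's inside address
! (the ASA does not learn it by RIP, as the thread notes).
route inside 192.168.2.0 255.255.255.0 172.16.3.19 1
!
! NAT exemption: the VPN-pool line from the asker's config plus the
! dormitory line smckeown777 proposed. In 8.2, "nat 0 access-list"
! exemption is bidirectional, so dormitory hosts may open sessions too.
access-list 101 extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.255.0
access-list 101 extended permit ip 172.16.0.0 255.255.252.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
!
! 1711 side: per its posted "show route", 172.16.0.0/22 is directly
! connected on Vlan1, so no static route toward the ASA is required there.
```

The route and the NAT exemption answer the asker's earlier question about whether the ASA needs to be told about 192.168.2.0; the KELLY_* access-groups are not needed for this to work, which matches smckeown777's answer that ACLs only restrict.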
ASKER
I'm using the command line because the 8.2(5) IOS doesn't work with the 5.2(4) ASDM image that came installed on the ASA. And, our school is too cheap for a SmartNET contract.
Ah ok, no hassle; if you were using ASDM you could troubleshoot a bit better with the GUI, but no matter...
So applying the above changes hasn't helped still, I assume?
Re-post the config for the ASA just so I can double-check there's nothing else I've missed (after your changes have been added, of course).
Cheers...
ASKER
Here is the new config.
I have been trying to search other places with similar configs. I'm willing to mark your answers as accepted, but I really don't feel good about taking up so much of any one person's time.
If you are growing weary of this, I understand.
ASA5505.txt
No worries, glad to (try) to help!
What license have you on the ASA?
I think the base license is limited to 2 Vlans, plus DMZ Restricted
Basically means the 3rd vlan is only able to access ONE of the other vlans
Now I'm grasping at straws here by saying this, but maybe it's the cause of your issues (even though, based on other posts online I've seen, what you are trying to do should work...)
Run command
sh ver
on the ASA; what does it show for VLANs?
ASKER
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5505 Security Plus license.
Good, that takes care of that; you've got Security Plus, so no issue with VLAN limits...
What port are you connected to on the ASA for the inside network?
Ethernet 0/1?
ASKER CERTIFIED SOLUTION (post hidden: members only)
ASKER
The 172.16.0.0 subnet is plugged in to eth0/1
The outside interface is on eth0/3
And adding the second ACL statement didn't help.
Ok, running out of ideas here... I've asked you to run this command earlier and want to get its latest output if you can.
From a client machine on either site (i.e. either the 172 net or the 192.168 net):
tracert <other net>
E.g. from the 172 network client PC run
tracert 192.168.2.x (x being a client on the far site, not the router interface)
Can you post the output?
ASKER
Now that's just plain weird. I can tracert to the thing, but I can't browse to it. The tracert below is for our Untangle server at the dormitory. I can ping it from my notebook on the 172 side, and the tracert is from the 172 side. I just can't do anything else with it:
Tracing route to 192.168.2.253 over a maximum of 30 hops
1 44 ms 44 ms 43 ms 172.16.3.19
2 44 ms 43 ms 43 ms 192.168.2.253
Trace complete.
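The trace above is the host's view only. As an added example that is not part of the thread, the following ASA 8.2 commands give the firewall's own view of the same flows: ICMP, which the asker can get through, beside TCP, which fails when browsing. The client address 172.16.1.10 is constructed (any host inside 172.16.0.0/22); 192.168.2.253 is the dormitory server the asker traced to; the capture name hairpin and the interface name inside are assumptions.

```cisco
! ASA 8.2 troubleshooting session -- added example, not from the thread.
! Constructed client: 172.16.1.10. Target: 192.168.2.253 (the asker's Untangle box).
!
! 1) Ask the ASA how it would handle each flow, phase by phase
!    (route lookup, ACL, NAT exemption, same-security check). Compare the
!    ICMP echo (type 8, code 0) result with the TCP result to port 80.
packet-tracer input inside icmp 172.16.1.10 8 0 192.168.2.253
packet-tracer input inside tcp 172.16.1.10 40000 192.168.2.253 80
!
! 2) Capture the TCP session on the inside interface in both directions,
!    then open http://192.168.2.253 from the client and read the capture.
capture hairpin interface inside match tcp host 172.16.1.10 host 192.168.2.253
show capture hairpin
!    A SYN leaving toward 172.16.3.19 with no SYN/ACK coming back through the
!    ASA points at the return path bypassing the firewall; a SYN/ACK that does
!    arrive while no connection forms points at ASA policy instead.
!
! 3) Check the connection table and the drop counters the ASA itself keeps.
show conn address 192.168.2.253
show asp drop
show xlate | include 192.168.2
!
! 4) Remove the capture when done.
no capture hairpin
```

Because ping and tracert are stateless from the ASA's point of view while a TCP session is tracked end to end, this pairing separates "routing works" (which the trace already proves) from "the ASA sees both halves of the session", which is what a browse, telnet or ssh attempt depends on.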
Oh, ok - so this means you have connectivity then...good news!! Cause I was totally confused by it not working...
So this is a server running? (Don't know what Untangle is, sorry!)
Have you a regular server sharing files somewhere over on the other side? Or should that server you mention be accessible?
ASKER
Untangle is an open-source web filtering system. We have it set up in transparent bridge mode -- so it doesn't route. In the past configuration, I was able to access it from here using a browser.
On the dormitory side, we have no other type of server. The router is there to provide main campus connectivity to the dorm director and kitchen director. The students use the internet that's hanging off one of the dialer interfaces.
I'll try to contact a couple of machines out there somehow.
Ok, so it obviously has a share which you should be able to access? Is there any other way to access?
Telnet? SSH?
What happens when you try to browse?
ASKER
Couldn't telnet, ssh, or browse. "Web page cannot be displayed" generic message. I can access the web interface from the 192 network.
SOLUTION (post hidden: members only)
ASKER
Thank you for the stellar support. I wish I could assign more points to this solution. Experts-Exchange is well worth the money. Namely because of people like you.
Great...glad it worked out, was a head-scratcher for sure for a while ;)
Cheers...
Enables interfaces on the same security level so that they can communicate with each other.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_routed.html#wp1325183