Background:
We are a small company. I am the only SA and have been researching and teaching myself about this ASA5505. We currently have about 20 servers and a good number of virtual servers. Our internet connection comes directly into the ASA, and the ASA is connected to a couple of unmanaged Netgear 24-port switches. The ASA handles everything: DHCP, VPN and routing. The servers we host are web servers, so pretty much everything is blocked unless you are on the VPN, except ports 80 and 443. I have NAT set up for some of the servers, and everything has been fine.
On to the question:
Recently I have been working on adding some networks for growth planning and organization. I have been setting up a test network on 10.0.5.0/24. This network, like all the rest that I will be setting up in the future, needs to be able to talk to the internet as well as to all the other networks; specifically, in this case it needs to talk to 10.0.0.0/24. I have been reading a lot online and have been able to get the basic configuration set up, but no matter what I do I am unable to get the networks to talk to each other, nor am I able to get 10.0.5.0/24 to talk to the internet (at one point, before I started with trunking, they were at least able to talk to the internet). I have been getting different errors, mostly about portmap address translation, which I was able to fix, then NAT translation group errors, which I was also able to fix. But after trying all sorts of different NAT configs, I just end up getting SYN timeout errors whenever I try to SSH or Remote Desktop into my test machines. The same goes for when I try to SSH or RDP into any machine on the main network from the 10.0.5.0/24 network. The two 10.0.5.0/24 machines are able to talk to each other fine. Right now I have no need for added security on the internal network; I want all VPN/wireless clients to be able to talk to all networks. As we grow there might be a need to restrict access to certain interfaces, but that can be done through ACLs pretty easily. Any help or advice you can give would be great. I have posted my current config below. I also have the most updated versions of ASDM and ASA IOS.
Thanks.
: Saved
:
ASA Version 8.2(1)
!
hostname *
domain-name *
enable password *
passwd *
names
name #.#.#.#5 CHICAGO403
name #.#.#.#6 CHICAGO404
name #.#.#.#8 CHICAGO395
name #.#.#.31 CHICAGO168
name 10.0.5.0 server-network
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif T1
security-level 99
ip address #.#.#.206 255.255.255.240
ospf cost 10
!
interface Vlan3
nameif server
security-level 100
ip address 10.0.5.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup T1
dns domain-lookup server
dns server-group DefaultDNS
name-server 10.0.0.104
domain-name cisco.intranet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Zabbix tcp
description Monitoring
port-object eq 10050
port-object eq 10051
object-group service Web
service-object tcp eq www
service-object tcp eq https
service-object udp eq www
object-group service DNS
service-object tcp eq domain
service-object udp eq domain
access-list levelfivevpn_splitTunnelAcl standard permit any
access-list T1_access_in extended permit ip any any inactive
access-list T1_access_in extended permit ip host CHICAGO403 any
access-list T1_access_in extended permit ip host CHICAGO404 any
access-list T1_access_in extended permit ip host CHICAGO168 any
access-list T1_access_in extended permit ip host CHICAGO395 any
access-list T1_access_in extended permit object-group Web any host #.#.#.194
access-list T1_access_in extended permit object-group Web any host #.#.#.196
access-list T1_access_in extended permit object-group Web any host #.#.#.197
access-list T1_access_in extended permit tcp any host #.#.#.197 eq smtp
access-list T1_access_in extended permit object-group Web any host #.#.#.201
access-list T1_access_in extended permit object-group Web any host #.#.#.202
access-list T1_access_in extended permit object-group Web any host #.#.#.203
access-list T1_access_in extended permit object-group Web any host #.#.#.204
access-list T1_access_in extended permit object-group DNS any host #.#.#.204
access-list T1_access_in extended permit tcp any host #.#.#.204 eq ssh
access-list T1_access_in extended permit object-group Web any host #.#.#.205
access-list T1_access_in extended permit icmp any any traceroute inactive
access-list T1_access_in extended permit tcp any host #.#.#.195 eq 3389 inactive
access-list T1_access_in extended permit ip any host #.#.#.198
access-list T1_access_in extended permit ip server-network 255.255.255.0 any
access-list T1_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list level5test_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list T1_nat_outbound extended permit ip vpn-network 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip vpn-network 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any vpn-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip any server-network 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list T1_nat_outbound_1 extended permit ip vpn-network 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list servers_access_in extended permit ip any any
access-list server_access_in extended permit ip any any
access-list server_access_in_1 extended permit icmp any any echo-reply
access-list server_access_in_1 extended permit icmp any any unreachable
access-list server_access_in_1 extended permit icmp any any time-exceeded
access-list server_access_in_1 extended permit icmp any server-network 255.255.255.0
access-list server_access_in_1 extended permit ip any any
access-list server_nat0_outbound extended permit ip server-network 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging from-address l*
logging recipient-address * level errors
mtu inside 1500
mtu T1 1500
mtu server 1500
ip local pool *pool2 10.0.1.2-10.0.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any T1
icmp permit any server
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (inside) 1 interface
global (T1) 1 interface
global (server) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (T1) 1 access-list T1_nat_outbound_1 dns
nat (T1) 1 access-list T1_nat_outbound dns outside
nat (server) 0 access-list server_nat0_outbound
nat (server) 1 0.0.0.0 0.0.0.0 dns
static (inside,T1) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns
static (inside,T1) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns
static (inside,inside) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group T1_access_in in interface T1
access-group server_access_in_1 in interface server
route T1 0.0.0.0 0.0.0.0 #.#.#.193 1
route inside vpn-network 255.255.255.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LEVEL5LDAP protocol ldap
reactivation-mode depletion deadtime 60
max-failed-attempts 5
aaa-server * (inside) host *
ldap-base-dn *
ldap-scope subtree
ldap-naming-attribute uid
server-type openldap
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.0.0.254 community public udp-port 161
snmp-server location*
snmp-server contact *
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df T1
crypto dynamic-map T1_dyn_map 20 set pfs group1
crypto dynamic-map T1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 20 set reverse-route
crypto dynamic-map T1_dyn_map 40 set pfs group1
crypto dynamic-map T1_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 40 set reverse-route
crypto dynamic-map T1_dyn_map 60 set pfs group1
crypto dynamic-map T1_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 60 set reverse-route
crypto map T1_map 65535 ipsec-isakmp dynamic T1_dyn_map
crypto map T1_map interface T1
crypto isakmp enable inside
crypto isakmp enable T1
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 1440
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 1
console timeout 0
management-access inside
dhcpd address 10.0.0.5-10.0.0.99 inside
dhcpd dns 10.0.0.104 interface inside
dhcpd wins 10.0.0.125 interface inside
dhcpd domain level5 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.0.0.104 source inside prefer
webvpn
enable T1
svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy levelfivevpn internal
group-policy levelfivevpn attributes
banner value Welcome to the Level Five Solutions network. The Level Five Solutions network and VPN are for business related use only, all activity while connected to this network is monitored and logged.
banner value If there are any questions or problems please email admin@levelfivesolutions.com for assitance, and for emergencies call 913-220-7883.
wins-server value 10.0.0.125
dns-server value 10.0.0.104
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value levelfivevpn_splitTunnelAcl
group-policy level5any internal
group-policy level5any attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
svc ask enable
username administrator password moFTh3LGLZlp9/q. encrypted privilege 15
username jlear password 1klDEtXNysS7TUa0 encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool level5pool2
authentication-server-group LEVEL5LDAP
tunnel-group levelfivevpn type remote-access
tunnel-group levelfivevpn general-attributes
address-pool level5pool2
authentication-server-group LEVEL5LDAP
default-group-policy levelfivevpn
tunnel-group levelfivevpn ipsec-attributes
pre-shared-key *
tunnel-group level5any type remote-access
tunnel-group level5any general-attributes
address-pool level5pool2
authentication-server-group LEVEL5LDAP
default-group-policy level5any
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
smtp-server *
mount Share type cifs
server *
share *
domain *
username *
password ********
status enable
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no compression svc http-comp
: end
asdm image disk0:/asdm-621.bin
asdm history enable
by: jodylemoine, posted on 2009-09-20 at 10:26:04, ID: 25377984
The unmanaged switches are most probably the root of the problem here. When any network device uses VLAN trunking on an interface, it does so by transmitting frames destined for the native VLAN unmodified, and by transmitting frames for non-native VLANs with a tag to indicate which VLAN each belongs to. When receiving, it accepts untagged frames as belonging to the native VLAN and tagged frames as belonging to the VLAN that the frame is tagged with. This functionality assumes that the device at the other end of the physical connection (the switch, in this case) is intelligent enough to participate in this tagging. Because those Netgear switches are unmanaged, the frames from your 10.10.5.0/24 network are probably coming in untagged and are being treated as belonging to VLAN1 on the ASA, blocking your communications to/from the ASA and the Internet. The two computers will still be able to communicate with each other easily because they are on the same Ethernet network with the same IP range and don't have any trunking/tagging to worry about. Upgrading to a managed switch will permit you to define separate VLANs and tagging so that the trunking with the ASA will function properly.
Jody
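The trunk-port receive rules Jody describes, modelled as a small Python script. This is an added example, not code from the original post or from Cisco: it builds raw Ethernet frames with and without an 802.1Q tag, applies the same rules the ASA's Ethernet0/1 trunk uses (native VLAN 1, allowed VLANs 1 and 3, as in the posted config), and then replays the poster's scenario. The host addresses 10.0.5.10 and 10.0.0.104, the MAC addresses and the payloads are constructed sample data, and the assumption that a host with no 802.1Q sub-interface drops tagged frames is stated in the code.

```python
"""Model of 802.1Q trunk handling on the ASA5505's Ethernet0/1 (added example).

Trunk receive rules (IEEE 802.1Q):
  * untagged frame  -> belongs to the native VLAN
  * tagged frame    -> belongs to the VLAN in the tag
  * VLAN not in the trunk's allowed list -> dropped
Trunk transmit rules:
  * native VLAN     -> sent untagged
  * any other VLAN  -> sent with an 802.1Q tag
"""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Values taken from the posted config: native VLAN 1, allowed VLANs 1,3.
TRUNK_NATIVE_VLAN = 1
TRUNK_ALLOWED_VLANS = {1, 3}
# VLAN interface -> subnet, from the posted "interface Vlan1" / "interface Vlan3".
ASA_VLAN_SUBNETS = {1: ipaddress.ip_network("10.0.0.0/24"),
                    3: ipaddress.ip_network("10.0.5.0/24")}


def build_frame(dst_mac, src_mac, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Return a raw Ethernet frame; when vlan is given, insert a 4-byte 802.1Q tag (PCP=0, DEI=0)."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst_mac + src_mac
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id must be 1..4094")
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)   # TPID + TCI
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_or_None, ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18          # low 12 bits of the TCI are the VID
    return dst, src, vlan, etype, frame[offset:]


def trunk_receive(frame, native_vlan=TRUNK_NATIVE_VLAN, allowed=TRUNK_ALLOWED_VLANS):
    """Classify an inbound frame on a trunk port. Returns the VLAN id, or None if dropped."""
    _, _, vlan, _, _ = parse_frame(frame)
    vid = native_vlan if vlan is None else vlan
    return vid if vid in allowed else None


def trunk_transmit(dst_mac, src_mac, payload, vlan, native_vlan=TRUNK_NATIVE_VLAN):
    """Build the frame a trunk port sends for a given VLAN: untagged for native, tagged otherwise."""
    return build_frame(dst_mac, src_mac, payload, vlan=None if vlan == native_vlan else vlan)


def host_without_vlan_support_receives(frame):
    """Assumption for this model: a host with no 802.1Q sub-interface discards tagged frames."""
    _, _, vlan, _, _ = parse_frame(frame)
    return vlan is None


def source_matches_vlan_subnet(src_ip, vid):
    """Does the packet's source address belong to the subnet of the ASA VLAN it arrived on?"""
    return ipaddress.ip_address(src_ip) in ASA_VLAN_SUBNETS[vid]


def simulate_poster_scenario():
    """Replay the failure mode through an unmanaged (tag-unaware) switch. Sample data is constructed."""
    asa_mac = bytes.fromhex("001122334455")
    host_mac = bytes.fromhex("66778899aabb")
    # 1. A 10.0.5.0/24 host sends an untagged frame (the unmanaged switch never adds a tag).
    upstream = build_frame(asa_mac, host_mac, b"SYN from 10.0.5.10")
    vid_seen_by_asa = trunk_receive(upstream)
    landed_on_right_subnet = source_matches_vlan_subnet("10.0.5.10", vid_seen_by_asa)
    # 2. Even if the ASA replied on the server interface (VLAN 3), the trunk tags that frame,
    #    and the unmanaged switch forwards the tag unchanged to a host that cannot read it.
    reply = trunk_transmit(host_mac, asa_mac, b"SYN/ACK to 10.0.5.10", vlan=3)
    host_got_reply = host_without_vlan_support_receives(reply)
    # 3. With a managed switch the access port strips the tag before delivering to the host.
    stripped = build_frame(host_mac, asa_mac, parse_frame(reply)[4])
    host_got_reply_via_managed_switch = host_without_vlan_support_receives(stripped)
    return {"vlan_seen_by_asa": vid_seen_by_asa,
            "source_in_that_vlans_subnet": landed_on_right_subnet,
            "reply_is_tagged": parse_frame(reply)[2],
            "host_gets_reply_via_unmanaged_switch": host_got_reply,
            "host_gets_reply_via_managed_switch": host_got_reply_via_managed_switch}


if __name__ == "__main__":
    for key, value in simulate_poster_scenario().items():
        print(f"{key}: {value}")
```

The simulation shows both halves of the problem: the untagged frame from 10.0.5.10 is classified into VLAN 1 (the inside interface, 10.0.0.0/24), so the ASA never sees it on the server interface, and any reply the ASA does send for VLAN 3 leaves the trunk tagged and is discarded by a host that is not VLAN-aware. A quick real-world check is to capture on a 10.0.5.0/24 host while it sends traffic and look for frames with EtherType 0x8100 arriving from the ASA; on a managed switch with the port configured as an access port in VLAN 3, you should see none.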