menreeq

asked on

Unable to communicate over Outside interface?

This is kind of a tough one to explain; below is the running config of my ASA 5500. I am trying to help out the phone vendor by setting up access rules that will allow a teleworker to connect to the phone system over the net. The phone system is located on the PT2PT VLAN with a private IP of 192.168.30.12. The DMZ/Teleworker interface is the teleworker server, and it has a private IP of 192.168.40.2. The problem we have is related to the phones' audio, which is only working in one direction. This requires that UDP traffic be allowed between the VLANs, which I have allowed. The problem appears to be that the telephone server on the PT2PT VLAN needs to be able to reach the DMZ/Teleworker VLAN via its public IP (66.186.39.68). I don't believe this is a problem of the right outside-access-in rules being set up, but rather the ASA not allowing public traffic in and out simultaneously. I think that enabling the ability to ping 66.186.39.68 from the host 192.168.30.12 may resolve the problem, if that simplifies the problem for anyone.
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zIt08HFc1ASHTQRr encrypted
names
name 66.186.39.70 TerminalServer
name 66.186.39.68 Teleworker
name 66.186.39.71 DRAC
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.186.39.67 255.255.255.240
!
interface Vlan12
 nameif PT2PT
 security-level 100
 ip address 192.168.30.2 255.255.255.0
!
interface Vlan22
 nameif DMZ/Teleworker
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SRTP udp
 description 10
 port-object range 19000 23010
object-group service RDP tcp
 port-object range 3389 3391
object-group service Teleworker tcp
 port-object range 2114 2114
 port-object range 2116 2116
 port-object range ssh ssh
 port-object range 3300 3300
 port-object range 35000 35000
 port-object range 37000 37000
 port-object range https https
 port-object range 3398 3398
 port-object range 6800 6802
 port-object range 3999 3999
 port-object range 6880 6880
object-group service RTP udp
 port-object range 1024 65535
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit gre any any
access-list PT2PT_access_in extended permit tcp any any
access-list PT2PT_access_in extended permit ip any any
access-list PT2PT_access_in extended permit icmp any any
access-list PT2PT_access_in extended permit udp any any
access-list PT2PT_access_in extended permit tcp interface PT2PT eq https any eq https
access-list PT2PT_access_in extended permit icmp host Teleworker 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any host TerminalServer eq smtp
access-list outside_access_in extended permit tcp any host TerminalServer eq pptp
access-list outside_access_in extended permit tcp any host TerminalServer eq www
access-list outside_access_in extended permit tcp any host TerminalServer eq https
access-list outside_access_in extended permit icmp any host TerminalServer
access-list outside_access_in extended permit tcp any host TerminalServer eq 4125
access-list outside_access_in extended permit tcp any host TerminalServer eq 3389
access-list outside_access_in extended permit tcp any host TerminalServer eq 1433
access-list outside_access_in extended permit udp any host Teleworker object-group SRTP
access-list outside_access_in extended permit tcp any host Teleworker eq 47
access-list outside_access_in extended permit tcp any host Teleworker eq pptp
access-list outside_access_in extended permit tcp any host Teleworker object-group Teleworker
access-list outside_access_in extended permit icmp any host Teleworker
access-list outside_access_in extended permit tcp any host DRAC eq ssh
access-list outside_access_in extended permit tcp any host DRAC eq 5900
access-list outside_access_in extended permit tcp any host DRAC eq 5901
access-list outside_access_in extended permit tcp any host DRAC eq 6668
access-list outside_access_in extended permit tcp any host DRAC eq 3668
access-list outside_access_in extended permit tcp any host DRAC eq 3669
access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list DMZ/Teleworker_access_in extended permit icmp any any
access-list DMZ/Teleworker_access_in extended permit udp any any
access-list DMZ/Teleworker_access_in extended permit ip any any
access-list DMZ/Teleworker_access_in extended permit tcp any any
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu PT2PT 1500
mtu DMZ/Teleworker 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface PT2PT
monitor-interface DMZ/Teleworker
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.186.39.67 netmask 255.255.255.240
global (outside) 2 Teleworker netmask 255.255.255.240
global (outside) 3 66.186.39.69 netmask 255.255.255.240
global (outside) 4 TerminalServer netmask 255.0.0.0
global (outside) 5 DRAC netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 192.168.3.0 255.255.255.0
nat (PT2PT) 0 access-list PT2PT_nat0_outbound
nat (PT2PT) 1 192.168.30.0 255.255.255.0
nat (DMZ/Teleworker) 0 access-list DMZ/Teleworker_nat0_outbound
nat (DMZ/Teleworker) 2 192.168.40.0 255.255.255.0
static (DMZ/Teleworker,outside) Teleworker 192.168.40.2 netmask 255.255.255.255
static (inside,outside) DRAC 192.168.3.120 netmask 255.255.255.255
static (inside,outside) TerminalServer 192.168.3.5 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group PT2PT_access_in in interface PT2PT
access-group DMZ/Teleworker_access_in in interface DMZ/Teleworker
route outside 0.0.0.0 0.0.0.0 66.186.39.65 1
route PT2PT 192.168.2.0 255.255.255.0 192.168.30.1 1
route PT2PT 192.168.10.0 255.255.255.252 192.168.30.1 1
route PT2PT 192.168.20.0 255.255.255.0 192.168.30.1 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 PT2PT
http 192.168.30.0 255.255.255.0 PT2PT
http 192.168.2.0 255.255.255.0 PT2PT
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.2-192.168.3.254 inside
!

!
class-map PPTP
 description PPTP
 match port tcp eq pptp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map PPTP
 class PPTP
  inspect pptp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy PPTP interface outside
prompt hostname context
Cryptochecksum:9d371e31450cfdf7272f7fb605700a9a
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
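As an added check that is not part of the original thread: on ASA 7.2 the packet-tracer command walks a synthetic packet through the route, ACL and NAT lookups and reports the phase in which it is dropped, which shows directly whether the PT2PT-to-public-IP flow is the one failing. Interface names and addresses are taken from the config above; UDP port 20000 is a constructed sample inside the SRTP range, and 198.51.100.10 is a constructed sample Internet address.

```text
! Added diagnostic, not from the original post. Run from enable mode on the ASA.
! 1) The flow the vendor doc requires: phone server -> Teleworker public IP.
!    If the hairpin is not permitted, the trace reports a drop in the
!    route or NAT phase instead of an ALLOW result.
packet-tracer input PT2PT udp 192.168.30.12 20000 66.186.39.68 20000 detailed
!
! 2) The same flow to the private address (direct inter-interface path covered
!    by PT2PT_nat0_outbound and same-security-traffic permit inter-interface).
packet-tracer input PT2PT udp 192.168.30.12 20000 192.168.40.2 20000 detailed
!
! 3) The working inbound direction for comparison: Internet -> Teleworker
!    public IP, matched by the outside_access_in SRTP line and the static.
packet-tracer input outside udp 198.51.100.10 20000 66.186.39.68 20000 detailed
!
! After a real call attempt, list the translations and connections that exist
! for the two servers; no entry pairing 192.168.30.12 with 66.186.39.68 means
! the flow never built a connection through the firewall.
show xlate | include 192.168.40.2
show conn | include 192.168.30.12
```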

menreeq (ASKER):
Here is the line in the Teleworker instructions for setting up the firewall:

"Particular attention should be paid to the requirement that all UDP ports >= 1024 on the LAN be permitted to reach the public IP of the Teleworker server.
• Failure to configure the firewall properly will result in audio problems (typically one-way audio)."
Is there a reason why the server at 192.168.30.12 needs to access the server at 192.168.40.2 via its public address rather than its private address?  Is it performing a DNS lookup and resolving the public address?

The reason I ask is that I don't believe that you can perform "hairpin" flows on traffic that is not IPSEC protected.  I'm not 100% on that since I've never tried that before but I haven't been able to find any examples on non VPN traffic doing this.

Would it be possible to send the traffic from 192.168.30.12 straight to 192.168.40.2?
menreeq (ASKER):
That would be ideal, but as far as I know this cannot be done; I will check with the telecom vendor. In the document that I quoted in my second comment it gives a list of supported routers and includes Netgears and Linksys's etc... Are the hairpin flows you mentioned not limited with those types of firewalls?
I don't think those other firewalls have that restriction.  The Cisco TAC engineers have always justified this restriction by saying that hairpin traffic flows mimic IP address spoofing so the firewall doesn't allow that.  However, they've relaxed that restriction by allowing IPSEC traffic to be hairpinned.  However, I believe that with proper manipulation you could do this with non IPSEC traffic.  That's an interesting question and I think that I'll mock it up in the lab.

Unless someone else beats me to it, I'll let you know what I find out.
menreeq (ASKER):
Any luck mocking it up in the lab? I am wondering if I need to start considering placing the teleworker server in front of the ASA with a switch.
No, not yet...been busy doing holiday stuff...I'll see if I can get to it tonight or tomorrow and let you know...
Hey, I'm having this same problem with Mitel Teleworker.. any ideas??
Forgot to mention: Cisco ASA 5520 with the same config.
ASKER CERTIFIED SOLUTION
batry_boy:
I'm real sorry for the delay in that...I honestly forgot about your question after I got wrapped up in my normal work stuff.  I did mock it up in the lab and confirmed that this traffic flow is not allowed.  I didn't expect the points to be awarded to me either.  If you want to ask for a refund of these points, I would not object at all because of the time delay.

Best regards,
BB
menreeq (ASKER):
No worries on the delay, it happens. I kind of figured that it wasn't possible and we found a workaround. Thanks.
I'm looking at the same problem here! What was the workaround you put in place?
menreeq (ASKER):
Unfortunately, the phone vendor provided the workaround and I am not sure exactly what they did. Sorry. Bottom line though is that the ASA will not allow this type of traffic flow.