Solved

Unabled to communicate over Outside interface?

Posted on 2007-11-19
13
1,187 Views
Last Modified: 2008-03-20
This is kind of a tough one to explain, below is the running config of my ASA 5500. I am trying to help out the phone vendor by setting up access rules that will allow a teleworker to connect to the phone system over the net. The phone system is located on the PT2PT vlan with an private IP of 192.168.30.12 . The DMZ/Teleworker interface is the teleworker server and it has a private IP of 192.168.40.2 . The problem we have is related to the phones audio which is only working in one direction. This requires that UDP traffic be allowed between the VLANSwhich I have allowed. The problem appears to be that the telephone server on the PT2PT vlan needs to  be able to reach the DMZ/Teleworker VLAN via its public IP(66.186.39.68). I don't believe this is a problem of the right outside-access-in rules being set up but rather the ASA not allowing public traffic in and out simultaneously . I think that enabling the ability to ping 66.186.39.68 from the host 192.168.30.12 may resolve the problem, if that simplifies the problem for anyone.
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zIt08HFc1ASHTQRr encrypted
names
name 66.186.39.70 TerminalServer
name 66.186.39.68 Teleworker
name 66.186.39.71 DRAC
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.186.39.67 255.255.255.240
!
interface Vlan12
 nameif PT2PT
 security-level 100
 ip address 192.168.30.2 255.255.255.0
!
interface Vlan22
 nameif DMZ/Teleworker
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SRTP udp
 description 10
 port-object range 19000 23010
object-group service RDP tcp
 port-object range 3389 3391
object-group service Teleworker tcp
 port-object range 2114 2114
 port-object range 2116 2116
 port-object range ssh ssh
 port-object range 3300 3300
 port-object range 35000 35000
 port-object range 37000 37000
 port-object range https https
 port-object range 3398 3398
 port-object range 6800 6802
 port-object range 3999 3999
 port-object range 6880 6880
object-group service RTP udp
 port-object range 1024 65535
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit gre any any
access-list PT2PT_access_in extended permit tcp any any
access-list PT2PT_access_in extended permit ip any any
access-list PT2PT_access_in extended permit icmp any any
access-list PT2PT_access_in extended permit udp any any
access-list PT2PT_access_in extended permit tcp interface PT2PT eq https any eq https
access-list PT2PT_access_in extended permit icmp host Teleworker 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any host TerminalServer eq smtp
access-list outside_access_in extended permit tcp any host TerminalServer eq pptp
access-list outside_access_in extended permit tcp any host TerminalServer eq www
access-list outside_access_in extended permit tcp any host TerminalServer eq https
access-list outside_access_in extended permit icmp any host TerminalServer
access-list outside_access_in extended permit tcp any host TerminalServer eq 4125
access-list outside_access_in extended permit tcp any host TerminalServer eq 3389
access-list outside_access_in extended permit tcp any host TerminalServer eq 1433
access-list outside_access_in extended permit udp any host Teleworker object-group SRTP
access-list outside_access_in extended permit tcp any host Teleworker eq 47
access-list outside_access_in extended permit tcp any host Teleworker eq pptp
access-list outside_access_in extended permit tcp any host Teleworker object-group Teleworker
access-list outside_access_in extended permit icmp any host Teleworker
access-list outside_access_in extended permit tcp any host DRAC eq ssh
access-list outside_access_in extended permit tcp any host DRAC eq 5900
access-list outside_access_in extended permit tcp any host DRAC eq 5901
access-list outside_access_in extended permit tcp any host DRAC eq 6668
access-list outside_access_in extended permit tcp any host DRAC eq 3668
access-list outside_access_in extended permit tcp any host DRAC eq 3669
access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list DMZ/Teleworker_access_in extended permit icmp any any
access-list DMZ/Teleworker_access_in extended permit udp any any
access-list DMZ/Teleworker_access_in extended permit ip any any
access-list DMZ/Teleworker_access_in extended permit tcp any any
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu PT2PT 1500
mtu DMZ/Teleworker 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface PT2PT
monitor-interface DMZ/Teleworker
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.186.39.67 netmask 255.255.255.240
global (outside) 2 Teleworker netmask 255.255.255.240
global (outside) 3 66.186.39.69 netmask 255.255.255.240
global (outside) 4 TerminalServer netmask 255.0.0.0
global (outside) 5 DRAC netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 192.168.3.0 255.255.255.0
nat (PT2PT) 0 access-list PT2PT_nat0_outbound
nat (PT2PT) 1 192.168.30.0 255.255.255.0
nat (DMZ/Teleworker) 0 access-list DMZ/Teleworker_nat0_outbound
nat (DMZ/Teleworker) 2 192.168.40.0 255.255.255.0
static (DMZ/Teleworker,outside) Teleworker 192.168.40.2 netmask 255.255.255.255
static (inside,outside) DRAC 192.168.3.120 netmask 255.255.255.255
static (inside,outside) TerminalServer 192.168.3.5 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group PT2PT_access_in in interface PT2PT
access-group DMZ/Teleworker_access_in in interface DMZ/Teleworker
route outside 0.0.0.0 0.0.0.0 66.186.39.65 1
route PT2PT 192.168.2.0 255.255.255.0 192.168.30.1 1
route PT2PT 192.168.10.0 255.255.255.252 192.168.30.1 1
route PT2PT 192.168.20.0 255.255.255.0 192.168.30.1 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 PT2PT
http 192.168.30.0 255.255.255.0 PT2PT
http 192.168.2.0 255.255.255.0 PT2PT
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.2-192.168.3.254 inside
!

!
class-map PPTP
 description PPTP
 match port tcp eq pptp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map PPTP
 class PPTP
  inspect pptp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy PPTP interface outside
prompt hostname context
Cryptochecksum:9d371e31450cfdf7272f7fb605700a9a
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

0
Comment
Question by:menreeq
  • 5
  • 5
  • 2
  • +1
13 Comments
 

Author Comment

by:menreeq
ID: 20316975
Here is the line in the Teleworker instructions for setting up the firewall:

"Particular attention should be paid to the requirement that all UDP ports >= 1024 on the LAN be permitted to reach the public IP of the Teleworker server.
• Failure to configure the firewall properly will result in audio problems (typically one-way audio)."
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20317025
Is there a reason why the server at 192.168.30.12 needs to access the server at 192.168.40.2 via its public address rather than its private address?  Is it performing a DNS lookup and resolving the public address?

The reason I ask is that I don't believe that you can perform "hairpin" flows on traffic that is not IPSEC protected.  I'm not 100% on that since I've never tried that before but I haven't been able to find any examples on non VPN traffic doing this.

Would it be possible to send the traffic from 192.168.30.12 straight to 192.168.40.2?
0
 

Author Comment

by:menreeq
ID: 20317070
That would be ideal, but as far as I know this cannot be done, I will check with the telecom vendor. In the document that I quoted in my second comment it gives a list of supported routers and includes Netgears\ and Linksys's etc..., are the hairpain flows you mentioned not limited with those types of Firewalls?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20317102
I don't think those other firewalls have that restriction.  The Cisco TAC engineers have always justified this restriction by saying that hairpin traffic flows mimic IP address spoofing so the firewall doesn't allow that.  However, they've relaxed that restriction by allowing IPSEC traffic to be hairpinned.  However, I believe that with proper manipulation you could do this with non IPSEC traffic.  That's an interesting question and I think that I'll mock it up in the lab.

Unless someone else beats me to it, I'll let you know what I find out.
0
 

Author Comment

by:menreeq
ID: 20359761
Any luck mocking it up in the lab? I am wondering if I need to start considering placing the teleworker server in front of the ASA with a switch.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20359865
No, not yet...been busy doing holiday stuff...I'll see if I can get to it tonight or tomorrow and let you know...
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Expert Comment

by:secure181
ID: 20881261
hey im having this same problem with mitel teleworker.. any ideas??
0
 

Expert Comment

by:secure181
ID: 20882023
forgot to mention cisco asa 5520 with the same config
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 21172429
Sorry for the delay.  I've confirmed that you cannot do this type of traffic flow.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 21172527
I'm real sorry for the delay in that...I honestly forgot about your question after I got wrapped up in my normal work stuff.  I did mock it up in the lab and confirmed that this traffic flow is not allowed.  I didn't expect the points to be awarded to me either.  If you want to ask for a refund of these points, I would not object at all because of the time delay.

Best regards,
BB
0
 

Author Comment

by:menreeq
ID: 21172546
no worries on the delay, it happens. I kind of figured that it wasn't possible and we found a workaround. Thanks.
0
 

Expert Comment

by:gearbulk
ID: 24138024
I'm looking at the same problem here! What was the workaround you put in place?
0
 

Author Comment

by:menreeq
ID: 24141590
Unfortunately, the phone vendor provided the workaround and I am not sure exactly what they did. Sorry. Bottom line though is that the ASA will not allow this type of traffic flow.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now