Solved

Internal Traffic Being Denied on Cisco ASA 5505

Posted on 2008-10-16
948 Views
Last Modified: 2012-08-13
We have an environment that has 2 internet gateways. One is a cable connection going through a SonicWall and the other is a T1 going through a Cisco ASA 5505. The Sonic connection also is doing VPN to other Sonics in 2 other locations. The T1 is simply for internet access and is hosting an ftp server. The ftp ports are being translated to the server by the ASA. The issue is that I am seeing all kinds of traffic on the internal network being blocked by the ASA - for example, 192.168.1.180 tries to communicate with 192.168.1.33 and the connection is being denied by 192.168.1.1, which is the internal interface of the ASA. The majority of the nodes use the Sonic as the default gateway. Please advise - this is somewhat urgent.
Question by:progonosko
8 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22733871
If both source and destination are local 192.168.1.x addresses, you can simply suppress the error messages so they don't fill up your log. It is normal behavior.
You can also disable proxy-arp on the inside interface of the ASA
  sysopt noproxyarp inside


0
 

Author Comment

by:progonosko
ID: 22734563
The source and destination addresses are not the same. Much of the traffic is one node on the internal network going to another node on the internal network - and being denied by the inside interface. I will post a screen shot of the log as well as the running config as soon as I can.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22734707
It is understood that both the source and destination are on the internal network. The ASA is seeing it, but can't do anything with it. Like I said, just suppress the error messages and don't worry about it, and be sure to disable proxyarp inside.

0
 

Author Comment

by:progonosko
ID: 22735318
lrmoore,

Sorry. I re-read your comment and it is evident that you understood what I was saying - no offense intended. I'll let you know how this works. Thank you for your help.
0
 

Author Comment

by:progonosko
ID: 22737144
I applied this command, and sure enough, the traffic is passing now. Interestingly, now the ftp server cannot be reached from outside. Also, please look at the attached config and graphic and let me know if you can see any reason that the NAT isn't working (it was).
The traffic denial (shown in the gif) is to the subnets in the other sites via the vpn.
Your help is very much appreciated. If you want me to open another question for this so I can give you more points, let me know.




:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password  encrypted
passwd  encrypted
names
name 192.168.1.1 InsideIF
!
interface Vlan1
 nameif inside
 security-level 100
 ip address InsideIF 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.38 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside extended permit tcp host 192.168.1.241 host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 inactive
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ssh
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ftp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252 eq www
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host InsideIF
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ssh
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host InsideIF 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 host InsideIF
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.241 ftp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ftp xxx.xxx.xxx.38 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.241 ssh netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ssh xxx.xxx.xxx.38 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:07195dedea7c8005a85cafe19359d09e
: end

asa.gif
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22739873
Start by removing the inside ACL, since you have no denies and the default is to permit everything anyway.

  no access-group inside_access_in in interface inside

Where is 192.168.10.x ? Can I assume it is the VPN on the Sonicwall? If yes, then add a route statement
  route inside 192.168.10.0 255.255.255.0 192.168.1.2  <= IP of Sonicwall

If the noproxyarp breaks the ftp, re-enable it
  no sysopt noproxyarp inside

0
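To see why the route statement matters, here is an added example (not part of the thread or of Cisco's software) that reconstructs the ASA's routing table from the posted config and does a longest-prefix lookup before and after adding lrmoore's suggested `route inside 192.168.10.0 255.255.255.0 192.168.1.2`. The outside addresses are constructed placeholders (203.0.113.x) standing in for the redacted xxx.xxx.xxx octets, and 192.168.1.2 is the SonicWall placeholder from the comment above.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a connected subnet
    metric: int


def parse_route(line: str) -> Route:
    """Parse an ASA 'route <iface> <net> <mask> <gateway> [metric]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA route statement: {line!r}")
    network = ipaddress.IPv4Network((parts[2], parts[3]), strict=False)
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(parts[1], network, ipaddress.IPv4Address(parts[4]), metric)


def connected(iface: str, addr: str, mask: str) -> Route:
    """Connected route derived from an interface 'ip address <addr> <mask>'."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return Route(iface, net, None, 0)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; on equal prefix length the lower metric wins."""
    host = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if host in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(table: List[Route], dst: str) -> str:
    """Interface the ASA would forward a packet for dst out of."""
    route = lookup(table, dst)
    return route.iface if route else "no-route"


# Table as posted: inside /24, outside /30 (placeholder octets), default route.
BEFORE = [
    connected("inside", "192.168.1.1", "255.255.255.0"),
    connected("outside", "203.0.113.38", "255.255.255.252"),
    parse_route("route outside 0.0.0.0 0.0.0.0 203.0.113.37 1"),
]
# Same table with the VPN subnet pointed back at the SonicWall (placeholder gateway).
AFTER = BEFORE + [parse_route("route inside 192.168.10.0 255.255.255.0 192.168.1.2")]
```

With only the default route, packets for 192.168.10.x that reach the ASA's inside interface are sent out `outside`; once the static route exists they are handed back inside to the SonicWall, while 192.168.1.x stays on the connected inside subnet either way.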
 

Author Comment

by:progonosko
ID: 22740136
lrmoore,

Yes, the 192.168.10.0 is the VPN on the Sonic. I will add the route and see. At this point, I'm going to give you the points because you answered my original question and then some. I'm sure this isn't done; I hope you're around this weekend. Thanks again!
0
 

Author Closing Comment

by:progonosko
ID: 31506713
Thank you very much for your help, lrmoore.
0
