Solved

Internal Traffic Being Denied on Cisco ASA 5505

Posted on 2008-10-16
943 Views
Last Modified: 2012-08-13
We have an environment that has 2 internet gateways. One is a cable connection going through a SonicWall and the other is a T1 going through a Cisco ASA 5505. The Sonic connection also is doing VPN to other Sonics in 2 other locations. The T1 is simply for internet access and is hosting an ftp server. The ftp ports are being translated to the server by the ASA. The issue is that I am seeing all kinds of traffic on the internal network being blocked by the ASA - for example, 192.168.1.180 tries to communicate with 192.168.1.33 and the connection is being denied by 192.168.1.1, which is the internal interface of the ASA. The majority of the nodes use the Sonic as the default gateway. Please advise - this is somewhat urgent.
Question by:progonosko

Accepted Solution by:lrmoore (earned 500 total points)
If both source and destination are local 192.168.1.x addresses, you can simply suppress the error messages so they don't fill up your log. It is normal behavior.
You can also disable proxy-arp on the inside interface of the ASA
  sysopt noproxyarp inside
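To see which of the logged denies the accepted answer is talking about, the following added Python example (not code from the thread or from Cisco) parses %ASA-4-106023 "Deny ... by access-group" syslog lines and sorts them into denies where both ends are on the 192.168.1.0/24 LAN (the ASA merely overhears those and is not in the forwarding path, so they are the noise worth suppressing), denies from a LAN host toward another private subnet (the VPN sites mentioned later in the thread, a routing matter), and everything else, which crosses a security boundary and deserves a look. The message format is Cisco's; the sample log lines, their hosts and ports, and the category names are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-4-106023 "Deny ... by access-group"
# format. The hosts are made up to match the question's 192.168.1.0/24 LAN, the
# FTP server 192.168.1.241 and the remote VPN subnet mentioned later in the thread.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.180/3456 dst inside:192.168.1.33/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/137 dst inside:192.168.1.255/137 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 dst inside:192.168.1.241/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.180/3457 dst outside:192.168.10.20/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/40001 (203.0.113.9/40001) to inside:192.168.1.241/21 (xxx.xxx.xxx.38/21)
"""

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/\d+ "
    r'by access-group "(?P<acl>[^"]+)"'
)

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # the LAN behind the ASA's inside interface


def classify(line, inside_net=INSIDE_NET):
    """Return (category, fields) for a 106023 deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    src = ipaddress.ip_address(d["src"])
    dst = ipaddress.ip_address(d["dst"])
    if src in inside_net and dst in inside_net:
        # Both ends sit on the LAN; the ASA only overhears the packet and is not
        # in the forwarding path, so the deny changes nothing: log noise.
        category = "lan-hairpin"
    elif src in inside_net and dst.is_private:
        # A LAN host aiming at another private subnet (the VPN sites in the
        # thread); this is a routing question, not a policy one.
        category = "lan-to-remote"
    else:
        # Everything else crosses a security boundary and deserves a look.
        category = "external"
    return category, d


def triage(log_text, inside_net=INSIDE_NET):
    """Count denies per category and keep one sample flow per category."""
    counts = Counter()
    samples = {}
    for line in log_text.splitlines():
        result = classify(line, inside_net)
        if result is None:
            continue
        category, d = result
        counts[category] += 1
        samples.setdefault(category, f"{d['src']} -> {d['dst']} {d['proto']} via acl {d['acl']}")
    return counts, samples


if __name__ == "__main__":
    counts, samples = triage(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{category:14s} {n:3d}  e.g. {samples[category]}")
```

Run against a real syslog export, the "lan-hairpin" count tells you how much of the log is the harmless noise described above, while anything in "external" is the part that should stay visible after suppression.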
Author Comment by:progonosko
The source and destination addresses are not the same. Much of the traffic is one node on the internal network going to another node on the internal network - and being denied by the inside interface. I will post a screen shot of the log as well as the running config as soon as I can.

Expert Comment by:lrmoore
It is understood that both the source and destination are on the internal network. The ASA is seeing it, but can't do anything with it. Like I said, just suppress the error messages and don't worry about it, and be sure to disable proxyarp inside.

Author Comment by:progonosko
lrmoore,

Sorry. I re-read your comment and it is evident that you understood what I was saying - no offense intended. I'll let you know how this works. Thank you for your help.

Author Comment by:progonosko
I applied this command, and sure enough, the traffic is passing now. Interestingly, now the ftp server cannot be reached from outside. Also, please look at the attached config and graphic and let me know if you can see any reason that the NAT isn't working (it was).
The traffic denial (shown in the gif) is to the subnets in the other sites via the vpn.
Your help is very much appreciated. If you want me to open another question for this so I can give you more points, let me know.
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password  encrypted
passwd  encrypted
names
name 192.168.1.1 InsideIF
!
interface Vlan1
 nameif inside
 security-level 100
 ip address InsideIF 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.38 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside extended permit tcp host 192.168.1.241 host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 inactive
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ssh
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ftp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252 eq www
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host InsideIF
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ssh
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host InsideIF 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 host InsideIF
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.241 ftp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ftp xxx.xxx.xxx.38 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.241 ssh netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ssh xxx.xxx.xxx.38 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:07195dedea7c8005a85cafe19359d09e
: end

Attachment: asa.gif

Expert Comment by:lrmoore
Start by removing the inside acl, since you have no denies and the default is to permit everything anyway:

  no access-group inside_access_in in interface inside

Where is 192.168.10.x? Can I assume it is the VPN on the Sonicwall? If yes, then add a route statement:
  route inside 192.168.10.0 255.255.255.0 192.168.1.2  <= IP of Sonicwall

If the noproxyarp breaks the ftp, re-enable it
  no sysopt noproxyarp inside
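As an added example (not code from the thread or from Cisco), the following Python script parses the handful of statement types that the reply above turns on, from an excerpt of the configuration posted earlier, and reports the same three points: a permit-only ACL bound on the highest-security interface, a remote subnet with no specific route, and noproxyarp set on an interface that static translations are mapped to. The excerpt is copied from the posted config with the author's xxx.xxx.xxx.* placeholders left as they are; the `remote_subnets` parameter (subnet to ASA-interface mapping) and the `<gateway-on-inside>` placeholder in the suggested route are this example's own conventions, and the Sonicwall's address is not known here.

```python
import ipaddress

# Excerpt of the configuration posted above (lines copied unchanged; the
# author's xxx.xxx.xxx.* placeholders are kept as they appear on the page).
CONFIG = """\
name 192.168.1.1 InsideIF
interface Vlan1
 nameif inside
 security-level 100
 ip address InsideIF 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.38 255.255.255.252
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ftp
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface ftp 192.168.1.241 ftp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ftp xxx.xxx.xxx.38 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.37 1
sysopt noproxyarp inside
"""


def parse_config(text):
    """Pull out the statement types the thread's advice depends on."""
    cfg = {"security": {}, "acl": {}, "acl_bind": {}, "routes": [],
           "noproxyarp": set(), "static_mapped": set()}
    current_ifc = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "nameif":                      # inside an interface block
            current_ifc = parts[1]
        elif kw == "security-level" and current_ifc:
            cfg["security"][current_ifc] = int(parts[1])
        elif kw == "access-list" and parts[2] == "extended":
            cfg["acl"].setdefault(parts[1], []).append(parts[3])   # permit / deny
        elif kw == "access-group":              # access-group NAME in interface IFC
            cfg["acl_bind"][parts[4]] = parts[1]
        elif kw == "route":                     # route IFC NET MASK GATEWAY [metric]
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            cfg["routes"].append((parts[1], net))
        elif kw == "sysopt" and parts[1] == "noproxyarp":
            cfg["noproxyarp"].add(parts[2])
        elif kw == "static":                    # static (REAL_IFC,MAPPED_IFC) ...
            cfg["static_mapped"].add(parts[1].strip("()").split(",")[1])
    return cfg


def review(cfg, remote_subnets):
    """Findings mirroring the three points in the thread. remote_subnets maps a
    subnet reached through another gateway to the ASA interface it sits behind."""
    findings = []
    top = max(cfg["security"].values(), default=0)
    for ifc, acl in cfg["acl_bind"].items():
        actions = cfg["acl"].get(acl, [])
        if actions and "deny" not in actions and cfg["security"].get(ifc) == top:
            findings.append(
                f"{acl} on {ifc} (security-level {top}) has no deny entries, and traffic "
                f"from the highest-security interface is permitted by default, so it can go: "
                f"no access-group {acl} in interface {ifc}")
    specific = [net for _, net in cfg["routes"] if net.prefixlen > 0]
    default_ifc = next((ifc for ifc, net in cfg["routes"] if net.prefixlen == 0), None)
    for subnet, ifc in remote_subnets.items():
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(route) for route in specific):
            findings.append(
                f"no route for {net}: it falls to the default route on {default_ifc}; "
                f"add: route {ifc} {net.network_address} {net.netmask} <gateway-on-{ifc}>")
    for ifc in cfg["noproxyarp"]:
        if ifc in cfg["static_mapped"]:
            findings.append(
                f"sysopt noproxyarp {ifc} is set while static translations are mapped on {ifc}; "
                f"if the translated service stops answering, re-enable: no sysopt noproxyarp {ifc}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_config(CONFIG), {"192.168.10.0/24": "inside"}):
        print("-", finding)
```

The ACL check deliberately looks at the interface's security level: a permit-only ACL on the outside interface (security-level 0) is what keeps inbound traffic limited to the FTP and SSH translations and is not flagged, while the same shape of ACL on the inside interface restricts nothing that the default policy would not already allow.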
Author Comment by:progonosko
lrmoore,

Yes, the 192.168.10.0 is the VPN on the Sonic. I will add the route and see. At this point, I'm going to give you the points because you answered my original question and then some. I'm sure this isn't done; I hope you're around this weekend. Thanks again!

Author Closing Comment by:progonosko
Thank you very much for your help, lrmoore.