Solved

Internal Traffic Being Denied on Cisco ASA 5505

Posted on 2008-10-16
Last Modified: 2012-08-13
We have an environment that has 2 internet gateways. One is a cable connection going through a SonicWall and the other is a T1 going through a Cisco ASA 5505. The Sonic connection also is doing VPN to other Sonics in 2 other locations. The T1 is simply for internet access and is hosting an ftp server. The ftp ports are being translated to the server by the ASA. The issue is that I am seeing all kinds of traffic on the internal network being blocked by the ASA - for example, 192.168.1.180 tries to communicate with 192.168.1.33 and the connection is being denied by 192.168.1.1, which is the internal interface of the ASA. The majority of the nodes use the Sonic as the default gateway. Please advise - this is somewhat urgent.
Question by:progonosko
8 Comments
 
Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 22733871
If both source and destination are local 192.168.1.x addresses, you can simply suppress the error messages so they don't fill up your log. It is normal behavior.
You can also disable proxy-arp on the inside interface of the ASA
  sysopt noproxyarp inside



Author Comment

by:progonosko
ID: 22734563
The source and destination addresses are not the same. Much of the traffic is one node on the internal network going to another node on the internal network - and being denied by the inside interface. I will post a screen shot of the log as well as the running config as soon as I can.

Expert Comment

by:lrmoore
ID: 22734707
This is understood that both the source and destination are on the internal network. The ASA is seeing it, but can't do anything with it. Like I said, just suppress the error messages and don't worry about it, and be sure to disable proxyarp inside.


Author Comment

by:progonosko
ID: 22735318
lrmoore,

Sorry. I re-read your comment and it is evident that you understood what I was saying - no offense intended. I'll let you know how this works. Thank you for your help.

Author Comment

by:progonosko
ID: 22737144
I applied this command, and sure enough, the traffic is passing now. Interestingly, now the ftp server cannot be reached from outside. Also, please look at the attached config and graphic and let me know if you can see any reason that the NAT isn't working (it was).
The traffic denial (shown in the gif) is to the subnets in the other sites via the vpn.
Your help is very much appreciated. If you want me to open another question for this so I can give you more points, let me know.




:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password  encrypted
passwd  encrypted
names
name 192.168.1.1 InsideIF
!
interface Vlan1
 nameif inside
 security-level 100
 ip address InsideIF 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.38 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside extended permit tcp host 192.168.1.241 host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 inactive
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ftp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.38 eq ssh
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ftp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.36 255.255.255.252 eq www
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host InsideIF
access-list inside_access_in extended permit tcp host xxx.xxx.xxx.38 host 192.168.1.241 eq ssh
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host InsideIF 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 host InsideIF
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.241 ftp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ftp xxx.xxx.xxx.38 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.241 ssh netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.241 ssh xxx.xxx.xxx.38 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:07195dedea7c8005a85cafe19359d09e
: end

asa.gif

Expert Comment

by:lrmoore
ID: 22739873
Start by removing the inside ACL, since you have no denies and the default is to permit everything anyway:

  no access-group inside_access_in in interface inside

Where is 192.168.10.x ? Can I assume it is the VPN on the Sonicwall? If yes, then add a route statement
  route inside 192.168.10.0 255.255.255.0 192.168.1.2  <= IP of Sonicwall

If the noproxyarp breaks the ftp, re-enable it
  no sysopt noproxyarp inside
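
Added triage example (not from this thread or its attached gif), covering both the accepted answer's point that same-subnet denies are expected noise and the later suggestion that denies toward 192.168.10.0 need an inside route to the SonicWall: it classifies ASA %ASA-4-106023 deny lines by where source and destination sit. The sample log lines, the 203.0.113.9 and 192.0.2.38 addresses, and the exact message wording are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample ASA deny messages (assumed format; not the thread's real log).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.180/49152 dst inside:192.168.1.33/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/51000 dst inside:192.168.10.20/3389 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 dst outside:192.0.2.38/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.77/5353 dst inside:224.0.0.251/5353 by access-group "inside_access_in" [0x0, 0x0]
"""

# Matches the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>" core of a 106023 line.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/\d+"
)

INSIDE_NET = ip_network("192.168.1.0/24")   # inside interface subnet from the posted config
VPN_NETS = [ip_network("192.168.10.0/24")]  # remote site reached over the SonicWall VPN


def classify(line):
    """Return a triage label for one 106023 deny line, or None if the line is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    if src in INSIDE_NET and dst in INSIDE_NET:
        # Host-to-host LAN traffic the ASA was never meant to forward: the expected
        # noise the accepted answer says to suppress (or remove with noproxyarp).
        return "intra-lan-noise"
    if src in INSIDE_NET and any(dst in net for net in VPN_NETS):
        # Inside host sent VPN-site traffic to the ASA, which has no inside route
        # for that subnet pointing at the SonicWall; add the route.
        return "needs-route-to-vpn"
    return "investigate"


def triage(log_text):
    """Count deny lines per label so the genuinely unexplained denies stand out."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```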


Author Comment

by:progonosko
ID: 22740136
lrmoore,

Yes, the 192.168.10.0 is the VPN on the Sonic. I will add the route and see. At this point, I'm going to give you the points because you answered my original question and then some. I'm sure this isn't done; I hope you're around this weekend. Thanks again!

Author Closing Comment

by:progonosko
ID: 31506713
Thank you very much for your help, lrmoore.