Solved

Cisco ASA 5505 - Inside to Inside help

Posted on 2009-04-01
Last Modified: 2012-05-06
Greetings all!

I have a 5505 on 192.168.0.0/24.  I need to access other switches and routers at our remote offices on networks 192.168.1.0/24 and 192.168.20.0/24.  When I try this from my machine, I get:

"Inbound TCP connection denied from 192.168.0.88/63093 to 192.168.1.254/80 flags SYN  on interface inside"

Either this won't work because of the inherent ASA routing security or I need some NAT entries (or something else).  Any advice would be appreciated!   Thank you.

Results of "sh run":

ASA Version 8.0(4)23
!
hostname ciscoasa
domain-name priority.local
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 174.11.212.132 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/currentsoftware/asa804-23-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name priority.local
pager lines 24
logging enable
logging timestamp
logging trap critical
logging asdm informational
logging host inside 192.168.0.160
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/currentsoftware/asdm-61557.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 174.10.217.134 1
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
route inside 192.168.20.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.5.137.134 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:feefdf9142a2a26d7cf45412858d992f
: end

Question by:knoxlogic
4 Comments
LVL 43

Expert Comment

by:JFrederick29
You need to set the 192.168.0.0/24 hosts default gateway to 192.168.0.1 and then make sure the 192.168.0.1 router has a default route via the ASA.

You can enable same interface traffic but you are still going to have an issue with TCP connections.

Author Comment

by:knoxlogic
I'm not sure I can do this, as 192.168.0.1 is set up as our MPLS router, via our LEC.  We/I don't manage that.
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
Okay, do you have a layer 3 switch on the network?

Here's the problem when you attempt to communicate to the remote network with your current setup.

TCP SYN from 192.168.0.10 to 192.168.1.10 goes to ASA then to MPLS router then to client (okay so far)
TCP SYN ACK from 192.168.1.10 goes to MPLS router then to 192.168.0.10 (bypassing ASA).
TCP ACK from 192.168.0.10 to 192.168.1.10 goes to ASA and the ASA denies the connection since it didn't see the SYN ACK.

If you can't use the MPLS router as the gateway for the 192.168.0.0/24 subnet and you don't have a layer 3 switch on the 192.168.0.0/24 subnet, the only other alternative is to add routes to every PC for the remote networks:

route add 192.168.1.0 mask 255.255.255.0 192.168.0.1 -p
route add 192.168.20.0 mask 255.255.255.0 192.168.0.1 -p
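As an added illustration of the asymmetric-path problem JFrederick29 describes (this is not code from the thread or from Cisco): a toy model of the ASA's stateful TCP inspection, fed the same three handshake segments. The state names, the segment flow and the intra_interface flag (standing in for the "same-security-traffic permit intra-interface" command implied by the first comment) are my assumptions; the hosts and the denial message mirror the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    iface: str   # ASA interface the segment arrives on

class AsaModel:
    """Toy stateful inspector (not Cisco code) that tracks the 3-way handshake."""
    def __init__(self, intra_interface: bool):
        self.intra_interface = intra_interface  # 'same-security-traffic permit intra-interface'
        self.conns = {}   # (src, sport, dst, dport) -> handshake state
        self.log = []

    def inspect(self, s: Seg, egress: str) -> bool:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == "SYN":
            if s.iface == egress and not self.intra_interface:
                return self.deny(s)               # hairpin on one interface not permitted
            self.conns[fwd] = "SYN_SEEN"          # embryonic connection created
            return True
        if s.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
            return True
        if s.flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return True
        return self.deny(s)                       # no connection in the expected state

    def deny(self, s: Seg) -> bool:
        self.log.append(f"Inbound TCP connection denied from {s.src}/{s.sport} "
                        f"to {s.dst}/{s.dport} flags {s.flags} on interface {s.iface}")
        return False

def handshake(asa: AsaModel, return_via_asa: bool) -> bool:
    """Client 192.168.0.10 -> 192.168.1.10:80 (hosts from the thread). The ASA only
    inspects segments that cross it; the MPLS router returning the SYN-ACK directly
    to the client is modelled as return_via_asa=False."""
    c, sv = "192.168.0.10", "192.168.1.10"
    if not asa.inspect(Seg(c, 63093, sv, 80, "SYN", "inside"), "inside"):
        return False                              # the SYN itself was refused
    if return_via_asa:
        asa.inspect(Seg(sv, 80, c, 63093, "SYN-ACK", "inside"), "inside")
    return asa.inspect(Seg(c, 63093, sv, 80, "ACK", "inside"), "inside")
```

With the default setting the SYN is refused (the message in the question); with intra-interface traffic permitted the SYN passes but the ACK is refused because the SYN-ACK never crossed the ASA, which is why the thread's fix (host routes or a layer 3 switch) keeps this traffic off the ASA altogether.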

Author Closing Comment

by:knoxlogic
I'll have to get a Layer 3 switch to get this working "correctly", but for now, your route statements did the trick.  Thanks!

FYI... for anyone seeing this issue and running these route commands in Windows Vista with UAC turned on, you'll have to make sure you run "cmd" as an administrator (being logged in as one doesn't work).  To do this:

start -> type "cmd" -> ctrl-shift-enter

That will put you in "admin" mode for command line.