Solved

I can ping, but nothing else -  through Cisco ASA 5510 w/ multiple subnets and routers

Posted on 2009-07-01
9
2,107 Views
Last Modified: 2012-05-07
I have two inside subnets separated by two routers (with a 3rd subnet between them).  The internet access is on the first subnet.  It is layed out as follows:

(Internet)-<ASA5510>-(10.8.16.0/20)-<Linksys1>-(192.168.1.0/24)-<Linksys2>-(10.8.32.0/20)
ASA5510=10.8.31.254
Linksys1=10.8.16.1 & 192.168.1.1
Linksys2=10.8.32.1 & 192.168.1.2

What needs to exist:
-all traffic outbound for the internet to be NATed
-all traffice between 10.8.16.0/20 and 10.8.32.0/20 to flow freely w/o NAT

Due to physical issue, the Linksys routers must remain to prevent unneccessarry traffic over a limited bandwidth connection.  Also the layout must remain the same due to some other traffic filtering unrelated to this issue.

THE PROBLEM IM HAVING:
With the current setup, sitting at my workstation (10.8.31.253) I can ping a host on the other internal subnet (10.8.32.8)... I can not access it via any other means (remote desktop, http, etc)
From everything that I know, the setup looks right... but obviously it isn't working properly. I would guess there is some little key I'm missing.  Long story short, I believe the problem to be in the setup of our new router (ASA5510) since this problem did not exist with our previous router (MS ISA box).

Any and all help is greatly appreciated!!

The setup of the ASA and a diagram of the network is attached.

Result of the command: "show running-config"
 
: Saved
:
ASA Version 8.2(1) 
!
hostname firewall
domain-name plsd.k12.pa.us
enable password LZFPaSEVxrHmksHD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.8.30.203 PolycomHS
name 10.8.19.202 pc949
name 10.8.16.4 EXGNET description Exchange Server
name 10.8.16.5 PBook
name 10.8.16.250 PLSWEB
name 10.8.31.240 PSU-DATA
name 10.8.30.204 PolycomSE
name 10.8.16.36 BusinessServer
name 10.8.20.44 FoodServiceDirector
name 10.8.16.38 LibraryServer
name 10.8.16.6 Parents
dns-guard
!
interface Ethernet0/0
 description Internet
 nameif OUTSIDE
 security-level 0
 ip address 63.XXX.XXX.1 255.255.255.0 
!
interface Ethernet0/1
 description Inside subnet (filtered)
 nameif INSIDE-1
 security-level 100
 ip address 10.8.31.254 255.255.240.0 
!
interface Ethernet0/2
 description Inside subnet (unfiltered)
 nameif INSIDE-2
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
interface Ethernet0/3
 description unused
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
banner login GO AWAY!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name XXX.XXX.pa.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PolycomPorts
 service-object tcp range 1700 h323 
 service-object tcp range 3230 3235 
 service-object udp range 3230 3253 
 service-object udp eq ntp 
object-group network PSUdigitalEDU
 network-object host 146.186.143.6
 network-object host 146.186.183.135
 network-object host 198.147.175.131
 network-object host 72.32.11.171
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network ProSoft
 network-object host 12.5.8.32
 network-object host 12.5.8.33
 network-object host 12.5.8.34
 network-object host 12.5.8.35
 network-object host 12.5.8.36
 network-object host 12.5.8.37
 network-object host 12.5.8.38
 network-object host 12.5.8.39
 network-object host 12.5.8.40
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq pcanywhere-data 
 service-object udp eq pcanywhere-status 
 service-object tcp eq 3393 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq www
object-group network Destiny
 network-object host 12.107.106.100
 network-object host 12.172.137.2
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq 3389
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.13 object-group DM_INLINE_TCP_1 
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.12 eq www 
access-list OUTSIDE_access_in extended permit tcp object-group PSUdigitalEDU host 63.XXX.XXX.11 object-group DM_INLINE_TCP_2 
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.10 object-group DM_INLINE_TCP_0 
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.7 
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.5 
access-list OUTSIDE_access_in extended permit tcp any host PLSWEB eq 3390 
access-list OUTSIDE_access_in extended permit tcp any host FoodServiceDirector eq 3389 
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group ProSoft host BusinessServer 
access-list OUTSIDE_access_in extended permit tcp any host LibraryServer eq 3394 
access-list OUTSIDE_access_in extended permit ip 10.8.16.0 255.255.240.0 any inactive 
access-list OUTSIDE_access_in extended permit ip 10.8.32.0 255.255.240.0 any inactive 
access-list NELINK2_nat0_outbound extended permit ip any any 
access-list INSIDE-1_access_in remark allows HS to NE
access-list INSIDE-1_access_in extended permit ip 10.8.16.0 255.255.240.0 any 
access-list INSIDE-1_access_in remark allows NE to HS
access-list INSIDE-1_access_in extended permit ip 10.8.32.0 255.255.240.0 any 
access-list NELINK2_access_in extended permit ip any any 
access-list NELINK_nat0_outbound extended permit ip any any 
access-list NELINK_access_in extended permit ip any any 
access-list NELINK_nat0_outbound_1 extended permit ip any any 
access-list NELINK_access_in_1 extended permit ip any any 
access-list INSIDE-1_nat0_outbound remark allows NE to HS
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.32.0 255.255.240.0 10.8.16.0 255.255.240.0 
access-list INSIDE-1_nat0_outbound remark allows HS to NE
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.16.0 255.255.240.0 10.8.32.0 255.255.240.0 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE-1 1500
mtu INSIDE-2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE-1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
nat (INSIDE-1) 0 access-list INSIDE-1_nat0_outbound
nat (INSIDE-1) 10 0.0.0.0 0.0.0.0
nat (INSIDE-2) 10 0.0.0.0 0.0.0.0
static (INSIDE-1,OUTSIDE) tcp interface 3390 PLSWEB 3389 netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) tcp interface 3389 FoodServiceDirector 3389 netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) tcp interface 3394 LibraryServer 3389 netmask 255.255.255.255  norandomseq
static (INSIDE-1,OUTSIDE) tcp interface 3393 BusinessServer 3389 netmask 255.255.255.255  norandomseq
static (INSIDE-1,OUTSIDE) tcp interface pcanywhere-data BusinessServer pcanywhere-data netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) udp interface pcanywhere-status BusinessServer pcanywhere-status netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.5 PolycomHS netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.7 PolycomSE netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.10 EXGNET netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.11 PSU-DATA netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.12 Parents netmask 255.255.255.255 
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.13 PBook netmask 255.255.255.255 
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE-1_access_in in interface INSIDE-1
route OUTSIDE 0.0.0.0 0.0.0.0 63.XXX.XXX.254 1
route INSIDE-1 10.8.32.0 255.255.240.0 10.8.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.68.116.146 255.255.255.255 OUTSIDE
http 10.8.16.0 255.255.240.0 INSIDE-1
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 3 ip 172.16.0.1
dhcpd option 6 ip 216.220.93.193 216.220.91.200
!
dhcpd address 172.16.0.101-172.16.0.150 INSIDE-2
dhcpd dns 216.220.80.200 216.220.61.200 interface INSIDE-2
dhcpd enable INSIDE-2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a343e5b1df794a33fce4be7d56281339
: end

Open in new window

NETWORK.pdf
0
Comment
Question by:shinglec
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 24760116
Hello, Shinglec
Certain things come to mind when you state you can ping 10.8.32.0 network, but not access services running on tcp such as rdp, http
Your access-lists look correct to these subnets.

you might have some conflicting access-lists. By default, ASA allows all traffic inbound to outbound unless restricted by access-lists. I would temporarily try removing your outbound traffic lists and see if that helps. I have seen outbound access-lists cause these types of issues. If still not successful, you can then try to access these services on hosts between the routers, to rule out any access lists in the routers which might be blocking these services.

A sh access-list command will show if the hitcounts on the access-lists increasing by one, showing that traffic is being processed by that list to help troubleshooting.

You  can also do packet traces inside the asa also to aid in troubleshooting.

If you are using static routes, make sure all the routers and the asa have all the correct routing information. When I am testing connectivity in a network such as yours with many subnets behind an asa, I will often use a routing protocol such as ospf which will advertise all subnets. If you can then reach all the networks with ospf, you can then remove it and re-examine your static routes.

I am not a big fan of routing protocols on firewalls,as these can sometimes affect bandwith with the helo advertisements. Static routes are the best with firewalls since they have the lowest metric and consume not bandwidth

0
 
LVL 15

Expert Comment

by:bignewf
ID: 24760124
sorry, correction on above: I stated ---
By default, ASA allows all traffic inbound to outbound unless restricted by access-lists.

ASA by default allows all traffic outbound to inbound, so access-lists inbound to outbound can cause the issues you are having

my apologies
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24760143
sorry again, (no sleep last few days)
check your access lists inside>outside
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:shinglec
ID: 24767404
Just a few more things to point out....  from a workstation on subnet 10.8.16.0/20 can fully access a host on 10.8.32.0/20 (rdp, http, etc) if that workstation has a static route set on it to point specifically to the 10.8.32.0/20 subnet via 10.8.16.1 (linksys1).  Without that static route set, the default gateway is used (the ASA).  This too work, but with pings ONLY (no rdp, http, etc).  
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24772610
In your 10.8.16.1 and 10.8.32.1 routers make sure they have static routes to the inside interface of the asa - check the routing tables after adding these routes and that should solve it. If not, try using ospf on the asa just for testing as I mentioned earlier, which will work by advertising all routes to your subnets.
The fact that after a static route on the workstaion is added to 10.8.32.0 means it is a routing issue - the 10.8.16.1 router needs information how to send packets to the asa



0
 

Author Comment

by:shinglec
ID: 24797446
The static routes have been confirmed on all routers.  Like I said before, Pings go through fine which confirm the route.  Upon http use to a device on the remote subnet, the ASA log shows the following.... (usually just the first error... but sometimes all three... the last 2 are created in pairs... that is to say that as soon as the connection is made it is destroyed)

6      Jul 07 2009      14:13:58      106015      10.8.31.253      22770      10.8.32.1      80      Deny TCP (no connection) from 10.8.31.253/22770 to 10.8.32.1/80 flags RST  on interface INSIDE-1

6      Jul 07 2009      14:13:58      302013      10.8.31.253      22773      10.8.32.1      80      Built inbound TCP connection 88722 for INSIDE-1:10.8.31.253/22773 (10.8.31.253/22773) to INSIDE-1:10.8.32.1/80 (10.8.32.1/80)

6      Jul 07 2009      14:13:59      302014      10.8.31.253      22773      10.8.32.1      80      Teardown TCP connection 88722 for INSIDE-1:10.8.31.253/22773 to INSIDE-1:10.8.32.1/80 duration 0:00:01 bytes 0 TCP Reset-O


also of note is that this all works ok if Linksys1 is removed from the equation and the 192.168.1.0/24 subnet is connected to port 3 on the ASA and routing is done that way.... (this solution does not work since it does not pass through the content filter)...so this again shows me that it has something to do with the intra-network routing on the ASA.  Recall that the desired setup did at one time work before teh ASA replaced the old ISA router. (this shows that the other linksys routers are set correctly.

as for OSPF.... only the ASA suppors OSPF... the two linksys routers only support RIP (v1&2) and although i set all 3 to us RIPv2, it did not appear to do anything useful at all. (routing tables did not change)

This link at Cisco.com may give a little insite as to what should be going on here.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24804979
See if you can disable icmp redirects on these linksys routers. You may have asymmetric routing issues with the asa. On the router you simply have a default gateway to the ASA and on the ASA set static routes to the 'routed subnets' with destinations of the router interface IP that's part of the connected subnet. You stated previously though you did this.

I researched this, and some cisc  articles mention you can
turn off TCP sequence number randomisation on the ASA (It's not the best idea)

this article explains icmp redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
0
 

Accepted Solution

by:
shinglec earned 0 total points
ID: 24812926
Thanks for your assistance.  However the answer lies within the following sentence from cisco.com:  "Note: ASA/PIX does not support ICMP redirects, because it does not support asymmetric routing."

That being the case,  a modified layout is in order.  It may be as simple as placing another router immediately after the asa on the inside.... but I'll have to experiment with that.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question