shinglec asked on
I can ping, but nothing else - through Cisco ASA 5510 w/ multiple subnets and routers
I have two inside subnets separated by two routers (with a third subnet between them). The internet access is on the first subnet. It is laid out as follows:
(Internet)-<ASA5510>-(10.8.16.0/20)-<Linksys1>-(192.168.1.0/24)-<Linksys2>-(10.8.32.0/20)
ASA5510=10.8.31.254
Linksys1=10.8.16.1 & 192.168.1.1
Linksys2=10.8.32.1 & 192.168.1.2
What needs to exist:
-all traffic outbound for the internet to be NATed
-all traffic between 10.8.16.0/20 and 10.8.32.0/20 to flow freely w/o NAT
Due to a physical issue, the Linksys routers must remain to prevent unnecessary traffic over a limited bandwidth connection. Also the layout must remain the same due to some other traffic filtering unrelated to this issue.
THE PROBLEM I'M HAVING:
With the current setup, sitting at my workstation (10.8.31.253) I can ping a host on the other internal subnet (10.8.32.8)... I cannot access it via any other means (remote desktop, HTTP, etc.).
From everything that I know, the setup looks right... but obviously it isn't working properly. I would guess there is some little key I'm missing. Long story short, I believe the problem to be in the setup of our new router (ASA5510) since this problem did not exist with our previous router (MS ISA box).
Any and all help is greatly appreciated!!
The setup of the ASA and a diagram of the network is attached.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname firewall
domain-name plsd.k12.pa.us
enable password LZFPaSEVxrHmksHD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.8.30.203 PolycomHS
name 10.8.19.202 pc949
name 10.8.16.4 EXGNET description Exchange Server
name 10.8.16.5 PBook
name 10.8.16.250 PLSWEB
name 10.8.31.240 PSU-DATA
name 10.8.30.204 PolycomSE
name 10.8.16.36 BusinessServer
name 10.8.20.44 FoodServiceDirector
name 10.8.16.38 LibraryServer
name 10.8.16.6 Parents
dns-guard
!
interface Ethernet0/0
description Internet
nameif OUTSIDE
security-level 0
ip address 63.XXX.XXX.1 255.255.255.0
!
interface Ethernet0/1
description Inside subnet (filtered)
nameif INSIDE-1
security-level 100
ip address 10.8.31.254 255.255.240.0
!
interface Ethernet0/2
description Inside subnet (unfiltered)
nameif INSIDE-2
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
description unused
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
!
banner login GO AWAY!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name XXX.XXX.pa.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PolycomPorts
service-object tcp range 1700 h323
service-object tcp range 3230 3235
service-object udp range 3230 3253
service-object udp eq ntp
object-group network PSUdigitalEDU
network-object host 146.186.143.6
network-object host 146.186.183.135
network-object host 198.147.175.131
network-object host 72.32.11.171
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group network ProSoft
network-object host 12.5.8.32
network-object host 12.5.8.33
network-object host 12.5.8.34
network-object host 12.5.8.35
network-object host 12.5.8.36
network-object host 12.5.8.37
network-object host 12.5.8.38
network-object host 12.5.8.39
network-object host 12.5.8.40
object-group service DM_INLINE_SERVICE_1
service-object tcp eq pcanywhere-data
service-object udp eq pcanywhere-status
service-object tcp eq 3393
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq www
object-group network Destiny
network-object host 12.107.106.100
network-object host 12.172.137.2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq 3389
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.13 object-group DM_INLINE_TCP_1
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.12 eq www
access-list OUTSIDE_access_in extended permit tcp object-group PSUdigitalEDU host 63.XXX.XXX.11 object-group DM_INLINE_TCP_2
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.10 object-group DM_INLINE_TCP_0
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.7
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.5
access-list OUTSIDE_access_in extended permit tcp any host PLSWEB eq 3390
access-list OUTSIDE_access_in extended permit tcp any host FoodServiceDirector eq 3389
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group ProSoft host BusinessServer
access-list OUTSIDE_access_in extended permit tcp any host LibraryServer eq 3394
access-list OUTSIDE_access_in extended permit ip 10.8.16.0 255.255.240.0 any inactive
access-list OUTSIDE_access_in extended permit ip 10.8.32.0 255.255.240.0 any inactive
access-list NELINK2_nat0_outbound extended permit ip any any
access-list INSIDE-1_access_in remark allows HS to NE
access-list INSIDE-1_access_in extended permit ip 10.8.16.0 255.255.240.0 any
access-list INSIDE-1_access_in remark allows NE to HS
access-list INSIDE-1_access_in extended permit ip 10.8.32.0 255.255.240.0 any
access-list NELINK2_access_in extended permit ip any any
access-list NELINK_nat0_outbound extended permit ip any any
access-list NELINK_access_in extended permit ip any any
access-list NELINK_nat0_outbound_1 extended permit ip any any
access-list NELINK_access_in_1 extended permit ip any any
access-list INSIDE-1_nat0_outbound remark allows NE to HS
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.32.0 255.255.240.0 10.8.16.0 255.255.240.0
access-list INSIDE-1_nat0_outbound remark allows HS to NE
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.16.0 255.255.240.0 10.8.32.0 255.255.240.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE-1 1500
mtu INSIDE-2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE-1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
nat (INSIDE-1) 0 access-list INSIDE-1_nat0_outbound
nat (INSIDE-1) 10 0.0.0.0 0.0.0.0
nat (INSIDE-2) 10 0.0.0.0 0.0.0.0
static (INSIDE-1,OUTSIDE) tcp interface 3390 PLSWEB 3389 netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) tcp interface 3389 FoodServiceDirector 3389 netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) tcp interface 3394 LibraryServer 3389 netmask 255.255.255.255 norandomseq
static (INSIDE-1,OUTSIDE) tcp interface 3393 BusinessServer 3389 netmask 255.255.255.255 norandomseq
static (INSIDE-1,OUTSIDE) tcp interface pcanywhere-data BusinessServer pcanywhere-data netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) udp interface pcanywhere-status BusinessServer pcanywhere-status netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.5 PolycomHS netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.7 PolycomSE netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.10 EXGNET netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.11 PSU-DATA netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.12 Parents netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.13 PBook netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE-1_access_in in interface INSIDE-1
route OUTSIDE 0.0.0.0 0.0.0.0 63.XXX.XXX.254 1
route INSIDE-1 10.8.32.0 255.255.240.0 10.8.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.68.116.146 255.255.255.255 OUTSIDE
http 10.8.16.0 255.255.240.0 INSIDE-1
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 3 ip 172.16.0.1
dhcpd option 6 ip 216.220.93.193 216.220.91.200
!
dhcpd address 172.16.0.101-172.16.0.150 INSIDE-2
dhcpd dns 216.220.80.200 216.220.61.200 interface INSIDE-2
dhcpd enable INSIDE-2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a343e5b1df794a33fce4be7d56281339
: end
NETWORK.pdf
sorry, correction on above: I stated ---
By default, ASA allows all traffic inbound to outbound unless restricted by access-lists.
ASA by default allows all traffic outbound to inbound, so access-lists inbound to outbound can cause the issues you are having
my apologies
sorry again, (no sleep last few days)
check your access lists inside>outside
ASKER
Just a few more things to point out: from a workstation on subnet 10.8.16.0/20 I can fully access a host on 10.8.32.0/20 (RDP, HTTP, etc.) if that workstation has a static route set on it to point specifically to the 10.8.32.0/20 subnet via 10.8.16.1 (Linksys1). Without that static route set, the default gateway is used (the ASA). This too works, but with pings ONLY (no RDP, HTTP, etc.).
In your 10.8.16.1 and 10.8.32.1 routers make sure they have static routes to the inside interface of the asa - check the routing tables after adding these routes and that should solve it. If not, try using ospf on the asa just for testing as I mentioned earlier, which will work by advertising all routes to your subnets.
The fact that it works once a static route to 10.8.32.0 is added on the workstation means it is a routing issue: the 10.8.16.1 router needs information on how to send packets to the ASA.
ASKER
The static routes have been confirmed on all routers. Like I said before, pings go through fine, which confirms the route. Upon HTTP use to a device on the remote subnet, the ASA log shows the following (usually just the first error, but sometimes all three; the last two are created in pairs, that is to say that as soon as the connection is made it is destroyed):
6 Jul 07 2009 14:13:58 106015 10.8.31.253 22770 10.8.32.1 80 Deny TCP (no connection) from 10.8.31.253/22770 to 10.8.32.1/80 flags RST on interface INSIDE-1
6 Jul 07 2009 14:13:58 302013 10.8.31.253 22773 10.8.32.1 80 Built inbound TCP connection 88722 for INSIDE-1:10.8.31.253/22773 (10.8.31.253/22773) to INSIDE-1:10.8.32.1/80 (10.8.32.1/80)
6 Jul 07 2009 14:13:59 302014 10.8.31.253 22773 10.8.32.1 80 Teardown TCP connection 88722 for INSIDE-1:10.8.31.253/22773 to INSIDE-1:10.8.32.1/80 duration 0:00:01 bytes 0 TCP Reset-O
Also of note is that this all works OK if Linksys1 is removed from the equation and the 192.168.1.0/24 subnet is connected to port 3 on the ASA and routing is done that way (this solution does not work since it does not pass through the content filter), so this again shows me that it has something to do with the intra-network routing on the ASA. Recall that the desired setup did at one time work before the ASA replaced the old ISA router (this shows that the other Linksys routers are set correctly).
As for OSPF, only the ASA supports OSPF; the two Linksys routers only support RIP (v1 & v2), and although I set all three to use RIPv2, it did not appear to do anything useful at all (routing tables did not change).
This link at Cisco.com may give a little insight as to what should be going on here.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
See if you can disable icmp redirects on these linksys routers. You may have asymmetric routing issues with the asa. On the router you simply have a default gateway to the ASA and on the ASA set static routes to the 'routed subnets' with destinations of the router interface IP that's part of the connected subnet. You stated previously though you did this.
I researched this, and some Cisco articles mention you can turn off TCP sequence number randomisation on the ASA (it's not the best idea).
this article explains icmp redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
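The reply above mentions turning off TCP sequence number randomisation. As an added example (not configuration from this thread or from the asker's running-config), the fragment below scopes that change, in ASA 8.2 syntax, to only the TCP traffic that hairpins through INSIDE-1 between 10.8.16.0/20 and 10.8.32.0/20, instead of putting `norandomseq` on every static. The names HS-NE-TCP, HS-NE-CLASS and INSIDE-1-POLICY are assumed for illustration. The asker's own log shows why this path is awkward for the ASA: the SYN from 10.8.31.253 enters and leaves INSIDE-1, but the server's SYN-ACK returns from Linksys1 straight to the workstation on the same /20 and never crosses the firewall, so the ASA only ever sees the client's half of the conversation.

```cisco
! Added example, not the thread's configuration.
! Only the two inside subnets that hairpin through INSIDE-1 are matched,
! so the relaxed handling never applies to OUTSIDE traffic.
! Names HS-NE-TCP, HS-NE-CLASS and INSIDE-1-POLICY are assumed for illustration.
access-list HS-NE-TCP extended permit tcp 10.8.16.0 255.255.240.0 10.8.32.0 255.255.240.0
access-list HS-NE-TCP extended permit tcp 10.8.32.0 255.255.240.0 10.8.16.0 255.255.240.0
!
class-map HS-NE-CLASS
 match access-list HS-NE-TCP
!
policy-map INSIDE-1-POLICY
 class HS-NE-CLASS
  ! Keep the client's real ISN so the SYN-ACK that bypasses the ASA still
  ! carries an ACK number the workstation recognises.
  set connection random-sequence-number disable
  ! Available from 8.2(1): also skip the TCP state checks for this class, since
  ! the ASA never sees the server's half of these flows. This removes stateful
  ! TCP protection for matching traffic, so keep the ACL above this narrow.
  ! set connection advanced-options tcp-state-bypass
!
service-policy INSIDE-1-POLICY interface INSIDE-1
!
! Verify the class is attached and counting hits before testing RDP/HTTP again.
show service-policy interface INSIDE-1
```

The interface policy coexists with the existing `global_policy`; only the matching class gets the relaxed connection settings, and every other flow on INSIDE-1 keeps the default randomisation and state tracking.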
ASKER CERTIFIED SOLUTION
Certain things come to mind when you state you can ping the 10.8.32.0 network but not access services running on TCP such as RDP and HTTP.
Your access-lists look correct to these subnets.
you might have some conflicting access-lists. By default, ASA allows all traffic inbound to outbound unless restricted by access-lists. I would temporarily try removing your outbound traffic lists and see if that helps. I have seen outbound access-lists cause these types of issues. If still not successful, you can then try to access these services on hosts between the routers, to rule out any access lists in the routers which might be blocking these services.
A sh access-list command will show whether the hit counts on the access-lists are increasing by one, showing that traffic is being processed by that list, to help troubleshooting.
You can also do packet traces inside the ASA to aid in troubleshooting.
If you are using static routes, make sure all the routers and the asa have all the correct routing information. When I am testing connectivity in a network such as yours with many subnets behind an asa, I will often use a routing protocol such as ospf which will advertise all subnets. If you can then reach all the networks with ospf, you can then remove it and re-examine your static routes.
I am not a big fan of routing protocols on firewalls, as these can sometimes affect bandwidth with the hello advertisements. Static routes are the best with firewalls since they have the lowest metric and consume no bandwidth.
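The answer above suggests checking access-list hit counts and running packet traces. As an added example (not commands from this thread), the sequence below applies those checks to the exact flow from the asker's log, 10.8.31.253 port 22773 to 10.8.32.1 port 80 on INSIDE-1, and adds the two places where the ASA records a drop that never produces a 106xxx syslog line.

```cisco
! Added example, not from the thread: verification commands for the flow in the asker's log.
! 1. Hit counters on the inbound INSIDE-1 ACL should increment on every attempt.
show access-list INSIDE-1_access_in
!
! 2. Simulate the SYN: walks route lookup, ACL, NAT (nat 0 exemption should match)
!    and inspection, and names the phase that drops the packet, if any.
packet-tracer input INSIDE-1 tcp 10.8.31.253 22773 10.8.32.1 80 detailed
!
! 3. While a browser retries, look for the half-open connection (bytes 0) that the
!    302013/302014 pair in the log shows being built and torn down.
show conn address 10.8.31.253
!
! 4. Drops that are counted but not logged, e.g. TCP sequence or state checks that
!    fail when only one direction of a connection crosses the ASA.
show asp drop
!
! 5. Confirm the 10.8.32.0/20 route really points back out INSIDE-1 via 10.8.16.1.
show route
```

Run `clear asp drop` before a test and `show asp drop` straight after it so the counters reflect only the attempted connection.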