Solved

I can ping, but nothing else -  through Cisco ASA 5510 w/ multiple subnets and routers

Posted on 2009-07-01
Last Modified: 2012-05-07
I have two inside subnets separated by two routers (with a 3rd subnet between them).  The internet access is on the first subnet.  It is laid out as follows:

(Internet)-<ASA5510>-(10.8.16.0/20)-<Linksys1>-(192.168.1.0/24)-<Linksys2>-(10.8.32.0/20)
ASA5510=10.8.31.254
Linksys1=10.8.16.1 & 192.168.1.1
Linksys2=10.8.32.1 & 192.168.1.2

What needs to exist:
-all traffic outbound for the internet to be NATed
-all traffic between 10.8.16.0/20 and 10.8.32.0/20 to flow freely w/o NAT

Due to a physical issue, the Linksys routers must remain to prevent unnecessary traffic over a limited bandwidth connection.  Also the layout must remain the same due to some other traffic filtering unrelated to this issue.

THE PROBLEM I'M HAVING:
With the current setup, sitting at my workstation (10.8.31.253) I can ping a host on the other internal subnet (10.8.32.8)... I cannot access it via any other means (remote desktop, http, etc).
From everything that I know, the setup looks right... but obviously it isn't working properly. I would guess there is some little key I'm missing.  Long story short, I believe the problem to be in the setup of our new router (ASA5510), since this problem did not exist with our previous router (MS ISA box).

Any and all help is greatly appreciated!!

The setup of the ASA and a diagram of the network are attached.

Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname firewall
domain-name plsd.k12.pa.us
enable password LZFPaSEVxrHmksHD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.8.30.203 PolycomHS
name 10.8.19.202 pc949
name 10.8.16.4 EXGNET description Exchange Server
name 10.8.16.5 PBook
name 10.8.16.250 PLSWEB
name 10.8.31.240 PSU-DATA
name 10.8.30.204 PolycomSE
name 10.8.16.36 BusinessServer
name 10.8.20.44 FoodServiceDirector
name 10.8.16.38 LibraryServer
name 10.8.16.6 Parents
dns-guard
!
interface Ethernet0/0
 description Internet
 nameif OUTSIDE
 security-level 0
 ip address 63.XXX.XXX.1 255.255.255.0
!
interface Ethernet0/1
 description Inside subnet (filtered)
 nameif INSIDE-1
 security-level 100
 ip address 10.8.31.254 255.255.240.0
!
interface Ethernet0/2
 description Inside subnet (unfiltered)
 nameif INSIDE-2
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
 description unused
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
banner login GO AWAY!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name XXX.XXX.pa.us
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PolycomPorts
 service-object tcp range 1700 h323
 service-object tcp range 3230 3235
 service-object udp range 3230 3253
 service-object udp eq ntp
object-group network PSUdigitalEDU
 network-object host 146.186.143.6
 network-object host 146.186.183.135
 network-object host 198.147.175.131
 network-object host 72.32.11.171
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network ProSoft
 network-object host 12.5.8.32
 network-object host 12.5.8.33
 network-object host 12.5.8.34
 network-object host 12.5.8.35
 network-object host 12.5.8.36
 network-object host 12.5.8.37
 network-object host 12.5.8.38
 network-object host 12.5.8.39
 network-object host 12.5.8.40
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq pcanywhere-data
 service-object udp eq pcanywhere-status
 service-object tcp eq 3393
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq www
object-group network Destiny
 network-object host 12.107.106.100
 network-object host 12.172.137.2
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq 3389
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.13 object-group DM_INLINE_TCP_1
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.12 eq www
access-list OUTSIDE_access_in extended permit tcp object-group PSUdigitalEDU host 63.XXX.XXX.11 object-group DM_INLINE_TCP_2
access-list OUTSIDE_access_in extended permit tcp any host 63.XXX.XXX.10 object-group DM_INLINE_TCP_0
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.7
access-list OUTSIDE_access_in extended permit object-group PolycomPorts any host 63.XXX.XXX.5
access-list OUTSIDE_access_in extended permit tcp any host PLSWEB eq 3390
access-list OUTSIDE_access_in extended permit tcp any host FoodServiceDirector eq 3389
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group ProSoft host BusinessServer
access-list OUTSIDE_access_in extended permit tcp any host LibraryServer eq 3394
access-list OUTSIDE_access_in extended permit ip 10.8.16.0 255.255.240.0 any inactive
access-list OUTSIDE_access_in extended permit ip 10.8.32.0 255.255.240.0 any inactive
access-list NELINK2_nat0_outbound extended permit ip any any
access-list INSIDE-1_access_in remark allows HS to NE
access-list INSIDE-1_access_in extended permit ip 10.8.16.0 255.255.240.0 any
access-list INSIDE-1_access_in remark allows NE to HS
access-list INSIDE-1_access_in extended permit ip 10.8.32.0 255.255.240.0 any
access-list NELINK2_access_in extended permit ip any any
access-list NELINK_nat0_outbound extended permit ip any any
access-list NELINK_access_in extended permit ip any any
access-list NELINK_nat0_outbound_1 extended permit ip any any
access-list NELINK_access_in_1 extended permit ip any any
access-list INSIDE-1_nat0_outbound remark allows NE to HS
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.32.0 255.255.240.0 10.8.16.0 255.255.240.0
access-list INSIDE-1_nat0_outbound remark allows HS to NE
access-list INSIDE-1_nat0_outbound extended permit ip 10.8.16.0 255.255.240.0 10.8.32.0 255.255.240.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE-1 1500
mtu INSIDE-2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE-1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
nat (INSIDE-1) 0 access-list INSIDE-1_nat0_outbound
nat (INSIDE-1) 10 0.0.0.0 0.0.0.0
nat (INSIDE-2) 10 0.0.0.0 0.0.0.0
static (INSIDE-1,OUTSIDE) tcp interface 3390 PLSWEB 3389 netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) tcp interface 3389 FoodServiceDirector 3389 netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) tcp interface 3394 LibraryServer 3389 netmask 255.255.255.255  norandomseq
static (INSIDE-1,OUTSIDE) tcp interface 3393 BusinessServer 3389 netmask 255.255.255.255  norandomseq
static (INSIDE-1,OUTSIDE) tcp interface pcanywhere-data BusinessServer pcanywhere-data netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) udp interface pcanywhere-status BusinessServer pcanywhere-status netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.5 PolycomHS netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.7 PolycomSE netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.10 EXGNET netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.11 PSU-DATA netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.12 Parents netmask 255.255.255.255
static (INSIDE-1,OUTSIDE) 63.XXX.XXX.13 PBook netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE-1_access_in in interface INSIDE-1
route OUTSIDE 0.0.0.0 0.0.0.0 63.XXX.XXX.254 1
route INSIDE-1 10.8.32.0 255.255.240.0 10.8.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.68.116.146 255.255.255.255 OUTSIDE
http 10.8.16.0 255.255.240.0 INSIDE-1
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 3 ip 172.16.0.1
dhcpd option 6 ip 216.220.93.193 216.220.91.200
!
dhcpd address 172.16.0.101-172.16.0.150 INSIDE-2
dhcpd dns 216.220.80.200 216.220.61.200 interface INSIDE-2
dhcpd enable INSIDE-2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a343e5b1df794a33fce4be7d56281339
: end

NETWORK.pdf
Question by: shinglec

9 Comments

Expert Comment by: bignewf
Hello, Shinglec
Certain things come to mind when you state you can ping the 10.8.32.0 network, but not access services running on TCP such as RDP or HTTP.
Your access-lists look correct for these subnets.

You might have some conflicting access-lists. By default, ASA allows all traffic inbound to outbound unless restricted by access-lists. I would temporarily try removing your outbound traffic lists and see if that helps. I have seen outbound access-lists cause these types of issues. If still not successful, you can then try to access these services on hosts between the routers, to rule out any access lists in the routers which might be blocking these services.

A sh access-list command will show whether the hit counts on the access-lists are increasing by one, showing that traffic is being processed by that list, to help troubleshooting.

You can also do packet traces inside the ASA to aid in troubleshooting.

If you are using static routes, make sure all the routers and the ASA have all the correct routing information. When I am testing connectivity in a network such as yours with many subnets behind an ASA, I will often use a routing protocol such as OSPF which will advertise all subnets. If you can then reach all the networks with OSPF, you can then remove it and re-examine your static routes.

I am not a big fan of routing protocols on firewalls, as these can sometimes affect bandwidth with the hello advertisements. Static routes are the best with firewalls since they have the lowest metric and consume no bandwidth.

Expert Comment by: bignewf
sorry, correction on above: I stated ---
By default, ASA allows all traffic inbound to outbound unless restricted by access-lists.

ASA by default allows all traffic outbound to inbound, so access-lists inbound to outbound can cause the issues you are having

my apologies
Expert Comment by: bignewf
sorry again, (no sleep last few days)
check your access lists inside>outside
Author Comment by: shinglec
Just a few more things to point out....  a workstation on subnet 10.8.16.0/20 can fully access a host on 10.8.32.0/20 (rdp, http, etc) if that workstation has a static route set on it to point specifically to the 10.8.32.0/20 subnet via 10.8.16.1 (linksys1).  Without that static route set, the default gateway is used (the ASA).  This too works, but with pings ONLY (no rdp, http, etc).
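The observation above (a host static route via Linksys1 gives full access, the ASA as default gateway gives ping only) follows from which hops each direction of the flow crosses. As an added illustration that is not part of the original thread, the following Python script models the layout from the question with longest-prefix-match forwarding and walks a packet from 10.8.31.253 to 10.8.32.8 and back. The ASA's addresses and its 10.8.32.0/20 route are taken from the posted config; the Linksys route tables are assumptions (each has a route to the far /20 and a default toward the next router, which is what the thread says was confirmed), and the Internet side of the ASA is left out.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host or router: interface addresses plus a static route table."""
    name: str
    addrs: list                                  # e.g. ["10.8.16.1/20", "192.168.1.1/24"]
    routes: list = field(default_factory=list)   # (prefix, next-hop) pairs

    def next_hop(self, dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        # Directly connected subnets win, as on any real router.
        for a in self.addrs:
            if dst in ipaddress.ip_interface(a).network:
                return dst
        best = None
        for prefix, nh in self.routes:           # longest-prefix match
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ipaddress.ip_address(nh))
        if best is None:
            raise RuntimeError(f"{self.name}: no route to {dst}")
        return best[1]


def build_topology(host_route: bool = False) -> dict:
    """The layout from the question. ASA entries come from the posted config;
    the Linksys route tables are assumptions, and the OUTSIDE side is omitted."""
    ws_routes = [("0.0.0.0/0", "10.8.31.254")]                # default gateway = ASA
    if host_route:
        ws_routes.insert(0, ("10.8.32.0/20", "10.8.16.1"))     # the static route that made RDP/HTTP work
    nodes = [
        Node("workstation", ["10.8.31.253/20"], ws_routes),
        Node("ASA", ["10.8.31.254/20"], [("10.8.32.0/20", "10.8.16.1")]),
        Node("Linksys1", ["10.8.16.1/20", "192.168.1.1/24"],
             [("10.8.32.0/20", "192.168.1.2"), ("0.0.0.0/0", "10.8.31.254")]),
        Node("Linksys2", ["10.8.32.1/20", "192.168.1.2/24"],
             [("0.0.0.0/0", "192.168.1.1")]),
        Node("server", ["10.8.32.8/20"], [("0.0.0.0/0", "10.8.32.1")]),
    ]
    return {n.name: n for n in nodes}


def trace(nodes: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Return the names of the nodes a packet from src to dst passes through."""
    dst_ip = ipaddress.ip_address(dst)
    owner = {ipaddress.ip_interface(a).ip: n.name
             for n in nodes.values() for a in n.addrs}
    path, cur = [src], src
    for _ in range(max_hops):
        nh = nodes[cur].next_hop(dst_ip)
        cur = owner[nh]
        path.append(cur)
        if nh == dst_ip:
            return path
    raise RuntimeError("forwarding loop")


def symmetric_through(fwd: list, ret: list, fw: str = "ASA") -> bool:
    """True when the firewall sees both halves of the flow or neither. A stateful
    firewall that sees only the SYN cannot complete the handshake in its table."""
    return (fw in fwd) == (fw in ret)


if __name__ == "__main__":
    for host_route in (False, True):
        n = build_topology(host_route)
        fwd = trace(n, "workstation", "10.8.32.8")
        ret = trace(n, "server", "10.8.31.253")
        label = "host route" if host_route else "default gw"
        print(f"{label}: {' > '.join(fwd)} | back: {' > '.join(ret)} | symmetric at ASA: {symmetric_through(fwd, ret)}")
```

With the ASA as default gateway the forward SYN hairpins through INSIDE-1 to Linksys1, but the reply from 10.8.32.8 reaches Linksys1, which is directly connected to 10.8.16.0/20 and delivers it to the workstation without touching the ASA. The firewall never sees the SYN/ACK, so the TCP connection it built cannot progress, while ICMP echo (for which the posted policy-map configures no stateful inspection) is passed and answered directly. With the host route, neither direction crosses the ASA, so the firewall is simply out of the path.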
Expert Comment by: bignewf
In your 10.8.16.1 and 10.8.32.1 routers make sure they have static routes to the inside interface of the ASA - check the routing tables after adding these routes and that should solve it. If not, try using OSPF on the ASA just for testing as I mentioned earlier, which will work by advertising all routes to your subnets.
The fact that it works after a static route to 10.8.32.0 is added on the workstation means it is a routing issue - the 10.8.16.1 router needs information on how to send packets to the ASA.
Author Comment by: shinglec
The static routes have been confirmed on all routers.  Like I said before, pings go through fine, which confirms the route.  Upon http use to a device on the remote subnet, the ASA log shows the following.... (usually just the first error... but sometimes all three... the last 2 are created in pairs... that is to say that as soon as the connection is made it is destroyed)

6      Jul 07 2009      14:13:58      106015      10.8.31.253      22770      10.8.32.1      80      Deny TCP (no connection) from 10.8.31.253/22770 to 10.8.32.1/80 flags RST  on interface INSIDE-1

6      Jul 07 2009      14:13:58      302013      10.8.31.253      22773      10.8.32.1      80      Built inbound TCP connection 88722 for INSIDE-1:10.8.31.253/22773 (10.8.31.253/22773) to INSIDE-1:10.8.32.1/80 (10.8.32.1/80)

6      Jul 07 2009      14:13:59      302014      10.8.31.253      22773      10.8.32.1      80      Teardown TCP connection 88722 for INSIDE-1:10.8.31.253/22773 to INSIDE-1:10.8.32.1/80 duration 0:00:01 bytes 0 TCP Reset-O


Also of note is that this all works OK if Linksys1 is removed from the equation and the 192.168.1.0/24 subnet is connected to port 3 on the ASA and routing is done that way.... (this solution does not work since it does not pass through the content filter)... so this again shows me that it has something to do with the intra-network routing on the ASA.  Recall that the desired setup did at one time work before the ASA replaced the old ISA router (this shows that the other Linksys routers are set correctly).

As for OSPF.... only the ASA supports OSPF... the two Linksys routers only support RIP (v1&2) and although I set all 3 to use RIPv2, it did not appear to do anything useful at all (routing tables did not change).

This link at Cisco.com may give a little insight as to what should be going on here.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
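The three syslog messages quoted above are the usual fingerprint of a TCP flow whose return path bypasses the firewall: a connection built in and out of the same interface (INSIDE-1 to INSIDE-1), torn down after zero bytes by a reset, and stray packets denied as "no connection". As an added example that is not part of the thread, here is a small Python parser that reads ASA syslog lines in the column layout shown above and flags flows matching that pattern. The sample lines are constructed to mirror the three quoted ones, plus an ordinary outbound HTTPS connection to a documentation address (198.51.100.10, not from the thread) as a control.

```python
import re

# Constructed sample: the first three lines mirror the ones quoted in the thread
# (columns: severity, date, time, message id, src, sport, dst, dport, text); the last
# two are an ordinary outbound connection added as a control, using a documentation
# address that does not appear in the thread.
SAMPLE_LOG = """\
6\tJul 07 2009\t14:13:58\t106015\t10.8.31.253\t22770\t10.8.32.1\t80\tDeny TCP (no connection) from 10.8.31.253/22770 to 10.8.32.1/80 flags RST  on interface INSIDE-1
6\tJul 07 2009\t14:13:58\t302013\t10.8.31.253\t22773\t10.8.32.1\t80\tBuilt inbound TCP connection 88722 for INSIDE-1:10.8.31.253/22773 (10.8.31.253/22773) to INSIDE-1:10.8.32.1/80 (10.8.32.1/80)
6\tJul 07 2009\t14:13:59\t302014\t10.8.31.253\t22773\t10.8.32.1\t80\tTeardown TCP connection 88722 for INSIDE-1:10.8.31.253/22773 to INSIDE-1:10.8.32.1/80 duration 0:00:01 bytes 0 TCP Reset-O
6\tJul 07 2009\t14:20:01\t302013\t10.8.31.253\t22800\t198.51.100.10\t443\tBuilt outbound TCP connection 88900 for OUTSIDE:198.51.100.10/443 (198.51.100.10/443) to INSIDE-1:10.8.31.253/22800 (10.8.31.253/22800)
6\tJul 07 2009\t14:20:06\t302014\t10.8.31.253\t22800\t198.51.100.10\t443\tTeardown TCP connection 88900 for OUTSIDE:198.51.100.10/443 to INSIDE-1:10.8.31.253/22800 duration 0:00:05 bytes 5120 TCP FINs
"""

# One ASDM/syslog row: whitespace-separated columns, free text at the end.
LINE_RE = re.compile(
    r"^\s*(?P<sev>\d)\s+(?P<date>\w{3} \d{2} \d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<text>.*)$"
)
# 302013: "... connection N for IFACE:addr/port (mapped) to IFACE:addr/port (mapped)"
BUILT_RE = re.compile(r"connection (?P<conn>\d+) for (?P<a>[^:\s]+):\S+ \(\S+\) to (?P<b>[^:\s]+):")
# 302014: "... connection N for ... duration H:MM:SS bytes N <reason>"
TEARDOWN_RE = re.compile(r"connection (?P<conn>\d+) for .* duration \S+ bytes (?P<bytes>\d+) (?P<why>.*)$")
# 106015: "Deny TCP (no connection) from ... to ... flags FLAGS  on interface IFACE"
DENY_RE = re.compile(r"Deny TCP \(no connection\) .* flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")


def analyze(log_text: str) -> list:
    """Return findings for flows that look like a missing return path."""
    hairpin = {}      # conn id -> flow, for connections built in and out of one interface
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        flow = (rec["src"], rec["dst"], int(rec["dport"]))
        text = rec["text"]
        if rec["msgid"] == "106015":              # packet that matches no connection in the table
            d = DENY_RE.search(text)
            where = f"{d['flags']} on {d['iface']}" if d else "unknown"
            findings.append({"flow": flow, "reason": f"out-of-state {where}"})
        elif rec["msgid"] == "302013":
            b = BUILT_RE.search(text)
            if b and b["a"] == b["b"]:            # same ingress and egress interface
                hairpin[b["conn"]] = flow
        elif rec["msgid"] == "302014":
            t = TEARDOWN_RE.search(text)
            if t and t["conn"] in hairpin and int(t["bytes"]) == 0 and "Reset" in t["why"]:
                findings.append({
                    "flow": hairpin.pop(t["conn"]),
                    "reason": f"hairpin connection {t['conn']} torn down with 0 bytes ({t['why']})",
                })
    return findings


def suspect_flows(findings: list) -> set:
    """Distinct (src, dst, dport) tuples with at least one symptom."""
    return {f["flow"] for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['flow'][0]} -> {f['flow'][1]}:{f['flow'][2]}: {f['reason']}")
```

Run it against an ASDM or syslog export. A flow that shows only a hairpin build, a zero-byte reset teardown and 106015 denies, while a plain ping to the same host works, points at asymmetric routing rather than an access-list problem; an ACL drop would be logged as 106023 instead.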
Expert Comment by: bignewf
See if you can disable ICMP redirects on these Linksys routers. You may have asymmetric routing issues with the ASA. On the router you simply have a default gateway to the ASA, and on the ASA set static routes to the 'routed subnets' with destinations of the router interface IP that's part of the connected subnet. You stated previously though that you did this.

I researched this, and some Cisco articles mention you can turn off TCP sequence number randomisation on the ASA (it's not the best idea).

This article explains ICMP redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
Accepted Solution by: shinglec (earned 0 total points)
Thanks for your assistance.  However the answer lies within the following sentence from cisco.com:  "Note: ASA/PIX does not support ICMP redirects, because it does not support asymmetric routing."

That being the case,  a modified layout is in order.  It may be as simple as placing another router immediately after the asa on the inside.... but I'll have to experiment with that.