Solved

Cisco ASA 5510 Static Route

Posted on 2010-11-18
Last Modified: 2012-05-10
Hi

I have a Cisco ASA 5510 set as my network's default gateway. We have a web application that runs from a VPN on another ASA 5510.

My local LAN is 10.3.100.0 255.255.255.0. I need to route traffic to 10.133.133.0 via the 2nd ASA. I can connect to the server on 10.133.133.0 if I use the packet trace utility but not using the application (port 1433). I can also ping from my PC 10.3.100.107 to 10.133.133.221. I can't see any ACLs that would block SQL traffic.

If I set a static route on the PC (route add 10.133.133.0 mask 255.255.255.0 10.3.100.16) it works fine.

config

: Saved
:
ASA Version 8.0(2)
!
hostname BromleyASA
domain-name dpconnect.co.uk
enable password XVwn0yiTNqnlIJze encrypted
names
name 10.133.133.0 iProfile
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 193.82.154.147 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 nameif Tenants
 security-level 100
 ip address 192.168.0.17 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.3.100.13 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name dpconnect.co.uk
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq https
 port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit object-group TCPUDP 10.3.100.0 255.255.255.0 193.82.154.0 255.255.255.0 eq www
access-list inside_access_in extended permit tcp 10.3.100.0 255.255.255.0 193.82.154.0 255.255.255.0 eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.3.100.0 255.255.255.0 any log debugging
access-list Outside_access_in remark Task Centre
access-list Outside_access_in extended permit tcp any host 10.3.100.250 object-group DM_INLINE_TCP_2 log disable
access-list Outside_access_in remark Exchange
access-list Outside_access_in extended permit tcp any host 10.3.100.230 object-group DM_INLINE_TCP_1 log disable
access-list Outside_access_in remark DPGate
access-list Outside_access_in extended permit tcp any host 10.3.100.6 eq smtp
access-list Outside_access_in extended permit ip any any log inactive
access-list Outside_access_in extended permit ip any host 10.3.100.6
access-list Outside_access_in extended permit ip any host 193.82.154.150
access-list inside_nat0_outbound extended permit ip iProfile 255.255.255.0 10.3.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.100.0 255.255.255.0 iProfile 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
mtu Tenants 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 101 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 102 0.0.0.0 0.0.0.0
static (inside,Outside) 193.82.154.148 10.3.100.230 netmask 255.255.255.255
static (inside,Outside) 193.82.154.146 10.3.100.250 netmask 255.255.255.255
static (Outside,inside) 10.3.100.6 193.82.154.150 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 193.82.154.145 10
route inside iProfile 255.255.255.0 10.3.100.16 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.3.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.3.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcpd address 192.168.0.50-192.168.0.100 Tenants
dhcpd dns 192.168.0.17 interface Tenants
dhcpd enable Tenants
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable Outside
username dpconnect password U8i1m1EUa1.lh7j1 encrypted privilege 15
username soakley password hSrww4k5OfoPJXVD encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:1b71d94ee3e76d4a2958780f0a051655
: end


Question by: dpconnect

Accepted Solution by: JFrederick29
ID: 34166012
This is expected behavior due to the statefulness of the ASA. The problem is the return traffic doesn't get routed back through the "default gateway ASA", so its security mechanisms don't allow the connection. Adding routes to the PCs will definitely take care of the problem but is not a great solution, I know. I believe you can add routes via Windows DHCP, so that might be something to look at. Alternatively, you could move the VPN ASA into a DMZ (off another interface) on the default gateway ASA to work around the issue, or add a layer 3 switch to the network and have it act as the default gateway and make routing decisions.
Expert Comment by: jmeggers
ID: 34166581
Agreed. You need a single default gateway for the PCs to point to. You can either do that by putting the second ASA in a DMZ (as stated above) or add a router in between the PCs and the ASAs and let it make the forwarding decision.
Expert Comment by: Sun12345
ID: 34166732
I somehow disagree, as why would the return path work for one kind of traffic and not for SQL? I am not sure what IP 10.3.100.16 is that you are using for adding the static route on the PC. Also, I do not see any route for the second ASA's subnet in this configuration.

Are these ASAs physically connected to each other (it does not look like it), and where is the server located (behind the second ASA, I assume)? Does the ACL on the second ASA allow incoming connections towards the server?
Author Comment by: dpconnect
ID: 34171140
10.3.100.17 is the default gateway (internet traffic, ASA-1); 10.3.100.16 is our 2nd ASA that connects to another network over a VPN (10.133.133.0). I just need to route traffic for the VPN network to 10.3.100.16. I can do this with a static route on the PCs as suggested above but would like to know if it is possible just using a default gateway.

The returning traffic should find the source as it is on the same subnet. ACLs are all correct on the 2nd ASA, as if I set this as the gateway I can connect to the application.

So basically 2 ASAs, both on the same subnet. Pinging 10.133.133.221 (server) works fine.

Thanks
Assisted Solution by: JFrederick29
ID: 34172251
>The returning traffic should find the source as it is on the same subnet. ACLs are all correct on the 2nd ASA, as if I set this as the gateway I can connect to the application.

Yes, however the return traffic will go directly from the 2nd (VPN) ASA to the client PC and not return through the 1st (default gateway) ASA. This is a problem. The default gateway ASA never sees the return traffic and, most importantly, the SYN ACK. When the client PC sends additional traffic on that connection, the 1st (default gateway) ASA will deny it since it didn't see the SYN ACK.

There is a relatively new feature that allows you to bypass this functionality on the ASA, but you would have to upgrade the ASAs to 8.2.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
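As an added illustration (not code from the thread or from Cisco), a toy Python model of the stateful check JFrederick29 describes in both of his replies: the PC's default-gateway ASA sees the SYN but never the SYN-ACK, so the handshake never completes there and the PC's later packets are dropped, while ping gets through and an 8.2 tcp-state-bypass policy would skip the check. Addresses are the ones quoted above; the state machine is a deliberate simplification of ASA connection tracking.

```python
from dataclasses import dataclass

# Addresses quoted in the thread; the SQL server sits behind the VPN ASA (10.3.100.16).
PC, SERVER = "10.3.100.107", "10.133.133.221"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # "SYN", "SYN-ACK", "ACK", "DATA" (constructed labels, not real TCP flag bits)

class StatefulAsa:
    """Simplified model (not Cisco's code) of ASA TCP connection tracking: a flow may
    only carry data once this box has seen both the SYN and the SYN-ACK."""
    def __init__(self, tcp_state_bypass: bool = False):
        self.bypass = tcp_state_bypass
        self.conns = {}   # (client, server) -> "embryonic" | "established"

    def forward(self, pkt: Packet) -> bool:
        """Return True if the ASA forwards the packet, False if it drops it."""
        if pkt.proto != "tcp" or self.bypass:
            return True   # ICMP needs no TCP state; tcp-state-bypass (8.2+) skips the checks
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.conns[fwd] = "embryonic"
            return True
        if pkt.flags == "SYN-ACK" and self.conns.get(rev) == "embryonic":
            self.conns[rev] = "established"
            return True
        if self.conns.get(fwd) == "established" or self.conns.get(rev) == "established":
            return True
        return False      # handshake never completed through this box: drop

def client_session(asa: StatefulAsa, return_path_via_asa: bool) -> dict:
    """Run a PC -> SQL server (tcp/1433) session with `asa` as the PC's default gateway.
    With return_path_via_asa=False the SYN-ACK comes straight back from the VPN ASA on
    the same subnet, exactly as in the thread, so `asa` never sees it."""
    seen = {"SYN": asa.forward(Packet(PC, SERVER, "tcp", "SYN"))}
    if return_path_via_asa:   # the DMZ / layer 3 switch designs proposed above
        seen["SYN-ACK"] = asa.forward(Packet(SERVER, PC, "tcp", "SYN-ACK"))
    seen["ACK"] = asa.forward(Packet(PC, SERVER, "tcp", "ACK"))
    seen["DATA"] = asa.forward(Packet(PC, SERVER, "tcp", "DATA"))
    seen["PING"] = asa.forward(Packet(PC, SERVER, "icmp"))
    return seen

if __name__ == "__main__":
    print("asymmetric, 8.0(2):     ", client_session(StatefulAsa(), False))
    print("asymmetric, state bypass:", client_session(StatefulAsa(True), False))
    print("symmetric (DMZ / L3):    ", client_session(StatefulAsa(), True))
```

The first run reproduces the symptom in the question: SYN and ping are forwarded, the PC's ACK and the port 1433 data are not.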