Solved

Cisco ASA 5510 Static Route

Posted on 2010-11-18
Last Modified: 2012-05-10
Hi

I have a Cisco ASA 5510 set as my network's default gateway.  We have a web application that runs from a VPN on another ASA 5510.

My local LAN is 10.3.100.0 255.255.255.0.  I need to route traffic to 10.133.133.0 via the 2nd ASA.  I can connect to the server on 10.133.133.0 if I use the packet trace utility but not using the application (port 1433).  I can also ping from my PC 10.3.100.107 to 10.133.133.221.  I can't see any ACLs that would block SQL traffic.

If I set a static route on the PC (route add 10.133.133.0 mask 255.255.255.0 10.3.100.16) it works fine.

config

: Saved
:
ASA Version 8.0(2)
!
hostname BromleyASA
domain-name dpconnect.co.uk
enable password XVwn0yiTNqnlIJze encrypted
names
name 10.133.133.0 iProfile
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 193.82.154.147 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 nameif Tenants
 security-level 100
 ip address 192.168.0.17 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.3.100.13 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name dpconnect.co.uk
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq https
 port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit object-group TCPUDP 10.3.100.0 255.255.255.0 193.82.154.0 255.255.255.0 eq www
access-list inside_access_in extended permit tcp 10.3.100.0 255.255.255.0 193.82.154.0 255.255.255.0 eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.3.100.0 255.255.255.0 any log debugging
access-list Outside_access_in remark Task Centre
access-list Outside_access_in extended permit tcp any host 10.3.100.250 object-group DM_INLINE_TCP_2 log disable
access-list Outside_access_in remark Exchange
access-list Outside_access_in extended permit tcp any host 10.3.100.230 object-group DM_INLINE_TCP_1 log disable
access-list Outside_access_in remark DPGate
access-list Outside_access_in extended permit tcp any host 10.3.100.6 eq smtp
access-list Outside_access_in extended permit ip any any log inactive
access-list Outside_access_in extended permit ip any host 10.3.100.6
access-list Outside_access_in extended permit ip any host 193.82.154.150
access-list inside_nat0_outbound extended permit ip iProfile 255.255.255.0 10.3.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.100.0 255.255.255.0 iProfile 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
mtu Tenants 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 101 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 102 0.0.0.0 0.0.0.0
static (inside,Outside) 193.82.154.148 10.3.100.230 netmask 255.255.255.255
static (inside,Outside) 193.82.154.146 10.3.100.250 netmask 255.255.255.255
static (Outside,inside) 10.3.100.6 193.82.154.150 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 193.82.154.145 10
route inside iProfile 255.255.255.0 10.3.100.16 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.3.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.3.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcpd address 192.168.0.50-192.168.0.100 Tenants
dhcpd dns 192.168.0.17 interface Tenants
dhcpd enable Tenants
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable Outside
username dpconnect password U8i1m1EUa1.lh7j1 encrypted privilege 15
username soakley password hSrww4k5OfoPJXVD encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:1b71d94ee3e76d4a2958780f0a051655
: end

Question by: dpconnect
5 Comments

Accepted Solution by: JFrederick29 (earned 500 total points)

This is expected behavior due to the statefulness of the ASA.  The problem is the return traffic doesn't get routed back through the "default gateway ASA" so its security mechanisms don't allow the connection.  Adding routes to the PCs will definitely take care of the problem but is not a great solution, I know.  I believe you can add routes via Windows DHCP so that might be something to look at.  Alternatively, you could move the VPN ASA into a DMZ (off another interface) on the default gateway ASA to work around the issue, or add a layer 3 switch to the network and have it act as the default gateway and make routing decisions.

Expert Comment by: jmeggers

Agreed.  You need a single default gateway for the PCs to point to.  You can either do that by putting the second ASA in a DMZ (as stated above) or add a router in between PCs and the ASAs and let it make the forwarding decision.

Expert Comment by: Sun12345

I somehow disagree, as to why the return path would work for one kind of traffic and not for SQL.  I am not sure what IP 10.3.100.16 is that you are using for adding the static route on the PC.  Also, I do not see any route for the second ASA subnet in this configuration.

Are these ASAs physically connected to each other (it does not look like it), and where is the server located (behind the second ASA, I assume)?  Does the ACL on the second ASA allow incoming connections towards the server?

Author Comment by: dpconnect

10.3.100.17 is the default gateway (internet traffic, ASA-1); 10.3.100.16 is our 2nd ASA that connects to another network over a VPN (10.133.133.0).  I just need to route traffic for the VPN network to 10.3.100.16.  I can do this with a static route on the PCs as suggested above but would like to know if it is possible just using a default gateway.

The returning traffic should find the source as it is on the same subnet.  ACLs are all correct on the 2nd ASA, as if I set this as the gateway I can connect to the application.

So basically 2 ASAs, both on the same subnet.  Pinging 10.133.133.221 (server) works fine.

Thanks

Assisted Solution by: JFrederick29 (earned 500 total points)

>The returning traffic should find the source as it is on the same subnet.  ACLs are all correct on the 2nd ASA, as if I set this as the gateway I can connect to the application.

Yes, however the return traffic will go directly from the 2nd (VPN) ASA to the client PC and not return through the 1st (default gateway) ASA.  This is a problem.  The default gateway ASA never sees the return traffic and, most importantly, the SYN ACK.  When the client PC sends additional traffic on that connection, the 1st (default gateway) ASA will deny it since it didn't see the SYN ACK.

There is a relatively new feature that allows you to bypass this functionality on the ASA, but you would have to upgrade the ASAs to 8.2.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
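The failure JFrederick29 describes can be reproduced with a small model of the default-gateway ASA's connection table. This is a constructed example added here, not code from the thread or from Cisco; it uses the PC and server addresses from the question, and a `tcp_state_bypass` flag stands in for the ASA 8.2 TCP state bypass feature the answer links to.

```python
# Constructed example (added here, not from the thread or Cisco): a minimal
# stateful firewall model showing why the SQL session fails when the
# SYN/ACK returns via the VPN ASA instead of the default-gateway ASA.
from dataclasses import dataclass, field

PC, SQL, SQL_PORT = "10.3.100.107", "10.133.133.221", 1433  # from the question


@dataclass
class StatefulFirewall:
    """Tracks TCP 5-tuples like the ASA's connection table (simplified)."""
    tcp_state_bypass: bool = False          # models the ASA 8.2 feature
    conns: dict = field(default_factory=dict)

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'permit' or 'deny' for one TCP segment seen by this box."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if self.tcp_state_bypass:
            return "permit"                  # no handshake tracking at all
        if flags == "S":                     # new connection from inside
            self.conns[fwd] = "SYN_SEEN"
            return "permit"
        if flags == "SA" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "ESTABLISHED"  # handshake completed here
            return "permit"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return "permit"
        return "deny"                        # mid-stream segment, no state


def run_session(asymmetric, tcp_state_bypass=False):
    """Replay a PC -> SQL server session as seen by the default-gateway ASA.

    asymmetric=True: the SYN/ACK comes back through the VPN ASA straight to
    the PC, so the default-gateway ASA never sees it (the thread's setup).
    """
    asa1 = StatefulFirewall(tcp_state_bypass=tcp_state_bypass)
    verdicts = [asa1.inspect(PC, 51000, SQL, SQL_PORT, "S")]           # SYN
    if not asymmetric:
        verdicts.append(asa1.inspect(SQL, SQL_PORT, PC, 51000, "SA"))  # SYN/ACK
    verdicts.append(asa1.inspect(PC, 51000, SQL, SQL_PORT, "A"))       # ACK
    verdicts.append(asa1.inspect(PC, 51000, SQL, SQL_PORT, "PA"))      # TDS data
    return verdicts


if __name__ == "__main__":
    print("symmetric   :", run_session(asymmetric=False))
    print("asymmetric  :", run_session(asymmetric=True))
    print("state bypass:", run_session(asymmetric=True, tcp_state_bypass=True))
```

The model also explains the two tests that did succeed: ping needs no TCP handshake entry, and packet-tracer only simulates the forward packet, so neither depends on the reply passing back through the first ASA.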