Neadom Tucker asked:
Cisco ASA 5505 Routing to Internal Network Issues

I have a Cisco ASA 5505 with two interfaces, LAN (192.168.70.1/24) and WAN (static IP from ISP). I only have a base license.

I have another generic router for testing on the network: WAN IP 192.168.70.10, LAN subnet & IP 10.0.0.1/16.

I have a static route set up on my ASA for 10.0.0.0/16 to go to 192.168.70.10.

Inside my generic router I have a server, 10.0.10.10. Here is my issue.

From the Cisco I can ping 10.0.10.10. However, from my PC I cannot; I get "request timed out". My PC has 192.168.70.1 as its gateway. I can ping 192.168.70.1 (Cisco ASA LAN interface) from my PC, so ICMP is working. I have done this several times with SonicWalls without issue. What am I doing wrong here? Any ideas?

I have looked at my security policies on my inside interface, and ICMP, TCP and UDP are permitted.

access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any

Anyone have any great ideas?

Tucker
Neadom Tucker (ASKER):
Running a Packet Tracer in the ASDM, I do see where it is getting blocked by my ACL. I get the error "Flow is denied by configured rule." Am I missing some kind of inside-inside rule?
Hi,

Can you post the configuration (access-lists, NAT, routes and interface configuration)?
Here it is:
Result of the command: "show run"

: Saved
:
ASA Version 7.2(4)
!
hostname oto
domain-name domainname.local
enable password xog1vkvNT9FMcP6g encrypted
passwd xog1vkvNT9FMcP6g encrypted
names
name 174.141.7.122 COMPANYA description 255.255.255.248
name 10.1.0.0 SSOINTERNAL description SSO Network of Servers for Clients
name 10.0.0.0 SSOLAN description Domain Management Network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.165.153.73 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 name-server 68.87.68.162
 name-server 68.87.74.162
 domain-name domainname.local
object-group service Email tcp
 port-object eq smtp
object-group service SSL tcp
 port-object eq https
object-group service Web-ConnectWise tcp
 port-object eq https
object-group service TerminalServices tcp
 port-object range 3389 3389
object-group service LDAPSSL udp
 port-object range 636 636
 port-object range 389 389
object-group service LDAP tcp
 port-object eq ldap
 port-object eq ldaps
object-group service VPN tcp
 description VPN
 port-object range pptp pptp
 port-object eq https
object-group service VOIP tcp
 description Voice Over IP Ports for Phone System
 port-object eq sip
object-group service VOIPUDP udp
 description UDP Ports for phone system
 port-object range 10000 20000
 port-object range sip 5082
object-group network Group1
 description Desc#1
 network-object VENDORIP1 255.255.255.224
 network-object VENDORIP2 255.255.255.224
 network-object VENDORIP3 255.255.255.224
 network-object VENDORIP4 255.255.255.240
object-group network Group2
 network-object VENDORIP5 255.255.255.224
 network-object VENDORIP6 255.255.255.224
object-group network Group3
 network-object VENDORIP7 255.255.254.0
object-group service SSL_Outside tcp
 description SSL from Outside
 port-object range 8888 8888
object-group service ViperRemoteService tcp
 port-object eq 18082
access-list outside_access_in extended permit udp any host ISPWANIP#3 object-group VOIPUDP
access-list outside_access_in extended permit tcp any host ISPWANIP#3 object-group VOIP
access-list outside_access_in extended permit tcp any host ISPWANIP#2 object-group SSL
access-list outside_access_in extended permit tcp any host ISPWANIP#1 object-group Web-ConnectWise
access-list outside_access_in extended permit tcp object-group ReflexionMailGroup host ISPWANIP#2 object-group Email
access-list outside_access_in extended permit tcp host VENDORIPADDRESS host ISPWANIP#1 object-group TerminalServices
access-list outside_access_in extended permit tcp object-group Reflexion host ISPWANIP#2 eq ldap
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ISPWANIP#4 eq https
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit udp any any log
access-list inside_access_out extended permit tcp any any log
access-list inside_access_out extended permit icmp any any log
access-list inside_access_out extended permit udp any any object-group VOIPUDP
access-list inside_access_out extended permit tcp any any object-group VOIP
access-list outside_20_cryptomap extended permit ip 192.168.70.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list DomainTech_splitTunnelAcl standard permit any
access-list Test_splitTunnelAcl standard permit CLIENTIPADDRESS 255.255.255.248
access-list outside_40_cryptomap extended permit ip 192.168.70.0 255.255.255.0 10.52.9.0 255.255.255.0
access-list PRIORITY extended permit ip any host CLIENTIPADDRESS2
access-list PRIORITY extended permit ip host CLIENTIPADDRESS2  any
access-list DomainVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 172.16.24.96 255.255.255.240
pager lines 24
logging enable
logging asdm-buffer-size 300
logging monitor debugging
logging asdm debugging
logging from-address router@domainname.com
logging recipient-address jdoe@domainname.com level errors
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 172.16.24.100-172.16.24.110 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 ISPWANIP#4 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.70.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp ISPWANIP#4 https 192.168.70.3 https netmask 255.255.255.255
static (inside,outside) ISPWANIP#1 192.168.70.210 netmask 255.255.255.255
static (inside,outside) ISPWANIP#2 192.168.70.220 netmask 255.255.255.255
static (inside,outside) ISPWANIP#3 192.168.70.222 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route inside SSOLAN 255.255.0.0 192.168.70.10 1
route inside SSOINTERNAL 255.255.0.0 192.168.70.10 1
route outside 0.0.0.0 0.0.0.0 ISPWANIPGATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server DomainTech protocol radius
 accounting-mode simultaneous
aaa-server DomainTech (inside) host 192.168.70.220
 key password
 radius-common-pw password
aaa-server test protocol ldap
aaa-server test (inside) host 192.168.70.220
 timeout 5
 server-port 636
 ldap-base-dn domainname
 ldap-login-password *
 ldap-login-dn cn=jdoe
 ldap-over-ssl enable
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.70.0 255.255.255.0 inside
snmp-server host inside 192.168.70.220 poll community public version 2c
snmp-server location Home
snmp-server contact Domain Tech
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.70.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.70.0 255.255.255.0 inside
ssh timeout 40
console timeout 0
management-access inside
dhcpd auto_config outside
!

priority-queue inside
priority-queue outside
tftp-server inside 192.168.70.115 \091223
webvpn
 auto-signon allow ip 192.168.70.220 255.255.255.255 auth-type ntlm
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.70.222
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value domainname.local
group-policy DomainVPN internal
group-policy DomainVPN attributes
 dns-server value 192.168.70.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DomainVPN_splitTunnelAcl
 default-domain value domainname.local
group-policy DomainTech internal
group-policy DomainTech attributes
 wins-server none
 dns-server value 192.168.70.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DomainTech_splitTunnelAcl
 default-domain value domainname.local
username domain password cbd.LnP3B30Wt6s8 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group DomainVPN type ipsec-ra
tunnel-group DomainVPN general-attributes
 address-pool VPNPool
 default-group-policy DomainVPN
tunnel-group DomainVPN ipsec-attributes
 pre-shared-key *
!
class-map PRIORITY
 match access-list PRIORITY
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
 class PRIORITY
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b394ca090a6528180eb0e2b6184bded1
: end
Looks like something to do with intra-interface... I read this but don't understand it:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Tucker
I believe you are missing the nat 0 statement to exempt nat.
Can you explain a bit more?  I know enough to get in trouble.

Tucker
Create a new access list to allow traffic between those subnets.

access-list inside_nat_0_inside extender permit tcp 192.168.70.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat_0_inside
Ok so I added the first line but when I added the second line I get the following error:
ERROR: access-list has protocol or port

sorry... permit ip :)
.... what?
Again... I get in trouble here if I try this crap on my own.  :)

Thanks!!!
ASKER CERTIFIED SOLUTION
predragpetrovic
Thanks!! So that still did not work. I have to use "extended" and not "extender", not sure if that matters.

I added:
access-list inside_nat_0_inside extended permit ip 192.168.70.0 255.255.255.0 SSOLAN 255.255.0.0
and
nat (inside) 0 access-list inside_nat_0_inside

I get the same response in the logs and in packet tracer. Denied:
3      Dec 27 2010      14:03:56      106014                   Deny inbound icmp src inside:192.168.70.121 dst inside:10.0.10.10 (type 8, code 0)

rochey2009

Hi,

Try

same-security-traffic permit intra-interface

This will allow traffic to flow in and out of the same interface.
OK, so now I get new error messages:
3      Dec 27 2010      16:46:48      305005      10.0.10.10             No translation group found for icmp src inside:192.168.70.121 dst inside:10.0.10.10 (type 8, code 0)
3      Dec 27 2010      16:46:53      305005      10.0.10.10             No translation group found for udp src inside:192.168.70.220/53 dst inside:10.0.10.10/33517

I am trying to ping 10.0.10.10. Still no response.


Thanks for your help
OK, so I got it to ping. I removed nat (inside) 1 0.0.0.0 0.0.0.0 and the ping worked. However, I cannot view the web page that is on this appliance. I am trying to connect to http://10.0.10.10. I really don't want to NAT it; I just want it to act like a router for this subnet. I don't think that is possible. I put back the nat (inside) 1 0.0.0.0 0.0.0.0 as I saw somewhere that it was needed.
Hi,

NAT 0 is used to bypass NAT translations. Modify your NAT 0 access-list to include the devices for which you want to skip the NAT translation.
Sorry, ignore my previous entry. So you can ping 10.0.10.10 from a PC on the 192.168.70.0 subnet but you can't browse to it?
Yes, that is correct. Very odd. This may be my cheap router causing the issue. But I have it set up for Router, not NAT, and I have my static route enabled. I will play with it some more tonight on the 10.0.0.0 side of the network and see what I find.
This got me able to ping the network, which is what I wanted, but I am still having issues with DNS. I cannot get out from my subnetwork. I will open another question for this issue. Thanks for your help.
FYI, I got my DNS issue working. I had to add a route to my Windows DNS server. See the other post here that helped me.

https://www.experts-exchange.com/questions/26715152/ASA-5505-Routing-from-Subdomain-but-Not-allowing-DNS-Traffic.html?anchorAnswerId=34475476#a34475476
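Pulling the thread's fix together (the intra-interface permit from rochey2009's answer plus the NAT exemption suggested earlier), here is the corresponding ASA 7.2 configuration as an added example; it is not any poster's config. It assumes the new exemption entries are folded into the existing inside_nat0_outbound ACL so that the inside interface keeps a single nat 0 access-list statement, and that 192.168.70.121 is the test PC seen in the posted log lines.

```cisco
! Added example: hairpin routing of 192.168.70.0/24 to the 10.0.0.0/16 and
! 10.1.0.0/16 subnets behind 192.168.70.10 on an ASA 5505 running 7.2(4).
!
! 1. Let a flow enter and leave the same (inside) interface.
same-security-traffic permit intra-interface
!
! 2. Exempt the inside-to-inside flows from NAT so that the dynamic rule
!    "nat (inside) 1 0.0.0.0 0.0.0.0" is no longer consulted for them
!    (the cause of the 305005 "No translation group found" messages).
!    Assumption: the existing VPN-pool exemption stays in the same ACL, because
!    the interface is bound to only one nat 0 access-list statement.
access-list inside_nat0_outbound extended permit ip any 172.16.24.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.70.0 255.255.255.0 SSOLAN 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.70.0 255.255.255.0 SSOINTERNAL 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Routes already present in the posted config, shown for completeness.
route inside SSOLAN 255.255.0.0 192.168.70.10 1
route inside SSOINTERNAL 255.255.0.0 192.168.70.10 1
!
! 4. Verify from the CLI the way the asker did in ASDM: an ICMP echo from the
!    test PC, then an HTTP SYN to the web appliance, then the connection table.
packet-tracer input inside icmp 192.168.70.121 8 0 10.0.10.10 detailed
packet-tracer input inside tcp 192.168.70.121 12345 10.0.10.10 80 detailed
show conn address 10.0.10.10
```

Both packet-tracer runs should now end with an ALLOW result and show the nat 0 exemption phase instead of the 106014 deny. Because the router at 192.168.70.10 sits on the same segment as the PC, its return traffic can reach the PC directly without passing back through the ASA; ICMP tolerates that, but a TCP handshake the ASA only half sees is dropped as out of state, which matches the "ping works, HTTP does not" symptom later in the thread.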