inferno521 (United States of America) asked:
static route on cisco asa 5505 not working

This should be a really easy one for an expert.  My setup is internet goes into a switch.  That switch goes to both a Watchguard firewall and a Cisco ASA 5505.  Both of these firewalls go into this branch office LAN.  Via the Watchguard firewall users can access the main office LAN and the LANs of the other branch offices. The only purpose of the Cisco firewall is to allow VPN connectivity for remote users; Watchguard doesn't have an iOS app yet and PPTP isn't working too well for us.

The problem that I'm having is that once VPNed in through the ASA, users can only access resources on that subnet.  I put in a static route for the other subnets to go to the Watchguard, which will know the path to the subnets, but the static route doesn't work.  I can ping the other subnets from the ASDM on the ASA, but my traceroute fails.  It says that there is an access rule policy (implicit rule), which I guess is the any any deny.  But before that rule I have an any any permit for IP traffic.

Any ideas?  I know permitting any any is stupid, but I put it in to see if I could get anything to work.

Tags: Cisco, VPN, Routers

Soulja:

Can you post a sanitized config of your ASA?
I think you are missing a static route on the Watchguard. You need to route the ip subnet that vpn clients are assigned (for example 172.16.1.0) to the ASA. Otherwise the Watchguard will just forward the traffic to its own default gateway, which is probably the internet connection.
inferno521 (asker):

The LAN of the branch that users are VPNing to is 192.168.111.x.  I'm trying to get them to 192.168.253.x and 192.168.254.x.
192.168.111.16 is a router that handles a point-to-point between this branch and the main office and the colo.  So I can have the static route go through that or through 192.168.111.2, which is the Watchguard firewall on this LAN.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname hudv2
domain-name domain.local
enable password CmQUTXbdPhnsyfYZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.111.16 A-192.168.111.16 description watchguard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.111.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.11.125.83 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.111.251
 name-server 192.168.111.252
 domain-name domain.local
access-list pptp_users extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list vpn_traffic extended permit ip 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address asdm@domain.com
logging recipient-address admin@domain.com level informational
mtu inside 1500
mtu outside 1500
ip local pool DHCP_Pool 192.168.111.200-192.168.111.209 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.11.125.81 1
route inside 192.168.253.0 255.255.255.0 192.168.111.2 2
route inside 192.168.254.0 255.255.255.0 192.168.111.2 3
route inside 0.0.0.0 0.0.0.0 192.168.111.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl pptp_users
 network-acl outside_access_in
aaa-server HudsonUsers protocol radius
aaa-server HudsonUsers (inside) host 192.168.111.251
 key xxxxxx
 radius-common-pw xxxxxx
aaa-server HudsonUsers (inside) host 192.168.111.252
 key xxxxxx
 radius-common-pw xxxxxx
aaa authentication telnet console HudsonUsers
http server enable
http 192.168.111.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
snmp-server location Server Room
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.111.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.111.251 192.168.111.252
 dns-server value 192.168.111.251 192.168.111.252
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_traffic
 webvpn
  svc ask none default svc
tunnel-group hudv2 type remote-access
tunnel-group hudv2 general-attributes
 address-pool DHCP_Pool
 authentication-server-group HudsonUsers
 password-management password-expire-in-days 7
tunnel-group hudv2 webvpn-attributes
 group-alias GROUP enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.111.225 192.168.1.21
prompt hostname context
Cryptochecksum:65f6eb493dd052468bf3b7dc557c6eb1
: end
inferno521 (asker):

kellemann

I'm sure the Watchguard is fine.  I have an SSL VPN set up on that, and when I connect I can get to the other subnets.  Also, while in the ASA's ASDM the traceroute fails, and it says that it fails because of an access list action, an implicit rule.  The only implicit rules present are the catch-all any any deny that is built in.

Jacob Kellemann:

I posted before seeing the config and assumed that you were using a different subnet for VPN clients. Using the same IPs as the internal network will make the ASA proxy-ARP the requests for the VPN clients.
Please try this command and post the output:

packet-tracer input inside tcp 192.168.111.200 8888 192.168.254.111 9999 detail
inferno521 (asker):

Result of the command: "packet-tracer input inside tcp 192.168.111.200 8888 192.168.254.111 9999 detail"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.254.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd817a308, priority=111, domain=permit, deny=true
      hits=1690, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
inferno521 (asker):

A packet trace on the subnet that the inside interface is on also fails, even after I put in the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Jacob Kellemann:

Your split-tunnel config will not allow the two other subnets through the tunnel. Please add these lines:

access-list vpn_traffic extended permit ip 192.168.253.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list vpn_traffic extended permit ip 192.168.254.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound  extended permit ip 192.168.253.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound  extended permit ip 192.168.254.0 255.255.255.0 192.168.111.0 255.255.255.0

No need for the same-security-traffic commands.
inferno521 (asker):

kellemann:

That still didn't do it.  It is still failing when I do a packet trace from 192.168.111.3 to 192.168.111.x or to 192.168.253.x.  The reason given is the implicit any any deny.
ASKER CERTIFIED SOLUTION by Jacob Kellemann (Denmark)
inferno521 (asker):

kellemann:

I think that you are right and NAT was the problem.  Your last post might have fixed it.  It works now, and didn't last week.  But the packet tracer still fails.  When I went to a coffee shop just to try it first hand, it works.  I can't exactly pinpoint when, though.
Jacob Kellemann:

Packet-tracer is probably failing because it interprets the source IP as being internal instead of belonging to a VPN client. This is one of the drawbacks of reusing the internal subnet for VPN clients. Whether it outweighs the advantages (simpler routing etc.) is an individual assessment.
It will work on the real VPN clients, but the packet-tracer (which is just a simulation) will probably keep failing.
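To make the two findings in this thread checkable rather than eyeballed (the split-tunnel and NAT-exempt ACLs that Kellemann added, and the VPN pool sitting inside the inside interface's own subnet that makes packet-tracer misleading), here is an added config audit script written for this answer; it is not part of the original thread or any Cisco tool. It parses a constructed excerpt of the ASA 8.2 running-config posted above and reports which routed subnets are absent from the split-tunnel and nat0 ACLs, before and after Kellemann's four lines are appended.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-config posted in the thread (not the full config).
ASA_CONFIG = """\
interface Vlan1
 ip address 192.168.111.3 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list vpn_traffic extended permit ip 192.168.111.0 255.255.255.0 192.168.111.0 255.255.255.0
ip local pool DHCP_Pool 192.168.111.200-192.168.111.209 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.253.0 255.255.255.0 192.168.111.2 2
route inside 192.168.254.0 255.255.255.0 192.168.111.2 3
 split-tunnel-network-list value vpn_traffic
"""
# The four lines Kellemann suggested, to be appended to the excerpt above.
KELLEMANN_FIX = """\
access-list vpn_traffic extended permit ip 192.168.253.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list vpn_traffic extended permit ip 192.168.254.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.111.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) ")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask")
INSIDE_RE = re.compile(r"^ ip address (\S+) (\S+)")

def net(addr, mask, strict=True):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=strict)

def acl_networks(lines, name):
    """All networks (source or destination) mentioned by permit-ip lines of ACL `name`."""
    nets = set()
    for m in filter(None, map(ACL_RE.match, lines)):
        if m.group(1) == name:
            nets.update({net(m.group(2), m.group(3)), net(m.group(4), m.group(5))})
    return nets

def audit_vpn_reachability(cfg):
    """Routed subnets missing from the split-tunnel / nat0 ACLs, and whether the VPN pool overlaps the inside subnet."""
    lines = cfg.splitlines()
    split_acl = re.search(r"split-tunnel-network-list value (\S+)", cfg).group(1)
    nat0_acl = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg).group(1)
    routed = {net(m.group(1), m.group(2)) for m in filter(None, map(ROUTE_RE.match, lines))}
    inside = next(net(m.group(1), m.group(2), strict=False) for m in filter(None, map(INSIDE_RE.match, lines)))
    lo, hi = next(m.groups() for m in filter(None, map(POOL_RE.match, lines)))
    return {
        "missing_split_tunnel": sorted(str(n) for n in routed - acl_networks(lines, split_acl)),
        "missing_nat_exempt": sorted(str(n) for n in routed - acl_networks(lines, nat0_acl)),
        "pool_overlaps_inside": ipaddress.ip_address(lo) in inside and ipaddress.ip_address(hi) in inside,
    }
```

Running `audit_vpn_reachability(ASA_CONFIG)` lists 192.168.253.0/24 and 192.168.254.0/24 as missing from both ACLs; with `ASA_CONFIG + KELLEMANN_FIX` both lists are empty, while `pool_overlaps_inside` stays True, which is the condition behind the packet-tracer caveat.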