Cisco ASA 5505 new Vlan not routing to internet

Hi all!

I've got a 5505 at our site that has been working great for about a year. It was a simple two vlan setup connecting our internal network (50.x) to the internet with some vpn functionality as well. Recently we've had the need arise for a separate development subnet which I've configured with 51.x addresses and created a new vlan for on the ASA. We want unfettered access between the development vlan and the internal, so as you'll see in the config the security level of both is 100.

I've got traffic working perfectly between the internal and development subnets, and the internal subnet can still get out to the internet as it has always been able to, but I can't for the life of me get any traffic to pass from the dev subnet to the internet.

Config as follows:

 
: Saved
:
ASA Version 8.2(1) 
!
hostname ASA
domain-name xxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
name x.x.x.0 ColoSubnet_1 description Subnet at CoLocation Site
name 192.168.50.127 Host127
name 192.168.50.135 Host135
name 192.168.50.2 Host2
name 192.168.50.30 Host30
name 192.168.50.34 Host34
name 192.168.50.4 Host4
name x.x.x.x OutsideIP
name 192.168.50.12 shareStage
name 192.168.50.128 PlaySP
name 192.168.52.0 VPN_Range
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.3 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OutsideIP 255.255.255.248 
!
interface Vlan3
 nameif Development
 security-level 100
 ip address 192.168.51.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.50.0 255.255.255.0
 network-object VPN_Range 255.255.255.0
 network-object 192.168.51.0 255.255.255.0
object-group service shareStage tcp
 port-object eq 555
object-group service PlaySPOutside tcp
 port-object eq 11234
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.51.0 255.255.255.0
 network-object ColoSubnet_1 255.255.255.192
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.50.0 255.255.255.0
 network-object ColoSubnet_1 255.255.255.192
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 ColoSubnet_1 255.255.255.192 
access-list inside_nat0_outbound remark Inside to Any
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list inside_nat0_outbound remark VPN to Any
access-list inside_nat0_outbound extended permit ip VPN_Range 255.255.255.0 object-group DM_INLINE_NETWORK_3 
access-list inside_nat0_outbound extended permit ip any VPN_Range 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list outside_access_in extended permit tcp any host OutsideIP eq pptp log alerts 
access-list outside_access_in extended permit tcp any host OutsideIP eq smtp 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3389 
access-list outside_access_in extended permit tcp any host OutsideIP eq www log 
access-list outside_access_in extended permit tcp any host OutsideIP eq https log 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3390 log 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3391 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3392 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3395 
access-list outside_access_in extended permit tcp any host OutsideIP eq 3396 
access-list outside_access_in extended permit gre any host OutsideIP log alerts 
access-list outside_access_in extended permit tcp any host shareStage object-group shareStage 
access-list outside_access_in extended permit tcp any host OutsideIP object-group PlaySPOutside 
access-list outside_access_in extended permit icmp any any log debugging 
access-list Internal_Network standard permit 192.168.50.0 255.255.255.0 
access-list Internal_Network standard permit ColoSubnet_1 255.255.255.192 
access-list Development_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list Development_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging asdm informational
no logging message 302014
no logging message 302013
mtu inside 1500
mtu outside 1500
mtu Development 1500
ip local pool VPN_Pool 192.168.52.50-192.168.52.100
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (inside) 1 VPN_Range 255.255.255.0
nat (Development) 0 access-list Development_nat0_outbound
nat (Development) 1 192.168.51.0 255.255.255.0
static (inside,outside) tcp interface 3389 Host2 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp Host2 pptp netmask 255.255.255.255 
static (inside,outside) tcp interface www Host4 www netmask 255.255.255.255 
static (inside,outside) tcp interface https Host4 https netmask 255.255.255.255 
static (inside,outside) tcp interface smtp Host4 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 3391 Host127 3391 netmask 255.255.255.255 
static (inside,outside) tcp interface 3392 Host135 3392 netmask 255.255.255.255 
static (inside,outside) tcp interface 3395 Host34 3395 netmask 255.255.255.255 
static (inside,outside) tcp interface 3396 Host30 3396 netmask 255.255.255.255 
static (inside,outside) tcp interface 11234 PlaySP 11234 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server authent_group protocol kerberos
aaa-server authent_group (inside) host Host2
 kerberos-realm xxxxx
aaa-server author_group protocol ldap
aaa-server author_group (inside) host Host2
 server-port 636
 ldap-base-dn DC=xxxxx
 ldap-group-base-dn DC=xxxxx
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn ldap
 ldap-over-ssl enable
 server-type microsoft
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console authent_group LOCAL
http server enable 443
http 192.168.50.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
http ColoSubnet_1 255.255.255.192 outside
http 192.168.51.0 255.255.255.0 Development
http Aurora 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set connection-type originate-only
crypto map outside_map1 1 set peer x.x.x.x
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
ssh scopy enable
ssh 192.168.50.0 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh ColoSubnet_1 255.255.255.192 outside
ssh Aurora 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source outside
webvpn        
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.50.2
 vpn-tunnel-protocol IPSec svc 
 ipsec-udp enable
 default-domain value xxxxxx
 address-pools value VPN_Pool
group-policy GP internal
group-policy GP attributes
 dns-server value 192.168.50.2 192.168.50.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Internal_Network
 address-pools value VPN_Pool
username admin password xxxxxxx encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group xxxx type remote-access
tunnel-group xxxx general-attributes
 address-pool VPN_Pool
 authentication-server-group authent_group LOCAL
 default-group-policy xxxxGP
tunnel-group xxxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect pptp 
policy-map inspection_default
 class inspection_default
  inspect icmp 
!
prompt hostname context 
: end

Thanks in advance for your help!
0
valheru_m Asked:
1 Solution
 
InteraXCommented:
Which license have you installed? Only the Sec Plus license allows 3 or more fully routed interfaces. All other licenses allow 2 fully routed interfaces and one interface that can only route to 1 other interface. This sounds exactly like your situation.
0
 
valheru_mAuthor Commented:
Thanks for your reply. It is the Sec Plus license, so it shouldn't be a licensing issue.
0
 
shbasmCommented:
Use packet tracer to see which module stops the traffic (ASDM > Tools > Packet Tracer):
http://www.cisco.com/E-Learning/bulk/public/celc/QLM_ASA_72_01_Final/course_skin.html
0
 
InteraXCommented:
Do you have the 'no forward interface' command in your config anywhere?
0
 
valheru_mAuthor Commented:
The "no forward interface" command is not present. The entire config is listed in the original question, with only the sensitive info xxxxx'd out.

shbasm: I tried the packet tracer and it shows the packet as allowed. Just for comparison purposes, I also ran a packet trace from a host on the 50.x network since that's working. There is an interesting difference I see in the packet tracer.

Here's the relevant section from the working 50.x host:
[screenshot: 50.x packet tracer]
And here's the same section from the non-working 51.x host:
[screenshot: 51.x packet tracer]
It may be nothing, but that part about not having a matching global pool got me thinking.

Here's one more weird thing... I got on one of the machines on the 51.x network and just for giggles again tried to ping 8.8.8.8 (google's DNS server). I GOT ONE PING RESPONSE..... then the rest timed out. The same test works 100% from the 50.x network. Why would 1 packet make it and then no more?
0
 
valheru_mAuthor Commented:
More weirdness - Now some internal (50.x) hosts are getting denied and the logs show that the packets are being denied as they are being considered from the development interface, which they aren't even on.

See screenshot:

[screenshot: comm log]

Host 4 is on the 50.x network. Why would the ASA think it's on the dev network now?
0
 
shbasmCommented:
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0

According to your configuration, 192.168.51.0 is allowed to access 192.168.50.0 only. Correct it.
0
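The "no matching global pool" line in the packet tracer output discussed above and shbasm's remark about the nat 0 access-list both come down to how an 8.2 (pre-8.3) ASA chooses a translation: the NAT-exempt access-list on the ingress interface is consulted first, and only then a numbered nat statement, whose id must have a matching global on the egress interface. The script below is an added example for this thread; it is not Cisco tooling and not the asker's own configuration check. It parses a constructed excerpt modelled on the posted config (the redacted ColoSubnet_1 address is replaced with the placeholder 10.0.0.0, host addresses such as 192.168.51.10 are made up) and classifies a few flows. It deliberately ignores static translations and object-group ACL entries, and it treats NAT exemption as matching in both directions.

```python
"""Classify how an ASA 8.2-style configuration would translate a flow.

Added example for the thread above; not Cisco tooling and not the asker's
script.  It models the pre-8.3 order of operations for dynamic NAT only:
nat 0 access-list (NAT exemption, matched in both directions) first, then
a numbered nat whose id must have a matching global on the egress
interface.  static translations and object-group ACL entries are ignored.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpt modelled on the config in the question.  The
# ColoSubnet_1 address was redacted in the post, so 10.0.0.0 is a placeholder.
SAMPLE_CONFIG = """\
name 192.168.52.0 VPN_Range
name 10.0.0.0 ColoSubnet_1 description placeholder for the redacted colo subnet
access-list inside_nat0_outbound remark Inside to Any
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 ColoSubnet_1 255.255.255.192
access-list inside_nat0_outbound extended permit ip any VPN_Range 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Development_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Development_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (inside) 1 VPN_Range 255.255.255.0
nat (Development) 0 access-list Development_nat0_outbound
nat (Development) 1 192.168.51.0 255.255.255.0
"""


def parse_names(text):
    """Map 'name <ip> <label>' entries to their addresses."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^name (\S+) (\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _take_addr(tokens, i, names):
    """Consume one address term (any / host X / net mask) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return IPv4Network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    return IPv4Network(f"{names.get(t, t)}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect names, 'permit ip' ACL entries, nat and global statements."""
    names = parse_names(text)
    cfg = {"names": names, "acls": {}, "nats": [], "globals": {}}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 5 and tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            if "object-group" in tok:
                continue  # object-group expansion is not modelled here
            src, i = _take_addr(tok, 5, names)
            dst, _ = _take_addr(tok, i, names)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok and tok[0] == "global":
            # global (outside) 1 interface  ->  globals[("outside", 1)] = "interface"
            cfg["globals"][(tok[1].strip("()"), int(tok[2]))] = tok[3]
        elif tok and tok[0] == "nat":
            iface, nat_id = tok[1].strip("()"), int(tok[2])
            if nat_id == 0 and tok[3] == "access-list":
                cfg["nats"].append((iface, 0, tok[4]))
            else:
                cfg["nats"].append((iface, nat_id, _take_addr(tok, 3, names)[0]))
    return cfg


def egress_path(cfg, src_iface, dst_iface, src_ip, dst_ip):
    """Return (verdict, detail) for a flow entering src_iface bound for dst_iface."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    # Step 1: NAT exemption on the ingress interface, either direction.
    for iface, nat_id, target in cfg["nats"]:
        if iface == src_iface and nat_id == 0:
            for s, d in cfg["acls"].get(target, []):
                if (src in s and dst in d) or (src in d and dst in s):
                    return "exempt", f"nat 0 access-list {target}"
    # Step 2: numbered nat; its id needs a global on the egress interface.
    for iface, nat_id, target in cfg["nats"]:
        if iface == src_iface and nat_id != 0 and src in target:
            pool = cfg["globals"].get((dst_iface, nat_id))
            if pool is None:
                return "no-global", f"nat id {nat_id} has no global on {dst_iface}"
            return "translated", f"nat id {nat_id} -> global ({dst_iface}) {pool}"
    return "none", "no nat statement matches; passes untranslated when nat-control is off"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("Development", "outside", "192.168.51.10", "8.8.8.8"),
                 ("Development", "inside", "192.168.51.10", "192.168.50.4"),
                 ("inside", "outside", "192.168.50.4", "8.8.8.8")]:
        print(flow, "->", egress_path(cfg, *flow))
```

Run over the posted statements, the Development hosts do get a PAT path to the outside (nat id 1 with a matching global on outside), and Development-to-inside traffic is exempted, which agrees with the packet tracer's "allowed" verdict and with the thread's eventual finding that the fault was outside the ASA. Deleting the global line reproduces the "no-global" condition the packet tracer screenshot hinted at, which is the first thing to verify whenever a newly added interface cannot reach the internet.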
 
valheru_mAuthor Commented:
The problem ended up being a bad switch. Thanks for trying, everyone!
0
 
valheru_mAuthor Commented:
Problem was solved by phone call to Cisco TAC.
0
