• Status: Solved

Cisco ASA 5505 Multiple Internal Subnets

I have two offices, office A which is the main office that consists of a Cisco ASA 5505, a Cisco MPLS router, and a Layer 2 switch, and office B which consists of an MPLS router and a Layer 2 switch. The MPLS router and Layer 2 switch are configured and managed by the telephone company. We have four VLANs defined in the switch - VLAN1 - 192.168.2.0, VLAN2 - 192.168.3.0, VLAN3 - 192.168.4.0, and VLAN4 - 192.168.5.0. VLAN2 and VLAN4 are VoIP and work fine. VLAN1 and VLAN3 are data and are causing issues. All data must touch the ASA since we do not have layer 3 switches. I added the following commands to my ASA configuration:

Static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
route inside 192.168.3.0 255.255.255.0 192.168.2.11
route inside 192.168.4.0 255.255.255.0 192.168.2.11
route inside 192.168.5.0 255.255.255.0 192.168.2.11

192.168.2.11 is the MPLS router, not the ASA. When I do this I am able to ping across the data MPLS and all is great, except that my internal network VLAN1 goes all to pieces: internal traffic starts getting blocked, nobody can get DHCP leases, etc. Office B can get on the internet but can't access any hosts on the internal network at Office A. If I take out the Static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 then Office A's internal network goes back to working fine as it should, but we no longer have connectivity back to Office B.
0
Asked: SechristTech
1 Solution
 
SechristTechAuthor Commented:
Just to clarify, Internet is at Office A, no Internet connection at Office B - all traffic destined for Internet must travel across the MPLS.
0
 
fgasimzadeCommented:
What is the purpose of this command?

Static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
0
 
SechristTechAuthor Commented:
Without this command you can't ping across subnets.
0
 
fgasimzadeCommented:
I understand, but do you know why you configured it this way?

What is your default gateway on the ASA side? Can you post your ASA config?
0
 
SechristTechAuthor Commented:
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <public ip address> 255.255.255.224
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 10.222.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.222.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255  
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.222.56.97 1
route inside 192.168.3.0 255.255.255.0 192.168.2.11 1
route inside 192.168.4.0 255.255.255.0 192.168.2.11 1
route inside 192.168.5.0 255.255.255.0 192.168.2.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 70.63.141.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd update dns both interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 70.63.141.5 type ipsec-l2l
tunnel-group 70.63.141.5 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e81d52446c5636344a20280f017b5df7
: end
0
 
fgasimzadeCommented:
What is your default gateway in 192.168.2.0?
0
 
SechristTechAuthor Commented:
The ASA is the default gateway in the 2.0 subnet - ASA ip is 192.168.2.1
0
 
fgasimzadeCommented:
Get rid of this line, you don't need it; the problem is somewhere else:
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

This command configures NAT exempt

Your config looks fine, you should be able to reach all of your networks, no clue

Bear in mind that the ASA is NOT a router, so you should get a router to properly route between subnets.
0
 
SechristTechAuthor Commented:
If I remove that line I no longer have access to the other subnets. I have tried it with and without that line.
0
 
fastcudaCommented:
Please do a 'show firewall' and post the results.
0
 
SechristTechAuthor Commented:
Result of the command: "show firewall"

Firewall mode: Router
0
 
fastcudaCommented:
Can you explain your physical topology? Where is ASA?

Because typically your router should be handling the routing for the vlans. So is the ASA in between the switch and the router?
0
 
SechristTechAuthor Commented:
MPLS Router --> Switch --> ASA ---> Internet

Best I could do from phone
0
 
fastcudaCommented:
Then through the internet is the MPLS connection to your other office?

It seems to me that for what you are trying to do, your topology should be:

switch--> ASA-->MPLS Router-->Internet
0
 
SechristTechAuthor Commented:
Just FYI, the answer is below:

no static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Set all hosts on the ASA side default gateway to 192.168.2.11, which is the MPLS router.
0
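As an added check (written for this page, not taken from the thread or from Cisco), the following Python script scans a pre-8.3 ASA config for static (X,X) identity NAT entries whose mapped range overlaps the subnet of interface X itself. Such an entry makes the ASA proxy-ARP for addresses on its own directly connected LAN, which is the likely reason the /16 entry broke VLAN1 while the per-subnet /24 entries in the accepted answer do not. The sample config is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the ASA config posted in the thread,
# with both the original /16 identity NAT and the three per-subnet replacements.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan5
 ip address dhcp
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
"""

# static (real_if,mapped_if) real_addr mapped_addr netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", re.M)


def interface_subnets(config):
    """Map each nameif to the IPv4 subnet configured on that interface."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block; nameif comes later
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            if len(parts) >= 4:  # skips "ip address dhcp"
                net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
                subnets[nameif] = net
    return subnets


def hairpin_statics_overlapping_interface(config):
    """Return hairpin identity-NAT lines (same interface on both sides) whose
    mapped range overlaps that interface's own subnet. The ASA proxy-ARPs for a
    static's mapped addresses, so overlap hijacks local host-to-host traffic."""
    subnets = interface_subnets(config)
    findings = []
    for real_if, mapped_if, real, mapped, mask in STATIC_RE.findall(config):
        if real_if != mapped_if or mapped_if not in subnets:
            continue  # only same-interface (hairpin) statics matter here
        mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
        if mapped_net.overlaps(subnets[mapped_if]):
            findings.append(f"static ({real_if},{mapped_if}) {real} {mapped} netmask {mask}")
    return findings


if __name__ == "__main__":
    for line in hairpin_statics_overlapping_interface(SAMPLE_CONFIG):
        print("overlaps interface subnet:", line)
```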
