LVMB1417
asked on
Issues with Cisco routing and MPLS network
Hi,
We just changed internet companies recently. I have attached a diagram of our new MPLS network. I edited some private info but you should get an idea of what kind of service we get from our ISP. We have managed to configure our ASA 5505 router to give internet access to all our remote location (the internet resides on our main site on the left of the diagram). Computers can also ping each other both way from the main site and remote location. But for whatever reason we are unable to remote desktop from one site to the other. Here is the copy of the ASA configuration...
Just to make it a little clearer we have a pc on the main site with IP 192.168.0.6... I can remote desktop to that computer with no issues when I use the outside interface IP (public IP). So I know the computer is listening on port 3389. But yet when I try to remote desktop from a computer on the 192.168.2.x network I get no answer.
PLS Help
P.S.
If you are in the Montreal, PQ, we might have something for you if you are interested.
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name XXXX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 3389
access-list test extended permit ip host 192.168.0.6 host 192.168.2.100
access-list test extended permit ip host 192.168.2.100 host 192.168.0.6
access-list test extended permit ip host 192.168.0.6 host 192.168.2.102
access-list test extended permit ip host 192.168.2.102 host 192.168.0.6
pager lines 24
logging enable
logging buffer-size 16384
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.96.218.177 1
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1
route inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route inside 192.168.3.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 524efb52
308201d9 30820142 a0030201 02020452 4efb5230 0d06092a 864886f7 0d010105
05003031 3111300f 06035504 03130863 6973636f 61736131 1c301a06 092a8648
86f70d01 0902160d 63697363 6f617361 2e535042 30301e17 0d313430 32313231
30343434 315a170d 32343032 31303130 34343431 5a303131 11300f06 03550403
13086369 73636f61 7361311c 301a0609 2a864886 f70d0109 02160d63 6973636f
6173612e 53504230 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
89028181 00a3e612 b5038e33 58fe836d f6cc292e 44de4b4b 35a05e90 f9bf6a98
18b6f3f8 f4d0ca31 5eb1d887 6e41561f 72047b33 caacc4ee 04077fdf b9fe7079
eaa50ee9 f8fdf40d ff231f0d e9431ecb fa4e5286 3b004a10 6c314ec7 92257535
2c62febd 29236739 bc537b9f bd0a56d9 35dfd8e4 bb664735 8d60e8e0 cb688533
d3b8f97d e3020301 0001300d 06092a86 4886f70d 01010505 00038181 0096022f
5530ee71 31df0a76 d6ac123b 2af15592 76487777 b6f72976 25083858 2ff2e47d
3e222358 da252686 f0789a43 66f0bc7d 24d1ccea 7e8dcd6b 1ab10bf2 20e1dc54
a24e4423 1456db47 fa3d82c8 da04fbf1 c3f63c1a 87fb2f48 be1f3715 0b333236
30fb811d 854321b3 09d24306 94720cba 005049f4 2ee08ee1 ae8224ed 52
quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 205.151.222.250 205.151.222.251
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.10 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5a99bd0b8cb
: end
ciscoasa#
Visio-Network-Diagram.pdf
We just changed internet companies recently. I have attached a diagram of our new MPLS network. I edited some private info but you should get an idea of what kind of service we get from our ISP. We have managed to configure our ASA 5505 router to give internet access to all our remote location (the internet resides on our main site on the left of the diagram). Computers can also ping each other both way from the main site and remote location. But for whatever reason we are unable to remote desktop from one site to the other. Here is the copy of the ASA configuration...
Just to make it a little clearer we have a pc on the main site with IP 192.168.0.6... I can remote desktop to that computer with no issues when I use the outside interface IP (public IP). So I know the computer is listening on port 3389. But yet when I try to remote desktop from a computer on the 192.168.2.x network I get no answer.
PLS Help
P.S.
If you are in the Montreal, PQ, we might have something for you if you are interested.
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name XXXX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 3389
access-list test extended permit ip host 192.168.0.6 host 192.168.2.100
access-list test extended permit ip host 192.168.2.100 host 192.168.0.6
access-list test extended permit ip host 192.168.0.6 host 192.168.2.102
access-list test extended permit ip host 192.168.2.102 host 192.168.0.6
pager lines 24
logging enable
logging buffer-size 16384
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.96.218.177 1
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1
route inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route inside 192.168.3.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 524efb52
308201d9 30820142 a0030201 02020452 4efb5230 0d06092a 864886f7 0d010105
05003031 3111300f 06035504 03130863 6973636f 61736131 1c301a06 092a8648
86f70d01 0902160d 63697363 6f617361 2e535042 30301e17 0d313430 32313231
30343434 315a170d 32343032 31303130 34343431 5a303131 11300f06 03550403
13086369 73636f61 7361311c 301a0609 2a864886 f70d0109 02160d63 6973636f
6173612e 53504230 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
89028181 00a3e612 b5038e33 58fe836d f6cc292e 44de4b4b 35a05e90 f9bf6a98
18b6f3f8 f4d0ca31 5eb1d887 6e41561f 72047b33 caacc4ee 04077fdf b9fe7079
eaa50ee9 f8fdf40d ff231f0d e9431ecb fa4e5286 3b004a10 6c314ec7 92257535
2c62febd 29236739 bc537b9f bd0a56d9 35dfd8e4 bb664735 8d60e8e0 cb688533
d3b8f97d e3020301 0001300d 06092a86 4886f70d 01010505 00038181 0096022f
5530ee71 31df0a76 d6ac123b 2af15592 76487777 b6f72976 25083858 2ff2e47d
3e222358 da252686 f0789a43 66f0bc7d 24d1ccea 7e8dcd6b 1ab10bf2 20e1dc54
a24e4423 1456db47 fa3d82c8 da04fbf1 c3f63c1a 87fb2f48 be1f3715 0b333236
30fb811d 854321b3 09d24306 94720cba 005049f4 2ee08ee1 ae8224ed 52
quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 205.151.222.250 205.151.222.251
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.10 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5a99bd0b8cb
: end
ciscoasa#
Visio-Network-Diagram.pdf
ASKER
Understand that on each of our remote sites our ISP handles the DHCP with their equipment. Only on the main site do we need our own Firewall. Not sure why you are talking about 2 ASA.
Ok so if you don't have a firewall at each site the routing should be sorted by the ISP if they manage the routers at each site.
You just need to make sure traffic leaving the main site isn't being NAT'ed when it goes to the remote sites.
You just need to make sure traffic leaving the main site isn't being NAT'ed when it goes to the remote sites.
ASKER
Any idea on how to configure the ASA? And why can I ping from one site to the other but no luck with RDP or SMB?
I think you need to look at the design again.
If I'm looking at it correctly you have two links from the Longueuil LAN to the internet - one via the ASA and one via the router directly??
So what I think is happening is all traffic on your LAN at Longueuil is using the ASA as the default gateway. When traffic comes to the outside interface of the ASA, NAT translates the traffic, and the internal hosts send the return traffic via the ASA.
The issue here is that when you try to use the internal IP address the traffic is going directly towards the Longueuil LAN via the ISP router. All return traffic will go via the ASA though, so the routing gets broken.
As a test, change the default gateway on the RDP server to 192.168.0.254 and try again from a remote site.
If I'm looking at it correctly you have two links from the Longueuil LAN to the internet - one via the ASA and one via the router directly??
So what I think is happening is all traffic on your LAN at Longueuil is using the ASA as the default gateway. When traffic comes to the outside interface of the ASA, NAT translates the traffic, and the internal hosts send the return traffic via the ASA.
The issue here is that when you try to use the internal IP address the traffic is going directly towards the Longueuil LAN via the ISP router. All return traffic will go via the ASA though, so the routing gets broken.
As a test, change the default gateway on the RDP server to 192.168.0.254 and try again from a remote site.
ASKER
To make it a little clearer... We were given at the main site an Cisco switch by our ISP. Port 1 is used to connect that switch to the fiber POI of the ISP. Port 2 is giving us access to the internet. (If I setup a pc with a static public ip in the range given to us by the ISP with the public gateway we have access to the internet.) Port 3 is the port that I can use if I want to communicate with my remote location. So our challenge is to connect port 2 (internet) to eth0, and port 3 to eth1.
I dont know if that is clear, and so far everything is ok as per the remote site connecting to the internet as well as seeing the pc on the different subnet. But that is it after that... Why can't I remote desktop???
I dont know if that is clear, and so far everything is ok as per the remote site connecting to the internet as well as seeing the pc on the different subnet. But that is it after that... Why can't I remote desktop???
Do a traceroute from each site to a remote PC. Post the result here.
ASKER
Here you go...
tracert.jpg
tracert.jpg
ASKER
By the way it is from 192.168.0.6...
Ok and what about the other way from 192.168.2.102 to 192.168.0.6?
ASKER
Unfortunately I am not on site so I no longer have access to the 192.168.2.102 machine... Doesn't really matter, I have access to the 192.168.0.6 pc and I cannot RDP to the 192.168.2.102 pc. If I solve that then it should work both ways...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Each ASA will need to know which other ASA it needs to go through to get to each 192.168.x network.
You'll also need to create some no-nat rules on each ASA so you don't NAT traffic to the 192.168.x subnets.