Solved

Issues with Cisco routing and MPLS network

Posted on 2014-02-14
12
870 Views
Last Modified: 2014-02-21
Hi,

We just changed internet companies recently.  I have attached a diagram of our new MPLS network.  I edited some private info but you should get an idea of what kind of service we get from our ISP.  We have managed to configure our ASA 5505 router to give internet access to all our remote location (the internet resides on our main site on the left of the diagram).  Computers can also ping each other both way from the main site and remote location.  But for whatever reason we are unable to remote desktop from one site to the other.  Here is the copy of the ASA configuration...

Just to make it a little clearer we have a pc on the main site with IP 192.168.0.6...  I can remote desktop to that computer with no issues when I use the outside interface IP (public IP).  So I know the computer is listening on port 3389.  But yet when I try to remote desktop from a computer on the 192.168.2.x network I get no answer.

PLS Help

P.S.  

If you are in the Montreal, PQ,  we might have something for you if you are interested.


:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name XXXX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 3389
access-list test extended permit ip host 192.168.0.6 host 192.168.2.100
access-list test extended permit ip host 192.168.2.100 host 192.168.0.6
access-list test extended permit ip host 192.168.0.6 host 192.168.2.102
access-list test extended permit ip host 192.168.2.102 host 192.168.0.6
pager lines 24
logging enable
logging buffer-size 16384
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.96.218.177 1
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1
route inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route inside 192.168.3.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 524efb52
    308201d9 30820142 a0030201 02020452 4efb5230 0d06092a 864886f7 0d010105
    05003031 3111300f 06035504 03130863 6973636f 61736131 1c301a06 092a8648
    86f70d01 0902160d 63697363 6f617361 2e535042 30301e17 0d313430 32313231
    30343434 315a170d 32343032 31303130 34343431 5a303131 11300f06 03550403
    13086369 73636f61 7361311c 301a0609 2a864886 f70d0109 02160d63 6973636f
    6173612e 53504230 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
    89028181 00a3e612 b5038e33 58fe836d f6cc292e 44de4b4b 35a05e90 f9bf6a98
    18b6f3f8 f4d0ca31 5eb1d887 6e41561f 72047b33 caacc4ee 04077fdf b9fe7079
    eaa50ee9 f8fdf40d ff231f0d e9431ecb fa4e5286 3b004a10 6c314ec7 92257535
    2c62febd 29236739 bc537b9f bd0a56d9 35dfd8e4 bb664735 8d60e8e0 cb688533
    d3b8f97d e3020301 0001300d 06092a86 4886f70d 01010505 00038181 0096022f
    5530ee71 31df0a76 d6ac123b 2af15592 76487777 b6f72976 25083858 2ff2e47d
    3e222358 da252686 f0789a43 66f0bc7d 24d1ccea 7e8dcd6b 1ab10bf2 20e1dc54
    a24e4423 1456db47 fa3d82c8 da04fbf1 c3f63c1a 87fb2f48 be1f3715 0b333236
    30fb811d 854321b3 09d24306 94720cba 005049f4 2ee08ee1 ae8224ed 52
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 205.151.222.250 205.151.222.251
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.10 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5a99bd0b8cbf7950fbe705af92992073
: end
ciscoasa#
Visio-Network-Diagram.pdf
0
Comment
Question by:LVMB1417
  • 6
  • 6
12 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39860206
You'll need some routing configured if your ASAs can see each-other directly over the MPLS.

Each ASA will need to know which other ASA it needs to go through to get to each 192.168.x network.

You'll also need to create some no-nat rules on each ASA so you don't NAT traffic to the 192.168.x subnets.
0
 

Author Comment

by:LVMB1417
ID: 39860220
Understand that on each of our remote sites our ISP handles the DHCP with their equipment.  Only on the main site do we need our own Firewall.  Not sure why you are talking about 2 ASA.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39860223
Ok so if you don't have a firewall at each site the routing should be sorted by the ISP if they manage the routers at each site.

You just need to make sure traffic leaving the main site isn't being NAT'ed when it goes to the remote sites.
0
 

Author Comment

by:LVMB1417
ID: 39860247
Any idea on how to configure the ASA?  And why can I ping from one site to the other but no luck with RDP or SMB?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39860288
I think you need to look at the design again.

If I'm looking at it correctly you have two links from the Longueuil LAN to the internet - one via the ASA and one via the router directly??

So what I think is happening is all traffic on your LAN at Longueuil is using the ASA as the default gateway.  When traffic comes to the outside interface of the ASA, NAT translates the traffic, and the internal hosts send the return traffic via the ASA.

The issue here is that when you try to use the internal IP address the traffic is going directly towards the Longueuil LAN via the ISP router.  All return traffic will go via the ASA though, so the routing gets broken.

As a test, change the default gateway on the RDP server to 192.168.0.254 and try again from a remote site.
0
 

Author Comment

by:LVMB1417
ID: 39860400
To make it a little clearer...  We were given at the main site an Cisco switch by our ISP.  Port 1 is used to connect that switch to the fiber POI of the ISP.  Port 2 is giving us access to the internet. (If I setup a pc with a static public ip in the range given to us by the ISP with the public gateway  we have access to the internet.)  Port 3 is the port that I can use if I want to communicate with my remote location.  So our challenge is to connect port 2 (internet) to eth0, and port 3 to eth1.  

I dont know if that is clear,  and so far everything is ok as per the remote site connecting to the internet as well as seeing the pc on the different subnet.  But that is it after that...  Why can't I remote desktop???
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 45

Expert Comment

by:Craig Beck
ID: 39860409
Do a traceroute from each site to a remote PC.  Post the result here.
0
 

Author Comment

by:LVMB1417
ID: 39860466
Here you go...
tracert.jpg
0
 

Author Comment

by:LVMB1417
ID: 39860469
By the way it is from 192.168.0.6...
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39860492
Ok and what about the other way from 192.168.2.102 to 192.168.0.6?
0
 

Author Comment

by:LVMB1417
ID: 39860506
Unfortunately I am not on site so I no longer have access to the 192.168.2.102 machine...  Doesn't really matter,  I have access to the 192.168.0.6 pc and I cannot RDP to the 192.168.2.102 pc.  If I solve that then it should work both ways...
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39860529
That's what we're trying to solve.  Just because ICMP works doesn't mean that TCP-based traffic will.

I need to see which way the traffic comes back from the 2.102 PC - that is important.  I can wait until you can get to the PC to do the traceroute.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now