Solved

Cisco ASA5505 problems

Posted on 2016-08-05
Last Modified: 2016-08-08
Hi - I am having a mare of a day here with this ASA ... I wonder if anyone can help

I basically have 2 domains running on the network and they all go via separate ports on the Cisco

domain1 - eth/1 - internal 10.0.9.x
domain2 - eth/2 - internal 10.0.1.x

I do not want the networks to communicate generally but the mailserver that hosts both is on the 10.0.1.x network

I have 6 usable IP addresses 81.2.23.20-25 and I have configured eth/1 to listen for incoming traffic on .21 and the rest on .22-24

All traffic for some reason goes out via .22 (ideally I would like eth/1 to send all traffic via .21, but it's not the end of the world). The issue currently is when someone on the 10.0.9.x network wants their email: they resolve the IP address for the server (e.g. mail.net), this resolves to 81.2.23.20 for example, but they can never connect.

Users on the 10.0.1.x network are OK, as in DNS I have an IP for the mailserver which sits on the .1 network.

I suspect this is because all the addresses .20 - .25 are really on the same network


I see there is an option to allow connections between 2 networks with the same security weighting, but I really don't want them to communicate generally. As both companies are on the same mail server, they need to just for this (but I am happy to use the external address).

Please does anyone have an idea on how to do this !!!
Question by:Member_2_7970364
 
LVL 9

Expert Comment

by:Cheever000
ID: 41744670
I would love to provide some assistance for you on this question. Can you show a diagram (even with fake networks) of each side and perhaps the firewall configuration? This would really help. What you are describing isn't too far out of the realms of difficulty, but I can't make heads or tails of the actual question, sorry.
 

Author Comment

by:Member_2_7970364
ID: 41745195
Hi

Thanks for your comment and time - it is really appreciated.
Below is the config. In essence, what I am trying to achieve is to allow people who are on the linnaeus network (10.0.9.x) and public (192.168.10.x) access to certain servers on the inside network.

The main one being our mailserver. On the inside network this is simple, as I have a DNS entry for the mailserver (eg: mailserver.me.com) pointing to the internal address 10.0.2.25, and everything works.

On the public and linnaeus networks, when they try to resolve mailserver.me.com the public DNS record responds with the same external IP as itself, and therefore no one on the linnaeus or public network can ever get their email.

The public and linnaeus networks are on their own separate switches, so there is no internal route between them. Their only 'theoretical' route connecting them could be the Cisco ASA or the internet.

I hope this explains things a little better and I thank you for your time.



----
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.41.242.249 255.255.255.248
!
interface Vlan12
nameif public-wifi
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface Vlan22
nameif linnaeus
security-level 100
ip address 10.0.9.100 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.1.2
domain-name willows.local
object-group network EPA
description Email Systems IP Ranges
network-object EPA3 255.255.255.0
network-object EPA1 255.255.255.240
network-object EPA2 255.255.255.192
network-object EPA9 255.255.248.0
network-object EPA10 255.255.254.0
network-object EPA11 255.255.254.0
network-object EPA12 255.255.254.0
network-object EPA4 255.255.240.0
network-object EPA8 255.255.248.0
network-object EPA5 255.255.240.0
network-object EPA6 255.255.248.0
network-object EPA7 255.255.248.0
object-group service RDP tcp
description Remote Desktop
port-object eq 3386
object-group service VNC tcp
description VNC Viewer
port-object eq 3386
port-object eq 3387
port-object eq 3388
port-object eq 3389
object-group network Fuji
network-object host FUJI2
network-object host FUJI
network-object host FUJI3
network-object host curtis
object-group network EPA-LDAP
description LDAP auth for EPA
network-object host 176.34.228.109
network-object host 176.34.228.117
network-object host 176.34.228.121
network-object host 176.34.228.76
network-object host 46.137.116.147
network-object ldaps-1 255.255.252.0
network-object LDAPS-2 255.255.248.0
network-object LDAPS-3 255.255.255.0
network-object LDAPS-4 255.255.255.0
network-object MIKETEST 255.255.255.0
object-group service rdp2 tcp
group-object RDP
port-object eq 3385
port-object eq https
object-group service r3389 tcp
port-object eq 3389
object-group service https_and_6001 tcp
port-object eq 6001
port-object eq 6002
port-object eq 6003
port-object eq 6004
port-object eq https
object-group service fujIrequest tcp
port-object eq 2837
port-object eq 2861
port-object eq 2876
port-object eq 2898
port-object eq 3011
port-object eq 3030
port-object eq 5900
port-object eq 3387
object-group service oayrollpc tcp
description payrollpc
port-object eq 3375
object-group service port1433 tcp
port-object eq 1433
object-group service port1433single
service-object tcp eq 1433
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in remark Allow SMTP access from EPA
access-list outside_access_in extended permit tcp object-group EPA host 81.71.242.253 eq smtp
access-list outside_access_in remark Allow LDAPS access from EPA
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldaps
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldap inactive
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 81.41.242.252 object-group r3389
access-list outside_access_in extended permit tcp any host 81.41.242.251 object-group r3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 81.41.242.248 255.255.255.248
access-list outside_access_in remark VPN
access-list outside_access_in extended permit gre any 81.41.242.248 255.255.255.248
access-list outside_access_in remark Fuji RDP access to Synapse Server
access-list outside_access_in extended permit ip object-group Fuji 81.71.242.248 255.255.255.248
access-list outside_access_in remark GE
access-list outside_access_in extended permit udp host 195.177.212.157 host 81.41.242.252 eq isakmp
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq pptp
access-list outside_access_in extended permit gre any host 81.41.242.253
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group fujIrequest
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group oayrollpc inactive
access-list outside_access_in extended permit tcp any host 81.41.242.253 object-group port1433 inactive
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq 1433
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound remark VLAN6
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list outside_2_cryptomap extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list public-wifi_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public-wifi 1500
mtu linnaeus 1500
ip local pool VPN 10.0.1.220-10.0.1.230 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public-wifi) 1 0.0.0.0 0.0.0.0
nat (linnaeus) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 81.41.242.252 3389 WillowsTS 3389 netmask 255.255.255.255
static (linnaeus,outside) tcp 81.41.242.251 3389 10.0.9.9 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group public-wifi_access_in in interface public-wifi
route outside 0.0.0.0 0.0.0.0 81.41.242.254 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
route inside 10.0.3.0 255.255.255.0 10.0.1.100 1
route inside 10.0.4.0 255.255.255.0 10.0.1.100 1
route inside 10.0.5.0 255.255.255.0 10.0.1.100 1
route inside 192.168.10.0 255.255.255.0 10.0.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.1.2 255.255.255.255 inside
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747188
Sorry for the delay in responding. I see that all the internal networks are the same security level, and you would need to use the command same-security-traffic permit inter-interface, otherwise the traffic can't flow between the interfaces. Traffic flows from higher to lower without any issue. After that you would have to do a couple of other small tasks.

To control traffic you can use an access list on the interface permitting access to the server first, denying the rest of the subnet second and then allowing any any ip to permit internet traffic out.

You may need to do a no nat statement between the networks or nat the IPs to itself as it traverses the network.
 

Author Comment

by:Member_2_7970364
ID: 41747208
Thanks for the comment ... but I have nooo idea about how to do that !! (I'm the server guy, and the network guy was involved in a car accident so is off for a few weeks .. so I have been tasked with it !!!)
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747401
for the same security traffic portion
conf t
same-security-traffic permit inter-interface

access-list

conf t
access-list server_access extended permit ip any host SERVERIP
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any

access-group server_access int linnaeus in

access-list linnaeus_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (linnaeus) 0 access-list linnaeus_nat0_outbound

For simplicity's sake you can skip the server_access list section, but that will allow full traffic between the networks.
 

Author Comment

by:Member_2_7970364
ID: 41747617
Hi

All worked except:

access-list
ERROR: % Incomplete command

-AND-

access-group server_access int linnaeus in
                             ^
ERROR: % Invalid input detected at '^' marker.


Any suggestions :)
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747672
Sorry, the first part was just a header, I forgot to bold it.... the "access-list" line didn't need to be entered.

access-group server_access int linnaeus in

references access-list server_access. Did you create the access list?
 

Author Comment

by:Member_2_7970364
ID: 41747678
Hi

Also .. with the commands entered, all traffic from 10.0.1.x can get to 10.0.9.x (and vice versa), not just the traffic from 10.0.9.x to 10.0.1.178

Sorry if I sound confusing .. I am totally confused
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747685
Yes, that was what the access list was for.

access-list server_access extended permit ip any host SERVERIP   --- This was the server, in this case 10.1.178. I just put the word there so you could put in all you needed.
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any

The line below applies that rule in the inbound direction. I wrote it wrong the first time, sorry, just doing it from memory.

access-group server_access in int linnaeus
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747691
access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
 

Author Comment

by:Member_2_7970364
ID: 41747709
Ah ... I got it ... now I can only ping 10.0.1.178 from the PC on the 10.0.9 network

So if I wanted to say allow a second machine on the 10.0.1.x network (say 10.0.1.159) .. I simply type:

access-list server_access extended permit ip any host 10.0.1.151 ?

I think I will be adding 10.0.1.151 and 10.0.1.161 as these are the 3 main servers (this way I have covered all issues and can forget all about this cisco and get back to playing with my servers)  :-)
 
LVL 9

Accepted Solution

by:
Cheever000 earned 500 total points
ID: 41747721
You will have to add them in order (or use the ASDM to insert them in order), or remove the entire list and rewrite it in the order you wish.

access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended permit ip any host 10.0.1.151
access-list server_access extended permit ip any host 10.0.1.161
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any

To add the rows use the command

access-list server_access extended line 1 permit ip any host 10.0.1.151
access-list server_access extended line 2 permit ip any host 10.0.1.161

Author Closing Comment

by:Member_2_7970364
ID: 41747725
Excellent .. thanks for ALL your help ...

This thing has been doing my HEAD in for 3 days !!!!!

A1 ****
 

Author Comment

by:Member_2_7970364
ID: 41747739
Can I just ask 1 quick thing ..

From the 10.0.1.x network ... they can contact everything on the 10.0.9 network

Can I do the same to restrict the 10.0.9 network .. would it be (so only people on the 10.0.1 network can, for example, contact 10.0.9.1):


access-list linnaeus_server_access extended permit ip any host 10.0.9.1
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any

This would create a new group called linnaeus_server_access ?

Or would I have to do something with the nat commands ?
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747743
You can do that access list. The item on the other side should have been blocking the return traffic though. Just remember to switch the rule:

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
and so on

Then apply the list on that side via the access-group command:

access-group linnaeus_server_access in int inside
 

Author Comment

by:Member_2_7970364
ID: 41747761
OK .. so it's one or the other then ...

I apply that and it locks down so only 10.0.1.151 can ping a machine on the 10.0.9 network, but then everything from the 10.0.9 network can no longer ping anything on the 10.0.1 network.

It's a shame I can't do both, so:

Anything on the 10.0.9 network can contact 10.0.1.151, 161 and 178
-AND-
Anything on the 10.0.1 network can contact 10.0.9.9 and 10.0.9.10
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747778
You should be able to ping 10.0.1.151 from the 9 network. You will need to write more in the list.

for example

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.9
access-list linnaeus_server_access extended permit ip any host 10.0.9.10
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
 

Author Comment

by:Member_2_7970364
ID: 41747815
OK, so I get it now: you delete the previous then re-add.

This now works, if I understand .. 10.0.1.151 can contact anything on the 10.0.9 network but 10.0.1.10 can't do anything ..

So if I wanted to have this the other way around, so anything on the 10.0.1 network can access only specific things on the 10.0.9 network (in a similar way as anything on the 10.0.9) ... eg: anything on the .1 to ping 10.0.9.5, would it be:

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.5
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-group linnaeus_server_access in int inside
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747819
I do believe you have it.
 

Author Comment

by:Member_2_7970364
ID: 41747826
OK, tested it, and if I am 10.0.1.151, 161 or 178 I can ping anything in the 10.0.9 network (RESULT) !!

But ... and I say this with great regret, with a pair of wirecutters and a hammer at hand :)

I am on another machine, IP: 10.0.1.80, and I can't ping anything on the 10.0.9 network !!!
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747833
Given the access list you wrote, it should only ping the 9.5, but you would have to make that work from the other side too, editing the list permitting the 10.0.9.5 server to reach everything on the other side. I was actually surprised it worked in the beginning, given that you were only allowing that network to reach the few IP addresses and them back.
 

Author Comment

by:Member_2_7970364
ID: 41747846
Would this be the server_access or the linnaeus_server_access ?

At the moment .. the machines on the 10.0.9 network can ping the 3 servers I want, so that's a semi result I think ...

The servers .151, .161 and .178 can ping anything on the .9 network .. again another semi result

The only issue is the other machines on the .1 network: they can't ping anything on the .9

Not sure if I am making sense, I am not making sense to myself with all this
 
LVL 9

Expert Comment

by:Cheever000
ID: 41747857
Yeah, you have to allow the access back and forth. So you allowed only .1 to 9.5 outside of the servers,
but you need to allow 9.5 back to the whole 1 network. I know it is confusing; by the time you are done with this project you will be an ACL expert.
 

Author Comment

by:Member_2_7970364
ID: 41747875
So ... does this look OK ?
access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended permit ip any host 10.0.1.151
access-list server_access extended permit ip any host 10.0.1.161
access-list server_access extended permit ip host 10.0.9.5 10.0.1.0 255.255.255.0
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
access-group server_access in int linnaeus

then
access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.5
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
access-group linnaeus_server_access in int inside
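As an added illustration (not part of the thread, not ASA code), the following Python model replays the two access lists from the final post with the ASA's first-match semantics and flags entries that a misplaced subnet deny would shadow, which is the ordering problem the accepted solution addresses. Interface names and addresses are taken from the thread; the evaluator and the sample source hosts (10.0.9.20, 10.0.1.80, 203.0.113.10) are constructed for the example.

```python
"""Constructed model of ASA first-match ACL evaluation for the thread's two lists."""
import ipaddress

# Access lists copied from the final post (ip-only ACEs).
SERVER_ACCESS = [
    "access-list server_access extended permit ip any host 10.0.1.178",
    "access-list server_access extended permit ip any host 10.0.1.151",
    "access-list server_access extended permit ip any host 10.0.1.161",
    "access-list server_access extended permit ip host 10.0.9.5 10.0.1.0 255.255.255.0",
    "access-list server_access extended deny ip any 10.0.1.0 255.255.255.0",
    "access-list server_access extended permit ip any any",
]
LINNAEUS_SERVER_ACCESS = [
    "access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0",
    "access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0",
    "access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0",
    "access-list linnaeus_server_access extended permit ip any host 10.0.9.5",
    "access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0",
    "access-list linnaeus_server_access extended permit ip any any",
]
# access-group <acl> in interface <if>: the list is checked where a connection's
# first packet arrives. The ASA is stateful, so reply packets are matched by the
# connection table, not by the list on the other interface.
ACCESS_GROUP_IN = {"linnaeus": SERVER_ACCESS, "inside": LINNAEUS_SERVER_ACCESS}


def _endpoint(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _endpoint(t[5:])
    dst, rest = _endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return {"action": t[3], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip):
    """First match wins; ('deny', None) models the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], n
    return "deny", None


def first_packet_verdict(ingress, src_ip, dst_ip):
    """Verdict for a new connection whose first packet enters on `ingress`."""
    return evaluate(ACCESS_GROUP_IN[ingress], src_ip, dst_ip)


def shadowed_lines(acl_lines):
    """1-based lines that can never match because an earlier ACE fully covers
    them, e.g. host permits appended after 'deny ip any 10.0.1.0 255.255.255.0'."""
    aces = list(map(parse_ace, acl_lines))
    hidden = []
    for n, ace in enumerate(aces, 1):
        if any(ace["src"].subnet_of(e["src"]) and ace["dst"].subnet_of(e["dst"])
               for e in aces[: n - 1]):
            hidden.append(n)
    return hidden
```

Running `first_packet_verdict("inside", "10.0.1.80", "10.0.9.9")` reproduces the author's last complaint (denied by line 5 of linnaeus_server_access), while `shadowed_lines` on a copy of server_access with the subnet deny moved to the top reports the host permits as dead entries.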