Solved

Cisco ASA not routing

Posted on 2016-09-01
Last Modified: 2016-09-10
Hi

I have 3 networks on my ASA: internals = 10.0.1.x and 10.0.9.x, with a guest network on 192.168.x.x

I want the 2 internal networks to be able to communicate with each other ... (obviously I want the guest network to be totally separate and not have any inter-network communication)

I have tried loads of commands but I can't seem to get the 10.0.9.x network to pass traffic to 10.0.1.x and vice versa

PLEASE can anyone help !!!

I tried with this but it didn't work :

access-list server_access extended permit ip host 10.0.9.0 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
access-group server_access in int linnaeus
access-list linnaeus_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (linnaeus) 0 access-list linnaeus_nat0_outbound
access-list linnaeus_server_access extended permit ip host 10.0.1.0 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
access-group linnaeus_server_access in int inside


Below is the original config:



interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.41.242.249 255.255.255.248
!
interface Vlan12
nameif public-wifi
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface Vlan22
nameif linnaeus
security-level 100
ip address 10.0.9.100 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.1.2
domain-name willows.local
object-group network EPA
description Email Systems IP Ranges
network-object EPA3 255.255.255.0
network-object EPA1 255.255.255.240
network-object EPA2 255.255.255.192
network-object EPA9 255.255.248.0
network-object EPA10 255.255.254.0
network-object EPA11 255.255.254.0
network-object EPA12 255.255.254.0
network-object EPA4 255.255.240.0
network-object EPA8 255.255.248.0
network-object EPA5 255.255.240.0
network-object EPA6 255.255.248.0
network-object EPA7 255.255.248.0
object-group service RDP tcp
description Remote Desktop
port-object eq 3386
object-group service VNC tcp
description VNC Viewer
port-object eq 3386
port-object eq 3387
port-object eq 3388
port-object eq 3389
object-group network Fuji
network-object host FUJI2
network-object host FUJI
network-object host FUJI3
network-object host curtis
object-group network EPA-LDAP
description LDAP auth for EPA
network-object host 176.34.228.109
network-object host 176.34.228.117
network-object host 176.34.228.121
network-object host 176.34.228.76
network-object host 46.137.116.147
network-object ldaps-1 255.255.252.0
network-object LDAPS-2 255.255.248.0
network-object LDAPS-3 255.255.255.0
network-object LDAPS-4 255.255.255.0
network-object MIKETEST 255.255.255.0
object-group service rdp2 tcp
group-object RDP
port-object eq 3385
port-object eq https
object-group service r3389 tcp
port-object eq 3389
object-group service https_and_6001 tcp
port-object eq 6001
port-object eq 6002
port-object eq 6003
port-object eq 6004
port-object eq https
object-group service fujIrequest tcp
port-object eq 2837
port-object eq 2861
port-object eq 2876
port-object eq 2898
port-object eq 3011
port-object eq 3030
port-object eq 5900
port-object eq 3387
object-group service oayrollpc tcp
description payrollpc
port-object eq 3375
object-group service port1433 tcp
port-object eq 1433
object-group service port1433single
service-object tcp eq 1433
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in remark Allow SMTP access from EPA
access-list outside_access_in extended permit tcp object-group EPA host 81.71.242.253 eq smtp
access-list outside_access_in remark Allow LDAPS access from EPA
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldaps
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldap inactive
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 81.41.242.252 object-group r3389
access-list outside_access_in extended permit tcp any host 81.41.242.251 object-group r3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 81.41.242.248 255.255.255.248
access-list outside_access_in remark VPN
access-list outside_access_in extended permit gre any 81.41.242.248 255.255.255.248
access-list outside_access_in remark Fuji RDP access to Synapse Server
access-list outside_access_in extended permit ip object-group Fuji 81.71.242.248 255.255.255.248
access-list outside_access_in remark GE
access-list outside_access_in extended permit udp host 195.177.212.157 host 81.41.242.252 eq isakmp
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq pptp
access-list outside_access_in extended permit gre any host 81.41.242.253
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group fujIrequest
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group oayrollpc inactive
access-list outside_access_in extended permit tcp any host 81.41.242.253 object-group port1433 inactive
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq 1433
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound remark VLAN6
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list outside_2_cryptomap extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list public-wifi_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public-wifi 1500
mtu linnaeus 1500
ip local pool VPN 10.0.1.220-10.0.1.230 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public-wifi) 1 0.0.0.0 0.0.0.0
nat (linnaeus) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 81.41.242.252 3389 WillowsTS 3389 netmask 255.255.255.255
static (linnaeus,outside) tcp 81.41.242.251 3389 10.0.9.9 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group public-wifi_access_in in interface public-wifi
route outside 0.0.0.0 0.0.0.0 81.41.242.254 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
route inside 10.0.3.0 255.255.255.0 10.0.1.100 1
route inside 10.0.4.0 255.255.255.0 10.0.1.100 1
route inside 10.0.5.0 255.255.255.0 10.0.1.100 1
route inside 192.168.10.0 255.255.255.0 10.0.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.1.2 255.255.255.255 inside
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
Question by:Member_2_7970364
16 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 41780147
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html

Start with permitting same-security traffic. For you, this should probably be inter-interface as opposed to intra-interface.

Also, I don't think you need an ACL on the interfaces to allow this traffic, but if you put an acl on the interface for something else, you might need to permit interface to interface traffic so that you don't hit the implicit deny all at the end of the ACL. Be careful of NAT as well to make sure you don't translate traffic between those interfaces.

Author Comment

by:Member_2_7970364
ID: 41780207
Thanks - this does not work (this was my 1st plan) ...
LVL 16
ID: 41780250
Looks like an ASA 5505? On base license or security plus license? Can you send a show version output? Also, you might consider updating your firmware to something more current. Looks like you're using firmware pre-8.3.x.

What you're asking to do should be as simple as making sure the two internal VLANs are set with the same security level and then add the same-security-traffic permit inter command.

MO
LVL 20

Expert Comment

by:rauenpc
ID: 41780254
How is routing being handled from end device to end device? If two end hosts use the ASA as a default gateway, your configuration and possibly the addition of the same-security command should work. However, if one end host has a default gateway of an L3 switch, and the other host uses the ASA, we could experience asymmetric routing. This could happen if the L3 switch also has both subnets configured for the end hosts in question. In one direction, the host goes to the L3 switch, and that will route traffic directly to the other host. The opposite direction, however, would first go to the ASA, then to the L3 switch.

Also, I don't see a nat exemption for traffic going between those interfaces. The exemption needs to happen both directions.
LVL 16
ID: 41780258
Rauenpc,

The Cisco ASA platform uses "same-security-traffic" to replace the need for NAT/ACLs in cases like these. There is likely a license issue on the ASA or something irregular about how the present older firmware handles this function.

MO
LVL 20

Expert Comment

by:rauenpc
ID: 41780265
I think if this were the base license, putting in a third interface would require you to add the command 'no forward interface X'.

Regardless, the author can fill us in on the license level and we'll know if this is an issue.

Author Comment

by:Member_2_7970364
ID: 41780355
We are on an old version of firmware but I don't have the login to get the newer firmware ..

The show ver presents this:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

WILLOWS-FW up 20 days 11 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 5087.899f.1bec, irq 11
 1: Ext: Ethernet0/0         : address is 5087.899f.1be4, irq 255
 2: Ext: Ethernet0/1         : address is 5087.899f.1be5, irq 255
 3: Ext: Ethernet0/2         : address is 5087.899f.1be6, irq 255
 4: Ext: Ethernet0/3         : address is 5087.899f.1be7, irq 255
 5: Ext: Ethernet0/4         : address is 5087.899f.1be8, irq 255
 6: Ext: Ethernet0/5         : address is 5087.899f.1be9, irq 255
 7: Ext: Ethernet0/6         : address is 5087.899f.1bea, irq 255
 8: Ext: Ethernet0/7         : address is 5087.899f.1beb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 25        
Dual ISPs                      : Enabled  
VLAN Trunk Ports               : 8        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled  

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1826Z0Q4
Running Activation Key: 0xbc1cc444 0x401d91bb 0x9c22a9bc 0x91c0ccf4 0xce2c38b9
Configuration register is 0x3
Configuration last modified by admin at 18:54:59.846 GMT/BDT Thu Sep 1 2016


Any idea how I can get the latest version?
LVL 13

Expert Comment

by:SIM50
ID: 41780461
Is that a full config?

Please remove the config you put in the first post, enable same security traffic communication (same-security-traffic permit inter-interface).

1. Start a continuous ping from 10.0.9.x to 10.0.1.x (substitute x in the last octet with the live hosts' on both networks).
2. Open ASDM, go to Monitoring, Logging and make sure logging level is debugging and click view. In filter by enter the source IP address 10.0.9.x and then click filter.
Do you see the traffic from 10.0.9.x?
Is it being denied? Passed through? What do the messages say?
If you don't see the traffic then you need to check your routing.
LVL 16
ID: 41780476
@SIM50,

packet-tracer shows that it's hitting the global NAT and dropping, which is unexpected behavior. The next step is to get this ASA on more current firmware. That's what the author is working on.

MO
LVL 13

Expert Comment

by:SIM50
ID: 41780494
I would like to see either logs or the result from the packet tracer. With nat-control, communication between interfaces with the same security level is allowed without NAT.
LVL 20

Expert Comment

by:rauenpc
ID: 41780503
In the original post, there was a blurb about some attempted ACLs, and then the original configuration was posted. Could we get a current [scrubbed] running config? Also, post the results of running two packet tracer commands, replacing the x's with IPs of two valid hosts:

packet-tracer input inside icmp 10.0.1.x 8 0 10.0.9.x
packet-tracer input linnaeus icmp 10.0.9.x 8 0 10.0.1.x
LVL 16
ID: 41780681
@SIM50 & @RAUENPC,

packet-tracer is showing the packet dropped by the global NAT appropriate to each interface when running from both networks. There is nothing from a configuration standpoint that should be causing this. This is an unexpected behavior and likely a bug in the firmware. The author is set to upgrade the firmware to 9.2.x asap, and then test again.

MO

Accepted Solution

by:
Member_2_7970364 earned 0 total points
ID: 41781059
Many thanks for everyone's help .. I actually found a workaround ...

same-security-traffic permit inter-interface
access-list linnaeus_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (linnaeus) 0 access-list linnaeus_nat0_outbound

Now people on 10.0.1.x can contact 10.0.9.x and vice versa.
LVL 7

Expert Comment

by:kellemann
ID: 41781119
You shouldn't view the commands you implemented as a workaround; they are necessary for the setup to work. This is due to how NAT is handled on older firmware.

nat (inside) 1 0.0.0.0 0.0.0.0

That command tells the firewall that all traffic from the inside interface should be translated to:

global (outside) 1 interface

That means that all traffic is translated to the public ip address regardless of where it is routed to. This is expected behavior.

In the newer versions you can also easily designate the destination, giving you more granular control.

The behavior is therefore expected, and the bit you put in with the nat0 access-lists tells the firewall to bypass NAT for that type of traffic.

Regarding DHCP, you shouldn't worry about it. DHCP uses broadcasts and is therefore filtered out by the firewall when trying to cross zones. You don't need to do anything to prevent it.
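
A small Python model, added here as an illustration and not taken from the thread or from Cisco, of the order of checks the comments above walk through on 8.2 code: the same-security-level gate, then the source interface's nat 0 exemption ACL, then its dynamic nat statement. It parses a constructed excerpt of the config from the question and evaluates inside-to-linnaeus traffic under three states: the original config, same-security-traffic alone (the state in which packet-tracer was reported to land on the global NAT), and the accepted solution's exemption lines applied. The parser, the verdict strings and the three-step order are assumptions of this example; it handles only "permit ip net mask net mask" ACEs and is not the ASA's actual packet path.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the question: the three
# named VLAN interfaces, the existing inside NAT exemption ACL, and the nat/global
# statements. It is not the complete config from the page.
ORIGINAL_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.254 255.255.255.0
interface Vlan12
 nameif public-wifi
 security-level 100
 ip address 192.168.8.254 255.255.255.0
interface Vlan22
 nameif linnaeus
 security-level 100
 ip address 10.0.9.100 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public-wifi) 1 0.0.0.0 0.0.0.0
nat (linnaeus) 1 0.0.0.0 0.0.0.0
"""

# Intermediate state described in the thread: same-security permitted, no exemption yet.
SAME_SEC_ONLY = "same-security-traffic permit inter-interface\n"

# The lines from the accepted solution.
FIX = """
same-security-traffic permit inter-interface
access-list linnaeus_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (linnaeus) 0 access-list linnaeus_nat0_outbound
"""


def to_net(addr, mask):
    """Turn an 'address netmask' pair into a network (0.0.0.0 0.0.0.0 -> 0.0.0.0/0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Extract interfaces, 'permit ip net mask net mask' ACEs, nat statements and the same-security flag."""
    cfg = {"ifaces": {}, "acls": {}, "nat": {}, "same_sec_inter": False}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = {"sec": None}
            continue
        if current is not None and line.startswith("nameif "):
            cfg["ifaces"][line.split()[1]] = current
            continue
        if current is not None and line.startswith("security-level "):
            current["sec"] = int(line.split()[1])
            continue
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, sa, sm, da, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((to_net(sa, sm), to_net(da, dm)))
            continue
        # nat 0 (exemption) must be tested before the generic dynamic-NAT form.
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:
            cfg["nat"].setdefault(m.group(1), {})["exempt"] = m.group(2)
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line)
        if m:
            ifname, nat_id, addr, mask = m.groups()
            cfg["nat"].setdefault(ifname, {})["dynamic"] = (int(nat_id), to_net(addr, mask))
            continue
        if line == "same-security-traffic permit inter-interface":
            cfg["same_sec_inter"] = True
    return cfg


def evaluate(cfg, src_if, src_ip, dst_if, dst_ip):
    """Verdict for a flow entering on src_if bound for dst_if, in the order the thread reasons about it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if cfg["ifaces"][src_if]["sec"] == cfg["ifaces"][dst_if]["sec"] and not cfg["same_sec_inter"]:
        return "DROP: same security level and same-security-traffic permit inter-interface is absent"
    rules = cfg["nat"].get(src_if, {})
    exempt = rules.get("exempt")
    for snet, dnet in cfg["acls"].get(exempt, []):
        if s in snet and d in dnet:
            return f"PASS: NAT exempt via nat ({src_if}) 0 access-list {exempt}"
    dyn = rules.get("dynamic")
    if dyn and s in dyn[1]:
        return f"NAT: matches nat ({src_if}) {dyn[0]} {dyn[1]} with no exemption for {dst_ip}"
    return "PASS: no NAT statement matched"


if __name__ == "__main__":
    states = [("original", ORIGINAL_CONFIG),
              ("same-security only", ORIGINAL_CONFIG + SAME_SEC_ONLY),
              ("accepted solution", ORIGINAL_CONFIG + FIX)]
    for label, text in states:
        cfg = parse(text)
        print(f"[{label}]")
        print("  inside -> linnaeus   :", evaluate(cfg, "inside", "10.0.1.10", "linnaeus", "10.0.9.9"))
        print("  linnaeus -> inside   :", evaluate(cfg, "linnaeus", "10.0.9.9", "inside", "10.0.1.10"))
        print("  inside -> public-wifi:", evaluate(cfg, "inside", "10.0.1.10", "public-wifi", "192.168.8.5"))
```

The third flow, inside to public-wifi, is included to show that the accepted solution adds no exemption for the guest network, so under this model that traffic still lands on the dynamic nat statement rather than being exempted; the exemption has to exist on the source interface of each direction, which is why both access-lists in the fix are needed.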
LVL 16
ID: 41781894
On newer firmware, I don't believe you would have had to enter that NAT configuration.

Your global dynamic NAT would be something like:

object network NET_INSIDE
 subnet 10.0.1.0 255.255.255.0
!
object network NET_LINNAEUS
 subnet 10.0.9.0 255.255.255.0
!
object network NET_INSIDE
 nat (inside,outside) dynamic interface
!
object network NET_LINNAEUS
 nat (linnaeus,outside) dynamic interface

All you'd need to do is issue the same-security-traffic permit inter-interface, and since both trusted LANs are security level 100 there would be nothing else to do.

It's a much easier, cleaner way of managing things, in my opinion, which is why I was motivating you to update the system software.

MO

Author Closing Comment

by:Member_2_7970364
ID: 41792494
investigations