06-29-2007 12:51 PM - edited 02-21-2020 01:35 AM
We have installed an ASA5510 with the CSC module. CSC Module IP is set to 192.168.10.254. The inside IP of the ASA5510 is 192.168.10.1.
Our LAN is on the 192.168.1.0 subnet. Given that all the routes are set up properly, we are not able to ping the CSC interface 192.168.10.254. We can access 192.168.10.1 without any issue. The following is from the log of the ASA when we try to ping it.
3|Jun 29 2007 17:40:06|305006: regular translation creation failed for icmp src inside:192.168.10.254 dst inside:192.168.1.181 (type 0, code 0)
and this is the log when we try to access it within ASDM.
3|Jun 29 2007 17:41:13|305006: portmap translation creation failed for tcp src inside:192.168.10.254/8443 dst inside:192.168.1.181/1677
6|Jun 29 2007 17:41:10|106015: Deny TCP (no connection) from 192.168.10.254/8443 to 192.168.1.181/1677 flags SYN ACK on interface inside
However, I can connect to the ASA via VPN from home and everything works fine.
06-29-2007 08:32 PM
Do you have NAT exempted on traffic from your local LAN to the ASA/CSC network?
Posting your run config would help too.
06-30-2007 03:27 AM
I've tried with the nat exempt but without luck.
I can't even ping anything external such as http://www.google.com, nor our own external subnet, but I can still access them with a browser.
multicast-routing
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.66.66.130 255.255.255.224
!
interface Ethernet0/1
description rock internal connection from firewall to switch
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name rock.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ExchangeOWA tcp
description Exchange Web and Mobile Access
port-object eq smtp
port-object eq https
port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 66.66.66.135 any
access-list outside extended permit tcp any host 66.66.66.134
access-list outside extended permit tcp any host 66.66.66.132 eq 3103
access-list outside extended permit tcp any host 66.66.66.133 eq smtp
access-list outside extended permit tcp any host 66.66.66.133 eq www
access-list outside extended permit tcp any host 66.66.66.133 eq https
access-list outside extended permit udp any host 66.66.66.133 eq www
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool rock-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.129 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
06-30-2007 03:28 AM
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
port-forward sf 1222 192.168.1.1 243
group-policy rock-ra internal
group-policy rock-ra attributes
dns-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value rocktelecom.com
split-dns none
client-firewall none
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.69.82.44
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 69.69.17.66
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set phase1-mode aggressive
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 77.77.77.220
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group rock-ra type ipsec-ra
tunnel-group rock-ra general-attributes
address-pool rock-pool
default-group-policy rock-ra
tunnel-group rock-ra ipsec-attributes
pre-shared-key *
tunnel-group 69.69.82.44 type ipsec-l2l
tunnel-group 69.69.82.44 ipsec-attributes
pre-shared-key *
tunnel-group 77.77.77.220 type ipsec-l2l
tunnel-group 77.77.77.220 ipsec-attributes
pre-shared-key *
tunnel-group 69.69.17.66 type ipsec-l2l
tunnel-group 69.69.17.66 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
policy-map global-policy
class class-default
csc fail-close
!
service-policy global-policy global
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
csd enable
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
url-list webserver "cicsoc" http://www.cisco.com 1
cache
disable
This is the config. Another issue we have is that we can't do
static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255
It gives an error about overlapping NAT,
and that's why we are forced to do the following in the meantime:
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
06-30-2007 05:30 PM
1. To solve the issue of not being able to ping any websites you must allow the ping reply in your outside access-list
access-list outside extended permit icmp any any echo-reply
06-30-2007 05:38 PM
Thanks again!
The only thing left is to access the CSC module at 192.168.10.254 from our LAN.
It works with VPN connect from home or site-site VPN.
06-30-2007 05:38 PM
2. The other issue is more confusing. I guess 1.181 above is the client that is attempting to ping the csc module? Does the csc module have a physical interface and is it plugged onto the same network as the inside interface of the ASA?
It looks like the ping for 10.254 is hitting the inside of the ASA. The ASA is attempting to hairpin the traffic back out its same interface (inside). The ASA will not do this by default. You need to allow hairpinning. Pay close attention to where it says source:inside destination:inside.
But if everything else was set up properly, the request for 10.254 would not be hitting the inside interface of the ASA anyhow.
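The "source:inside destination:inside" pattern the reply above points at can be picked out of the syslog mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses the three log lines quoted in the original question (pipe-delimited severity|timestamp|message, as pasted) and flags the 305006 translation failures whose source and destination interface are the same, which is the hairpin condition. The regular expressions are assumptions about the layout of those two message types as they appear in this thread, not a complete ASA syslog grammar; the extra inside-to-outside line at the end of the sample is constructed to show a failure that is not a hairpin.

```python
"""Flag Cisco ASA syslog lines where a translation failed between the same
interface (hairpin / U-turn traffic), as in the log lines quoted in this thread.

Added example, not code from the thread or from Cisco. The two regular
expressions are assumptions about the layout of message ids 305006 and
106015 as they appear in this thread, not a complete ASA syslog grammar.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# The three lines from the original question, in the severity|timestamp|message
# form the poster pasted, plus one constructed inside->outside failure (last
# line, documentation address 192.0.2.1) that must NOT be flagged as a hairpin.
SAMPLE_LOG = """\
3|Jun 29 2007 17:40:06|305006: regular translation creation failed for icmp src inside:192.168.10.254 dst inside:192.168.1.181 (type 0, code 0)
3|Jun 29 2007 17:41:13|305006: portmap translation creation failed for tcp src inside:192.168.10.254/8443 dst inside:192.168.1.181/1677
6|Jun 29 2007 17:41:10|106015: Deny TCP (no connection) from 192.168.10.254/8443 to 192.168.1.181/1677 flags SYN ACK on interface inside
3|Jun 29 2007 17:50:00|305006: regular translation creation failed for icmp src inside:192.168.1.181 dst outside:192.0.2.1 (type 8, code 0)
"""

# 305006: "... translation creation failed for <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port] ..."
XLATE_FAIL = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|305006: .*translation creation failed for "
    r"(?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)"
)
# 106015: "Deny <proto> (no connection) from <ip>/<port> to <ip>/<port> flags ... on interface <if>"
NO_CONN = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|106015: Deny (?P<proto>\w+) \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/\d+ to (?P<dst_ip>[\d.]+)/\d+ .* on interface (?P<iface>[\w-]+)"
)


@dataclass
class Finding:
    msg_id: str
    proto: str
    src: str
    dst: str
    ingress: str            # interface the packet arrived on
    egress: Optional[str]   # interface the ASA tried to send it out (None for 106015)
    hairpin: bool           # ingress == egress: the ASA would have to U-turn the flow


def parse_line(line: str) -> Optional[Finding]:
    """Classify one log line; None for message ids this example does not handle."""
    m = XLATE_FAIL.match(line)
    if m:
        src_if, dst_if = m["src_if"], m["dst_if"]
        return Finding("305006", m["proto"].lower(), m["src_ip"], m["dst_ip"],
                       src_if, dst_if, hairpin=(src_if == dst_if))
    m = NO_CONN.match(line)
    if m:
        # 106015 names only the receiving interface. It is the follow-on
        # symptom (a SYN/ACK for which no connection was ever built), not
        # proof of a hairpin on its own.
        return Finding("106015", m["proto"].lower(), m["src_ip"], m["dst_ip"],
                       m["iface"], None, hairpin=False)
    return None


def hairpin_failures(log: str) -> list[tuple[str, str, str]]:
    """(interface, src, dst) for every 305006 line whose src and dst interface match."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if f is not None and f.hairpin:
            hits.append((f.ingress, f.src, f.dst))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        what = ("HAIRPIN: same-interface xlate failure" if f.hairpin
                else "follow-on deny" if f.msg_id == "106015"
                else "xlate failure between different interfaces")
        print(f"{f.msg_id} {f.proto:4} {f.src} -> {f.dst} in:{f.ingress} out:{f.egress}  {what}")
    print("hosts needing hairpin handling:",
          sorted({(s, d) for _, s, d in hairpin_failures(SAMPLE_LOG)}))
```

Running it lists both 305006 lines from the question as same-interface failures for 192.168.10.254 replying to 192.168.1.181, while the 106015 line is reported only as the follow-on deny, since that message carries a single interface name and cannot prove a hairpin by itself.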
06-30-2007 05:57 PM
1.181 was a client trying to ping the csc.
The csc has a physical interface and is set up as 192.168.10.254/24 with gateway 192.168.10.1, and it's plugged onto the same network as the inside interface (IP 192.168.10.1).
This is the traceroute from a client
C:\>tracert 192.168.10.1
Tracing route to 192.168.10.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 3 ms 3 ms 3 ms 172.20.20.5
3 4 ms 4 ms 4 ms 172.20.20.22
4 4 ms 4 ms 4 ms 172.20.20.130
5 4 ms 4 ms 4 ms 192.168.10.1
Trace complete.
C:\>tracert 192.168.10.254
Tracing route to 192.168.10.254 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 3 ms 3 ms 3 ms 172.20.20.5
3 4 ms 4 ms 4 ms 172.20.20.22
4 4 ms 4 ms 4 ms 172.20.20.130
5 * * * Request timed out.
Should I enable hairpinning? Could you provide an example?
If not, where else could the problem be?
06-30-2007 06:08 PM
Ok, so the ping is making it to the CSC, but the CSC gateway is the inside of the pix. Therefore the reply is hitting the inside of the pix and the pix won't route that back out the inside interface.
Solutions
1. Set the default gateway for the CSC to your inside router(192.168.10.2), not the inside of the ASA. This will allow the ping reply from the CSC to be routed towards 192.168.1.181 via the inside router.
2. Enable hairpinning.
I would choose option 1 as it is less complicated and less involved.
06-30-2007 06:16 PM
Could you show me an example of how to enable hairpinning please?
06-30-2007 06:13 PM
I've changed the gateway on the CSC module to 192.168.10.2 (where the switch interface is) instead of ASA and it's fine.
Just want to make sure that it will work the way it should?
Again, thanks for your pointer!
06-30-2007 06:19 PM
"Just want to make sure that it will work the way it should?"
Is that a question to me? I would check to make sure you can still access it via vpn, then you know it is still routing properly.
Can you add specific routes to the CSC module? If so another option would be to leave the default gateway as the inside ASA and add specific routes towards 10.2.
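To see why the options discussed in the replies (the CSC's default gateway on the ASA's inside interface, the default gateway on the inside router 192.168.10.2, or the ASA kept as default gateway plus a specific route towards 10.2) behave the way they are described, here is an added Python example that is not from the thread or from Cisco. It takes the relevant static and connected routes from the posted ASA config, a constructed route table for the CSC for each option, and the ASA's rule that a flow entering and leaving the same interface is dropped unless intra-interface traffic is permitted, then traces the CSC's reply to 192.168.1.181 until it reaches the inside router. The CSC route tables, the forwarding model and all function names are assumptions for this example.

```python
"""Trace the CSC module's reply packet (192.168.10.254 -> 192.168.1.181) under
the gateway/route options discussed in this thread.

Added example, not code from the thread or from Cisco. The ASA routes come
from the config posted above; the CSC route tables, the function names and
the simplified forwarding model (longest-prefix match, plus the ASA's rule
that a flow entering and leaving the same interface is dropped unless
intra-interface traffic is permitted) are assumptions for this example.
"""
from __future__ import annotations
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]   # (prefix, next hop, egress interface)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# From the posted ASA config: connected interface subnets and the static
# routes that matter for this reply.
ASA_ROUTES: List[Route] = [
    (net("0.0.0.0/0"),       "66.66.66.129", "outside"),   # route outside 0.0.0.0 0.0.0.0 66.66.66.129
    (net("192.168.1.0/24"),  "192.168.10.2", "inside"),    # route inside 192.168.1.0 ... 192.168.10.2
    (net("192.168.10.0/24"), "connected",    "inside"),    # ip address 192.168.10.1 255.255.255.0
    (net("66.66.66.128/27"), "connected",    "outside"),   # ip address 66.66.66.130 255.255.255.224
]

# CSC route tables, one per option (constructed; the CSC's own routing is not shown in the thread).
CSC_GW_ASA: List[Route] = [(net("0.0.0.0/0"), "192.168.10.1", "eth")]      # as originally configured
CSC_GW_ROUTER: List[Route] = [(net("0.0.0.0/0"), "192.168.10.2", "eth")]   # option 1: gateway = inside router
CSC_GW_ASA_PLUS_ROUTE: List[Route] = CSC_GW_ASA + [                        # third option: keep the ASA as
    (net("192.168.1.0/24"), "192.168.10.2", "eth")]                        # default, add a specific route


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, the way a forwarding table picks a route."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def asa_forward(ingress: str, dst: str, hairpin_allowed: bool) -> Tuple[str, str]:
    """(egress interface, next hop) for a packet the ASA received on `ingress`.
    Raises PermissionError where the ASA would drop it: same interface in and
    out, without intra-interface traffic permitted and a translation for it."""
    _, next_hop, egress = lookup(ASA_ROUTES, dst)
    if egress == ingress and not hairpin_allowed:
        raise PermissionError(f"ASA: ingress {ingress} == egress {egress}, hairpin not permitted")
    return egress, next_hop


def csc_reply_path(csc_routes: List[Route], dst: str, hairpin_allowed: bool = False) -> List[str]:
    """Hops the CSC's reply takes towards dst until it reaches the inside router
    (192.168.10.2), which per the posted config already fronts 192.168.1.0/24."""
    path = ["csc:192.168.10.254"]
    _, first_hop, _ = lookup(csc_routes, dst)
    path.append(f"next-hop:{first_hop}")
    if first_hop == "192.168.10.1":          # the ASA's inside interface
        egress, next_hop = asa_forward("inside", dst, hairpin_allowed)
        path.append(f"asa:{egress}->{next_hop}")
    return path


def reply_is_dropped(csc_routes: List[Route], dst: str, hairpin_allowed: bool = False) -> bool:
    """True when the ASA would discard the reply under this option."""
    try:
        csc_reply_path(csc_routes, dst, hairpin_allowed)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    options = [("gateway = ASA inside (original)", CSC_GW_ASA, False),
               ("gateway = ASA inside + hairpinning", CSC_GW_ASA, True),
               ("gateway = inside router 192.168.10.2", CSC_GW_ROUTER, False),
               ("gateway = ASA + specific route to 10.2", CSC_GW_ASA_PLUS_ROUTE, False)]
    for label, table, hp in options:
        try:
            print(f"{label:42} {' -> '.join(csc_reply_path(table, '192.168.1.181', hp))}")
        except PermissionError as e:
            print(f"{label:42} DROPPED ({e})")
```

The original setup is the only one where the reply enters and leaves the ASA's inside interface, which is exactly the "src inside ... dst inside" condition in the question's log. Two caveats grounded in the posted config: it already carries `same-security-traffic permit intra-interface`, so the `hairpin_allowed=True` case here additionally assumes the `static (inside,inside)` entry that `nat-control` requires, and without it the ASA logs the 305006 failures shown in the question; and once the gateway is moved to 192.168.10.2, a reply to a VPN client in the 192.168.100.x pool also goes to the inside router first, so that router must route the pool back to the ASA. The poster reports VPN access still works after the change, which implies such a route is in place.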
06-30-2007 06:34 PM
Yes, I can access it via LAN, VPN.
I will investigate the 3rd option later.
It's good enough for now.
Thank you for your great help.
06-30-2007 06:42 PM
Hairpinning-
1. add "same-security-traffic permit intra-interface" to allow traffic out same interface
2. create translation for host
static (inside,inside) 192.168.1.181 192.168.1.181 netmask 255.255.255.255