Solved: Help with CSC in ASA

kpoon · ‎06-29-2007

We have installed an ASA5510 with the CSC module. CSC Module IP is set to 192.168.10.254. The inside IP of the ASA5510 is 192.168.10.1.

Our LAN is on 192.168.1.0 subnet. Given that all the routes are setup properly, we are not able to ping the CSC interface 192.168.10.254. We can access 192.168.10.1 without any issue. The following is from the log of the ASA when we try to ping it.

3|Jun 29 2007 17:40:06|305006: regular translation creation failed for icmp src inside:192.168.10.254 dst inside:192.168.1.181 (type 0, code 0)

and this is the log when we try to access it within ASDM.

3|Jun 29 2007 17:41:13|305006: portmap translation creation failed for tcp src inside:192.168.10.254/8443 dst inside:192.168.1.181/1677

6|Jun 29 2007 17:41:10|106015: Deny TCP (no connection) from 192.168.10.254/8443 to 192.168.1.181/1677 flags SYN ACK on interface inside

However, I can connect to the ASA via VPN from home and everything works fine.

acomiskey · ‎06-30-2007

1. To solve the issue of not being able to ping any websites you must allow the ping reply in your outside access-list

access-list outside extended permit icmp any any echo-reply

View solution in original post

acomiskey · ‎06-30-2007

2. The other issue is more confusing. I guess 1.181 above is the client that is attempting to ping the csc module? Does the csc module have a physical interface and is it plugged onto the same network as the inside interface of the ASA?

It looks like the ping for 10.254 is hitting the inside of the ASA. The ASA is attempting to hairpin the traffic back out it's same interface(inside). The ASA will not do this by default. You need to allow hairpinning. Pay close attention to where is says souce:inside destination:inside.

But if everything else was set up properly, the request for 10.254 would not be hitting the inside interface of the ASA anyhow.

View solution in original post

acomiskey · ‎06-30-2007

Ok, so the ping is making it to the CSC, but the CSC gateway is the inside of the pix. Therefore the reply is hitting the inside of the pix and the pix won't route that back out the inside interface.

Solutions

1. Set the default gateway for the CSC to your inside router(192.168.10.2), not the inside of the ASA. This will allow the ping reply from the CSC to be routed towards 192.168.1.181 via the inside router.

2. Enable hairpinning.

I would choose option 1 as it is less complicated and less involved.

View solution in original post

acomiskey · ‎06-30-2007

"Just want to make sure that it will work as the way it should.?"

Is that a question to me? I would check to make sure you can still access it via vpn, then you know it is still routing properly.

Can you add specific routes to the CSC module? If so another option would be to leave the default gateway as the inside ASA and add specific routes towards 10.2.

View solution in original post

acomiskey · ‎06-30-2007

Hairpinning-

1. add "same-security-traffic permit intra-interface" to allow traffic out same interface

2. create translation for host

static (inside,inside) 192.168.1.181 192.168.1.181 netmask 255.255.255.255

View solution in original post

a.shaukat · ‎06-29-2007

do you have nat exemppted on traffic from your local lan to the ASA/CSC network..

posting your run config would help too ..

kpoon · ‎06-30-2007

I've tried with the nat exempt but without luck.

I can't even ping anything external such as http://www.google.com nor our own external subnet. But yet I can access them with browser.

multicast-routing

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 66.66.66.130 255.255.255.224

!

interface Ethernet0/1

description rock internal connection from firewall to switch

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

management-only

!

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name rock.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service ExchangeOWA tcp

description Exchange Web and Mobile Access

port-object eq smtp

port-object eq https

port-object eq www

access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

access-list dzm extended permit ip any any

access-list dzm extended permit icmp any any

access-list ouside extended permit ip any any

access-list cont_in extended permit ip host 66.66.66.135 any

access-list outside extended permit tcp any host 66.66.66.134

access-list outside extended permit tcp any host 66.66.66.132 eq 3103

access-list outside extended permit tcp any host 66.66.66.133 eq smtp

access-list outside extended permit tcp any host 66.66.66.133 eq www

access-list outside extended permit tcp any host 66.66.66.133 eq https

access-list outside extended permit udp any host 66.66.66.133 eq www

access-list outside extended permit gre any host 66.66.66.137

access-list outside extended permit tcp any host 66.66.66.137 eq pptp

access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0

access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0

access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool rock-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm512-k8.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255

static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255

static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255

static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 66.66.66.129 1

route inside 192.168.1.0 255.255.255.0 192.168.10.2 1

route inside 172.30.1.0 255.255.255.0 192.168.10.2 1

route inside 172.20.20.0 255.255.255.0 192.168.10.2 1

route inside 192.168.101.0 255.255.255.0 192.168.10.2 1

route inside 192.168.102.0 255.255.255.0 192.168.10.2 1

route inside 192.168.103.0 255.255.255.0 192.168.10.2 1

route inside 192.168.106.0 255.255.255.0 192.168.10.2 1

kpoon · ‎06-30-2007

route inside 192.168.6.0 255.255.255.0 192.168.10.2 1

route inside 192.168.3.0 255.255.255.0 192.168.10.2 1

route inside 192.168.2.0 255.255.255.0 192.168.10.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

port-forward sf 1222 192.168.1.1 243

group-policy rock-ra internal

group-policy rock-ra attributes

dns-server none

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_tunnel_ACL

default-domain value rocktelecom.com

split-dns none

client-firewall none

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.0.0 255.255.0.0 inside

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 69.69.82.44

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 69.69.17.66

crypto map outside_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 60 set phase1-mode aggressive

crypto map outside_map 80 match address outside_cryptomap_80

crypto map outside_map 80 set peer 77.77.77.220

crypto map outside_map 80 set transform-set ESP-3DES-SHA

crypto map outside_map 80 set phase1-mode aggressive

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group rock-ra type ipsec-ra

tunnel-group rock-ra general-attributes

address-pool rock-pool

default-group-policy rock-ra

tunnel-group rock-ra ipsec-attributes

pre-shared-key *

tunnel-group 69.69.82.44 type ipsec-l2l

tunnel-group 69.69.82.44 ipsec-attributes

pre-shared-key *

tunnel-group 77.77.77.220 type ipsec-l2l

tunnel-group 77.77.77.220 ipsec-attributes

pre-shared-key *

tunnel-group 69.69.17.66 type ipsec-l2l

tunnel-group 69.69.17.66 ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 10

console timeout 0

management-access inside

dhcpd lease 3600

dhcpd ping_timeout 50

!

policy-map global-policy

class class-default

csc fail-close

!

service-policy global-policy global

webvpn

csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg

csd enable

svc image disk0:/sslclient-win-1.1.0.154.pkg 1

url-list webserver "cicsoc" http://www.cisco.com 1

cache

disable

This is the config. Another issue we have is that we can't do

static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255

it gives error about overlapping NAT

and that's why we are forced to do at the meantime.

access-list outside extended permit gre any host 66.66.66.137

access-list outside extended permit tcp any host 66.66.66.137 eq pptp

acomiskey · ‎06-30-2007

1. To solve the issue of not being able to ping any websites you must allow the ping reply in your outside access-list

access-list outside extended permit icmp any any echo-reply

kpoon · ‎06-30-2007

Thanks again!

The only thing left is to access the CSC module at 192.168.10.254 from our LAN.

It works with VPN connect from home or site-site VPN.

acomiskey · ‎06-30-2007

2. The other issue is more confusing. I guess 1.181 above is the client that is attempting to ping the csc module? Does the csc module have a physical interface and is it plugged onto the same network as the inside interface of the ASA?

It looks like the ping for 10.254 is hitting the inside of the ASA. The ASA is attempting to hairpin the traffic back out it's same interface(inside). The ASA will not do this by default. You need to allow hairpinning. Pay close attention to where is says souce:inside destination:inside.

But if everything else was set up properly, the request for 10.254 would not be hitting the inside interface of the ASA anyhow.

kpoon · ‎06-30-2007

1.181 was a client trying to ping the csc.

The csc has a physical interface and is setup as 192.168.10.254/24 gateway 192.168.10.1. and it's plugged onto the same network as the inside (ip is 192.168.10.1).

This is the traceroute from a client

C:\>tracert 192.168.10.1

Tracing route to 192.168.10.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.1

2 3 ms 3 ms 3 ms 172.20.20.5

3 4 ms 4 ms 4 ms 172.20.20.22

4 4 ms 4 ms 4 ms 172.20.20.130

5 4 ms 4 ms 4 ms 192.168.10.1

Trace complete.

C:\>tracert 192.168.10.254

Tracing route to 192.168.10.254 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.1

2 3 ms 3 ms 3 ms 172.20.20.5

3 4 ms 4 ms 4 ms 172.20.20.22

4 4 ms 4 ms 4 ms 172.20.20.130

5 * * * Request timed out.

Should I enable hairpinning? Could you provide an example?

If not, where else could the problem be?

acomiskey · ‎06-30-2007

Ok, so the ping is making it to the CSC, but the CSC gateway is the inside of the pix. Therefore the reply is hitting the inside of the pix and the pix won't route that back out the inside interface.

Solutions

1. Set the default gateway for the CSC to your inside router(192.168.10.2), not the inside of the ASA. This will allow the ping reply from the CSC to be routed towards 192.168.1.181 via the inside router.

2. Enable hairpinning.

I would choose option 1 as it is less complicated and less involved.

kpoon · ‎06-30-2007

could you show me an example n how to enable hairpining please?

kpoon · ‎06-30-2007

I've changed the gateway on the CSC module to 192.168.10.2 (where the switch interface is) instead of ASA and it's fine.

Just want to make sure that it will work as the way it should.?

Again, thanks for your pointer!

acomiskey · ‎06-30-2007

"Just want to make sure that it will work as the way it should.?"

Is that a question to me? I would check to make sure you can still access it via vpn, then you know it is still routing properly.

Can you add specific routes to the CSC module? If so another option would be to leave the default gateway as the inside ASA and add specific routes towards 10.2.

kpoon · ‎06-30-2007

Yes, I can access it via LAN, VPN.

I will investigate the 3rd option later.

It's good enough for now.

Thank you for your great help.

acomiskey · ‎06-30-2007

Hairpinning-

1. add "same-security-traffic permit intra-interface" to allow traffic out same interface

2. create translation for host

static (inside,inside) 192.168.1.181 192.168.1.181 netmask 255.255.255.255