Cannot get two interfaces to communicate on ASA 5510

Unanswered Question
Jun 15th, 2009

Problem:

I am having problems getting the two interfaces to communicate with each other. I can ping my Linksys Router from the outside interface of the firewall, but I am unable to do this from the inside interface. Also I heard that I need ACLs. What are they? Do I have to have them? How do you implement them?

Setup:

I currently have a Linksys RV082 connected to two ISPs. Connected on the LAN side of that is a Cisco ASA 5510 firewall, and connected on the LAN side of that is a Cisco 2821 router.

NAT:

Original:

Interface: interior

Source Network: interior:any/0

Destination Network: any

Translated:

Interface: Exterior

Address: interface PAT

Static routes:

Linksys to Firewall:

Destination IP: 192.168.6.0

Subnet mask: 255.255.255.0

Default Gateway: 192.168.0.101

Hop count: 1

Interface: lan

Firewall to Linksys:

Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1

IP Addresses:

Inside firewall: 192.168.6.0

Outside firewall: 192.168.0.101

Linksys: 192.168.0.1

Cisco Router Outside: 192.168.6.101

Cisco Router Inside: 192.168.4.0

Cisco ASA 5510 configuration:

Firewall# show running-config
: Saved
:
ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Interior
 security-level 0
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 100
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 nameif 0
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable Interior
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect ils
!
service-policy global_policy global
Cryptochecksum:ff820992c3c5d0aa4866e518fe0f9766
: end

John Blakley Mon, 06/15/2009 - 12:58

Well, I've helped you in another post, but I think I see something in this one. Your eth0/0 is labeled as "Interior", yet it has the security level of 0, and your eth0/1 is labeled as exterior with a level of 100. This would be backwards.

Your public side, less secure, is usually set to 0 by default. The inside is 100 by default. On an ASA, traffic is always allowed out from a higher security to lower security (100 -> 0) without the need for an ACL. You will NEED an acl if you are going from 0 -> 100. In your case, if the labels are correct, you'd need an acl and statics to let yourself out of your network. I would suggest reversing the security levels to see if it fixes your issue.

HTH,

John

*BTW - let's stick to one thread. =)

mebernstein Mon, 06/15/2009 - 13:03

Sorry about the threads, this is one of my first times ever using a forum. Unfortunately, the switching of security levels did not work, however. Is there anything else wrong?

John Blakley Mon, 06/15/2009 - 13:12

Is there a way that you can draw a diagram of the way that you have everything connected?

mebernstein Tue, 06/16/2009 - 05:05

Here is where I am, I am DEAD stuck. I cannot get traffic of any kind to pass through the ASA 5510. I have tried what I believe to be everything. Below I have posted my new configuration file. I need to know what is wrong with it and how to fix it. I have also cut the 2821 out of the equation, so now the computer is connected directly to the ASA 5510. Before this all came about I did have the Linksys and the 2821 communicating. I also have heard that you can put the ASA 5510 in the middle in transparent mode (not routed) and keep the packet flow the way it was before. Any help is greatly appreciated.

Cisco ASA 5510 configuration:

ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Interior
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 nameif 0
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list Exterior_access_in extended permit tcp interface Exterior interface Interior
access-list Exterior_access_in extended permit icmp interface Exterior interface Interior
access-list Exterior_access_in extended permit ip interface Exterior interface Interior
access-list Exterior_access_out extended permit tcp interface Interior interface Exterior
access-list Exterior_access_out extended permit icmp interface Interior interface Exterior
access-list Exterior_access_out extended permit ip interface Interior interface Exterior
access-list Interior_access_in extended permit tcp interface Interior interface Exterior
access-list Interior_access_in extended permit icmp interface Interior interface Exterior
access-list Interior_access_in extended permit ip interface Interior interface Exterior
access-list Interior_access_out extended permit tcp interface Exterior interface Interior
access-list Interior_access_out extended permit icmp interface Exterior interface Interior
access-list Interior_access_out extended permit ip interface Exterior interface Interior
access-list 0_access_in extended permit tcp any interface Exterior
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
icmp permit any management
icmp permit any Exterior
icmp permit any Interior
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
global (Interior) 101 192.168.6.2-192.168.6.10
nat (Interior) 100 0.0.0.0 0.0.0.0 dns
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
access-group Exterior_access_in in interface Exterior per-user-override
access-group Exterior_access_out out interface Exterior
access-group Interior_access_in in interface Interior per-user-override
access-group Interior_access_out out interface Interior
access-group 0_access_in in interface 0
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Interior
dhcpd enable management
dhcpd enable Interior
Cryptochecksum:...

John Blakley Tue, 06/16/2009 - 05:35

First thing is you should get back to basics. Take all of your access groups off. All traffic coming from the inside going out is allowed out by default IF you don't have an access-list applied to the inside interface.

Next, try getting rid of these two lines:

nat (Interior) 100 0.0.0.0 0.0.0.0 dns

nat (Interior) 100 0.0.0.0 0.0.0.0 outside

add only:

nat (interior) 100 0 0

Get rid of these:

access-group Exterior_access_in in interface Exterior per-user-override

access-group Exterior_access_out out interface Exterior

access-group Interior_access_in in interface Interior per-user-override

access-group Interior_access_out out interface Interior

access-group 0_access_in in interface 0

Make sure the gateway on your workstation is set to 192.168.6.1.

HTH,

John

mebernstein Tue, 06/16/2009 - 05:50

I still can not ping within the inside interface of the ASA 5510 to the outside interface of the Linksys RV082.

John Blakley Tue, 06/16/2009 - 05:53

Can you ping the Linksys from the ASA?

Can you ping the ASA from your workstation?

ivarnhagen Tue, 06/16/2009 - 05:40

Hi,

I suppose you have this setup going now:

Linksys RV082
      |
  (Exterior)
   ASA 5510
  (Interior)
      |
   Computer

Just to add to Johns Post:

Looking at the ACL statements you posted, you seem to have specified the Exterior and Interior interfaces as source and destination.

You will either need to substitute these with "any", or create objects referencing the networks/hosts you want to permit.

e.g. These ACL statements should allow ping through your ASA:

access-list Interior_access_in extended permit icmp any any echo

access-list Exterior_access_in extended permit icmp any any echo-reply

The first statement allows ping (echo) from the inside to the outside, and the second statement allows the echo-reply to come back (since ping is handled stateless by default on the ASA).
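Added example (not code from any poster in this thread) showing why the posted entries never match and the suggested "any any" entries do. In an ASA access-list, "interface X" stands for the ASA's own address on interface X, so the entries below only match packets sourced from 192.168.6.1 itself. The interface addresses are taken from the posted configuration (the Exterior address is the DHCP lease the original poster reported); the workstation address 192.168.6.5 is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Interface addresses from the configuration posted in this thread (constructed mapping).
INTERFACES = {"Interior": "192.168.6.1", "Exterior": "192.168.0.101"}


@dataclass
class Packet:
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""  # "echo", "echo-reply", ... (ICMP only)


def parse_ace(line, interfaces=INTERFACES):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [icmp-type]'.

    'any' matches every address; 'interface X' is the ASA's own address on
    interface X (not the network behind it); 'host A' and 'NET MASK' are the
    usual address forms.
    """
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]

    def take_addr():
        word = rest.pop(0)
        if word == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if word == "interface":
            return ipaddress.ip_network(interfaces[rest.pop(0)] + "/32")
        if word == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network(f"{word}/{rest.pop(0)}", strict=False)  # NET MASK

    src, dst = take_addr(), take_addr()
    icmp_type = rest[0] if proto == "icmp" and rest else ""
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "icmp_type": icmp_type}


def evaluate(acl, pkt):
    """First matching entry wins; every ASA access-list ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["icmp_type"] and ace["icmp_type"] != pkt.icmp_type:
            continue
        return ace["action"]
    return "deny"


def check(acl_lines, pkt):
    return evaluate([parse_ace(l) for l in acl_lines], pkt)


# Entries copied from the Interior_access_in list in the posted configuration.
POSTED_ACL = [
    "access-list Interior_access_in extended permit tcp interface Interior interface Exterior",
    "access-list Interior_access_in extended permit icmp interface Interior interface Exterior",
    "access-list Interior_access_in extended permit ip interface Interior interface Exterior",
]
# The replacement entry suggested in the reply above.
SUGGESTED_ACL = ["access-list Interior_access_in extended permit icmp any any echo"]

# Constructed: a workstation on the Interior subnet pinging the Linksys.
PING = Packet("icmp", "192.168.6.5", "192.168.0.1", "echo")

if __name__ == "__main__":
    print("posted ACL   :", check(POSTED_ACL, PING))     # deny
    print("suggested ACL:", check(SUGGESTED_ACL, PING))  # permit
```

The workstation's ping is denied by the posted list because its source (192.168.6.5) is not the Interior interface address, and permitted by the suggested list. The reply coming back is a separate packet (echo-reply) and needs its own entry on the Exterior list, as the reply above describes.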

ivarnhagen Tue, 06/16/2009 - 06:00

What do your logs show? Normally packets blocked by ACLs show up in the ASA log.

ivarnhagen Tue, 06/16/2009 - 06:26

Easiest would be to start up ASDM and check the realtime logs while pinging through the device.

With CLI you could enable logging to the buffer, console, or monitor (telnet session). It depends how you're connected. The logging level set to warnings should be enough. When logging to monitor, be sure to turn on terminal monitor in global config.

e.g.

ASA(config)# logging monitor warnings

ASA# terminal monitor

Now logs should display in your telnet session.

mebernstein Tue, 06/16/2009 - 06:30

I think I figured out how to log and these are the results:

6|Jun 16 2009 07:24:14|302014: Teardown TCP connection 711 for management:192.168.1.2/55375 to NP Identity Ifc:192.168.1.1/443 duration 0:00:10 bytes 945 TCP FINs
5|Jun 16 2009 07:24:14|111008: User 'enable_15' executed the 'ping Interior 192.168.0.1' command.
6|Jun 16 2009 07:24:04|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.6.1/0 to Interior:192.168.0.1/0
6|Jun 16 2009 07:24:04|605005: Login permitted from 192.168.1.2/55375 to management:192.168.1.1/https for user "enable_15"
6|Jun 16 2009 07:24:04|302013: Built inbound TCP connection 711 for management:192.168.1.2/55375 (192.168.1.2/55375) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443)
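Added example (not from any poster in this thread): a small parser for the severity|timestamp|message-id format shown above that picks out the two message types that explain a ping not getting through, 110003 (routing failed to locate next hop) and 106023 (packet dropped by an access-list, the message ivarnhagen refers to). The five posted lines are reused as sample input; the 106023 line is constructed, as are the message-id names and the interpretation text.

```python
import re
from dataclasses import dataclass

# Lines look like: severity|timestamp|message-id: text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<id>\d{6}): (?P<text>.*)$")

# 110003: Routing failed to locate next hop for PROTO from IFC:IP/PORT to IFC:IP/PORT
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from (?P<sifc>.+?):(?P<sip>[\d.]+)/\d+"
    r" to (?P<difc>.+?):(?P<dip>[\d.]+)/\d+")
# 106023: Deny PROTO src IFC:IP[/PORT] dst IFC:IP[/PORT] ... by access-group "NAME"
ACL_DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sifc>[^:]+):(?P<sip>[\d.]+)(?:/\d+)?"
    r" dst (?P<difc>[^:]+):(?P<dip>[\d.]+)(?:/\d+)?.*by access-group \"(?P<acl>[^\"]+)\"")


@dataclass
class Event:
    severity: int
    timestamp: str
    msg_id: str
    text: str


def parse_line(line):
    """Return an Event for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return Event(int(m["sev"]), m["ts"], m["id"], m["text"]) if m else None


def triage(lines):
    """Collect routing failures and access-list denies, in input order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.msg_id == "110003":
            m = ROUTE_FAIL_RE.search(ev.text)
            if m:
                findings.append({"id": ev.msg_id, "kind": "no-route", **m.groupdict()})
        elif ev.msg_id == "106023":
            m = ACL_DENY_RE.search(ev.text)
            if m:
                findings.append({"id": ev.msg_id, "kind": "acl-deny", **m.groupdict()})
    return findings


def summarize(findings):
    """One human-readable line per finding (wording is the example's own)."""
    out = []
    for f in findings:
        if f["kind"] == "no-route":
            out.append(f"{f['id']}: no route to {f['dip']} (entered via {f['difc']}); "
                       "check the default route and the outside interface's address")
        else:
            out.append(f"{f['id']}: {f['proto']} {f['sip']} -> {f['dip']} dropped by "
                       f"access-list {f['acl']} on {f['sifc']}")
    return out


# Sample input: the five lines posted above plus one constructed 106023 line.
SAMPLE_LOG = """
6|Jun 16 2009 07:24:14|302014: Teardown TCP connection 711 for management:192.168.1.2/55375 to NP Identity Ifc:192.168.1.1/443 duration 0:00:10 bytes 945 TCP FINs
5|Jun 16 2009 07:24:14|111008: User 'enable_15' executed the 'ping Interior 192.168.0.1' command.
6|Jun 16 2009 07:24:04|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.6.1/0 to Interior:192.168.0.1/0
6|Jun 16 2009 07:24:04|605005: Login permitted from 192.168.1.2/55375 to management:192.168.1.1/https for user "enable_15"
6|Jun 16 2009 07:24:04|302013: Built inbound TCP connection 711 for management:192.168.1.2/55375 (192.168.1.2/55375) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443)
4|Jun 16 2009 07:25:01|106023: Deny icmp src Interior:192.168.6.5 dst Exterior:192.168.0.1 (type 8, code 0) by access-group "Interior_access_in" [0x0, 0x0]
""".strip().splitlines()

if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run against the posted lines, the only finding from the real log is the 110003 entry: the ASA had no next hop for 192.168.0.1, which is the question the later replies about the DHCP-assigned outside address and default route address.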

John Blakley Tue, 06/16/2009 - 06:34

I'm assuming that your management station isn't the one that you're trying to get on the internet from, is it? Do you have a workstation on the 192.168.6.0 subnet?

mebernstein Tue, 06/16/2009 - 06:38

Not yet, but I can put one on if need be. Should I? Currently I do not have a management station on that subnet, just the 2821 router (not configured yet). Shouldn't the ping just work without a management computer on the subnet?

John Blakley Tue, 06/16/2009 - 06:40

Your nat statements don't cover your management subnet.

Try:

nat (management) 100 0 0

Then ping from your management station outbound.
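Added example (not code from any poster in this thread) that checks a running-config excerpt for the three things John's replies turn on: which direction of traffic is permitted without an access-list given the interface security levels, which interfaces have an access-group applied (and so no longer get the implicit permit), and which interfaces have no nat statement. The excerpts are taken from the two configurations posted above (the first one reduced to its interface stanzas); the check for "interfaces without NAT" is this example's own heuristic, and the Ethernet0/2 stanza is left out of the second excerpt to keep it short.

```python
# Sub-commands that live inside an 'interface' stanza; any other command ends it.
INTERFACE_CMDS = ("nameif", "security-level", "ip", "no", "shutdown", "management-only")


def parse_config(text):
    """Minimal line-based parser for the parts of an ASA config used below."""
    cfg = {"ifcs": {}, "acl_on": [], "nat_ifcs": set(), "global_ifcs": set(), "same_sec": False}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            cur = {"level": None, "shutdown": False}
        elif cur is not None and tok[0] in INTERFACE_CMDS:
            if tok[0] == "nameif":
                cfg["ifcs"][tok[1]] = cur
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[0] == "shutdown":
                cur["shutdown"] = True
        else:
            cur = None                      # back in global configuration
            if tok[0] == "access-group":    # access-group NAME in|out interface IFC ...
                cfg["acl_on"].append((tok[1], tok[2], tok[4]))
            elif tok[0] == "nat":           # nat (IFC) ID ...
                cfg["nat_ifcs"].add(tok[1].strip("()"))
            elif tok[0] == "global":        # global (IFC) ID ...
                cfg["global_ifcs"].add(tok[1].strip("()"))
            elif raw.strip() == "same-security-traffic permit inter-interface":
                cfg["same_sec"] = True
    return cfg


def default_flow(cfg, src, dst):
    """Fate of a new connection from src to dst with no access-list applied:
    higher security-level to lower is permitted, lower to higher needs an
    access-list, equal levels need the same-security-traffic statement."""
    a, b = cfg["ifcs"][src]["level"], cfg["ifcs"][dst]["level"]
    if a > b:
        return "permitted-by-default"
    if a < b:
        return "needs-acl"
    return "permitted-by-default" if cfg["same_sec"] else "needs-same-security-permit"


def interfaces_with_acl(cfg):
    """Interfaces whose implicit permit is replaced by an applied access-list."""
    return sorted({ifc for _, _, ifc in cfg["acl_on"]})


def interfaces_without_nat(cfg):
    """Heuristic: up interfaces that are neither the NAT exit (global) nor
    named in any nat statement, so hosts behind them have no translation."""
    return sorted(name for name, i in cfg["ifcs"].items()
                  if not i["shutdown"] and name not in cfg["global_ifcs"]
                  and name not in cfg["nat_ifcs"])


# Interface stanzas as in the first posted configuration (levels reversed).
FIRST_POST_IFCS = """
interface Ethernet0/0
 nameif Interior
 security-level 0
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 100
 ip address dhcp setroute
"""

# Excerpt of the second posted configuration.
SECOND_POST = """
interface Ethernet0/0
 nameif Interior
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 0
 ip address dhcp setroute
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0 dns
access-group Exterior_access_in in interface Exterior per-user-override
access-group Interior_access_in in interface Interior per-user-override
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

if __name__ == "__main__":
    for label, text in (("first post", FIRST_POST_IFCS), ("second post", SECOND_POST)):
        print(label, "Interior->Exterior:", default_flow(parse_config(text), "Interior", "Exterior"))
    cfg = parse_config(SECOND_POST)
    print("access-lists applied on:", interfaces_with_acl(cfg))  # ['Exterior', 'Interior']
    print("no nat statement for:", interfaces_without_nat(cfg))  # ['management']
```

With the first configuration the inside-to-outside direction comes back as "needs-acl", which is the backwards security-level problem; with the second it is permitted by default, but the applied access-groups override that, and the management interface has no nat statement, which is what the "nat (management) 100 0 0" suggestion above adds.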

ivarnhagen Tue, 06/16/2009 - 07:06

Also: I see your exterior interface is getting an IP from DHCP. Try setting this statically, as well as a static default route pointing to the Linksys. The route back from the Linksys to the ASA should correspond to this config...

Unless you have a static DHCP reservation, the route back from the Linksys to the ASA will not work, since the default gateway (ASA Exterior) IP could change.

"Routing failed to locate next hop for icmp from" tells me the ASA might not be getting an IP and default route via DHCP.
