ASA 5510 - cannot access or ping internal networks

Answered Question
Jun 21st, 2009

Hi

I cannot ping from one internal network (10.1.1.0/24) to another internal network (10.1.2.0/24, 10.1.3.0/24 and so on).

The static route is in place and it's working fine. I can ping these networks from the ASA but not from any workstations.

The error I get on the ASA is: packet dropped due to access list implicit deny.

Here is the config file:

:
ASA Version 8.0(2)
!
hostname asa
domain-name test.com
enable password YLmDtv0bLkbX2VFy encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.200.1 255.255.255.248
 management-only
!
access-list acl_outside remark Allows ping from outside (must enable internal ICMP rule#3)
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq ftp inactive
access-list acl_outside extended permit tcp any any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in remark Internal nodes access to outside world (all ports)
access-list inside_access_in extended permit object-group TCPUDP any any object-group Any
access-list inside_access_in remark Allows ping from inside network to outside network (internet).
access-list inside_access_in extended permit icmp any any echo inactive
access-list inside_access_in remark Allow ping reply both ways - from inside to outside and from
access-list inside_access_in remark outside to inside (nat public address nodes)
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
access-list group1_splitTunnelAcl standard permit any
pager lines 24
mtu inside 1500
mtu management 1500
ip local pool VPN-Pool 172.16.100.0-172.16.100.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 20x.20x.16.xxx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.4.0 255.255.255.0 10.1.1.248 1
route inside 10.1.7.0 255.255.255.0 10.1.1.248 1
route inside 10.1.9.0 255.255.255.0 10.1.1.248 1
route inside 10.1.14.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
route inside 192.168.1.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
route inside 192.168.30.0 255.255.255.240 10.1.1.248 1
route inside 192.168.40.0 255.255.255.240 10.1.1.248 1
route inside 192.168.50.0 255.255.255.240 10.1.1.248 1
route inside 192.168.70.0 255.255.255.240 10.1.1.248 1
route inside 192.168.80.0 255.255.255.240 10.1.1.248 1
-------------------------------------

Any help or advice will be appreciated.

Thanks

Correct Answer by JORGE RODRIGUEZ about 7 years 5 months ago

You need a couple of statements:

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.7.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.14.0 255.255.255.0 10.1.1.0 255.255.255.0

and so on...

Apply the NAT exempt to the inside interface, which you already have: nat (inside) 0 access-list nonat

Regards
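As an added check that is not part of the thread: a small Python audit that reads the route and nonat lines of an ASA 8.0 config and lists every inside-routed destination network with no NAT-exempt entry covering traffic with 10.1.1.0/24 in either direction, which is the gap the accepted answer fills one line at a time. The excerpt is constructed from the poster's config (only `route inside` and `access-list nonat ... permit ip` lines are parsed) and assumes one of the answer's entries has already been added.

```python
"""Audit which inside-routed networks lack a NAT-exempt (nonat) entry.
Added example; not ASA code and not from the thread."""
import ipaddress
import re

# Constructed excerpt of the poster's config: the accepted answer's entry for
# 10.1.2.0 is already present, 10.1.3.0 and 192.168.20.0 are still missing.
SAMPLE_CONFIG = """
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) \S+ \d+$")
NONAT_RE = re.compile(r"^access-list nonat extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")


def _net(spec):
    """'any' or 'addr mask' -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}")


def inside_routes(config):
    """Destination networks the ASA routes back out its inside interface."""
    matches = (ROUTE_RE.match(line.strip()) for line in config.splitlines())
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") for m in matches if m]


def nonat_pairs(config):
    """(source, destination) pairs the nonat ACL exempts from NAT."""
    matches = (NONAT_RE.match(line.strip()) for line in config.splitlines())
    return [(_net(m.group(1)), _net(m.group(2))) for m in matches if m]


def missing_exemptions(config, inside_net="10.1.1.0/24"):
    """Inside-routed networks with no nonat entry covering traffic between them and
    inside_net in either direction; hairpinned traffic to these is what the poster's
    ASA was still dropping before the accepted answer's entries were added."""
    inside = ipaddress.ip_network(inside_net)
    pairs = nonat_pairs(config)

    def covered(src, dst):
        return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

    return [str(n) for n in inside_routes(config)
            if not (covered(inside, n) or covered(n, inside))]
```

Feed it the full running config and every network it prints needs a nonat line of the form the accepted answer shows.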


raj.mathur Mon, 06/22/2009 - 12:11

Hello jorgemcse

Your suggestion worked like a charm. Problem resolved. The internal networks are now working as expected and able to access each other's nodes without any issues.

Thanks a ton for your help

Best Regards

ivarnhagen Sun, 06/21/2009 - 21:27

Hi,

add the command "same-security-traffic permit intra-interface" as the previous post mentioned.

It looks like you are planning to do asymmetric routing on the ASA? If so, you might run into some issues with TCP traffic. In case you do, check out the following link:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1d776/4#selected_message

I would advise upgrading to ASA 8.2(1) and using the newly added feature TCP state bypass:

http://6200networks.com/2009/05/12/asa-new-feature-tcp-state-bypass/

JORGE RODRIGUEZ Mon, 06/22/2009 - 09:58

Raj,

Are you all set with your issue reaching hosts from 10.1.1.0 through the inside gateways? Let us know so we can assist further.

Regards

raj.mathur Mon, 06/22/2009 - 16:40

Hello jorgemcse

One problem is still there: we cannot browse the systems on the other network. We can ping from 10.1.1.0 to 10.1.2.0 and vice versa, but cannot connect to any system from Network Neighborhood.

Is there any other setting I need to do?

Any help would be appreciated.

Thanks

JORGE RODRIGUEZ Mon, 06/22/2009 - 17:30

Which network can you not reach from 10.1.1.0? Can you provide more details: load your ASDM real-time log, watch the traffic, and post the log so we can see it.

Regards

JORGE RODRIGUEZ Mon, 06/22/2009 - 19:54

Raj,

TCP Reset-O is not a good sign; the TCP three-way handshake gets broken somewhere. TCP RESET-O (Outside): are these the only two networks, 10.1.2.0 and 10.1.3.0, you are having issues with towards 10.1.1.0? http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280675

Can you access any other hosts besides 10.1.3.6 from 10.1.1.156? How about the other networks you are routing through 10.1.1.248?

Do you have a sanitized network diagram so we can better understand your topology? Are all those networks behind the ASA off the 10.1.1.248 gateway, SVIs on an L3 switch?

ivarnhagen Mon, 06/22/2009 - 21:06

Hi,

Check out the attachment. If that is your network setup, you will most likely run into the problem you are having: TCP sessions getting torn down. Ping works because it is handled statelessly. TCP, however, is handled statefully.

Take a look at the links I posted earlier ;)

hth

Ingo

Attachment: 
JORGE RODRIGUEZ Mon, 06/22/2009 - 22:48

Ingo, I had a look at the good link you posted and rated it; indeed very informative. I had set up a similar scenario, not exactly the same, with a customer and it worked with no issues. I would like to know Raj's actual topology and whether it works for some subnets and not others; perhaps we are missing additional info.

Regards

ivarnhagen Tue, 06/23/2009 - 08:05

Hi jorgemcse, thanks for the rating :) Unfortunately this setup with the ASA is a bit tricky. Which ASA version did you run while you were not confronted with this problem? I had this problem with ver 7.2(4), but since it's only been "fixed" in 8.2, I think Raj (running 8.0(2)) is also having this problem.

It might help if Raj tried configuring the following just for one of the networks (e.g. 10.1.2.0) to see if it does the trick.

static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

Note that there is a risk of these commands disrupting network traffic, as I have not tried these on ASA 8.0(2).

Ingo

raj.mathur Tue, 06/23/2009 - 07:36

I can only access the 10.1.1.0 network. I cannot access any other: 10.1.2.0, 10.1.3.0 and so on.

Ping works for all.

10.1.1.0 is directly connected to the ASA. The other networks are behind a Cisco router, 10.1.1.248.

ASA (10.1.1.2)
      |
      |
10.1.1.0 network (GW 10.1.1.2)
      |
      |
Cisco Router: 10.1.1.248
   |        |        |        |
   |        |        |        |
10.1.2.0  10.1.3.0  10.1.4.0  ... and so on are connected via this Cisco router.

Attachment: 
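Added example, not from the thread and not ASA code: a small Python model of the topology Raj describes, using the hosts 10.1.1.156 and 10.1.3.6 mentioned earlier in the thread as the two endpoints. A segment going host to ASA to router is inspected, but the reply from the router to the host on the shared 10.1.1.0/24 segment never crosses the ASA, so the firewall sees the SYN and the ACK but no SYN-ACK; the model follows Ingo's description (ICMP passed statelessly, TCP tracked statefully) plus the 8.2 TCP state bypass option, and a real ASA with ICMP inspection enabled would treat ping differently.

```python
"""Why TCP dies but ping survives when a stateful firewall sees only one
direction of a hairpinned flow. Added example; not ASA code."""

INSIDE_HOST, BRANCH_HOST = "10.1.1.156", "10.1.3.6"   # hosts named in the thread
ASA, ROUTER = "10.1.1.2", "10.1.1.248"                # from Raj's topology
# TCP flag -> (handshake state the firewall must already hold, state it moves to)
HANDSHAKE = {"SYN": (None, "SYN_SEEN"),
             "SYN-ACK": ("SYN_SEEN", "SYNACK_SEEN"),
             "ACK": ("SYNACK_SEEN", "ESTABLISHED")}


class StatefulFirewall:
    """Minimal stateful inspection: TCP segments must follow a handshake the
    firewall itself observed; ICMP echo is passed without any state."""

    def __init__(self, tcp_state_bypass=False):
        self.bypass = tcp_state_bypass   # the 8.2(1) feature Ingo points to
        self.flows = {}                  # frozenset({a, b}) -> handshake state
        self.drops = []                  # (flags, state) of every dropped segment

    def forward(self, src, dst, proto, flags):
        if proto != "tcp" or self.bypass:
            return True
        key = frozenset((src, dst))
        state = self.flows.get(key)
        if state == "ESTABLISHED":
            return True
        expected, nxt = HANDSHAKE.get(flags, ("n/a", None))
        if state == expected:
            self.flows[key] = nxt
            return True
        self.drops.append((flags, state))   # e.g. ("ACK", "SYN_SEEN"): no SYN-ACK seen
        return False


def run(asymmetric_return, tcp_state_bypass=False):
    """Return the segments that reach their destination for one ping + one TCP connect."""
    fw = StatefulFirewall(tcp_state_bypass)
    out_hops = [ASA, ROUTER]                                      # host -> ASA -> router
    back_hops = [ROUTER] if asymmetric_return else [ROUTER, ASA]  # router -> host directly?
    segments = [
        (INSIDE_HOST, BRANCH_HOST, "icmp", "echo-request", out_hops),
        (BRANCH_HOST, INSIDE_HOST, "icmp", "echo-reply", back_hops),
        (INSIDE_HOST, BRANCH_HOST, "tcp", "SYN", out_hops),
        (BRANCH_HOST, INSIDE_HOST, "tcp", "SYN-ACK", back_hops),
        (INSIDE_HOST, BRANCH_HOST, "tcp", "ACK", out_hops),
        (INSIDE_HOST, BRANCH_HOST, "tcp", "PSH-ACK", out_hops),
    ]
    delivered = []
    for src, dst, proto, flags, hops in segments:
        if ASA in hops and not fw.forward(src, dst, proto, flags):
            continue   # the ASA dropped it; nothing downstream sees it
        delivered.append(flags)
    return delivered
```

With the asymmetric return path the handshake stalls after the SYN-ACK, which is the "TCP sessions getting torn down" symptom; a symmetric path or TCP state bypass lets the whole exchange through.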
JORGE RODRIGUEZ Tue, 06/23/2009 - 09:43

Raj, this is a new problem I've come across. You will have to try Ingo's suggestions under your current 8.0(2) code; you may need to remove the NAT-exempt access-list you previously configured for all your networks and implement the static NAT Ingo posted.

raj.mathur Tue, 06/23/2009 - 09:59

I tried Ingo's suggestion but it did not work.

I will try removing the NAT exempt and see.

JORGE RODRIGUEZ Tue, 06/23/2009 - 11:48

Thanks for posting results. Let us know please, and observe the real-time logs while accessing the networks after the changes.

servicel Tue, 06/23/2009 - 21:24

Hi Raj,

Who knew something so simple could turn out to be a problem like this ;)

First of all, back up your existing config. Then the existing NAT commands concerning the branch office networks should be removed, as jorgemcse already pointed out regarding NAT exempt, i.e. remove the branch office networks from the nonat ACL.

It's important to copy/paste the following commands exactly via the CLI, with every keyword. Also check if any of them get rejected (I know they look strange; the explanation can be found in the link I posted).

static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

After you've entered them you should add the security policy:

access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

Try your TCP connection to a host 10.1.2.x. If it still doesn't work, and if circumstances allow, save the config and try rebooting the ASA. Better would be to pull the power plug for 10 sec. (I had issues before where this helped.)

If you've done this config and other services aren't disrupted, please leave the config like that and post the ASA config here so we can double-check.

If all of this doesn't work, you might be running into some version differences, as I can only confirm this config working on 7.2(4). I suggest upgrading to 8.2(1), or downgrading to 7.2(4).

hth

Ingo

raj.mathur Wed, 06/24/2009 - 18:41

Ingo

I tried all the options but none of them worked. I upgraded to 8.2 and even downgraded, but same problem. I can ping the branch office network but cannot browse or access any nodes.

Thx
