ASA 5510 - cannot access or ping internal networks

raj.mathur
Level 1

Hi

I cannot ping from one internal network (10.1.1.0/24) to another internal network (10.1.2.0/24 or 10.1.3.0/24 and so on).

The static routes are in place and they're working fine. I can ping these networks from the ASA but not from any workstations.

The error I get on ASA is: packet dropped due to access list implicit deny.

Here is the config file:

ASA Version 8.0(2)
!
hostname asa
domain-name test.com
enable password YLmDtv0bLkbX2VFy encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.200.1 255.255.255.248
 management-only
!
access-list acl_outside remark Allows ping from outside (must enable internal ICMP rule#3)
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq ftp inactive
access-list acl_outside extended permit tcp any any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in remark Internal nodes access to outside world (all ports)
access-list inside_access_in extended permit object-group TCPUDP any any object-group Any
access-list inside_access_in remark Allows ping from inside network to outside network (internet).
access-list inside_access_in extended permit icmp any any echo inactive
access-list inside_access_in remark Allow ping reply both ways - from inside to outside and from
access-list inside_access_in remark outside to inside (nat public address nodes)
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
access-list group1_splitTunnelAcl standard permit any
pager lines 24
mtu inside 1500
mtu management 1500
ip local pool VPN-Pool 172.16.100.0-172.16.100.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 20x.20x.16.xxx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.4.0 255.255.255.0 10.1.1.248 1
route inside 10.1.7.0 255.255.255.0 10.1.1.248 1
route inside 10.1.9.0 255.255.255.0 10.1.1.248 1
route inside 10.1.14.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
route inside 192.168.1.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
route inside 192.168.30.0 255.255.255.240 10.1.1.248 1
route inside 192.168.40.0 255.255.255.240 10.1.1.248 1
route inside 192.168.50.0 255.255.255.240 10.1.1.248 1
route inside 192.168.70.0 255.255.255.240 10.1.1.248 1
route inside 192.168.80.0 255.255.255.240 10.1.1.248 1

-------------------------------------

Any help or advice will be appreciated.

Thanks

Accepted Solution

JORGE RODRIGUEZ
Level 10

You need a couple of statements:

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.7.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.14.0 255.255.255.0 10.1.1.0 255.255.255.0

and so on...

Apply the nonat exemption to the inside interface, which you already have: nat (inside) 0 access-list nonat

Regards

Jorge Rodriguez

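The accepted solution above amounts to two conditions that can be checked mechanically: the intra-interface permit, and a nat-exemption entry for every subnet the ASA routes back out the interface it was learned on. The Python script below is an added example, not code from the thread or from Cisco. It parses a constructed, abbreviated copy of the posted config, reports which of the two conditions is missing for each hairpinned route, and emits statements in the shape Jorge suggested. The parser understands only the command forms that appear in the thread (interface `ip address`, `route`, `access-list ... extended permit ip`, `nat ... 0 access-list`); treating a masked address such as 20x.20x.16.xxx as unparseable, and checking the exemption in either direction, are assumptions of this example.

```python
"""Audit an ASA 8.x config for the two hairpin (inside-to-inside) conditions
discussed in the thread: 'same-security-traffic permit intra-interface' and a
nat-exemption entry for every subnet routed back out the inside interface."""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

INTRA = "same-security-traffic permit intra-interface"
DEFAULT = IPv4Network("0.0.0.0/0")

# Constructed, abbreviated copy of the config posted in the thread: interface,
# nat-exemption and route lines kept, everything else dropped.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/3
 nameif inside
 ip address 10.1.1.2 255.255.255.0
!
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
"""


def _operand(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one ACL address operand ('any', 'host A' or 'A MASK') at t[i]."""
    if t[i] == "any":
        return DEFAULT, i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    return IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_asa(config: str) -> dict:
    """Extract interfaces, routes, 'permit ip' ACL entries and nat 0 bindings."""
    blocks: Dict[str, dict] = {}   # physical interface -> {nameif, net}
    routes: List[Tuple[str, IPv4Network]] = []
    acls: Dict[str, List[Tuple[IPv4Network, IPv4Network]]] = {}
    nat0: Dict[str, str] = {}      # nameif -> exemption ACL name
    intra, cur = False, None
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if line == "!":            # ASA prints '!' between interface blocks
            cur = None
        elif t[0] == "interface":
            cur = t[1]
            blocks[cur] = {}
        elif cur and t[0] == "nameif":
            blocks[cur]["nameif"] = t[1]
        elif cur and t[:2] == ["ip", "address"] and len(t) >= 4:
            try:   # the thread masks public addresses (20x.20x.16.xxx); skip those
                blocks[cur]["net"] = IPv4Network(f"{t[2]}/{t[3]}", strict=False)
            except ValueError:
                pass
        elif line == INTRA:
            intra = True
        elif t[0] == "route" and len(t) >= 4:
            routes.append((t[1], IPv4Network(f"{t[2]}/{t[3]}")))
        elif t[0] == "access-list" and len(t) > 5 and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
    ifaces = {b["nameif"]: b["net"] for b in blocks.values() if "nameif" in b and "net" in b}
    return {"ifaces": ifaces, "routes": routes, "acls": acls, "nat0": nat0, "intra": intra}


def hairpin_gaps(p: dict) -> List[Tuple[str, IPv4Network, IPv4Network]]:
    """Routes that send traffic back out the interface it arrived on and have no
    nat-exemption entry covering either direction: (nameif, local, remote)."""
    gaps = []
    for ifname, dest in p["routes"]:
        local = p["ifaces"].get(ifname)
        if local is None or dest == DEFAULT:   # default route: not a hairpin
            continue
        rules = p["acls"].get(p["nat0"].get(ifname, ""), [])
        covered = any((local.subnet_of(s) and dest.subnet_of(d))
                      or (dest.subnet_of(s) and local.subnet_of(d)) for s, d in rules)
        if not covered:
            gaps.append((ifname, local, dest))
    return gaps


def audit(config: str) -> List[str]:
    """Human-readable findings; an empty list means both conditions are met."""
    p = parse_asa(config)
    findings = [] if p["intra"] else [f"missing '{INTRA}'"]
    for ifname, local, dest in hairpin_gaps(p):
        findings.append(f"no nat exemption between {local} and {dest} (routed out {ifname})")
    return findings


def proposed_fix(config: str) -> List[str]:
    """Statements in the shape of the accepted solution that close every gap."""
    p = parse_asa(config)
    lines = [] if p["intra"] else [INTRA]
    for ifname, local, dest in hairpin_gaps(p):
        acl = p["nat0"].get(ifname)
        if acl is None:   # assumption: bind a new 'nonat' ACL when none exists yet
            acl = "nonat"
            nat_line = f"nat ({ifname}) 0 access-list {acl}"
            if nat_line not in lines:
                lines.append(nat_line)
        lines.append(f"access-list {acl} extended permit ip {dest.network_address} "
                     f"{dest.netmask} {local.network_address} {local.netmask}")
    return lines


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(proposed_fix(SAMPLE_CONFIG)))
```

Run against the sample, the audit reports the missing intra-interface permit and one missing exemption per `route inside` subnet; feeding the proposed statements back in makes the audit come up empty, which is the check to run after pasting the accepted solution into a real config.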

20 Replies


Hello jorgemcse

Your suggestion worked like a charm. Problem resolved. The internal networks are now working as expected and able to access each other's nodes without any issues.

Thanks a ton for your help

Best Regards

Raj, glad it's resolved - thanks for the rating.

Regards

Jorge

Jorge Rodriguez

i.va
Level 3

Hi,

add the command "same-security-traffic permit intra-interface" as the previous post mentioned.

It looks like you are planning to do asymmetric routing on the ASA? If so, you might run into some issues with TCP traffic. In case you do, check out the following link:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1d776/4#selected_message

I would advise upgrading to ASA 8.2(1) and using the newly added feature TCP state bypass:

http://6200networks.com/2009/05/12/asa-new-feature-tcp-state-bypass/

Raj,

Are you all set with your issue reaching hosts from 10.1.1.0 through the inside gateways? Let us know if you need further assistance.

Regards

Jorge Rodriguez

Hello jorgemcse

One problem is still there: we cannot browse the systems on the other networks. We can ping from 10.1.1.0 to 10.1.2.0 and vice versa, but cannot connect to any system from Network Neighborhood.

Is there any other setting I need to do?

Any help would be appreciated.

Thanks

Which network can you not reach from 10.1.1.0? Can you provide more details: load your ASDM real-time log, look at the traffic, and post the log so we can see it.

Regards

Jorge Rodriguez

I am trying to access a file server from 10.1.1.156 to 10.1.3.6.

See the log attached.

Thanks

Raj,

TCP Reset-O is not a good sign; the TCP three-way handshake gets broken somewhere (TCP RESET-O: Outside). Are these the only two networks, 10.1.2.0 and 10.1.3.0, you are having issues with towards 10.1.1.0? http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280675

Can you access any other hosts besides 10.1.3.6 from 10.1.1.156? How about the other networks you are routing through 10.1.1.248?

Do you have a sanitized network diagram to better understand your topology? Are all those networks behind the ASA off the 10.1.1.248 gateway, SVIs on an L3 switch?

Jorge Rodriguez

Hi,

Check out the attachment. If that is your network setup, you will most likely run into the problem you are having: TCP sessions getting torn down. Ping works because it is handled statelessly. TCP, however, is handled statefully.

Take a look at the links I posted earlier ;)

hth

Ingo
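The "TCP Reset-O" that Jorge and Ingo refer to shows up in the ASA's 302014 "Teardown TCP connection" syslog messages. The script below is an added example, not from the thread: it parses constructed log lines modelled on the ASA 302013/302014 format and flags flows that enter and leave the same interface and are torn down by a reset with zero bytes transferred, which is the pattern Ingo describes for hairpinned TCP through an asymmetric path. The sample lines and the zero-byte heuristic are constructed for this example; the regular expression assumes the standard 302014 field order.

```python
"""Triage ASA 302014 'Teardown TCP connection' messages for hairpinned flows
that are reset before any payload is exchanged, the symptom discussed above."""
import re
from collections import Counter
from typing import List

# Field order of the ASA 302014 message body; the optional trailing "(user)"
# is excluded from the reason by stopping at the first '('.
TEARDOWN = re.compile(
    r"Teardown TCP connection \d+ for (?P<in_if>\w+):(?P<src>[\d.]+)/\d+"
    r" to (?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" duration \S+ bytes (?P<bytes>\d+) (?P<reason>[^(]+)"
)

# Constructed sample lines modelled on the ASA 302013/302014 syslog format,
# using the thread's addresses (workstation 10.1.1.156, file server 10.1.3.6).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for inside:10.1.1.156/49231 (10.1.1.156/49231) to inside:10.1.3.6/445 (10.1.3.6/445)
%ASA-6-302014: Teardown TCP connection 1001 for inside:10.1.1.156/49231 to inside:10.1.3.6/445 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1002 for inside:10.1.1.156/49232 to inside:10.1.3.6/445 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1003 for inside:10.1.1.20/51000 to outside:198.51.100.7/443 duration 0:00:12 bytes 8412 TCP FINs
%ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/40000 to inside:10.1.1.50/80 duration 0:00:00 bytes 0 TCP Reset-O
"""


def parse_teardowns(text: str) -> List[dict]:
    """One dict per 302014 line; every other message is ignored."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            d = m.groupdict()
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            d["reason"] = d["reason"].strip()
            events.append(d)
    return events


def triage(text: str) -> dict:
    """Count teardown reasons and list hairpinned flows (same ingress and egress
    interface) that were reset with zero bytes, as (src, dst, dport, count)."""
    events = parse_teardowns(text)
    reasons = Counter(e["reason"] for e in events)
    hairpin = Counter(
        (e["src"], e["dst"], e["dport"])
        for e in events
        if e["in_if"] == e["out_if"] and e["bytes"] == 0
        and e["reason"].startswith("TCP Reset")
    )
    return {"reasons": reasons,
            "hairpin_resets": sorted((s, d, p, n) for (s, d, p), n in hairpin.items())}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("teardown reasons:", dict(result["reasons"]))
    for src, dst, dport, n in result["hairpin_resets"]:
        print(f"{n}x reset with no data: {src} -> {dst}:{dport} (same interface in and out)")
```

On the sample, the two inside-to-inside attempts at the file server on port 445 are reported as hairpinned zero-byte resets, while the normal inside-to-outside session (closed by FINs) and the outside-to-inside reset (a different path, not a hairpin) are not. Repeated hits against the same destination from the ASDM real-time log are what to compare with the topology before trying the workarounds discussed in this thread.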

Ingo, I realized the good link you posted is indeed very informative, and rated it. I had set up a similar scenario (not exactly the same) with a customer and it worked with no issues. I would like to know Raj's actual topology and whether it works for some subnets and not others; perhaps we are missing additional info.

Regards

Jorge Rodriguez

Hi jorgemcse... thanks for the rating :) Unfortunately this setup with the ASA is a bit tricky. Which ASA version did you run while you were not being confronted with this problem? I had this problem with ver 7.2(4), but since it's only been "fixed" in 8.2, I think Raj (running 8.0(2)) is also having this problem.

It might help if Raj tried configuring the following just for one of the networks (e.g. 10.1.2.0) to see if it does the trick.

static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1

Note that there is a risk of these commands disrupting network traffic as I have not tried these on ASA 8.0(2).

Ingo

Yes. This is exactly what the topology is.

I can only access the 10.1.1.0 network. I cannot access any of the others: 10.1.2.0, 10.1.3.0 and so on.....

Ping works for all.

10.1.1.0 is directly connected to the ASA. The other networks are behind a Cisco router, 10.1.1.248:

ASA (10.1.1.2)
      |
10.1.1.0 network (GT-10.1.1.2)
      |
Cisco Router: 10.1.1.248
   |        |        |        |
10.1.2.0  10.1.3.0  10.1.4.0  .....so on are connected via this Cisco router.
