06-21-2009 08:00 PM
Hi
I cannot ping from one internal network (10.1.1.0/24) to another internal network (10.1.2.0/24 or 10.1.3.0/24 and so on).
The static route is in place and it's working fine. I can ping these networks from the ASA but not from any workstation.
The error I get on the ASA is: packet dropped due to access list implicit deny.
Here is config file:
:
ASA Version 8.0(2)
!
hostname asa
domain-name test.com
enable password YLmDtv0bLkbX2VFy encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.200.1 255.255.255.248
management-only
!
access-list acl_outside remark Allows ping from outside (must enable internal ICMP rule#3)
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq ftp inactive
access-list acl_outside extended permit tcp any any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in remark Internal nodes access to outside world (all ports)
access-list inside_access_in extended permit object-group TCPUDP any any object-group Any
access-list inside_access_in remark Allows ping from inside network to outside network (internet).
access-list inside_access_in extended permit icmp any any echo inactive
access-list inside_access_in remark Allow ping reply both ways - from inside to outside and from
access-list inside_access_in remark outside to inside (nat public address nodes)
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
access-list group1_splitTunnelAcl standard permit any
pager lines 24
mtu inside 1500
mtu management 1500
ip local pool VPN-Pool 172.16.100.0-172.16.100.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 20x.20x.16.xxx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.4.0 255.255.255.0 10.1.1.248 1
route inside 10.1.7.0 255.255.255.0 10.1.1.248 1
route inside 10.1.9.0 255.255.255.0 10.1.1.248 1
route inside 10.1.14.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
route inside 192.168.1.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
route inside 192.168.30.0 255.255.255.240 10.1.1.248 1
route inside 192.168.40.0 255.255.255.240 10.1.1.248 1
route inside 192.168.50.0 255.255.255.240 10.1.1.248 1
route inside 192.168.70.0 255.255.255.240 10.1.1.248 1
route inside 192.168.80.0 255.255.255.240 10.1.1.248 1
-------------------------------------
Any help or advice will be appreciated.
Thanks
06-21-2009 09:27 PM
You need a couple of statements:
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.7.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.14.0 255.255.255.0 10.1.1.0 255.255.255.0
and so on...
Apply the nonat exemption to the inside interface, which you already have: nat (inside) 0 access-list nonat
Regards
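As an added check (not part of the answer above, nor Cisco's code), a Python script that reads an ASA 8.0-style config and lists the inside-routed subnets that still lack a nonat exemption pairing them with the directly connected 10.1.1.0/24, then emits the missing ACEs in the form the answer suggests. The config excerpt is constructed from the poster's config; only `route inside` and `access-list nonat` lines are parsed.

```python
import ipaddress

# Constructed excerpt of the poster's config: inside routes plus the two nonat ACEs that exist before the fix.
ASA_CONFIG = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list nonat extended permit ip any 172.16.100.0 255.255.255.192
nat (inside) 0 access-list nonat
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
"""

def _take_net(tokens):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse(config):
    """Return (routed inside subnets, nonat (src, dst) pairs) from the config text."""
    routed, exempt = [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["route", "inside"] and len(t) >= 4:
            routed.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:5] == ["access-list", "nonat", "extended", "permit", "ip"]:
            rest = t[5:]
            exempt.append((_take_net(rest), _take_net(rest)))
    return routed, exempt

def missing_nat_exemptions(config, local_net="10.1.1.0/24"):
    """Routed inside subnets that no nonat ACE pairs with the directly connected LAN.
    NAT exemption (nat 0 access-list) is bidirectional, so either ACE direction counts."""
    local = ipaddress.ip_network(local_net)
    routed, exempt = parse(config)
    def covered(net):
        return any((local.subnet_of(s) and net.subnet_of(d)) or
                   (net.subnet_of(s) and local.subnet_of(d)) for s, d in exempt)
    return [str(n) for n in routed if not covered(n)]

def suggest_exemptions(config, local_net="10.1.1.0/24"):
    """Emit the missing ACEs in the same form the answer uses (remote net -> LAN)."""
    local = ipaddress.ip_network(local_net)
    return [f"access-list nonat extended permit ip {n.network_address} {n.netmask} "
            f"{local.network_address} {local.netmask}"
            for n in map(ipaddress.ip_network, missing_nat_exemptions(config, local_net))]
```

Run it against the full running config to get every `and so on...` entry the answer leaves implicit.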
06-22-2009 12:11 PM
Hello jorgemcse
Your suggestion worked like a charm. Problem resolved. The internal networks are now working as expected and able to access each other's nodes without any issues.
Thanks a ton for your help
Best Regards
06-22-2009 12:16 PM
Raj, glad it is resolved - thanks for the rating.
Regards
Jorge
06-21-2009 09:27 PM
Hi,
add the command "same-security-traffic permit intra-interface" as the previous post mentioned.
It looks like you are planning to do asymmetric routing on the ASA? If so, you might run into some issues with TCP traffic. In case you do, check out the following link:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1d776/4#selected_message
I would advise upgrading to ASA 8.2(1) and using the newly added feature TCP state bypass:
http://6200networks.com/2009/05/12/asa-new-feature-tcp-state-bypass/
06-22-2009 09:58 AM
Raj,
Are you all set with your issue reaching hosts from 10.1.1.0 through inside gateways? Let us know to assist further.
Regards
06-22-2009 04:40 PM
Hello jorgemcse
One problem is still there: we cannot browse the systems on the other network. We can ping from 10.1.1.0 to 10.1.2.0 and vice versa but cannot connect to any system from Network Neighborhood.
Is there any other setting I need to do?
Any help would be appreciated.
Thanks
06-22-2009 05:30 PM
Which network can you not reach from the 10.1.1.0? Can you provide more details? Load your ASDM real-time log and see the traffic, and post the log so we can see it.
Regards
06-22-2009 06:09 PM
06-22-2009 07:54 PM
Raj,
TCP Reset-O is not a good sign; the TCP three-way handshake gets broken somewhere (TCP RESET-O = Outside). Are these the only two networks, 10.1.2.0 and 10.1.3.0, you are having issues with towards 10.1.1.0? http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280675
Can you access any other hosts besides 10.1.3.6 from 10.1.1.156? How about the other networks you are routing through 10.1.1.248?
Do you have a sanitized network diagram to better understand your topology? Are all those networks behind the ASA off the 10.1.1.248 gateway SVIs from an L3 switch?
06-22-2009 09:06 PM
Hi,
Check out the attachment. If that is your network setup, you will most likely run into the problem you are having... TCP sessions getting torn down. Ping works because it is handled statelessly. TCP, however, is handled statefully.
Take a look at the links I posted earlier ;)
hth
Ingo
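As an added illustration (not code from this thread or from Cisco), a toy Python model of the stateful behaviour Ingo describes: the ASA hairpins the host's outbound packets, but the router returns the replies directly on the LAN, so the firewall sees only half of each exchange. The host addresses are the ones from the thread; the firewall logic is a deliberate simplification of the ASA's real state machine, and the tcp_state_bypass flag only approximates the 8.2 feature.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    flags: str = ""       # TCP flags: "S", "SA", "A", "PA"
    via_asa: bool = True  # False: the router delivers it on the LAN and the ASA never sees it

class StatefulHairpinFirewall:
    """Simplified model: TCP is forwarded only once both SYN and SYN-ACK were seen;
    ICMP is stateless here (poster's 'icmp permit any inside'); bypass skips TCP checks."""
    def __init__(self, tcp_state_bypass=False):
        self.bypass = tcp_state_bypass
        self.conns = {}   # (client, server) -> "SYN_SEEN" | "ESTABLISHED"
        self.log = []

    def handle(self, pkt):
        if not pkt.via_asa:
            return "unseen"          # asymmetric path: the firewall never gets this packet
        if pkt.proto == "icmp" or self.bypass:
            return "forward"
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.conns[key] = "SYN_SEEN"
            return "forward"
        if pkt.flags == "SA" and self.conns.get(rkey) == "SYN_SEEN":
            self.conns[rkey] = "ESTABLISHED"
            return "forward"
        if "ESTABLISHED" in (self.conns.get(key), self.conns.get(rkey)):
            return "forward"
        self.log.append(f"drop {pkt.src}->{pkt.dst} flags={pkt.flags}: handshake never completed")
        return "drop"

def run_scenario(tcp_state_bypass=False):
    """10.1.1.156 (on the ASA's LAN) talks to 10.1.3.6 behind the 10.1.1.248 router:
    outbound goes host -> ASA -> router, replies come back router -> host directly."""
    fw = StatefulHairpinFirewall(tcp_state_bypass)
    client, server = "10.1.1.156", "10.1.3.6"
    flow = [
        Packet(client, server, "icmp"),                      # echo request, hairpinned
        Packet(server, client, "icmp", via_asa=False),       # echo reply, bypasses the ASA
        Packet(client, server, "tcp", "S"),                  # SYN, hairpinned
        Packet(server, client, "tcp", "SA", via_asa=False),  # SYN-ACK, bypasses the ASA
        Packet(client, server, "tcp", "A"),                  # ACK arrives out of state
        Packet(client, server, "tcp", "PA"),                 # first data segment
    ]
    return [fw.handle(p) for p in flow]
```

Without bypass the ping completes but every TCP segment after the SYN is dropped, which is why Network Neighborhood fails while ping succeeds.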
06-22-2009 10:48 PM
Ingo, I realized the good link you posted, rated, indeed very informative. I had set up a similar scenario, not exactly the same, with a customer and it worked with no issues. I would like to know Raj's actual topology and whether it works for some subnets and not others; perhaps we are missing additional info.
Regards
06-23-2009 08:05 AM
Hi jorgemcse... thanks for the rating :) Unfortunately this setup with the ASA is a bit tricky. Which ASA version did you run while you were not being confronted with this problem? I had this problem with ver 7.2(4), but since it's only been "fixed" in 8.2, I think Raj (running 8.0(2)) is also having this problem.
It might help if Raj tried configuring the following just for one of the networks (e.g. 10.1.2.0) to see if it does the trick.
static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 norandom nailed
static (inside,inside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0 norandom nailed
same-security-traffic permit intra-interface
sysopt noproxyarp inside
failover timeout -1
Note that there is a risk of these commands disrupting network traffic as I have not tried these on ASA 8.0(2).
Ingo
06-23-2009 07:09 AM
Yes. This is exactly what the topology is.
06-23-2009 07:36 AM
I can only access the 10.1.1.0 network. I cannot access any other: 10.1.2.0, 10.1.3.0 and so on...
Ping works for all.
10.1.1.0 is directly connected to the ASA. The other networks are behind a Cisco router, 10.1.1.248.
ASA (10.1.1.2)
|
|
10.1.1.0 network (GT-10.1.1.2)
|
|
Cisco Router: 10.1.1.248
| | | |
| | | |
10.1.2.0 10.1.3.0 10.1.4.0 .....so on are connected via this cisco router.