Two Internal Networks w/ Only one connected to ASA 5510

Answered Question

Hello,

I have an ASA 5510.  I have two internal networks:  192.168.1.0/24 is connected directly to the ASA.  192.168.10.0/24 is connected to 192.168.1.0/24 via a Cisco 1811 router.  I would like both internal networks to be able to communicate with each other.  As soon as I put the ASA into the picture, neither network can communicate with the other. I found information that says to add "same security traffic permit intra-interface", which I have done.  Next I get packets denied by the ACL.  I add the ACL to allow the traffic and now I am getting two errors:

- portmap translation creation failed for udp src Internal:A-192.168.1.34/53 dst Internal:192.168.10.11/53761

-  No matching connection for ICMP error message: icmp src Internal:A-192.168.1.15 dst Internal:192.168.10.11 (type 3, code 3) on Internal interface. Original IP payload: udp src 192.168.10.11/53761 dst A-192.168.1.15/53

I assume it needs some sort of NAT statement?  I am very new to Cisco and I am not sure what NAT to add.  Also, I guess I am confused. I would think that since the 192.168.10.0 network is not attached to the firewall and not trying to reach the internet (at this point), the ASA would not be monitoring the traffic.

Thank you,

Andrea


branfarm1 Fri, 11/20/2009 - 11:48

Hi there,


It sounds like you have a design issue to consider here.  Based on what you reported, it sounds like your 192.168.1.0/24 network has a default route that points to the inside interface on your ASA, which then goes to the internet.     And you have another network, 192.168.10.0/24 that is connected to the 192.168.1.0/24 network.


So you have 192.168.10.0/24 (Network A) -- Cisco 1811 -- 192.168.1.0/24 (Network B) -- ASA -- internet


Do you need to have the 1811 in place, or could you connect both networks to the ASA and use the ASA as your router & firewall?


If you can get rid of the 1811, your life would be pretty simple, in my opinion. Two networks off the ASA, one device to manage them all.


If you want to keep the 1811, I believe you would need to add a NAT exemption for the traffic that you want to hit the ASA and then go to the 1811, as well as a route on the ASA to point traffic destined for 192.168.10.0/24 to the 1811 interface on Network B.  Actually, I'm not sure about the route for 192.168.10.0/24 -- the ASA might just redirect -- not 100% sure.


So something like:


access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

route inside 192.168.10.0 255.255.255.0 192.168.1.x (1811 interface in the 192.168.1.0/24 network)


The reason you're seeing the traffic on the ASA is because, I assume, you have the default route on your hosts set to the ASA.


Hope that helps,


Brandon
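The hairpin approach Brandon outlines, written out as an added example (not the thread's own configuration). It assumes ASA 8.2-style NAT syntax, an inside interface named Internal (the name in Andrea's log messages), an ACL name of NONAT, and 192.168.1.254 as a placeholder for the 1811's Network B address.

```cisco
! Added example, not from the thread. Assumes 8.2-style NAT syntax, inside interface
! nameif "Internal" (from the log messages), and 192.168.1.254 as a placeholder for
! the 1811's address on 192.168.1.0/24 (Brandon's "192.168.1.x").
!
! 1. Allow a packet that arrived on Internal to be sent back out Internal (hairpin).
same-security-traffic permit intra-interface
!
! 2. NAT exemption: traffic between the two internal subnets must not be translated.
!    Without it the ASA tries to build a PAT entry for the hairpinned UDP/53 flow,
!    which is the "portmap translation creation failed" message in the question.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Internal) 0 access-list NONAT
!
! 3. Tell the ASA that Network A is reached via the 1811's Network B address.
route Internal 192.168.10.0 255.255.255.0 192.168.1.254 1
!
! 4. Interface ACL for the inter-subnet traffic (narrow this to the protocols
!    actually needed once it is working; "ip" mirrors the thread's troubleshooting).
access-list Internal_in extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group Internal_in in interface Internal
```

Note the path asymmetry this leaves: the 1811 delivers replies from Network A straight to Network B hosts, so the ASA sees only one direction of each flow, which is what the "No matching connection for ICMP error message" log line (original payload 192.168.10.11 to 192.168.1.15/53) reflects.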

Kureli Sankar Fri, 11/20/2009 - 16:52

I agree with Brandon.  You do have a design issue here.


Let us use the same topology:


192.168.10.0/24 (Network A) -- Cisco 1811 -- 192.168.1.0/24 (Network B) -- ASA -- internet


Let us say that all the PCs in the 192.168.1.0/24 are using 192.168.1.1 as their gateway.

Give that IP address to the Cisco 1811.


Get another unused IP address in the 192.168.1.0/24 network and assign it to the ASA.


Now, both networks should point to the 1811 for their default GW.

The router should have its default route pointing to the ASA.


You should not see packets from 192.168.1.0/24 when trying to talk to the 192.168.10.0/24 on the ASA at all.
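The design Kureli describes, shown as an added example (not configuration from the thread). Constructed addresses: the 1811 takes 192.168.1.1 on Network B (the hosts' existing gateway) and 192.168.10.1 on Network A; the ASA's Internal interface gets 192.168.1.2 as the unused address; the ASA's outside interface is assumed to be named outside.

```cisco
! Added example, not from the thread. Constructed addresses: 1811 = 192.168.1.1 (B)
! and 192.168.10.1 (A); ASA Internal = 192.168.1.2; ASA outside nameif = "outside".
!
! --- Cisco 1811 (IOS) ---
interface FastEthernet0
 description Network B; keeps the 192.168.1.1 gateway address hosts already use
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet1
 description Network A
 ip address 192.168.10.1 255.255.255.0
! Anything not local to A or B is handed to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
! --- ASA (8.2-style syntax) ---
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.1.2 255.255.255.0
! Return path for Network A; A<->B traffic never reaches the ASA in this design
route Internal 192.168.10.0 255.255.255.0 192.168.1.1 1
! Both subnets need an outbound translation once Network A also uses the internet
nat (Internal) 1 192.168.1.0 255.255.255.0
nat (Internal) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
```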

branfarm1 Fri, 11/20/2009 - 16:57

Thanks for the response Kusankar --


Another idea I had is to use a small /30 subnet between the 1811 and the ASA -- would that offer any additional benefits for this situation?

Kureli Sankar Fri, 11/20/2009 - 17:34

Certainly. That would work as well.  I do not see any additional benefit. That would involve a new (sub)interface config etc. on the router and changing the ASA side config.


What I had suggested is very easy to do with no major additional config changes.

branfarm1 Sun, 11/22/2009 - 09:34

Andrea,


How much traffic is there between the two subnets, and how much traffic do you anticipate to/from the internet?    If you really have a lot of traffic between your two subnets, you might need to consider purchasing a more powerful router. The benefit of having the router is that it offers features which aren't available on the ASA (i.e. PBR), and you can deal with all of the routing issues without having to worry about the extras that come with the firewall -- NATing, ACLs, inspection, security levels, etc. Unless, of course, you have a need to firewall between your two subnets -- then the ASA fits perfectly.


--Brandon

Brandon,


There is very little traffic between the two subnets.  The 192.168.10.0 subnet almost never has more than a few PCs connected.  It is mostly used for company meetings and occasionally for guest access.  I had also been utilizing the 1811's firewall feature between the subnets.  I was under the impression I should not utilize the ASA interfaces in this manner, but I realize now it is the best option.  Huge learning curve coming from Watchguard.


Thank you for your assistance

Andrea

Correct Answer
branfarm1 Sun, 11/22/2009 - 14:54

Andrea,


Knowing that the one subnet is typically a guest/shared PC subnet makes the ASA a great option -- you'll be able to keep your guests and conference room PCs separated from the rest of the network.


Good luck with your deployment.



Brandon
