Two Internal Networks w/ Only one connected to ASA 5510

mfruvous
Level 1

Hello,

I have an ASA 5510. I have two internal networks: 192.168.1.0/24 is connected directly to the ASA. 192.168.10.0/24 is connected to 192.168.1.0/24 via a Cisco 1811 router. I would like both internal networks to be able to communicate with each other. As soon as I put the ASA into the picture neither network can communicate with the other. I found the information that says to add "same-security-traffic permit intra-interface", which I have done. Next I get packets denied by the ACL. I add the ACL to allow the traffic and now I am getting two errors:

- portmap translation creation failed for udp src Internal:A-192.168.1.34/53 dst Internal:192.168.10.11/53761

-  No matching connection for ICMP error message: icmp src Internal:A-192.168.1.15 dst Internal:192.168.10.11 (type 3, code 3) on Internal interface. Original IP payload: udp src 192.168.10.11/53761 dst A-192.168.1.15/53

I assume it needs some sort of NAT statement? I am very new to Cisco and I am not sure what NAT to add. Also, I guess I am confused: I would think that since the 192.168.10.0/24 network is not attached to the firewall and not trying to reach the internet (at this point), the ASA would not be monitoring the traffic.

Thank you,

Andrea


8 Replies

branfarm1
Level 4

Hi there,

It sounds like you have a design issue to consider here. Based on what you reported, it sounds like your 192.168.1.0/24 network has a default route that points to the inside interface on your ASA, which then goes to the internet. And you have another network, 192.168.10.0/24, that is connected to the 192.168.1.0/24 network.

So you have 192.168.10.0/24 (Network A) -- Cisco 1811 -- 192.168.1.0/24 (Network B) -- ASA -- internet

Do you need to have the 1811 in place, or could you connect both networks to the ASA and use the ASA as your router & firewall?

If you can get rid of the 1811, your life would be pretty simple, in my opinion. Two networks off the ASA, one device to manage them all.

If you want to keep the 1811, I believe you would need to add a NAT exemption for the traffic that you want to hit the ASA and then go to the 1811, as well as a route on the ASA to point traffic destined for 192.168.10.0/24 to the 1811 interface on Network B.  Actually, I'm not sure about the route for 192.168.10.0/24 -- the ASA might just redirect -- not 100% sure.

So something like:

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list NONAT

route inside 192.168.10.0 255.255.255.0 192.168.1.x (1811 interface in the 192.168.1.0/24 network)

The reason you're seeing the traffic on the ASA is because, I assume, you have the default route on your hosts set to the ASA.

Hope that helps,

Brandon
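The keep-the-1811 option Brandon describes, written out as an added example that is not from any post in this thread. It uses pre-8.3 NAT syntax (nat/global, as in Brandon's reply) and the interface name Internal that appears in Andrea's log lines; the 1811's LAN address 192.168.1.2 and all ACL, class-map and policy names are assumed. One caveat the log lines already hint at: the hosts on 192.168.1.0/24 default to the ASA while the 1811 sits on that same segment, so a DNS query from 192.168.10.11 is delivered by the 1811 straight to 192.168.1.34, but the reply from 192.168.1.34 goes to its default gateway, the ASA. The ASA therefore sees only the 192.168.1.x to 192.168.10.x half of every flow, which is what "No matching connection" describes, and why step 5 below is needed for TCP.

```cisco
! ASA 5510, pre-8.3 NAT syntax. Added example: "Internal" is the interface
! name from the question's log lines; 192.168.1.2 (the 1811's LAN address)
! and the ACL/class-map/policy-map names are assumed.

! 1. Let a packet that arrived on Internal be routed back out of Internal.
!    Required because the next hop for 192.168.10.0/24 is on that interface.
same-security-traffic permit intra-interface

! 2. Tell the ASA that 192.168.10.0/24 lives behind the 1811, out Internal.
route Internal 192.168.10.0 255.255.255.0 192.168.1.2 1

! 3. NAT exemption between the two subnets. Without it a hairpinned flow
!    falls through to the dynamic NAT/PAT rule for Internal, which has no
!    global address on Internal; that is the usual cause of
!    "portmap translation creation failed" for same-interface traffic.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Internal) 0 access-list NONAT

! 4. If an ACL is applied inbound on Internal it must permit the
!    subnet-to-subnet traffic as well as the Internet-bound traffic.
access-list INTERNAL_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list INTERNAL_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INTERNAL_IN in interface Internal

! 5. Asymmetric-path workaround (ASA 8.2(1) or later). The ASA only ever
!    sees the 192.168.1.x -> 192.168.10.x direction, so normal TCP state
!    tracking would drop these sessions. TCP state bypass keeps them alive
!    at the price of no stateful inspection for exactly these flows.
!    global_policy and "service-policy global_policy global" exist in the
!    default configuration; this only adds a class to them.
access-list ASYM extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
class-map ASYM_FLOWS
 match access-list ASYM
policy-map global_policy
 class ASYM_FLOWS
  set connection advanced-options tcp-state-bypass

! 6. Check: replay the exact flow from the "portmap translation" log line
!    and confirm it now passes NAT-EXEMPT and ROUTE-LOOKUP.
packet-tracer input Internal udp 192.168.1.34 53 192.168.10.11 53761
```

The result is a working hairpin, but a firewall that sees half of each conversation cannot enforce anything meaningful between the two subnets, which is the trade-off Brandon and Kusankar are pointing at with the alternative designs below.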

I agree with Brandon.  You do have a design issue here.

Let us use the same topology:

192.168.10.0/24 (Network A) -- Cisco 1811 -- 192.168.1.0/24 (Network B) -- ASA -- internet

Let us say that all the PCs in the 192.168.1.0/24 are using 192.168.1.1 as their gateway.

Give that IP address to the Cisco 1811.

Get another unused IP address in the 192.168.1.0/24 network and assign it to the ASA.

Now, both networks should point to the 1811 for their default GW.

The router should have its default route pointing to the ASA.

You should not see packets from 192.168.1.0/24 when trying to talk to the 192.168.10.0/24 on the ASA at all.
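Kusankar's layout written out as an added example (not part of his post): the 1811 takes over 192.168.1.1 and becomes the default gateway for both subnets, and the ASA moves to another address in 192.168.1.0/24. The IOS interface names, the ASA interface slots, the address 192.168.1.254 for the ASA, and the outside addressing 203.0.113.10 with ISP next hop 203.0.113.1 (documentation addresses) are all assumed; "Internal" is the interface name from Andrea's log lines.

```cisco
! ---- Cisco 1811 (IOS). Added example; interface names are assumed. ----
interface FastEthernet0
 description Network A - conference/guest subnet 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet1
 description Network B - main LAN; this is now every 192.168.1.x host's gateway
 ip address 192.168.1.1 255.255.255.0
!
! Everything that is not one of the two connected subnets goes to the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.1.254

! ---- ASA 5510 (pre-8.3 NAT syntax). "Internal" is from the question's
! ---- log lines; outside addressing and the ISP next hop are assumed. ----
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Return path for Network A: Internet replies for 192.168.10.x must be
! handed back to the 1811, otherwise the ASA has no route for them.
route Internal 192.168.10.0 255.255.255.0 192.168.1.1 1
!
! PAT both subnets to the outside address. No intra-interface permit and no
! NAT exemption are needed here: subnet-to-subnet traffic never reaches the ASA.
global (outside) 1 interface
nat (Internal) 1 192.168.1.0 255.255.255.0
nat (Internal) 1 192.168.10.0 255.255.255.0
!
! Checks: a Network A host reaching a web server on the Internet, and the
! routing table showing 192.168.10.0/24 via 192.168.1.1.
packet-tracer input Internal tcp 192.168.10.11 1025 198.51.100.20 80
show route
```

One IOS detail worth knowing with this layout: when the 1811 forwards a 192.168.1.x host's Internet-bound packet back out FastEthernet1 towards 192.168.1.254, it sends an ICMP redirect by default, and hosts that honor redirects then send their Internet traffic straight to the ASA. That takes load off the router, but it also means the 1811's own firewall feature only sees subnet-to-subnet traffic; add "no ip redirects" under FastEthernet1 if every packet really has to pass through the router.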

Thanks for the response Kusankar --

Another idea I had is to use a small /30 subnet between the 1811 and the ASA -- would that offer any additional benefits for this situation?

Certainly. That would work as well. I do not see any additional benefit. That would involve a new (sub)interface config etc. on the router and changing the ASA side config.

What I had suggested is very easy to do with no major additional config changes.

Hello,

Thank you very much for the assistance. I can't use the 1811 for the gateway on the 192.168.1.0 network as I do not believe it can handle all the traffic. I guess my best option is to utilize another interface on the ASA and remove the 1811 from the picture?

Thank you,

Andrea

Andrea,

How much traffic is there between the two subnets, and how much traffic do you anticipate to/from the internet? If you really have a lot of traffic between your two subnets, you might need to consider purchasing a more powerful router. The benefit of having the router is that it offers features which aren't available on the ASA (e.g., PBR), and you can deal with all of the routing issues without having to worry about the extras that come with the firewall -- NATing, ACLs, inspection, security levels, etc. Unless, of course, you have a need to firewall between your two subnets -- then the ASA fits perfectly.

--Brandon

Brandon,

There is very little traffic between the two subnets.  The 192.168.10.0 subnet almost never has more than a few PC's connected.  It is mostly used for company meetings and occasionally for guest access.  I had also been utilizing the 1811's firewall feature between the subnets.  I was under the impression I should not utilize the ASA interfaces in this manner, but I realize now it is the best option.  Huge learning curve coming from Watchguard.

Thank you for your assistance

Andrea

Accepted Solution

Andrea,

Knowing that the one subnet is typically a guest/shared PC subnet makes the ASA a great option -- you'll be able to keep your guests and conference room PCs separated from the rest of the network.

Good luck with your deployment.

Brandon
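The design the thread settles on, as an added example that is not from any post here: each subnet on its own ASA interface, the conference/guest subnet at a lower security level, and an interface ACL that keeps it away from the main LAN while still letting it out to the Internet. Interface slots, the names Guest and outside, and the 203.0.113.x outside addressing are assumed; "Internal" is the name from Andrea's log lines, and the NAT is pre-8.3 syntax to match the rest of the thread.

```cisco
! ASA 5510, pre-8.3 NAT syntax. Added example: interface slots, the names
! Guest/outside and the 203.0.113.x addressing are assumed; "Internal" is
! the interface name from the question's log lines.
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Guest: Internet only. The explicit deny comes first because the permit
! line's "any" would otherwise include 192.168.1.0/24 (and the ASA's own
! Internal address 192.168.1.1).
access-list GUEST_IN extended deny ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group GUEST_IN in interface Guest
!
! Internal -> Guest is allowed by security level (100 -> 50) and the return
! traffic by the connection table. Exempt that pair from NAT: otherwise the
! dynamic rule below matches it and, with no global on Guest, the flow is
! dropped with "no translation group found".
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Internal) 0 access-list NONAT
!
! PAT both subnets to the outside address for Internet access.
global (outside) 1 interface
nat (Internal) 1 192.168.1.0 255.255.255.0
nat (Guest) 1 192.168.10.0 255.255.255.0
!
! Checks: a guest box must be dropped by GUEST_IN when it tries a file
! share on the LAN, and a LAN box must be able to reach a guest box.
packet-tracer input Guest tcp 192.168.10.11 1025 192.168.1.15 445
packet-tracer input Internal tcp 192.168.1.15 1025 192.168.10.11 3389
```

Unlike the hairpin arrangement, the ASA now sees both directions of every subnet-to-subnet flow, so its stateful inspection and the Guest ACL actually mean something; the 1811's firewall feature that Andrea had been using between the subnets is replaced by the Guest interface ACL.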
