ASA5505 and multiple internal networks

Answered Question
Dec 15th, 2009

I have an ASA5505 with the base license.  It is connected to a Cisco 1760 router with multiple internal networks.

I have setup RIP between the ASA and the 1760, the ASA is properly feeding a default route to the 1760.

The ASA5505 has an internal IP of 192.168.1.1 and is being assigned an external IP via DHCP from the ISP.

What is odd about this is that clients on any of the other internal networks can access the internet via a web browser.  For example, a client with an IP address of 192.168.2.59 can access the internet.  However, DNS and HTTP connections internally do not work.  I can ping my internal DNS server by IP address, but cannot ping it or any other internal clients by name.  Nslookup only looks at the external DNS server (208.67.220.220) for name resolution requests, even though there are two internal DNS servers defined.  Any HTTP requests to servers on the 192.168.1.x subnet time out using either IP address or DNS names.

I am aware of NAT exemption and I think I have properly configured it.

I have been working on this for a number of weeks, performing searches on CCO, scanning this Forum and the web and I cannot find an explanation for what is going on.

I am running version 7.2 of the ASA software.

Any help would be greatly appreciated.

I have attached a diagram of the network.  Hopefully someone has configured this kind of setup before and will be able to give me an idea of what I am missing.

I have the same-security-traffic permit inter-interface and intra-interface commands in the ASA.

Thanks.

Kureli Sankar Tue, 12/15/2009 - 18:46

Your efforts to search the forum to find a solution yourself are much appreciated.

I believe you need the following along with the same security intra that you have configured:

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
sysopt noproxyarp inside

Give that a shot and let us know.

-KS

lusbyr Wed, 12/16/2009 - 10:24

KS,

No that did not work.  In fact when I put in the static command, all clients on the other subnets lost internet access.  Still no internal DNS resolution for clients on networks other than 192.168.1.x

As requested I am posting the configs of the ASA and Router and the resolv.conf file of a Unix host I have on the 192.168.128.0 subnet.

[email protected]-solaris /etc> cat resolv.conf
domain  nw.practice.com
search  nw.practice.com
nameserver      192.168.1.10
nameserver      192.168.1.35
nameserver      208.67.220.220


One other thing I should mention is that before I installed the ASA 5505, everything was working perfectly.  I was using a Linksys WRT54G.

I know this issue has something to do with the ASA.  It is doing something with DNS requests on the internal network that is not expected.

Thanks for your help.

lusbyr Wed, 12/16/2009 - 16:36

OK,

I decided to run the Packet Tracer utility against DNS on the inside interface.  The Packet Tracer showed the DNS packet was dropped and the error message was 'inspect-invalid-dns-pak'.

Once I had this error message I did a search for this text.  The issue is tied into the inspection policies in this part of the configuration:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

The problem area is the inspect dns entry.  As a test I removed the 'inspect dns preset_dns_map' from the inspection_default class.

Internal DNS resolution now works.  However, I suspect this is not the best approach, so does anyone have some ideas regarding how to fix this and still have dns inspection?

Thanks.

lusbyr Thu, 12/17/2009 - 16:28

Support Community,

I still need some help.  Access to external websites (those on the outside interface) works fine.  However, clients on the inside network cannot access web servers on the internal network.  The connection times out.  This is with http or https.  I cannot figure out why.  I thought there might be an inspect http parameter in the policy map.

I should also point out that SIP connections between internal networks 192.168.2.0 and 192.168.1.0 do not work anymore either.  I have a test IP telephony network setup and it is using Exchange 2007 as the voice mail service.  It worked before I installed the ASA.

I tried to remove the 'inspect sip' from the policy map thinking that it might fix the issue, like removing the 'inspect dns preset_dns_map' did, but no luck.

Thanks for helping me solve this issue.

Kureli Sankar Thu, 12/17/2009 - 17:44

lusbyr,

We need to see what the logs show when 192.168.1.0/24 tries to talk to 192.168.2.0/24. Enable logging on the firewall.

conf t
logging enable
logging buffered 7
exit
sh logg | i 192.168.1.x

Pls. confirm the gateway IP that the 192.168.1.0/24 network is using, whether it is the firewall.

Make sure that when the internal networks talk to each other the traffic does not come to the firewall (it shouldn't).

-KS

Dear Guys,

I guess the default gateway for VLAN1 is the ASA and not the router.

So the traffic between VLAN1 and the other VLANs will go through the ASA; that is why the exemption is there.

If the internal traffic (from the VLANs to VLAN1) is trusted, I think making the router the default gateway for VLAN1 will resolve the problems.

Maybe you can create a new VLAN for the link between the ASA and the router.

THX

Keisikka

lusbyr Fri, 12/18/2009 - 11:10

Support Community,

OK, after some more searching online I found a post that indicated that a static route had to be set up on a server in order to get this to work.

So I setup a static route on the SIP voice messaging server and pointed it to the loopback address space of the CME router.

command was:

route add -p 192.168.20.0 mask 255.255.255.0 192.168.1.2 metric 1

After I did this the SIP communication between CME and Exchange 2007 worked.

So to summarize the solution so far (2 of 3 issues have been solved):

1.  No DNS name resolution from internal networks to primary internal network 192.168.1.x
    Solution:  remove inspect dns preset_dns_map from the policy-map class inspection_default on the ASA

2.  No SIP communication between CME router and Exchange 2007
    Solution:  Add static route on the Exchange 2007 server pointing to the CME server (route add command on Windows)

3.  No communication (except ping) between other internal networks and the primary network.
    Solution:  none at this point, but I am thinking it has something to do with routing issues

So this is what I did next, as an experiment I have a web server on the primary network.  I added a static route on that web server pointing to one of the other internal networks.  I opened a browser up on the client on the other internal network.  The internal website came up instantly.

So this seems a bit odd to me, why would I have to add static routes on all the web servers on the primary internal network pointing to all the other internal networks?  I did not have to do this with the WRT54G.  I just had the WRT54G in gateway mode and placed static routes on it to the internal networks.

This is not a solution that is going to work very well for me, since I have some devices that use web servers to configure them and I cannot set static routes on them.

Why would ping work and no other protocols, like http or ftp for communication between hosts on the internal network?

Thanks.

Kureli Sankar Fri, 12/18/2009 - 11:17

You haven't answered the question regarding the GW used by the VLAN1 hosts.  It should not be pointing at the firewall. I assumed that was the case and that is the reason I provided U-Turn translation with proxy arp disabled on the inside along with the same security intra that you had configured.

No internal network traffic should arrive on the firewall. If you can accomplish this you will be fine.

Make sure all the hosts in all networks are pointing their GW at the corresponding VLAN interface IP on the router.

The router should route traffic between the internal networks and only send traffic on if it doesn't know where the destination lives - which is only for the hosts that live on the internet.

-KS

lusbyr Fri, 12/18/2009 - 11:26

KS,

Sorry for not understanding what you were asking.  Are you saying that all hosts (on every internal network) should be pointing to the internal Cisco 1760 router as their gateway and NOT the firewall?

If this is the case the default gateway should be 192.168.1.2 instead of 192.168.1.1?

Thanks.

Kureli Sankar Fri, 12/18/2009 - 11:32

Yes, that is exactly what I mean.  No host should point to the FW for the default GW, especially when there are other inside networks that they need to get to.

Let the router do its job - which is routing.

Any network that the router does not know should come to the firewall.  Configure the default gateway on the router to point to the FW.

So, yes, change the GW on the hosts in VLAN1 to point to the router's interface IP and let me know how it goes.

-KS

lusbyr Fri, 12/18/2009 - 15:28

KS,

It works now!   Thanks a bunch for your help....

The operation of ASAs is somewhat new to me, but I am beginning to get the impression that the ASA is not a router, even though it can run the RIP routing protocol and its Firewall mode is called 'Routed'.

Just changing all the clients on the 192.168.1.x subnet to a new default gateway of 192.168.1.2 seemed to fix all the connectivity problems for the other subnets.

I did not have to put the command

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

in to get it to work.   What does this U-turn, as you called it, command do?

Should I put the inspect dns preset_dns_map back into the global policy map?

Thanks.

Correct Answer
Kureli Sankar Fri, 12/18/2009 - 16:00

Very glad to hear.

You do not need the U-Turn statics any more. Static (inside,inside) is to U-Turn a packet off the same interface it arrived on. Like your 192.168.1.0/24 host with the FW as the gateway that wanted to reach the 192.168.2.0/24 network.  The FW has to send it right back out the same interface, right?

I gave you those commands to fix the problem when you had everything broken - gateway pointing at the FW instead of the router.

Now, I have asked you to fix it the right way.  So, you do not need those U-Turn translations or that sysopt command.

You can put back dns inspection.

-KS
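Added illustration (not from the thread or from any of its posters): the two designs the thread contrasts, written out in ASA 7.2 syntax. Addresses are taken from the thread (ASA inside 192.168.1.1, 1760 VLAN1 address 192.168.1.2, DNS server 192.168.1.10, client 192.168.2.59); the RIP details, the 1760 commands, the explanation of the ping-works/TCP-fails symptom and the verification commands are assumptions about how to reproduce and check the poster's setup.

```cisco
! --- Design A: VLAN1 hosts use the ASA (192.168.1.1) as default gateway ---
! A 192.168.1.x -> 192.168.2.x packet enters "inside" and must leave "inside"
! again (U-turn). For that to work at all the ASA needs all three of:
same-security-traffic permit intra-interface
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
sysopt noproxyarp inside
! Assumed reason ping worked but HTTP timed out in this design: the 192.168.2.x
! client's SYN is routed by the 1760 straight onto VLAN1, while the server's
! SYN-ACK goes to its gateway, the ASA. The ASA never saw the SYN, has no
! connection entry, and drops the reply; ICMP echo carries no such state.

! --- Design B (the fix): VLAN1 hosts use the 1760 (192.168.1.2) as gateway ---
! Inter-VLAN traffic never touches the ASA; only internet-bound traffic does,
! so the U-turn commands come out again:
no static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
no sysopt noproxyarp inside
! The ASA keeps its ISP default route and hands a default to the 1760 over RIP
! (the poster's existing setup; "passive-interface outside" is assumed). It
! learns 192.168.2.0/24, 192.168.20.0/24 etc. back from the router the same way.
router rip
 network 192.168.1.0
 passive-interface outside
 default-information originate
! DNS inspection goes back in; the 512-byte maximum is the 7.2 preset.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! --- 1760 side (assumed IOS config, one "network" per class C) ---
! router rip
!  version 2
!  network 192.168.1.0
!  network 192.168.2.0
!  network 192.168.20.0
! The router then routes between VLANs itself and sends only destinations it
! does not know (the internet) to 192.168.1.1 via the RIP-learned default.

! --- Verification on the ASA ---
! Design A: does DNS inspection accept a query from the remote VLAN? Note that
! packet-tracer builds a synthetic UDP payload, not a real DNS message, so an
! inspect-invalid-dns-pak verdict here must be confirmed against the log buffer
! with real client traffic before removing the inspect.
packet-tracer input inside udp 192.168.2.59 53000 192.168.1.10 53
! Design B: inter-VLAN flows should no longer show up in the buffer at all.
show logging | include 192.168.2.
```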
