01-20-2010 06:52 AM - edited 03-06-2019 09:22 AM
Let me explain the topology a little.
We have these 2 networks that consist of seperate medical device networks that communicate with each other via there own VLAN'd network. (SIP phones and some Nursecall servers and switch) each VLAN houses these 2 types of equipment, then the little ASA acts as a layer3 switch and sends the needed data to a server outside on the hospital LAN, that then can be utilized.
the 2 networks on the ASA are 192.168.27.* and 10.0.0.*
Currently on my ASA config, if i am on the 192 network i can ping all the devices on the 10.0.0.* network.
If i set my laptop to the 10 network, i can still not ping anything on the 192 network. -the interface setups look identical to me..?
I am new to the ASA 5505 so perhaps there is some security feature or practice i am unaware of.
Here is my latest config. you can see we tried to open up ICMP and SIP/IP traffic across the 2 VLANs. No security is really needed on these 2 networks tied together by the ASA. They are standalone and not connected to the internet. -So for the moment security is not my concern
Does anybody see something we do not?
: Saved
:
ASA Version 8.2(1)
!
hostname STA-ASA
domain-name default.domain.invalid
enable password Ih0TuXZV20NfVVIP encrypted
passwd Ih0TuXZV20NfVVIP encrypted
names
!
interface Vlan1
nameif Rauland
security-level 100
ip address 192.168.27.1 255.255.255.0
!
interface Vlan12
nameif ASCOM
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type ICMP
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
access-list ASCOM_access_in extended permit icmp any any
access-list ASCOM_access_in extended permit icmp any any object-group ICMP
access-list ASCOM_access_in extended permit ip any any
access-list ASCOM_access_in extended permit object-group TCPUDP any any eq sip
access-list Rauland_access_in extended permit icmp any any
access-list Rauland_access_in extended permit icmp any any object-group ICMP
access-list Rauland_access_in extended permit ip any any
access-list Rauland_access_in extended permit udp any any eq sip
access-list Rauland_nat0_outbound extended permit ip any any
access-list ASCOM_nat0_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Rauland 1500
mtu ASCOM 1500
icmp unreachable rate-limit 5 burst-size 5
icmp permit any Rauland
icmp permit any ASCOM
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (Rauland) 0 access-list Rauland_nat0_outbound
nat (Rauland) 1 0.0.0.0 0.0.0.0
nat (ASCOM) 0 access-list ASCOM_nat0_outbound
access-group Rauland_access_in in interface Rauland
access-group ASCOM_access_in in interface ASCOM
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.27.0 255.255.255.0 Rauland
http 10.0.0.0 255.255.255.0 ASCOM
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8a9d197bbcd257b597a3c25de3186758
: end
asdm image disk0:/asdm-621.bin
no asdm history enable
01-20-2010 06:58 AM
Hey Brad-
You have the same-security-traffic permit intra-interface which would alleviate any need for NAT and your ACL looks OK (some redundancy). What's in your logs?
01-20-2010 08:58 AM
Here is a ping from my laptop on the 10.0.0.* network to the gateway 192.168.27.1 network.
Version:0.9 StartHTML:-1 EndHTML:-1 StartFragment:0000000111 EndFragment:0000000429
6 | Jan 20 2010 | 08:39:51 | 302021 | 10.0.0.19 | 1 | 192.168.27.5 | 0 | Teardown ICMP connection for faddr 10.0.0.19/1 gaddr 192.168.27.5/0 laddr 192.168.27.5/0 |
Version:0.9 StartHTML:-1 EndHTML:-1 StartFragment:0000000111 EndFragment:0000000434
6 | Jan 20 2010 | 08:39:51 | 302020 | 10.0.0.19 | 1 | 192.168.27.5 | 0 | Built inbound ICMP connection for faddr 10.0.0.19/1 gaddr 192.168.27.5/0 laddr 192.168.27.5/0 |
:::::: Another message i have seen is this egress error that i am unsure what it means.
Version:0.9 StartHTML:-1 EndHTML:-1 StartFragment:0000000111 EndFragment:0000001709
%ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
.An error occurred when the adaptive security appliance tried to find the interface through which to send the packet.
• protocol—The protocol of the packet
• src interface—The interface from which the packet was received
• src IP—The source IP address of the packet
• src port—The source port number
• dest IP—The destination IP address of the packet
• dest port—The destination port number
Is there a better way to generate more informative logging? I'm at a loss here as to why i have one way communication across these vlans
01-20-2010 09:03 AM
Please turn on debug level logging-
logging buffered debug
Then from a workstation in the 10 network, try and access a device in the other network using TCP. For example a web server. Then please post the log.
01-20-2010 09:16 AM
Lets see if i got this correct.
I tried to browse first: http://192.168.27.250
then i tried to run: \\192.168.27.250
01-20-2010 09:24 AM
It's failing to establish the TCP session. Just for verification, from the firewall, you can ping 10.0.0.19 and 192.168.27.250 and each of those servers are accessible on their respective LANs. Also the the 10.0.0.19 server can access 192.168.27.250 right? I have a feeling I know what's it's going to look like, but can you post the results of show asp drop
01-20-2010 10:18 AM
That is mainly correct, everything can communicate on there respective networks
And the 192.168.27.* network can talk to the 10 network.
the 10 network can not talk to the 192 side..
that command shows this:
Result of the command: "show asp drop"
Frame drop:
No route to host (no-route) 268
Flow is denied by configured rule (acl-drop) 16266
First TCP packet not SYN (tcp-not-syn) 126
Slowpath security checks failed (sp-security-failed) 150
Interface is down (interface-down) 2
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode) 1
Dropped pending packets in a closed socket (np-socket-closed) 297
Last clearing: Never
Flow drop:
SSL received close alert (ssl-received-close-alert) 4
Last clearing: Never
01-20-2010 10:23 AM
Got it. The ASP table was not what I expected. Can you clear the counters
clear asp drop
Try a connection from the 10 network to the 192. Then show the asp table-
show asp drop
and post those results. Thanks.
01-20-2010 10:34 AM
Result of the command: "clear asp drop"
The command has been sent to the device
Result of the command: "show asp drop"
Frame drop:
Flow is denied by configured rule (acl-drop) 1
First TCP packet not SYN (tcp-not-syn) 2
Dropped pending packets in a closed socket (np-socket-closed) 2
Last clearing: 10:24:43 UTC Jan 20 2010 by enable_15
Flow drop:
Last clearing: 10:24:43 UTC Jan 20 2010 by enable_15
01-20-2010 11:01 AM
just to confirm, my notebook is on the 192 network and is able to ping across both VLANs
C:\Users\b>ping 10.0.0.10
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.10:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Users\b>ping 192.168.27.5
Pinging 192.168.27.5 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.27.5:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\b>
01-20-2010 11:03 AM
Can you please post-
show access-list
01-20-2010 11:07 AM
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ASCOM_access_in; 23 elements; name hash: 0x5ad0398b
access-list ASCOM_access_in line 1 extended permit icmp any any (hitcnt=20) 0x5174ada4
access-list ASCOM_access_in line 2 extended permit icmp any any object-group ICMP 0x4b4dad3b
access-list ASCOM_access_in line 2 extended permit icmp any any alternate-address (hitcnt=0) 0x301ff017
access-list ASCOM_access_in line 2 extended permit icmp any any conversion-error (hitcnt=0) 0xcf1c1536
access-list ASCOM_access_in line 2 extended permit icmp any any echo (hitcnt=0) 0x7f7daa33
access-list ASCOM_access_in line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x91b5a7ef
access-list ASCOM_access_in line 2 extended permit icmp any any information-reply (hitcnt=0) 0x59f3e8e3
access-list ASCOM_access_in line 2 extended permit icmp any any information-request (hitcnt=0) 0x66b95dea
access-list ASCOM_access_in line 2 extended permit icmp any any mask-reply (hitcnt=0) 0x91009602
access-list ASCOM_access_in line 2 extended permit icmp any any mask-request (hitcnt=0) 0xe74694e6
access-list ASCOM_access_in line 2 extended permit icmp any any mobile-redirect (hitcnt=0) 0x349fbac7
access-list ASCOM_access_in line 2 extended permit icmp any any parameter-problem (hitcnt=0) 0xb708da57
access-list ASCOM_access_in line 2 extended permit icmp any any redirect (hitcnt=0) 0x75036ce0
access-list ASCOM_access_in line 2 extended permit icmp any any router-advertisement (hitcnt=0) 0xa1dd8c3c
access-list ASCOM_access_in line 2 extended permit icmp any any router-solicitation (hitcnt=0) 0x833b2c13
access-list ASCOM_access_in line 2 extended permit icmp any any source-quench (hitcnt=0) 0x4ec77e01
access-list ASCOM_access_in line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0xc9c6248b
access-list ASCOM_access_in line 2 extended permit icmp any any timestamp-reply (hitcnt=0) 0x0d5b06f5
access-list ASCOM_access_in line 2 extended permit icmp any any timestamp-request (hitcnt=0) 0x60240eef
access-list ASCOM_access_in line 2 extended permit icmp any any traceroute (hitcnt=0) 0x5aac26df
access-list ASCOM_access_in line 2 extended permit icmp any any unreachable (hitcnt=0) 0x6a05a85f
access-list ASCOM_access_in line 3 extended permit ip any any (hitcnt=13) 0x48407d4b
access-list ASCOM_access_in line 4 extended permit object-group TCPUDP any any eq sip 0xd6b75c92
access-list ASCOM_access_in line 4 extended permit udp any any eq sip (hitcnt=0) 0x3142228c
access-list ASCOM_access_in line 4 extended permit tcp any any eq sip (hitcnt=0) 0x18c72a6d
access-list Rauland_access_in; 22 elements; name hash: 0x16aeb564
access-list Rauland_access_in line 1 extended permit icmp any any (hitcnt=43) 0xb9cef060
access-list Rauland_access_in line 2 extended permit icmp any any object-group ICMP 0x78898b64
access-list Rauland_access_in line 2 extended permit icmp any any alternate-address (hitcnt=0) 0x064d961c
access-list Rauland_access_in line 2 extended permit icmp any any conversion-error (hitcnt=0) 0x3e24d4be
access-list Rauland_access_in line 2 extended permit icmp any any echo (hitcnt=0) 0xa34c8f52
access-list Rauland_access_in line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x9b8a90e3
access-list Rauland_access_in line 2 extended permit icmp any any information-reply (hitcnt=0) 0xd8b6d214
access-list Rauland_access_in line 2 extended permit icmp any any information-request (hitcnt=0) 0x1d34e9d4
access-list Rauland_access_in line 2 extended permit icmp any any mask-reply (hitcnt=0) 0x776bdf32
access-list Rauland_access_in line 2 extended permit icmp any any mask-request (hitcnt=0) 0xc478c4de
access-list Rauland_access_in line 2 extended permit icmp any any mobile-redirect (hitcnt=0) 0xaefba2d8
access-list Rauland_access_in line 2 extended permit icmp any any parameter-problem (hitcnt=0) 0x70ec1c92
access-list Rauland_access_in line 2 extended permit icmp any any redirect (hitcnt=0) 0x129c858e
access-list Rauland_access_in line 2 extended permit icmp any any router-advertisement (hitcnt=0) 0xc726ae85
access-list Rauland_access_in line 2 extended permit icmp any any router-solicitation (hitcnt=0) 0x0ac27f30
access-list Rauland_access_in line 2 extended permit icmp any any source-quench (hitcnt=0) 0xc86092a3
access-list Rauland_access_in line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x3055757c
access-list Rauland_access_in line 2 extended permit icmp any any timestamp-reply (hitcnt=0) 0xcd36db79
access-list Rauland_access_in line 2 extended permit icmp any any timestamp-request (hitcnt=0) 0x62d0ac80
access-list Rauland_access_in line 2 extended permit icmp any any traceroute (hitcnt=0) 0x867e0ee3
access-list Rauland_access_in line 2 extended permit icmp any any unreachable (hitcnt=0) 0x8a83673c
access-list Rauland_access_in line 3 extended permit ip any any (hitcnt=13) 0x7f6e7b71
access-list Rauland_access_in line 4 extended permit udp any any eq sip (hitcnt=0) 0x461c9c06
access-list Rauland_nat0_outbound; 1 elements; name hash: 0x1c36d54b
access-list Rauland_nat0_outbound line 1 extended permit ip any any (hitcnt=0) 0xe32cb9a0
access-list ASCOM_nat0_outbound; 1 elements; name hash: 0x1ea1bff5
access-list ASCOM_nat0_outbound line 1 extended permit ip any any (hitcnt=0) 0x7ec23727
01-20-2010 11:19 AM
This is simply a read out of an echo request from the 10 network, and an attempt on the 192 network.
-just making sure im not nuts yet
C:\Users\b>ping 10.0.0.10
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Users\b>ping 192.168.27.5
Pinging 192.168.27.5 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.27.5:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\b>ping 192.168.27.1
Pinging 192.168.27.1 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 192.168.27.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Users\b>
01-21-2010 06:24 AM
The ACLs are cool, wierd that asp is showing dropped packets becuase of it. In the 10 network do you have any other routers/gateways/routes?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: