Can't Access Some Internal Networks

Unanswered Question
Aug 3rd, 2010

I have an ASA, running 8.0(5).  I am NOT able to Remote Control to the server 66.102.254.10 and I am NOT able to open the web server 66.102.102.15 when I connect through Cisco VPN client (marketing and full tunnel groups).  I think the problem is that the default gateway (66.102.86.10) is on the same subnet as the outside interface (66.102.86.17).  However, I am able to ping the default gateway 66.102.86.10 from the ASA.  I am able to get to my internal networks except the servers on the 66.102.254.0 and 66.102.102.0 subnets.


Cisco VPN client  -----> ASA ---->Cisco 6509 (with firewall module) ---> internal networks


Attached is the config file.  Do you have any suggestions?


Thanks.


Laura

Nagaraja Thanthry Tue, 08/03/2010 - 18:49

Hello,


Your configuration on the firewall looks good. Can you please check the device with IP 66.102.86.10 and make sure that it has a route to the 10.x.x.x (VPN) subnet and that it points to the ASA inside interface? That should fix the issue.


Hope this helps.


Regards,


NT

Nagaraja Thanthry Tue, 08/03/2010 - 19:02

Hello,


On a second look at your route statements, it seems like you have configured some of these routes incorrectly:


route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1


66.102.86.x is your outside interface IP. So, I think you need to change these two statements to


no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

route outside 66.102.102.0 255.255.255.0 66.102.86.10 1

route outside 66.102.254.0 255.255.255.0 66.102.86.10 1


Then you need to make sure that the 66.102.86.10 device has a route to the 10.x.x.x subnet pointing to the outside interface of the firewall. To ensure that the traffic goes un-NATed, you need to configure nonat rules for the outside interface:


access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0

access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0


nat (outside) 0 access-list outside_nonat


Hope this helps.


Regards,


NT
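The defect this reply points at (a route bound to Inside whose next hop lives on the outside interface's subnet) is easy to check mechanically. The following Python is an added example, not from this thread or from Cisco: it parses ASA-style static routes, flags any whose next hop is not on the subnet of the interface they name, and does a longest-prefix lookup so you can see which interface a given server address would leave by. The interface addresses are the thread's; the /24 masks are an assumption.

```python
import ipaddress

# Constructed model of the ASA in this thread. Interface addresses are the ones
# the posts mention; the /24 masks are an assumption, not stated on the page.
INTERFACES = {
    "inside": ipaddress.ip_interface("66.102.87.254/24"),
    "outside": ipaddress.ip_interface("66.102.86.17/24"),
}

def parse_route(line):
    """Parse an ASA 'route <ifname> <network> <mask> <next-hop> [metric]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route: {line!r}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return parts[1].lower(), net, ipaddress.ip_address(parts[4])

def check_routes(route_lines, interfaces=INTERFACES):
    """Flag routes whose next hop is not on the subnet of the interface they name.
    Returns [(line, explanation), ...]; an empty list means every route is consistent."""
    findings = []
    for line in route_lines:
        ifname, _net, gw = parse_route(line)
        if ifname not in interfaces:
            findings.append((line, f"unknown interface '{ifname}'"))
        elif gw not in interfaces[ifname].network:
            owner = [n for n, i in interfaces.items() if gw in i.network]
            where = f"is on the {owner[0]} subnet" if owner else "is on no interface subnet"
            findings.append((line, f"next hop {gw} {where}, not {ifname}"))
    return findings

def lookup(dst, route_lines, interfaces=INTERFACES):
    """Longest-prefix match over connected subnets and static routes.
    Returns (egress interface, next hop or None if directly connected), or None."""
    dst = ipaddress.ip_address(dst)
    cands = [(i.network.prefixlen, n, None) for n, i in interfaces.items() if dst in i.network]
    for line in route_lines:
        ifname, net, gw = parse_route(line)
        if dst in net:
            cands.append((net.prefixlen, ifname, str(gw)))
    if not cands:
        return None
    _, ifname, gw = max(cands, key=lambda c: c[0])
    return ifname, gw

# The two routes from the original config, and the corrected pair from this reply.
BAD = ["route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1",
       "route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1"]
FIXED = [line.replace("Inside", "outside") for line in BAD]
```

Running `check_routes(BAD)` reports both routes with the explanation that the next hop 66.102.86.10 sits on the outside subnet, while `check_routes(FIXED)` is empty and `lookup("66.102.102.15", FIXED)` resolves to the outside interface via 66.102.86.10.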

laurabolda Tue, 08/03/2010 - 21:18

Thanks for your prompt response, Nagaraja.


After I put in your statements, I am unable to ping the servers when I log in to the Cisco VPN client.  I am still not able to open my web servers on subnet 66.102.102 or Remote Control to the server on subnet 66.102.254.


===========================================================


no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

route outside 66.102.102.0 255.255.255.0 66.102.86.10 1

route outside 66.102.254.0 255.255.255.0 66.102.86.10 1


access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0

access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0


nat (outside) 0 access-list outside_nonat

===================================================================



However, if I keep these statements, I am able to ping any of the servers on subnets 66.102.102 and 66.102.254.  But I am NOT able to open the web servers on subnet 66.102.102 or Remote Control to the servers on subnet 66.102.254.  I am back to square one.


========================================================================

route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1


access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0

access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0


nat (outside) 0 access-list outside_nonat

=======================================================================


Do you have any other suggestions?


Thanks.


Laura

Nagaraja Thanthry Tue, 08/03/2010 - 21:44

Hello,


Are you sharing a Layer 3 device between the inside and the outside interface (i.e. 66.102.86.10 and 66.102.87.254 are on the same device)? The symptoms you are describing indicate that you might have an asymmetric routing issue. If you are using the same L3 device, can you try the following configuration on the L3 device?


access-list 199 permit ip 66.102.102.0 0.0.0.255 10.10.10.0 0.0.0.255


route-map site1

match ip address 199

set ip next-hop 66.102.86.17

exit


access-list 198 permit ip 66.102.254.0 0.0.0.255 10.10.10.0 0.0.0.255


route-map site2

match ip address 198

set ip next-hop 66.102.86.17

exit


interface

ip address 66.102.254.y 255.255.255.0

ip policy route-map site2

exit


Then on the firewall, revert to your original configuration (remove the nonat access-lists) and change the route statements to point to the correct interface, i.e. 66.102.86.10 on the outside.


no nat (outside) 0 access-list outside_nonat


no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0

no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0

no access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0

no access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0


no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

route outside 66.102.102.0 255.255.255.0 66.102.86.10 1

route outside 66.102.254.0 255.255.255.0 66.102.86.10 1


Hope this helps.


Regards,


NT

laurabolda Tue, 08/03/2010 - 21:58

Thanks again for your prompt response and assistance, Nagaraja.  It is possible that there is a layer 3 device that I am not aware of.  I will check it out and get back to you tomorrow.  I am sorry for giving you the wrong information.  Thanks.


Laura

laurabolda Tue, 08/03/2010 - 22:39

You are correct.  We have a Cisco 7500.  The IP address 66.102.86.10 is the default gateway on the Cisco 7500.  The subnets 66.102.102.0 and 66.102.254.0 are on the DMZ of the Cisco 6500.  Sorry for giving you the wrong information.  What do I need to change in the configurations?  Thanks.


Laura

Nagaraja Thanthry Wed, 08/04/2010 - 06:02

Hello,


What is the default gateway of that 7500 device? Does it have a route to the 10.x.x.x subnet? If it does not, can you add a route for that subnet pointing to the outside interface of the firewall, i.e. 66.102.86.17?



Hope this helps.


Regards,


NT
