Can't Access Some Internal Networks

laurabolda
Level 1

I have an ASA, running 8.0(5).  I am NOT able to Remote Control to the server 66.102.254.10 and I am NOT able to open the web server 66.102.102.15 when I connect through Cisco VPN client (marketing and full tunnel groups).  I think the problem is that the default gateway (66.102.86.10) is on the same subnet as the outside interface (66.102.86.17).  However, I am able to ping the default gateway 66.102.86.10 from the ASA.  I am able to get to my internal networks except the servers on the 66.102.254.0 and 66.102.102.0 subnets.

Cisco VPN client  -----> ASA ---->Cisco 6509 (with firewall module) ---> internal networks

Attached is the config file.  Do you have any suggestions?

Thanks.

Laura

7 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Your configuration on the firewall looks good. Can you please check the device with IP 66.102.86.10 and make sure that it has a route to the 10.x.x.x (VPN) subnet and that it points to the ASA inside interface? That should fix the issue.

Hope this helps.

Regards,

NT

Nagaraja Thanthry
Cisco Employee

Hello,

On a second look at your route statements, it seems like you have configured some of these routes incorrectly:

route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

66.102.86.x is your outside interface IP. So, I think you need to change these two statements to

no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
route outside 66.102.102.0 255.255.255.0 66.102.86.10 1
route outside 66.102.254.0 255.255.255.0 66.102.86.10 1

Then you need to make sure that the 66.102.86.10 device has a route to the 10.x.x.x subnet pointing to the outside interface of the firewall. To ensure that the traffic goes un-NATted, you need to configure nonat rules for the outside interface:

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat

Hope this helps.

Regards,

NT

Thanks for your prompt response, Nagaraja

After I put in your statements, I am unable to ping the servers when I log in to Cisco VPN client.  I am still not able to open my web servers on subnet 66.102.102 or Remote Control to the server on subnet 66.102.254.

===========================================================

no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

route outside 66.102.102.0 255.255.255.0 66.102.86.10 1

route outside 66.102.254.0 255.255.255.0 66.102.86.10 1

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat

===================================================================

However, if I keep these statements, I am able to ping any servers on subnet 66.102.102 and 66.102.254.  But, I am NOT able to open the web servers on subnet 66.102.102 and Remote Control to the servers on subnet 66.102.254.  I am back to square one.

========================================================================

route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1

route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1

access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat

=======================================================================

Do you have any other suggestions?

Thanks.

Laura

Hello,

Are you sharing a Layer 3 device between the inside and the outside interface (i.e. 66.102.86.10 and 66.102.87.254 are on the same device)? The symptoms you are explaining indicate that you might be having an asymmetric routing issue. If you are using the same L3 device, can you try the following configuration on the L3 device?

access-list 199 permit ip 66.102.102.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map site1
match ip address 199
set ip next-hop 66.102.86.17
exit

access-list 198 permit ip 66.102.254.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map site2
match ip address 198
set ip next-hop 66.102.86.17
exit

! route-map site1 also has to be applied on the interface facing 66.102.102.0/24;
! this interface block is added here to complete the reply (the original only showed site2)
! and the 66.102.102.y address is assumed
interface
ip address 66.102.102.y 255.255.255.0
ip policy route-map site1
exit

interface
ip address 66.102.254.y 255.255.255.0
ip policy route-map site2
exit

Then on the firewall, revert to your original configuration (remove the nonat access-lists) and change the route statements to point to the correct interface, i.e. 66.102.86.10 on the outside.

no nat (outside) 0 access-list outside_nonat
no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
no access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
no access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0

no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
route outside 66.102.102.0 255.255.255.0 66.102.86.10 1
route outside 66.102.254.0 255.255.255.0 66.102.86.10 1

Hope this helps.

Regards,

NT
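The three checks the replies above walk through (a static route whose next hop is not on the subnet of the interface it names, a missing nat (interface) 0 exemption on the interface the VPN traffic actually leaves through, and return traffic from the server's gateway arriving on a different ASA interface than the forward packet left from) can be modelled and run against the thread's own addresses. The following Python is an added example, not code from the thread or from Cisco. The ASA inside address 66.102.87.1/24, the client address 10.10.10.5 and the ISP next hop 66.102.86.1 are assumptions; the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

@dataclass
class Route:
    iface: str        # ASA interface the route points out of
    prefix: Net
    next_hop: Addr

def parse_asa_route(line: str) -> Route:
    """Parse 'route <iface> <net> <mask> <next-hop> [metric]' (ASA 8.x syntax)."""
    p = line.split()
    if len(p) < 5 or p[0] != "route":
        raise ValueError(f"not an ASA route statement: {line!r}")
    return Route(p[1], Net(f"{p[2]}/{p[3]}"), Addr(p[4]))

def lpm(table, dst):
    """Longest-prefix match over (prefix, value) pairs; the first entry wins a tie."""
    best = None
    for prefix, value in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, value)
    return None if best is None else best[1]

@dataclass
class Asa:
    interfaces: Dict[str, ipaddress.IPv4Interface]     # name -> the ASA's own address/prefix
    routes: List[Route] = field(default_factory=list)
    nat_exempt: Dict[str, List[Tuple[Net, Net]]] = field(default_factory=dict)  # nat (if) 0 ACL

    def iface_for(self, addr: Addr) -> Optional[str]:
        return next((n for n, i in self.interfaces.items() if addr in i.network), None)

    def bad_next_hops(self) -> List[str]:
        # A static route is only usable if its next hop sits on the named interface's subnet.
        return [f"route {r.iface} {r.prefix} via {r.next_hop}: next hop is on the "
                f"{self.iface_for(r.next_hop) or 'no connected'} subnet"
                for r in self.routes if self.iface_for(r.next_hop) != r.iface]

    def egress(self, dst: Addr) -> str:
        table = [(i.network, n) for n, i in self.interfaces.items()]  # connected routes first
        table += [(r.prefix, r.iface) for r in self.routes]           # then statics
        iface = lpm(table, dst)
        if iface is None:
            raise LookupError(f"no route to {dst}")
        return iface

    def nat_exempted(self, iface: str, a: Addr, b: Addr) -> bool:
        # True if the nat (iface) 0 access-list covers the pair in either direction.
        return any((a in s and b in d) or (b in s and a in d)
                   for s, d in self.nat_exempt.get(iface, []))

@dataclass
class L3Device:
    # The router behind the ASA outside interface (the 7500/6500 in the thread).
    routes: List[Tuple[Net, Addr]]                                    # (prefix, next hop)
    pbr: List[Tuple[Net, Net, Addr]] = field(default_factory=list)    # (src, dst, set ip next-hop)

    def next_hop(self, src: Addr, dst: Addr) -> Addr:
        for s, d, nh in self.pbr:             # policy routing is consulted before the RIB
            if src in s and dst in d:
                return nh
        nh = lpm(self.routes, dst)
        if nh is None:
            raise LookupError(f"no route to {dst}")
        return nh

def check_vpn_flow(asa: Asa, gw: L3Device, client: Addr, server: Addr) -> List[str]:
    """Findings for VPN-pool -> server traffic and for the server's return path."""
    findings = asa.bad_next_hops()
    out = asa.egress(server)
    if not asa.nat_exempted(out, client, server):
        findings.append(f"{client} -> {server} leaves via {out} with no nat ({out}) 0 exemption")
    ret = gw.next_hop(server, client)
    ret_iface = next((n for n, i in asa.interfaces.items() if i.ip == ret), None)
    if ret_iface is None:
        findings.append(f"return traffic {server} -> {client} goes to {ret} and never reaches the ASA")
    elif ret_iface != out:   # no connection entry on that interface, so the ASA drops the reply
        findings.append(f"asymmetric: forward leaves {out}, return arrives on {ret_iface}")
    return findings

# Constructed from the thread; the ASA inside address, client address and ISP next hop are assumed.
ASA_IF = {"outside": ipaddress.IPv4Interface("66.102.86.17/24"),
          "Inside": ipaddress.IPv4Interface("66.102.87.1/24")}
POOL, DMZ_WEB, DMZ_RC = Net("10.10.10.0/24"), Net("66.102.102.0/24"), Net("66.102.254.0/24")
CLIENT, WEB, RC = Addr("10.10.10.5"), Addr("66.102.102.15"), Addr("66.102.254.10")
EXEMPT = {"outside": [(POOL, DMZ_WEB), (POOL, DMZ_RC)]}       # the outside_nonat access-list
ORIGINAL = Asa(ASA_IF, [parse_asa_route("route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1"),
                        parse_asa_route("route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1")])
CORRECTED = Asa(ASA_IF, [parse_asa_route("route outside 66.102.102.0 255.255.255.0 66.102.86.10 1"),
                         parse_asa_route("route outside 66.102.254.0 255.255.255.0 66.102.86.10 1")], EXEMPT)
GW_NO_ROUTE = L3Device([(Net("0.0.0.0/0"), Addr("66.102.86.1"))])   # default to the ISP, no pool route
GW_PBR = L3Device(GW_NO_ROUTE.routes, [(DMZ_WEB, POOL, Addr("66.102.86.17")),    # route-maps site1/site2
                                       (DMZ_RC, POOL, Addr("66.102.86.17"))])
GW_STATIC = L3Device(GW_NO_ROUTE.routes + [(POOL, Addr("66.102.86.17"))])   # last suggestion in the thread
```

With the original route statements, `check_vpn_flow(ORIGINAL, GW_NO_ROUTE, CLIENT, WEB)` reports four findings: both routes name Inside while the next hop 66.102.86.10 is on the outside subnet, the traffic would leave via Inside with no exemption there, and the gateway sends the reply to its default route rather than to the ASA. With the routes moved to outside, the outside_nonat exemption in place and either the policy route-maps or a plain static route for the pool on the gateway (`CORRECTED` with `GW_PBR` or `GW_STATIC`), the list is empty; correcting only the ASA while leaving the gateway without a route back to the pool still leaves the return-path finding, which is the question the last reply in the thread asks.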

Thanks again for your prompt response and assistance, Nagaraja.  It is possible that there is a layer 3 device that I am not aware of.   I will check it out and get back to you tomorrow.  I am sorry for giving you the wrong information.  Thanks.

Laura

You are correct.  We have the Cisco 7500.  The IP address 66.102.86.10 is the default gateway of the Cisco 7500.  The subnets 66.102.102.0 and 66.102.254.0 are on the DMZ of the Cisco 6500.   Sorry for giving you the wrong information. What do I need to change on the configurations?  Thanks.

Laura

Hello,

What is the default gateway of that 7500 device? Does it have a route to the 10.x.x.x subnet? If it does not, can you add a route pointing to the outside interface of the firewall, i.e. 66.102.86.17?


Hope this helps.

Regards,

NT
