08-03-2010 06:39 PM
I have an ASA, running 8.0(5). I am NOT able to Remote Control to the server 66.102.254.10 and I am NOT able to open the web server 66.102.102.15 when I connect through Cisco VPN client (marketing and full tunnel groups). I think the problem is the default gateway (66.102.86.10) is the same subnet as the outside interface (66.102.86.17). However, I am able to ping the default gateway 66.102.86.10 from the ASA. I am able to get to my internal networks except the servers on 66.102.254.0 and 66.102.102.0 subnets.
Cisco VPN client -----> ASA ---->Cisco 6509 (with firewall module) ---> internal networks
Attached is the config file. Do you have any suggestions?
Thanks.
Laura
08-03-2010 06:49 PM
Hello,
Your configuration on the firewall looks good. Can you please check the device with IP 66.102.86.10 and make sure that it has a route to 10.x.x.x (VPN) subnet and it points to the ASA inside interface? That should fix the issue.
Hope this helps.
Regards,
NT
08-03-2010 07:02 PM
Hello,
On a second look at your route statements, it seems like you have configured some of these routes incorrectly:
route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
66.102.86.x is your outside interface IP. So, I think you need to change these two statements to
no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
route outside 66.102.102.0 255.255.255.0 66.102.86.10 1
route outside 66.102.254.0 255.255.255.0 66.102.86.10 1
Then you need to make sure that the 66.102.86.10 device has a route to the 10.x.x.x subnet pointing to the outside interface of the firewall. To ensure that the traffic goes un-natted, you need to configure nonat rules for the outside interface:
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
Hope this helps.
Regards,
NT
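Added example, not from this thread or from Cisco: a small Python audit that applies the two checks described in the reply above (each static route's next hop must sit on the subnet of the interface the route names, and the nat 0 exemption must cover both directions between the VPN pool and each server subnet) to a constructed ASA-style config fragment. The inside interface address 66.102.87.1/24 and the `audit` function are assumptions; the other addresses, routes and ACL entries are the ones quoted in the thread.

```python
import ipaddress

# Constructed ASA 8.0-style fragment modelled on the thread (not the poster's attached file).
# Assumed: inside interface 66.102.87.1/24; all other values are the ones quoted in the thread.
CONFIG = """
interface Vlan1
 nameif Inside
 ip address 66.102.87.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 66.102.86.17 255.255.255.0
route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
"""

def parse(cfg):
    """Pull interface subnets, static routes and ACL entries out of the config text."""
    ifaces, routes, acls, name = {}, [], {}, None
    for tok in (l.split() for l in cfg.splitlines() if l.strip()):
        if tok[0] == "nameif":
            name = tok[1].lower()
        elif tok[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route":
            routes.append((tok[1].lower(), ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), ipaddress.ip_address(tok[4])))
        elif tok[0] == "access-list" and tok[2] == "permit":
            acls.setdefault(tok[1], []).append((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"), ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return ifaces, routes, acls

def audit(cfg, acl_name, pool, servers):
    """Return (misplaced_routes, unexempted_pairs) for a VPN pool reaching server subnets."""
    ifaces, routes, acls = parse(cfg)
    # A static route's next hop must sit on the subnet of the interface the route names.
    misplaced = []
    for iface, net, gw in routes:
        if iface not in ifaces or gw not in ifaces[iface].network:
            actual = next((n for n, i in ifaces.items() if gw in i.network), None)
            misplaced.append((iface, str(net), str(gw), actual))
    # nat 0 exemption is checked per direction: pool -> server and server -> pool.
    pool, missing = ipaddress.ip_network(pool), []
    for server in map(ipaddress.ip_network, servers):
        for src, dst in ((pool, server), (server, pool)):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(acl_name, [])):
                missing.append((str(src), str(dst)))
    return misplaced, missing

FINDINGS = audit(CONFIG, "outside_nonat", "10.10.10.0/24", ["66.102.102.0/24", "66.102.254.0/24"])
```

On this fragment the audit flags both `route Inside` statements (their gateway 66.102.86.10 lives on the outside subnet) and reports that 66.102.254.0/24 is missing from the nat 0 exemption in both directions.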
08-03-2010 09:18 PM
Thanks for your prompt response, Nagaraja
After I put in your statements, I am unable to ping the servers when I log in to the Cisco VPN client. I am still not able to open my web servers on subnet 66.102.102 and Remote Control to the server on subnet 66.102.254.
===========================================================
no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
route outside 66.102.102.0 255.255.255.0 66.102.86.10 1
route outside 66.102.254.0 255.255.255.0 66.102.86.10 1
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
===================================================================
However, if I keep these statements, I am able to ping any servers on subnet 66.102.102 and 66.102.254. But, I am NOT able to open the web servers on subnet 66.102.102 and Remote Control to the servers on subnet 66.102.254. I am back to square one.
========================================================================
route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
=======================================================================
Do you have any other suggestions?
Thanks.
Laura
08-03-2010 09:44 PM
Hello,
Are you sharing a Layer 3 device between the inside and the outside interface (i.e. 66.102.86.10 and 66.102.87.254 are on the same device)? The symptoms you are explaining indicate that you might be having an asymmetric routing issue. If you are using the same L3 device, can you try the following configuration on the L3 device?
access-list 199 permit ip 66.102.102.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map site1
match ip address 199
set ip next-hop 66.102.86.17
exit
access-list 198 permit ip 66.102.254.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map site2
match ip address 198
set ip next-hop 66.102.86.17
exit
interface
ip address 66.102.254.y 255.255.255.0
ip policy route-map site2
exit
Then on the firewall, revert back to your original configuration (remove the nonat access-lists) and change the route statements to point to the correct interface, i.e. 66.102.86.10 on the outside.
no nat (outside) 0 access-list outside_nonat
no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.102.0 255.255.255.0
no access-list outside_nonat permit ip 10.10.10.0 255.255.255.0 66.102.254.0 255.255.255.0
no access-list outside_nonat permit ip 66.102.102.0 255.255.255.0 10.10.10.0 255.255.255.0
no access-list outside_nonat permit ip 66.102.254.0 255.255.255.0 10.10.10.0 255.255.255.0
no route Inside 66.102.102.0 255.255.255.0 66.102.86.10 1
no route Inside 66.102.254.0 255.255.255.0 66.102.86.10 1
route outside 66.102.102.0 255.255.255.0 66.102.86.10 1
route outside 66.102.254.0 255.255.255.0 66.102.86.10 1
Hope this helps.
Regards,
NT
08-03-2010 09:58 PM
Thanks again for your prompt response and assistance, Nagaraja. It is possible that there is a layer 3 device that I am not aware of. I will check it out and get back to you tomorrow. I am sorry for giving you the wrong information. Thanks.
Laura
08-03-2010 10:39 PM
You are correct. We have the Cisco 7500. The IP address 66.102.86.10 is the default gateway of the Cisco 7500. The subnets 66.102.102.0 and 66.102.254.0 are on the DMZ of the Cisco 6500. Sorry for giving you the wrong information. What do I need to change on the configurations? Thanks.
Laura
08-04-2010 06:02 AM
Hello,
What is the default gateway of that 7500 device? Does it have a route to the 10.x.x.x subnet? If it does not, can you add a route pointing to the outside interface of the firewall, i.e. 66.102.86.17?
Hope this helps.
Regards,
NT