Public IPs and VLANs

Answered Question
Sep 9th, 2010

Hi to all the helpful people in this community!

I'm still in the learning phase with my ASA 5510 but have been able to switch from my PIX to the ASA thanks to the community's help!

My next issue is with our video-conferencing system. I have set up the Catalyst switch with 2 VLANs.

VLAN2 has 8 ports to which my telco's router, the ASA and the Polycom video-conference system are connected. It's connected to the outside interface (Ethernet0/0) of the ASA.

VLAN3, which doesn't concern us here, has 8 ports for the DMZ machines and is connected to the DMZ interface (Ethernet0/2) of the ASA.

The rest of the ports are on the Untagged VLAN which is connected to the inside interface (Ethernet0/1) of the ASA.

The Polycom is configured with a static public IP. Since I don't want to NAT the video-conferencing traffic, it is connected to a VLAN2 port. My issues are that the Polycom unit is not reachable from the outside world and it can't ping the outside world either. The Polycom is configured with 204.xx.xx.29/255.255.255.240. I have tried adding a static ARP entry to no avail. I connected a laptop with a static external IP with the same problems. This sort of setup worked fine with the PIX but I guess I'm missing something (which is not surprising!).

I have attached a diagram hoping that someone can get me on the right track.

Thanks!

Dave

daverutz58 Thu, 09/09/2010 - 08:18

Oooops... Forgot the config!

ASA Version 8.2(3)
!
hostname cccc-asa
domain-name cccc.org
enable password qucvXv6yXeNYVlPA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.165.11.13 ad1 description File server
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 10.165.10.10 sdfs description SDFS server
name 10.165.10.3 web description Web server
name 204.xx.xx.21 mail-outside description Edge public
name 10.165.10.16 moodle description Moodle server
name 204.xx.xx.22 moodle-outside description Moodle public
name 204.xx.xx.26 owa-outside description OWA public
name 204.xx.xx.29 polycom-outside description Polycom
name 10.165.10.12 remacc description Remacc server
name 204.xx.xx.30 remacc-outside description Remacc public
name 204.xx.xx.23 sdfs-outside description SDFS public
name 204.xx.xx.20 web-outside description Web public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 204.xx.xx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.1 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
name-server ad1
domain-name cccc.org
same-security-traffic permit inter-interface
object-group service remacc-ports
description Ports for remote access
service-object gre
service-object tcp eq pptp
service-object udp eq isakmp
object-group service edge-in-ports
description Edge to LAN ports
service-object tcp range 1025 1026
service-object tcp eq 135
service-object tcp range 3268 3269
service-object tcp eq 445
service-object tcp eq 50636
service-object tcp eq 88
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service polycom-ports
description Ports for Polycom
service-object tcp eq h323
service-object udp range 1718 1719
service-object udp range 3230 3285
service-object tcp eq 1503
service-object tcp eq 1731
service-object tcp eq ldap
service-object tcp-udp range 3230 3288
service-object tcp eq 5001
service-object tcp eq www
object-group service icmp-service
description ICMP services
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp unreachable
service-object icmp6 echo-reply
object-group network DM_INLINE_NETWORK_1
network-object host web-outside
network-object host moodle-outside
network-object host sdfs-outside
network-object host owa-outside
network-object host remacc-outside
network-object host polycom-outside
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq 3268
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq smtp
access-list outside_access_in remark Public access to web server
access-list outside_access_in extended permit tcp any host web-outside eq www
access-list outside_access_in remark Public access to Moodle server
access-list outside_access_in extended permit tcp any host moodle-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark Incoming email
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list outside_access_in remark Public access to SDFS server
access-list outside_access_in extended permit tcp any host sdfs-outside eq www
access-list outside_access_in remark Public access to VPN server
access-list outside_access_in extended permit object-group remacc-ports any host remacc-outside
access-list outside_access_in remark Public access to Polycom
access-list outside_access_in extended permit object-group polycom-ports any host polycom-outside
access-list outside_access_in remark Outlook Web Access to Hub server
access-list outside_access_in extended permit tcp any host owa-outside eq https
access-list outside_access_in remark Public access to web server
access-list outside_access_in remark Public access to Moodle server
access-list outside_access_in remark Incoming email
access-list outside_access_in remark Public access to SDFS server
access-list outside_access_in remark Public access to VPN server
access-list outside_access_in remark Public access to Polycom
access-list outside_access_in remark Outlook Web Access to Hub server
access-list dmz_access_in remark Edge to LAN email transport and authentication
access-list dmz_access_in extended permit object-group edge-in-ports host edge 10.165.11.0 255.255.255.0
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list dmz_access_in remark VPN to LAN  transport and authentication
access-list dmz_access_in extended permit object-group remacc-ports host remacc 10.165.11.0 255.255.255.0
access-list dmz_access_in remark Outgoing email
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list dmz_access_in remark Edge to LAN email transport and authentication
access-list dmz_access_in remark VPN to LAN  transport and authentication
access-list dmz_access_in remark Outgoing email
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in remark Reply to authentication for VPN
access-list inside_access_in extended permit object-group remacc-ports host ad1 host remacc
access-list inside_access_in remark Reply to authentication for VPN
access-list toweb extended permit tcp any object-group DM_INLINE_NETWORK_1 inactive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.50-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 10.165.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
static (inside,outside) owa-outside hub netmask 255.255.255.255
static (dmz,outside) sdfs-outside sdfs netmask 255.255.255.255
static (dmz,outside) remacc-outside remacc netmask 255.255.255.255
static (dmz,outside) moodle-outside moodle netmask 255.255.255.255
static (dmz,outside) web-outside web netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 204.xx.xx.17 1
route inside 10.165.12.0 255.255.255.0 10.165.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.165.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ad1 source inside prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb6de4e1c97f95140e419b9d043687c4
: end

mvsheik123 Thu, 09/09/2010 - 08:40

Hi,

Unless I miss something here, I do not see why the polycom traffic passes thru the ASA. As the polycom is set up with a public IP and connected to your internet vlan (vlan2), any issues appear to be in the polycom 'network settings' or the ISP router blocking ports (do not see why). Please check settings.

hth

MS

daverutz58 Thu, 09/09/2010 - 08:56

Thanks MS,

It could be Polycom settings (which I've checked and changed a couple times) but then why can't I ping or tracert anything on the web with the Polycom or laptop?

Dave

mvsheik123 Thu, 09/09/2010 - 09:29

Hi,

What is the gateway IP for the Polycom/test laptop? Were you able to browse the Internet (apart from ping/tracert) from the laptop? Also, the internet router: did you make any changes or get the provider's default config? Lastly, can you post the network settings screen for the polycom?

Thanks

MS

Correct Answer
mvsheik123 Fri, 09/10/2010 - 07:44

Try changing the polycom gateway to .17 (your ISP router ip) and give a try.

hth

MS

daverutz58 Fri, 09/10/2010 - 09:54

That did it! I don't know how I overlooked that or why I didn't try it myself, but thanks!

daverutz58 Fri, 09/10/2010 - 07:16

Hi MS,

The telco router was delivered to us and we don't have any control over it.

Here's some of the info gathered for the troubleshooting:

It seems that the Polycom traffic should go out directly to the telco router. Some sort of weird routing going on it looks like...

Added the following to ASA:

object-group service icmp-service
description ICMP services
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp unreachable
access-list outside_access_in extended permit object-group icmp-service any any

Configuration

A. Polycom info
- IP: 204.xx.xx.29/255.255.255.240
- GW: 204.xx.xx.18
- HTTP access enabled on port 12345

B. LAN connected computer (inside interface)
- IP: 10.165.11.27/255.255.255.0
- GW: 10.165.11.1
- Polycom PVX client software installed

C. VLAN2 connected computer (outside interface)
- IP: 204.xx.xx.28/255.255.255.240
- GW: 204.xx.xx.18

X & Z. Remote working sites with the same Polycom equipment

Tests
- B can ping 204.xx.xx.29
- B can ping X and Z
- B can connect to http://204.xx.xx.29:12345 Polycom interface
- B can connect to 204.xx.xx.29 with PVX
  o No image on B
  o Image on A
- B can connect to X and Z with PVX
  o No image on B
  o Image on X and Z
- C cannot ping the outside world
- C cannot surf the web
- C can ping A and 204.xx.xx.18
- C can connect to http://204.xx.xx.20, 22 and 23 which are web servers in the DMZ
- A cannot connect to X or Z (or any other working Polycom system)
- A cannot ping the outside world
- http://204.xx.xx.29:12345 cannot connect to X or Z
- http://204.xx.xx.29:12345 cannot ping X or Z

Thanks for the help!

Dave
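As an added example (not code from the thread or from Cisco), a small Python check that parses the relevant lines of an ASA running-config and flags a public host on the outside VLAN, like the Polycom and laptop above, whose gateway points at the ASA's outside interface instead of the ISP router. It assumes the ASA's default behaviour of not forwarding traffic that enters and leaves the same interface unless same-security-traffic permit intra-interface is configured, and uses the documentation range 203.0.113.0/28 in place of the masked 204.xx.xx.x addresses.

```python
import ipaddress

# Constructed excerpt in the shape of the thread's running-config; the
# documentation range 203.0.113.0/28 stands in for the masked 204.xx.xx.16/28
# block (ASA outside = .18, ISP router = .17, Polycom = .29).
ASA_CONFIG = """\
interface Ethernet0/0
nameif outside
ip address 203.0.113.18 255.255.255.240
interface Ethernet0/1
nameif inside
ip address 10.165.11.1 255.255.255.0
same-security-traffic permit inter-interface
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
"""

def parse_asa(config):
    """Collect interface addresses, the default gateway and the hairpin setting."""
    asa = {"ifaces": {}, "default_gw": None, "intra_interface": False}
    cur = None
    for raw in config.splitlines():
        words = raw.split()
        if words[:1] == ["nameif"]:
            cur = words[1]
        elif words[:2] == ["ip", "address"] and cur:
            asa["ifaces"][cur] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            asa["default_gw"] = ipaddress.ip_address(words[4])
        elif raw.strip() == "same-security-traffic permit intra-interface":
            asa["intra_interface"] = True
    return asa

def check_outside_host(ip, mask, gateway, asa):
    """Findings for a public host on the outside VLAN that should bypass the ASA."""
    host = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    findings = []
    if gw not in host.network:
        findings.append("gateway is not on the host's subnet")
    outside = asa["ifaces"].get("outside")
    if outside is not None and gw == outside.ip:
        # Packets would enter and have to leave on 'outside'; the ASA only
        # forwards that hairpin with 'same-security-traffic permit intra-interface'.
        findings.append("gateway is the ASA outside interface")
        if not asa["intra_interface"]:
            findings.append("ASA drops intra-interface (hairpin) traffic")
    if asa["default_gw"] is not None and gw != asa["default_gw"]:
        findings.append(f"expected ISP router {asa['default_gw']} as gateway")
    return findings
```

Running it with the Polycom's original settings (.18 as gateway) reports the hairpin problem; with .17, the fix from the accepted answer, it reports nothing.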
