02-01-2014 05:52 PM - edited 03-11-2019 08:39 PM
Hi Everyone. I have been working on a task for a few days now and cannot/do not understand why it is not working.
This is my first post so please be patient.
My employer has given me two ASA devices, a 5505 (ASA v8.4(7)) and a 5510. I have basic firewall skills and I'm quite new to their full functionality.
Basically I am trying to route traffic from and back to HQ1 (main business entity) via R1 (Cisco 1841) through the ASA 5505 at the second site.
All connections are to be established from HQ1 to the NEW site initially.
This is to allow staff access to the new site without having to come in via the internet service.
It is also to enable IT to control (via access lists on the ASA) who and what can access this new site from HQ1.
I have included a network diagram showing how the sites are connected and the static routes I have added.
As per my diag the ASA5505 inside Interface is pointing to HQ1. The outside interface is connected to a switch port on one of two L3 switches running VRRP.
The ASA5510 (internet facing) has its inside interface connected to a switchport on the second L3 switch.
Both switchports are set to switchport-access vlan 10 (production Vlan)
The Production network of the NEW site can get to and from internet as intended without a problem via the ASA5510.
What I CANNOT understand is why I can't traceroute from HQ1 to the new site via the ASA5505 and vice versa.
I have tested traceroute and pings from the ASA5505 inside interface to HQ1 and all looks fine. I can ping servers in HQ1.
The ASAs are not configured for Rip v2 as I was planning on adding static routes only.
Here are the route tables on both L3 switches; more of my testing follows.
Switch-A#show ip route
Default Gateway is 172.17.10.2
S 0.0.0.0/0 [1/0] via 172.17.10.2, Vl10
S *.*.*.*/29 [1/0] via 172.17.10.2, Vl10 (DMZ)
C 172.17.10.0/24 [0/1] directly connected, Vl10
C 172.17.20.0/24 [0/1] directly connected, Vl20
C 172.17.100.0/24 [0/1] directly connected, Vl100
S 192.168.0.0/16 [1/0] via 172.17.10.1, Vl10
A tracert from Srv1 on the NEW site to a server on the HQ1 site stops at the gateway of the server, 192.168.10.254 (which is the VRRP redundant gateway for Vlan10).
Traceroute from either L3 switch towards the next hop to the HQ1 inside interface returns this:
Switch-A#traceroute 192.168.0.29
Traceroute to 192.168.0.29 ,30 hops max 0 byte packets:
1 0.0.0.0 * * *
2 0.0.0.0 * *
Hop Count = 2 Last TTL = 2 Test attempt = 5 Test Success = 0
Firewall routes are below
ASA 5510
Sho Route
Gateway of last resort is *.*.*.2 to network 0.0.0.0
C *.*.*.96 255.255.255.248 is directly connected, DMZ
C *.*.*.1 255.255.255.252 is directly connected, outside
C 172.17.10.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via *.*.*.2, outside
ASA 5505
Sho Route
Gateway of last resort is not set
C 172.17.10.0 255.255.255.0 is directly connected, outside
C 192.168.0.28 255.255.255.252 is directly connected, inside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.29, inside
Do the ASAs need to be connected to interfaces on the same switch and not opposing switches?
I put them in opposite switches for a little redundancy.
Any suggestions and help would be greatly appreciated.
Many thanks,
Alan
02-01-2014 07:20 PM
Hello David,
So the issue right now is with traffic coming from the HQ to the ASA 5505 inside interface (VLAN 10).
Can you share the ACLs on the outside interface?
Can you share the show run policy-map?
Traceroutes across an ASA are really picky.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-01-2014 08:17 PM
Hi Julio. Thank you for the quick reply.
At the moment I cannot route from any servers at HQ1 to the Srv1 server (or any other servers) at the NEW site (in Vlan10) or vice versa. HQ1 to the new site will eventually need Terminal Services, file transfer, etc. All these and more will need to be established from HQ1 for security.
The ASA5505 outside interface is connected to Vlan10 in the NEW site, not the HQ site.
The ASA5505 inside interface (Sec-100) is connected to the Telco IP VPN service that my HQ1 site accesses.
We already use the Telco IP VPN service from HQ1 to our other business sites fine, but they have Cisco 1841 routers connected at those sites. It's basically our business WAN service carrier.
The ACLs on the ASA5505 are as follows. I have allowed IP any any on both interfaces to try a test. Planning to lock it down once I get it actually working.
access-list inside_access_in extended permit icmp any 172.17.10.0 255.255.255.0 object-group All_ICMP
access-list inside_access_in extended permit tcp any 172.17.10.0 255.255.255.0 eq 3389 inactive
access-list inside_access_in extended permit ip any any
access-list MMS_Admin_Group_splitTunnelAcl standard permit any
access-list outside_access_in extended permit icmp any any object-group All_ICMP
access-list outside_access_in extended permit tcp any any eq 3389 inactive
access-list outside_access_in extended permit ip any any
Result of the command: "sho run policy-map"
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
Sorry, but I'm not sure how to go about adding these. I will search on these to learn more.
Thanks
02-01-2014 08:20 PM
Hello,
Please share show run access-group
What version are you running?
For ICMP do
fixup protocol icmp
fixup protocol icmp-error
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-01-2014 09:14 PM
Thanks. I've added the two fixup commands as you suggested.
Versions on the ASA5505
ASA v8.4(7)
ASDM v7.1(4)
show run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
I tested pings from Srv1 (New site) to 192.168.1.201 (server in HQ1) and see these in the ASA5505 ASDM syslog messages. I don't receive a reply at the Srv1 server though.
6 | Feb 02 2014 | 08:33:01 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Teardown ICMP connection for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0 |
6 | Feb 02 2014 | 08:32:59 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Built inbound ICMP connection for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0 |
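An added example (not from the thread) that parses the ASDM syslog rows quoted above and pairs each Built/Teardown ICMP connection to show how long it lived; it assumes the ASA default ICMP idle timeout of two seconds, so a teardown exactly two seconds after the build is flagged as a connection that never saw a reply.

```python
import re
from datetime import datetime

# Constructed sample: the two ASDM syslog rows quoted above (pipe-separated ASDM columns).
SAMPLE_ROWS = [
    "6 | Feb 02 2014 | 08:33:01 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Teardown ICMP connection "
    "for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0 |",
    "6 | Feb 02 2014 | 08:32:59 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Built inbound ICMP connection "
    "for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0 |",
]

# ASA default "timeout icmp 0:00:02"; assumed unchanged on this ASA5505.
ICMP_IDLE_TIMEOUT_S = 2.0

MSG_RE = re.compile(
    r"(?P<event>Built|Teardown)(?: (?P<direction>inbound|outbound))? ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def parse_row(row):
    """Split one ASDM row into its columns and pull the connection fields out of the message."""
    cols = [c.strip() for c in row.strip().strip("|").split("|")]
    m = MSG_RE.search(cols[-1])
    if m is None:
        return None  # some other message type; ignore
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{cols[1]} {cols[2]}", "%b %d %Y %H:%M:%S")
    return rec


def pair_connections(rows):
    """Match each Teardown to its Built by (faddr, ICMP id, laddr) and compute the lifetime."""
    open_conns, results = {}, []
    for rec in sorted(filter(None, map(parse_row, rows)), key=lambda r: r["ts"]):
        key = (rec["faddr"], rec["fid"], rec["laddr"])
        if rec["event"] == "Built":
            open_conns[key] = rec
        elif key in open_conns:
            built = open_conns.pop(key)
            lifetime = (rec["ts"] - built["ts"]).total_seconds()
            results.append({
                "faddr": rec["faddr"], "laddr": rec["laddr"],
                "direction": built["direction"], "lifetime_s": lifetime,
                # Torn down only when the idle timer expired: nothing (no echo reply)
                # refreshed the connection, which points at a missing return path.
                "idled_out": lifetime >= ICMP_IDLE_TIMEOUT_S,
            })
    return results
```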
02-01-2014 09:33 PM
Do the following
cap capin interface outside match icmp host 192.168.1.201 host 172.17.10.165
cap capout interface inside match icmp host 192.168.1.201 host 172.17.10.165
cap asp type asp-drop all circular-buffer
Then send an ICMP packet and provide
show cap capin
show cap capout
show cap asp | inc 192.168.1.201
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-01-2014 10:01 PM
Hi Julio.
I went and tested Tracert from HQ1 server to Srv1 in NEW site. I got the following results.
Seemed to be a loop.
Tracing route to 172.17.10.165 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.126
2 1 ms 1 ms 1 ms 192.168.0.5
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 102 ms 158 ms 125 ms 192.168.0.1
11 157 ms 156 ms 112 ms 192.168.0.1
12 133 ms 132 ms 133 ms 192.168.0.2
13 113 ms 113 ms 113 ms 192.168.0.1
14 135 ms 136 ms 135 ms 192.168.0.2
15 116 ms 116 ms 117 ms 192.168.0.1
I then added a static route at R1 in HQ1 but still the same.
I then thought why was the 172.17.0.0/16 network not being advertised to the R1 router in HQ1.
I remembered seeing a document my manager had that mentioned Telco IP VPN to be configured for RIP.
So I thought I would enable Rip V2 on the ASA5505 as shown in picture below.
As soon as I did this I can now route (ping, Tracert and RDP) to and from both sites.
Can you confirm I have configured RIP v2 on the ASA correctly? I have passive-interface outside (interface to Vlan 10 on the NEW site).
Thank you
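An added example, not from the thread, that reproduces the asymmetric-path diagnosis with a longest-prefix-match forwarding simulation: the ASA5505 entries are the "show route" output above, while the R1 and Telco router tables (named telco-A for 192.168.0.1 and telco-B for 192.168.0.2) are assumptions chosen to mirror the tracert, and with_rip_advert() models the fix of advertising 172.17.10.0/24.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); next_hop 'connected' ends the trace."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=15):
    """Walk next hops from `start` toward `dst`; returns (path, outcome)."""
    path, hop = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[hop], dst)
        if next_hop is None:
            return path, "no-route"
        if next_hop == "connected":
            return path, "delivered"
        if next_hop in path:  # already visited: packets bounce until TTL expires
            return path + [next_hop], "loop"
        path.append(next_hop)
        hop = next_hop
    return path, "ttl-exceeded"

# Constructed topology. Only the ASA5505 entries come from the "show route" in the thread; the R1
# and Telco tables are assumptions that reproduce the tracert (HQ LANs 192.168.1.0/24, 192.168.2.0/24).
BEFORE = {
    "R1": [("192.168.1.0/24", "connected"), ("192.168.2.0/24", "connected"),
           ("0.0.0.0/0", "telco-A")],
    "telco-A": [("192.168.1.0/24", "R1"), ("192.168.2.0/24", "R1"),          # 192.168.0.1
                ("192.168.0.28/30", "connected"), ("0.0.0.0/0", "telco-B")],
    "telco-B": [("192.168.1.0/24", "telco-A"), ("192.168.2.0/24", "telco-A"),  # 192.168.0.2
                ("0.0.0.0/0", "telco-A")],
    "ASA5505": [("172.17.10.0/24", "connected"), ("192.168.0.28/30", "connected"),
                ("192.168.0.0/16", "telco-A")],
}

def with_rip_advert(tables):
    """Model the fix: the ASA5505 advertises 172.17.10.0/24 over RIPv2 and the WAN side learns it."""
    after = {name: list(entries) for name, entries in tables.items()}
    after["telco-A"].append(("172.17.10.0/24", "ASA5505"))
    after["telco-B"].append(("172.17.10.0/24", "telco-A"))
    after["R1"].append(("172.17.10.0/24", "telco-A"))
    return after

if __name__ == "__main__":
    print("ASA5505 -> HQ server :", trace(BEFORE, "ASA5505", "192.168.1.201"))
    print("HQ R1 -> Srv1 before :", trace(BEFORE, "R1", "172.17.10.165"))
    print("HQ R1 -> Srv1 after  :", trace(with_rip_advert(BEFORE), "R1", "172.17.10.165"))
```

The site-to-HQ direction is delivered even before the fix, which matches the pings from the ASA inside interface working, while the HQ-to-site direction loops until the new site's prefix is known on the WAN side.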
02-01-2014 10:05 PM
Hello David,
RIP looks good bud.
Now that everything is good, do you need something else? Otherwise you can mark it as answered.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-01-2014 10:22 PM
Thanks Julio. You have been a great help.
I will go and study inspection maps now and keep this in mind in the future.
Cheers.
02-01-2014 10:23 PM
Hey David, No problem.
By the way, if you are looking for networking posts regarding Cisco ASAs, etc., check my own blog http://laguiadelnetworking.com; you will find useful info there bud.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com