600 Views | 0 Helpful | 9 Replies

ASA Routing Help

GPNetwork
Level 1

Hi Everyone. I have been working on a task for a few days now and cannot/do not understand why it is not working.

This is my first post so please be patient.

My employer has given me two ASA devices, a 5505 (ASA v8.4(7)) and a 5510. I have basic firewall skills and I'm quite new to their full functionality.

Basically I am trying to route traffic from and back to HQ1 (main business entity) via R1 (Cisco 1841) through the ASA 5505 at the second site.

All connection are to be established from HQ1 to NEW site initially.

This is to allow staff access to the new site without having to come in via the internet service.

It is also to enable IT to control (via access lists on the ASA)  who and what can access this new site from HQ1.

I have included a network diagram showing how the sites are connected and the static routes I have added.

As per my diagram the ASA5505 inside interface is pointing to HQ1. The outside interface is connected to a switch port on one of two L3 switches running VRRP.

The ASA5510 (internet facing) has its inside interface connected to a switchport on the second L3 switch.

Both switchports are set to "switchport access vlan 10" (production VLAN).

The Production network of the NEW site can get to and from internet as intended without a problem via the ASA5510.

What I CANNOT understand is why I can't traceroute from HQ1 to the new site via the ASA5505 and vice versa.

I have tested traceroute and pings from the ASA5505 inside interface to HQ1 and all looks fine. I can ping servers in HQ1.

The ASAs are not configured for RIP v2 as I was planning on adding static routes only.

Here are the route tables on both L3 switches; more of my testing follows.

Switch-A#show ip route

Default Gateway is 172.17.10.2

S     0.0.0.0/0 [1/0] via 172.17.10.2,   Vl10

S     *.*.*.*/29 [1/0] via 172.17.10.2,   Vl10   (DMZ)

C     172.17.10.0/24 [0/1] directly connected,   Vl10

C     172.17.20.0/24 [0/1] directly connected,   Vl20

C     172.17.100.0/24 [0/1] directly connected,   Vl100

S     192.168.0.0/16 [1/0] via 172.17.10.1,   Vl10

A tracert from Srv1 on the NEW site to a server on the HQ1 site stops at the gateway of the server, 192.168.10.254 (which is the VRRP redundant gateway for VLAN 10).

Traceroute from either L3 switch towards the next hop to the HQ1 inside interface returns this:

Switch-A#traceroute 192.168.0.29

Traceroute to 192.168.0.29, 30 hops max, 0 byte packets:

1 0.0.0.0           *         *         *

2 0.0.0.0           *         *

Hop Count = 2 Last TTL = 2 Test attempt = 5 Test Success = 0

Firewall routes are below

ASA 5510

Sho Route

Gateway of last resort is *.*.*.2 to network 0.0.0.0

C   *.*.*.96 255.255.255.248 is directly connected, DMZ

C   *.*.*.1 255.255.255.252 is directly connected, outside

C   172.17.10.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via *.*.*.2, outside

ASA 5505

Sho Route

Gateway of last resort is not set

C   172.17.10.0 255.255.255.0 is directly connected, outside

C   192.168.0.28 255.255.255.252 is directly connected, inside

S   192.168.0.0 255.255.0.0 [1/0] via 192.168.0.29, inside

Do the ASAs need to be connected to interfaces on the same switch and not opposing switches?

I put them in opposite switches for a little redundancy.

Any suggestions and help would be greatly appreciated.

Many thanks,

Alan

9 Replies

Julio Carvajal
VIP Alumni

Hello David,

So the issue right now is with traffic coming from the HQ to the ASA 5505 inside interface (VLAN 10).

Can you share the ACLs on the outside interface?

Can you share the show run policy-map?

Traceroutes across an ASA are really picky:

  • Need fixup protocol ICMP
  • Need fixup protocol icmp-error
  • If the ASA needs to be shown as a hop, the ASA needs to be configured to decrement the TTL

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
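As an added example (not configuration from this thread or from Cisco's documentation), this is what the three items above look like in ASA 8.4 policy-map form, assuming the default global_policy and inspection_default names that the 5505 in this thread uses. The fixup commands are the legacy spelling of the same inspect commands; the rate-limit values are assumptions.

```cisco
! Added example: ICMP inspection and TTL decrement on an ASA 8.4 running the
! default global policy (names assumed from the thread's "sho run policy-map").
policy-map global_policy
 class inspection_default
  ! Stateful ICMP inspection: an echo reply is only allowed back if it matches
  ! the echo request that built the connection; no blanket "permit icmp any any"
  ! is needed on the interface ACLs for return traffic.
  inspect icmp
  ! Permit ICMP error messages (time-exceeded, unreachable) that refer to an
  ! existing connection; traceroute relies on these coming back through the ASA.
  inspect icmp error
 class class-default
  ! By default the ASA does not decrement TTL, so it never generates
  ! time-exceeded and is invisible as a hop. This makes it show up.
  set connection decrement-ttl
!
! Legacy equivalents (still accepted in 8.4 and translated into the inspect
! commands above):
!   fixup protocol icmp
!   fixup protocol icmp-error
!
! Optional: bound how fast the ASA itself emits ICMP unreachable/time-exceeded
! messages. Assumed values; 10 per second, burst 5.
icmp unreachable rate-limit 10 burst-size 5
!
! Apply the policy globally (already present on a default config).
service-policy global_policy global
!
! Verification after the change:
!   show service-policy inspect icmp   <- counters increment on echo traffic
!   show conn protocol icmp            <- ICMP "connections" while a ping runs
```

With inspect icmp in place the ACL entries that permit icmp any any on the interfaces can be narrowed to echo from the HQ side only, since replies are matched statefully.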

Hi Julio. Thank you for the quick reply.

At the moment I cannot route from any servers at HQ1 to the Srv1 server (or any other servers) at the NEW site (in VLAN 10) or vice versa. HQ1 to the new site will eventually need Terminal Services, file transfer, etc. All these and more will need to be established from HQ1 for security.

The ASA5505 outside interface is connected to VLAN 10 in the NEW site, not the HQ site.

The ASA5505 inside interface (Sec-100) is connected to the Telco IP VPN service that my HQ1 site accesses.

We already use the Telco IP VPN service from HQ1 to our other business sites fine; but they have Cisco 1841 routers connected at those sites. It's basically our business WAN service carrier.

The ACLs on the ASA5505 are as follows. I have allowed IP any any on both interfaces to try a test. Planning to lock it down once I get it actually working.

access-list inside_access_in extended permit icmp any 172.17.10.0 255.255.255.0 object-group All_ICMP

access-list inside_access_in extended permit tcp any 172.17.10.0 255.255.255.0 eq 3389 inactive

access-list inside_access_in extended permit ip any any

access-list MMS_Admin_Group_splitTunnelAcl standard permit any

access-list outside_access_in extended permit icmp any any object-group All_ICMP

access-list outside_access_in extended permit tcp any any eq 3389 inactive

access-list outside_access_in extended permit ip any any


Result of the command: "sho run policy-map"

!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options

Sorry but I'm not sure how to go about adding these. I will search on these to learn more.

  • Need fixup protocol ICMP
  • Need fixup protocol icmp-error
  • If the ASA needs to be shown as a hop, the ASA needs to be configured to decrement the TTL

Thanks

Hello,

Please share show run access-group

What version are u running?

For ICMP do

fixup protocol icmp

fixup protocol icmp-error

Cheers,

Julio Carvajal Segura

Thanks. I've added the two fixup commands as you suggested.

Versions on the ASA5505

ASA v8.4(7)

ASDM v7.1(4)

show run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

I tested pings from Srv1 (New site) to 192.168.1.201 (server in HQ1) and see these in the ASA5505 ASDM syslog messages. I don't receive a reply at the Srv1 server though.

6 | Feb 02 2014 | 08:33:01 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Teardown ICMP connection for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0

6 | Feb 02 2014 | 08:32:59 | 172.17.10.165 | 1 | 192.168.1.201 | 0 | Built inbound ICMP connection for faddr 172.17.10.165/1 gaddr 192.168.1.201/0 laddr 192.168.1.201/0

Do the following

cap capin interface outside match icmp host 192.168.1.201 host 172.17.10.165

cap capout interface inside match icmp host 192.168.1.201 host 172.17.10.165

cap asp type asp-drop all circular-buffer

Then send an ICMP packet and provide

show cap capin

show cap capout

show cap asp | inc 192.168.1.201

Cheers,

Julio Carvajal Segura

Hi Julio.

I went and tested tracert from an HQ1 server to Srv1 in the NEW site. I got the following results.

It seemed to be a loop.

Tracing route to 172.17.10.165 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.126
  2     1 ms     1 ms     1 ms  192.168.0.5
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
10   102 ms   158 ms   125 ms  192.168.0.1
11   157 ms   156 ms   112 ms  192.168.0.1
12   133 ms   132 ms   133 ms  192.168.0.2
13   113 ms   113 ms   113 ms  192.168.0.1
14   135 ms   136 ms   135 ms  192.168.0.2
15   116 ms   116 ms   117 ms  192.168.0.1

I then added a static route at R1 in HQ1 but still the same.

I then thought: why was the 172.17.0.0/16 network not being advertised to the R1 router in HQ1?

I remembered seeing a document my manager had that mentioned the Telco IP VPN had to be configured for RIP.

So I thought I would enable RIP v2 on the ASA5505 as shown in the picture below.

As soon as I did this I can now route (ping, tracert and RDP) to and from both sites.

Can you confirm I have configured RIP v2 on the ASA correctly? I have passive-interface set on outside (the interface to VLAN 10 on the NEW site).

Thank you

[Attachment: ASA5505_RipV2.png]

Hello David,

RIP looks good bud.

Now that everything is good do u need something else? Otherwise u can mark it as answered

Cheers,

Julio Carvajal Segura

Thanks Julio. You have been a great help.

I will go and study inspection maps now and keep this in mind in the future.

Cheers.

Hey David, No problem.

By the way, if you are looking for networking posts regarding Cisco ASAs, etc., check my own blog http://laguiadelnetworking.com, you will find useful info there bud.

Cheers,

Julio Carvajal Segura