Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1261
Views
0
Helpful
9
Replies

ASA routing problem for internal networks

Go to solution
miles0001
Level 1
Level 1

‎07-19-2013 12:42 PM - edited ‎03-11-2019 07:14 PM

Hi folks,

I'm setting up an ASA 5512-X, replacing our old Linux firewall/router.

In the old firewall, I had a port opened to an OpenVPN server inside the network. I've opened access to the same port in the ASA. The OpenVPN server is reachable from the outside through the ASA, but clients connecting through the OpenVPN server cannot connect to any devices on the internal network. Neither can devices on the internal network connect to OpenVPN clients.

This is understandable, as the ASA is the default gateway for the network, and all packets from devices intended for the OpenVPN clients, are sent to the default gateway. I have tried to create a static route to the OpenVPN server for traffic to/from VPN clients on the ASA inside interface, but the ASA does not seem to route the appropriate traffic to the OpenVPN server.

Our internal network is a 192.168.0.0/16 network, and OpenVPN has got a 10.0.1.0/24 network

I'm going to replace the OpenVPN server with AnyConnect subsequently, but the OpenVPN solution must unfortunately be in place for quite some time yet.

What am I doing wrong?

Best regards,

Peter

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to miles0001

‎07-20-2013 04:12 AM

Hi,

I am not 100% sure about your setup but from what I gather you have the users and the VPN server in the same LAN network behind the ASA. The VPN users get an IP address from a VPN pool which in turn causes the LAN hosts/servers to send their traffic to the default gateway which is ASA.

This in turn causes asymmetric routing and the ASA doesnt see the full TCP connection 3 way handshake and drops the connections.

At this point it might even drop the to lacking the global configurations "same-security-traffic permit intra-interface" which is required for traffic to enter and leave the same interface on the ASA.

If all this is true then it would seem to me that there are a couple of options atleast.

  • Configure TCP State Bypass on the ASA for traffic between the LAN and the VPN Pool. This will naturally eliminate some security that the ASA provides for this traffic but considering we are talking about 2 networks which should already be secure I guess it would suffice for as long as you have to keep the OpenVPN setup.
  • Other options would be to move the server out of the LAN and move it on a DMZ on the ASA so that there is no way that the ASA could not see all the traffic between the VPN users and LAN users. This would seem to me better choice than the above.

Here is a link to a Cisco document describing TCP State Bypass.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Its for the old 8.2 software but should give you the basic idea of how to configure it.

Hope this helps

- Jouni

View solution in original post

0 Helpful
9 Replies 9

Go to solution
deyster94
Level 5
Level 5

‎07-19-2013 01:07 PM

Do you see anything in the ASA log files that the traffic is getting to the ASA?

0 Helpful

Go to solution
miles0001
Level 1
Level 1
In response to deyster94

‎07-19-2013 01:33 PM

Hi,

Yes, I can see that packets from the inside network with destination to the OpenVPN client, are denied at the ASA inside interface. I have got an access rule that allows ip and icmp on the inside interface, with destination to the OpenVPN network, but it doesn't seem to help.

Peter

0 Helpful

Go to solution
deyster94
Level 5
Level 5
In response to miles0001

‎07-19-2013 01:37 PM

If you run packet tracer on the ACL's you have created for the traffic, do they pass? 

0 Helpful

Go to solution
miles0001
Level 1
Level 1
In response to deyster94

‎07-19-2013 01:44 PM

No, they do not pass. They get dropped by the implicit rule.

Peter

0 Helpful

Go to solution
miles0001
Level 1
Level 1
In response to deyster94

‎07-19-2013 01:57 PM

It seems the global implicit rule (deny all) is executed before the inside incoming rule in this case. And the rule that should allow the packets is the first incoming rule on the inside interface. It's weird...

Peter

0 Helpful

Go to solution
fb_webuser
Level 6
Level 6

‎07-19-2013 08:09 PM

You may need to open several more ports. Check what openvpn is using beyond the initial port. My guess is you need to allow isakmp/500 and possible other ports too.

Look at the client and server side of the openvpn to see where things are breaking.

---

Posted by WebUser Jesper Klit Jensen from Cisco Support Community App

0 Helpful

Go to solution
miles0001
Level 1
Level 1
In response to fb_webuser

‎07-19-2013 11:14 PM

Hi Jesper,

From tracing and logging it's completely clear that this is not a OpenVPN problem. The packets get dropped by the ASA. The global deny rule is erroneously applied before my rule that allows packets to the OpenVPN network.

Thanks for your input

Peter

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to miles0001

‎07-20-2013 04:12 AM

Hi,

I am not 100% sure about your setup but from what I gather you have the users and the VPN server in the same LAN network behind the ASA. The VPN users get an IP address from a VPN pool which in turn causes the LAN hosts/servers to send their traffic to the default gateway which is ASA.

This in turn causes asymmetric routing and the ASA doesnt see the full TCP connection 3 way handshake and drops the connections.

At this point it might even drop the to lacking the global configurations "same-security-traffic permit intra-interface" which is required for traffic to enter and leave the same interface on the ASA.

If all this is true then it would seem to me that there are a couple of options atleast.

  • Configure TCP State Bypass on the ASA for traffic between the LAN and the VPN Pool. This will naturally eliminate some security that the ASA provides for this traffic but considering we are talking about 2 networks which should already be secure I guess it would suffice for as long as you have to keep the OpenVPN setup.
  • Other options would be to move the server out of the LAN and move it on a DMZ on the ASA so that there is no way that the ASA could not see all the traffic between the VPN users and LAN users. This would seem to me better choice than the above.

Here is a link to a Cisco document describing TCP State Bypass.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Its for the old 8.2 software but should give you the basic idea of how to configure it.

Hope this helps

- Jouni

0 Helpful

Go to solution
miles0001
Level 1
Level 1
In response to Jouni Forss

‎07-20-2013 06:13 AM

Thanks again Jouni!

I applied the same-security-traffic rule, but that alone did not help (well, from inside to the VPN clients, but that wasn't what was intended). Then I applied the TCP bypass, which did the trick! Your assumption about the network topology is completely right. Moving out some of the servers to a DMZ had been overkill, and for some it's not even practically possible.

I wish you a nice day,

Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card