12-18-2006 08:33 AM - edited 03-11-2019 02:10 AM
Hi
I am new to firewalls. I have configured a VPN between an ASA and a PIX, and it seems I have some basic issues. I cannot browse the internet (by IP or by name) or ping internet IPs from the local LAN. My network and configs are as below.
network
--------
switch - ASA - local router - internet(T1) - ISProuter - pix - switch
LAN to ASA inside - y.y.y.y/24
ASA outside to router - x.x.x.x/30
router to internet - k.k.k.k/30
remote LAN - a.a.a.a/24
LAN DG - x.x.x.1 (ASA)
ASA DG - k.k.k.2 (router)
Router DG - k.k.k.1 (ISP)
config
----------
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.1 255.255.255.252
interface Ethernet0/1
nameif inside
security-level 100
ip address y.y.y.1 255.255.255.0
access-list nonat extended permit ip y.y.y.0 255.255.255.0 a.a.a.0 255.255.255.0
access-list CRYPTO extended permit ip y.y.y.0 255.255.255.0 a.a.a.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 y.y.y.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.2 (DG of ASA is configured to router LAN address)
crypto map map1 20 match address CRYPTO
No other ACLs from inside to outside, so I believe everything is allowed from inside to outside.
Other crypto commands, ISAKMP, shared key etc. are all configured properly on both sites.
I used multiple statics so the outside world can talk to one global IP (k.k.k.2, the router's WAN IP towards the internet) to reach different internal servers on different ports:
static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255
access-list outside-to-inside extended permit tcp any host k.k.k.2 eq www
access-group outside-to-inside in interface outside
My results
-------------
can ping from local LAN to ASA inside interface
cannot ping from local LAN to ASA outside interface - I think this is normal for PIX & ASA
can ping from ASA to internet (eg:cisco.com)
can ping from local router to internet
cannot browse the internet (by IP or by name) or ping internet IPs from the local LAN; need advice on this please.
Can someone also advise me what basic tests I need to do before checking the VPN connectivity to the remote site?
Also, is there any document for ASA commands?
I can post the whole config with the IPs changed, if that's safe, so someone can take a look.
Thanks and Regards
Venkat
03-13-2007 08:51 AM
Hello Sarat,
I have done some research and haven't found any document that explains what these two counters mean.
However, this does not mean that the ASA is dropping packets randomly. These dropped packets may be untagged broadcast traffic. Since you are not using sub-interfaces, all traffic will be treated as untagged, that is, the default VLAN 1.
Hope this helps even though I couldn't support you with a document from Cisco.
Let me know if you need anything else,
Regards,
12-18-2006 10:43 AM
Hi Venkat,
It sounds like a NAT issue on the router. Do you have a public IP address on the ASA's outside interface? Or is it a private IP that is NATted to some public IP on the router?
Are you able to ping the internet (say 4.2.2.2) from the ASA itself?
Also, the static NAT you created for internal servers would not work, as this has to be done on the router itself, not on the ASA.
static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255
I would like to get more information about your topology. It seems like a configuration issue on the router.
Thanks,
Kanishka
12-18-2006 12:54 PM
Hi Kanishka
Thanks very much for your reply.
It sounds like a NAT issue on the router. Do you have a public IP address on the ASA's outside interface? Or is it a private IP that is NATted to some public IP on the router?
I do have a public IP on the ASA itself and there is no NAT on the router.
Are you able to ping the internet (say 4.2.2.2) from the ASA itself?
Yes, I can ping the internet from the ASA outside interface.
Also, the static NAT you created for internal servers would not work, as this has to be done on the router itself, not on the ASA.
static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255
Is there any way we can do this on the ASA, as we want to have all NAT and ACLs on the firewall? The router would just forward the traffic to the ASA.
I would like to get more information about your topology. It seems like a configuration issue on the router.
I have used dummy IPs and attached the configs in an Excel file (3 sheets). I will attach my network diagram shortly.
Please advise.
Thanks and Regards
venkat
12-18-2006 02:24 PM
12-19-2006 05:00 AM
Hi Venkat,
The access-list "outside-to-inside" is denying the echo replies and HTTP traffic from outside for internal hosts. The statements you have in the ACL do not apply anywhere, as the host 65.154.19.149 is not in the inside network of the ASA.
To start with:
1: The static NAT statements will not do any good, as the router will not forward the traffic inside unless you configure it to do so.
You mentioned you want to do all NAT on the ASA; then you have to use either the outside IP address of the ASA or any other free public IP of the same network for this purpose, e.g.
static (inside,outside) tcp 210.55.6.49 www 20.0.14.30 www netmask 255.255.255.255
This way all the internal servers will use the ASA outside IP for NAT.
2: For internal hosts to go to the internet, you have to do the following:
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any eq 80 any
And for statically NATted internal servers:
access-list outside-to-inside extended permit tcp any host 210.55.6.49 eq 80
Try this and let me know if it works.
12-19-2006 06:09 AM
Hi Kanishka
Thanks very much for your reply.
1. As you mentioned that I have to use 210.55.6.49 as my public IP for outside traffic to come inside, I can still use 65.154.19.149 as a public address on the router; however, this will not be used as a reference for inside and outside traffic, right?
2. For internal hosts to go to the internet, as I don't have any rules on the ASA for inside traffic to go out, my understanding is that all the traffic from inside is allowed to outside, right?
I was doing some testing last night in my lab on the existing T1; I removed the router and I am able to browse the internet without any ACLs.
ASA -- T1 -- remote PIX. So I don't understand if something is wrong between the ASA and the router that's stopping me from browsing the internet.
So do we still require the below rules?
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any eq 80 any
And as you see, "access-group outside-to-inside in interface outside" is applied to the outside interface.
If we require these rules, I think I should apply them on the inside interface for internet traffic from inside. So will the config be as below?
access-list inside-to-outside extended permit icmp any any
access-list inside-to-outside extended permit tcp any eq 80 any
access-group inside-to-outside in interface inside
Can you please advise if the other configs on the ASA, router and remote PIX are looking good? Especially, I have a doubt about the routes on the router.
Thanks for your help
venkat
12-19-2006 08:13 AM
Hi Venkat,
Yes, you can use the same IP address on the router.
You require the ACL entries only for your internal servers. You don't need any ACL entry for hosts going out to the Internet. (My mistake! ;) )
On the router, remove the route:
ip route 210.55.6.49 255.255.255.255 FastEthernet0/0
as it is a directly connected subnet and sometimes this route might cause some issues.
I would like you to try it and let me know if this works.
Thanks
Kanishka
12-19-2006 09:21 AM
Hi Kanishka
Unfortunately I can't test this now with the same scenario. I can only test on Thursday, as the client has an outage scheduled.
But as per the config which I sent to you, we tested in the live environment with the router last week and I was not able to browse the internet through the ASA.
As per the discussions we had, I believe the changes you advised are for outside traffic coming inside (static & nat statements). So with the current config, I should be able to access the internet through the ASA and PIX, right? But I was not able to do so at both locations. Can you please advise on this?
As I advised before, without the router in my lab, I am able to access the internet through the ASA; however, I am not able to browse through the remote PIX.
thanks
venkat
12-20-2006 06:41 AM
Hi Kanishka
I did some testing in my lab yesterday and found that the tunnel is up and running between the PIX and ASA without the router connected to the ASA. I have no issues browsing etc. I have added only ICMP config on both firewalls to allow any traffic and haven't done any other changes to the current config. I was not able to test the statics, which I will do tomorrow according to the rules advised by you.
My only concern is browsing the Internet with the router connected to the ASA. I am not sure if this is going to work tomorrow. Can we terminate a T1 on the ASA by inserting a module in it? That way I don't have to use the router.
Any advice on this is highly appreciated.
Best Regards
venkat
12-20-2006 06:37 PM
Hi
Can someone advise me on this please?
Thanks
venkat
12-21-2006 04:52 PM
Hello Sarat,
Below are the wrong lines in your config:
1700:
------
no ip route 210.55.6.49 255.255.255.255 FastEthernet0/0
No need for the above route. It is already directly connected to the router.
On the ASA:
All your statics won't work because your 1700 router does not have any route for 65.154.19.149.
If 65.154.19.149 is assigned by your ISP, then you have to add a route for this subnet on your 1700 router so it passes traffic to the ASA.
IPsec config looks OK; however, to check if the tunnel is up:
1- Try to ping end to end.
2- Go to the ASA and PIX and issue the command "show crypto isakmp sa". You should see status QM_IDLE.
Issue the above command more than once to make sure the VPN tunnel does not drop.
Let me know how it goes,
Regards,
12-21-2006 05:29 PM
Hi
Thanks for the reply. With the current configuration, I was unable to browse the internet from the local site. I believe this is the basic thing to check before testing the VPN. As I understand, my statics are wrong; however, these are used for outside traffic coming in. Do you see any problem accessing the internet from the local site with the current config (inside traffic going out)?
I have attached my updated configs and network diagram. I have tested this in my lab, but without having the router in between, i.e. the VPN is built between the ASA and PIX. Everything was successful. However, I am not sure if that works once the router comes in.
On the local site, the IPs between the ASA and the router (210.55.x.x) and the IPs between the router and the ISP (65.154.x.x) are all public IPs, as mentioned in my diagram.
thanks
12-21-2006 05:47 PM
12-22-2006 09:08 AM
Hello Sarat,
Below you can find the modifications you need to do:
1700:
no ip route 20.0.14.0 255.255.255.0 210.55.6.49
ASA:
no static (inside,outside) tcp 210.55.6.49 www 20.0.14.30 www netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 81 20.0.14.30 81 netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 82 20.0.14.30 82 netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 ftp 20.0.14.31 ftp netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 3389 20.0.14.32 3389 netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 https 20.0.14.33 https netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 smtp 20.0.14.34 smtp netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 8080 20.0.14.35 8080 netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 8008 20.0.14.33 8008 netmask 255.255.255.255
no static (inside,outside) tcp 210.55.6.49 4433 20.0.14.30 4433 netmask 255.255.255.255
static (inside,outside) tcp interface www 20.0.14.30 www netmask 255.255.255.255
static (inside,outside) tcp interface 81 20.0.14.30 81 netmask 255.255.255.255
static (inside,outside) tcp interface 82 20.0.14.30 82 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 20.0.14.31 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 20.0.14.32 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 20.0.14.33 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 20.0.14.34 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 20.0.14.35 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8008 20.0.14.33 8008 netmask 255.255.255.255
static (inside,outside) tcp interface 4433 20.0.14.30 4433 netmask 255.255.255.255
clear xlate
The other config should be correct.
Please let me know how it goes,
Regards,
12-22-2006 11:02 AM
Hi
Thanks for the reply. Last time you advised me to remove the below route, which I removed.
no ip route 210.55.6.49 255.255.255.255 FastEthernet0/0
Can you please advise: if I remove the below route, how would the router reach the internal network?
no ip route 20.0.14.0 255.255.255.0 210.55.6.49
After removing the above 2 routes, I will have only the default route, which is pointing to the ISP router.
And can you also please advise what the difference would be if I use the IP address instead of "interface" in the static commands? "interface" would be referring to the IP address, right?
Your early reply is much appreciated. I will be doing the final test this afternoon.
Thanks
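The two failure modes raised in this thread (the 12-19-2006 and 12-22-2006 replies), a static mapped to a public address the upstream router never hands to the ASA, and an outside ACL that names the wrong host, can be checked from the text of the config before an outage window. The following is an added example, not the poster's or Cisco's code; it assumes the ASA 7.x `static`/`access-list` syntax quoted in the thread, router routes supplied as a `prefix/len -> next-hop` dict, and uses the thread's dummy IPs as constructed sample values.

```python
import ipaddress
import re

# Assumes ASA 7.x 'static'/'access-list' syntax as quoted in the thread and
# router routes given as {'prefix/len': next_hop}; IPs are constructed samples.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit tcp any host (\S+) eq (\S+)$")
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ftp": "21", "smtp": "25"}


def parse_static(line):
    """Return (mapped, mapped_port, real, real_port); port keywords become numbers."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcp static: " + line)
    _, _, mapped, mport, real, rport, _ = m.groups()
    return mapped, PORT_NAMES.get(mport, mport), real, PORT_NAMES.get(rport, rport)


def router_delivers(mapped, asa_outside, router_routes):
    """True if the upstream router will hand packets for `mapped` to the ASA
    whose outside interface is asa_outside ('ip/prefixlen')."""
    outside = ipaddress.ip_interface(asa_outside)
    if mapped == "interface":
        return True  # PAT on the outside address itself: the router ARPs for it
    addr = ipaddress.ip_address(mapped)
    if addr in outside.network:
        return True  # same link as the router, so directly reachable
    return any(addr in ipaddress.ip_network(p) and nh == str(outside.ip)
               for p, nh in router_routes.items())


def acl_permits(acl_lines, public_ip, port):
    """True if some outside ACL entry admits TCP to public_ip:port."""
    matches = (ACL_RE.match(e.strip()) for e in acl_lines)
    return any(m and m.group(1) == public_ip
               and PORT_NAMES.get(m.group(2), m.group(2)) == port
               for m in matches)


def check_static(line, asa_outside, router_routes, acl_lines):
    """Return the reasons this static will not pass traffic ([] means OK)."""
    mapped, mport, _, _ = parse_static(line)
    outside_ip = str(ipaddress.ip_interface(asa_outside).ip)
    public = outside_ip if mapped == "interface" else mapped
    problems = []
    if not router_delivers(mapped, asa_outside, router_routes):
        problems.append("router has no path to %s via the ASA" % mapped)
    if not acl_permits(acl_lines, public, mport):
        problems.append("outside ACL does not permit tcp %s:%s" % (public, mport))
    return problems
```

With the original `65.154.19.149` static and a router that only has a default route to the ISP, `check_static` reports the missing path; with the `interface` form it passes once the ACL names the ASA outside address.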