Cisco ASA 5505 - 2 internal Networks

Richard Tapley
Level 1

Hi, new to ASAs,

Been trying to get the following setup working for ages but can't see what I am missing:

image.jpg

(Got image from another post but exactly what I want but cannot get working)

I can get ping between subnets but nothing else, and LAN 2 cannot get to the internet.

The resolution for this guy was the following, I believe (from his config he has ASA v8.2):

same-security-traffic permit intra-interface

access-list NONAT permit ip 192.168.50.0 255.255.255.0 10.0.50.0 255.255.255.0

access-list NONAT permit ip 10.0.50.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list NONAT

I have tried this, but I have ASA v8.4, and whilst commands 1-3 work, command 4 doesn't.

I get a message about the command being deprecated. I couldn't find a new version I could understand.

Hope it's nothing stupid and simple, but any help greatly appreciated.

BTW, I have reset my ASA back to defaults, except that internet access is working and the internal LAN, as I made so many changes I feared one might conflict with another.

Many thanks for any views or help.
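For the deprecated `nat (inside) 0 access-list NONAT` line asked about above: from ASA 8.3 onwards, NAT exemption is written as a manual (twice) NAT rule that translates each network to itself. The following is an added example, not configuration from the original post or from the 8.2 config it quotes; it uses the two networks from the quoted NONAT access-list, and the object names LAN1-NET and LAN2-NET, the host addresses in the packet-tracer check, and the 8.4 command syntax shown are this example's own.

```cisco
! ASA 8.3+ / 8.4 equivalent of the 8.2 lines:
!   access-list NONAT permit ip 192.168.50.0 255.255.255.0 10.0.50.0 255.255.255.0
!   nat (inside) 0 access-list NONAT
! Object names are chosen for this example; they are not from the original post.
object network LAN1-NET
 subnet 192.168.50.0 255.255.255.0
object network LAN2-NET
 subnet 10.0.50.0 255.255.255.0
!
! Manual (section 1) identity NAT: packets from LAN1 to LAN2 keep their real
! addresses in both directions. "any" as the mapped interface mirrors what
! "nat (inside) 0" covered in 8.2 (exemption regardless of egress interface).
nat (inside,any) source static LAN1-NET LAN1-NET destination static LAN2-NET LAN2-NET
!
! Dynamic PAT for internet access stays as object NAT (section 2). Section 1
! is evaluated first, so LAN1<->LAN2 traffic is exempted before PAT is considered.
object network LAN1-NET
 nat (inside,outside) dynamic interface
object network LAN2-NET
 nat (inside,outside) dynamic interface
!
! Checks (host addresses assumed for the example):
!   packet-tracer input inside tcp 192.168.50.10 1025 10.0.50.10 445
!     -> the NAT phase must show 192.168.50.10 -> 10.0.50.10 untranslated
!   show nat detail
!     -> the identity rule should appear under "Manual NAT Policies (Section 1)"
```

Two caveats worth knowing before typing this in. First, 8.3+ has no `nat-control`: traffic that matches no NAT rule is simply forwarded untranslated, so when the only rule is `nat (inside,outside) dynamic interface`, traffic between two networks that both sit behind the inside interface is never translated and needs no exemption at all (which is the point made later in this thread). Second, traffic that enters and leaves the same interface additionally requires `same-security-traffic permit intra-interface`, which the quoted 8.2 config already includes.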

Accepted Solution

Ok, tcp-bypass is done for TCP traffic only, and the document states that configuring this option avoids any type of inspection. This was mainly created for design issues where you receive traffic through the ASA without it going through the TCP 3-way handshake.

U-turning was also added for non-VPN traffic, based on the need to re-route traffic out of the same interface on which you receive a packet, but it has limitations.

Inspect ICMP to maintain control over ICMP sessions: one request, one reply.

Most of these issues are caused by incorrect routing, so to avoid over-complication just change the routing.

This is a document created for PIX but explains a little of what is happening.

Q. I recently added an inside router to connect a second inside network to my Cisco Secure PIX Firewall. Users between the Cisco Secure PIX Firewall and inside router can successfully get to the Internet, but they cannot talk to this new, inside network. Users on the new network are unable to get past the inside router. What is wrong?

    A. You must enter a specific route inside statement into the PIX for this new network through the new router. You can also enter a specific route inside statement for the major network through this router, which allows for future growth.

    For example, if your existing network is 192.168.1.0/24 and your new network is 192.168.2.0/24, the Ethernet port of your internal router is 192.168.1.2. The route configuration of the PIX appears similar to this:

        route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

    or (the major network):

        route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

    Workstations between the Cisco Secure PIX Firewall and router should have their gateway point to the router, not the PIX. Even though they are directly connected, they have problems accessing the new internal network if their gateway does not point to the router. The router should have a default gateway that directs all unknown traffic to the inside interface of the Cisco Secure PIX Firewall. The installation of a route for this new network in the PIX does not work either. The PIX does not route or redirect off the interface it received the packet. Unlike a router, the PIX cannot route packets back through the same interface where the packet was initially received. Also, make sure your nat statement includes the new network or the major net you are adding.

Value our effort and rate the assistance!

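The accepted solution's routing advice, applied to the addresses used later in this thread (LAN1 192.168.1.0/24 on the ASA's inside VLAN, LAN2 10.0.50.0/24 behind the 1841 whose LAN1-side address is 192.168.1.252). This is an added example, not configuration posted by anyone in the thread; the ASA inside address 192.168.1.1, the 1841's LAN2 address 10.0.50.1, the interface names and the host addresses are assumptions, and the OpenDNS resolver address is used only because the poster mentions using OpenDNS.

```cisco
! --- ASA 5505 (8.4) ---
! Tell the ASA where LAN2 lives. Without this route the ASA sends replies for
! 10.0.50.0/24 to its default route (the internet), and LAN2 never gets them.
route inside 10.0.50.0 255.255.255.0 192.168.1.252 1
!
! Only needed while LAN1 hosts keep the ASA as their default gateway: the ASA
! must then forward LAN1->LAN2 packets back out the inside interface (U-turn).
same-security-traffic permit intra-interface
!
! Internet access for both LANs. The default obj_any (0.0.0.0/0) already covers
! 10.0.50.0/24; explicit per-LAN objects are shown so "show nat" reads clearly.
object network LAN1-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN2-NET
 subnet 10.0.50.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Cisco 1841 (IOS), addresses and interface names assumed ---
interface FastEthernet0/0
 description LAN1 side, towards the ASA
 ip address 192.168.1.252 255.255.255.0
interface FastEthernet0/1
 description LAN2
 ip address 10.0.50.1 255.255.255.0
! Everything the router does not know goes to the ASA inside address.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! --- Hosts ---
! LAN2 hosts: default gateway 10.0.50.1 (the 1841).
! LAN1 hosts: default gateway 192.168.1.252 (the 1841), as the PIX document
! advises. LAN1->LAN2 traffic then never touches the ASA, both directions take
! the same path, and no TCP state bypass is needed. If LAN1 hosts must keep
! 192.168.1.1 as gateway, give them a host route instead, e.g. on Windows:
!   route -p add 10.0.50.0 mask 255.255.255.0 192.168.1.252
!
! --- Checks on the ASA ---
!   show route
!     -> "S 10.0.50.0 255.255.255.0 [1/0] via 192.168.1.252, inside" present
!   packet-tracer input inside tcp 10.0.50.10 1025 208.67.222.222 53
!     -> NAT phase translates to the outside interface address, result ALLOW
```

With LAN1 hosts pointing at the router, LAN1-to-internet packets go host, router, ASA on the way out and ASA, host on the way back; the ASA still sees both directions of every internet flow, so its stateful inspection is unaffected. The asymmetry the thread runs into only arises for LAN1-to-LAN2 traffic when the two LANs use different gateways for each other.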

29 Replies

cadet alain
VIP Alumni

Hi,

For communication between 10.0.50.0 and 192.168.1.0 you are using the router, and the devices on the 192.168.1.0 network are attached to switchports on the ASA, so they are switched, not routed, and so you don't need any of these commands to make it work. Just simply add a static route inside for 10.0.50.0 pointing towards 192.168.1.252 and NAT 192.168.1.0 and 10.0.50.0 from inside to outside.

Regards

Alain

Don't forget to rate helpful posts.


Hi Alain,

thanks for the reply.

I tried to do as you have suggested above but still have no connectivity, but I think this is more to do with what I am doing..... although I have to add I spent a few weeks / months with assistance from a guy from Experts Exchange with the same issue and still couldn't get it working, so I am beginning to feel it just isn't possible with my ASA. Could that be the case?

I added a static route and while I can ping the ASA from the PC on the 10.0.50.0 lan I can ping nothing else on the 192.168.1.0 lan.

From the 192.168.1.0 I can ping the router but nothing else on the 10.0.50.0 lan.

I am afraid that I really fell down on the NAT part. I tried to do it through the GUI and didn't see any different results, so I presume I am not selecting the correct options.

I wiped the ASA again to keep things fresh and not conflicting with each other, and when I set up the internet access again, just to try something different, I set up EIGRP on the router and the ASA and get the same ping connectivity as above.

Are you able to guide me further?

Many thanks

Richard

Let's try to tackle things in pieces:

I added a static route and while I can ping the ASA from the PC on the 10.0.50.0 lan I can ping nothing else on the 192.168.1.0 lan.


What static route did you add?

What is the gateway of the machines on the 192.168.1.0 LAN? Is it the ASA?

From the 192.168.1.0 I can ping the router but nothing else on the 10.0.50.0 lan.

This would also point to your gateway being the ASA.

Have you added a static route on the LAN 1 PC to route traffic for LAN2 through the router?

Or, you can set your gateway to the router.

Can you try one of these and see if you can ping between the test host on LAN1 and LAN2?

Hi Robert,

Thanks for the reply.

I have progress :-) and in the right direction :-)

Def G of PC's on 192.168.1.0 LAN is the ASA

Def G of PC's on 10.0.50.0 LAN is 1841 router.

added static route on ASA of : route inside 10.0.50.0 255.255.255.0 192.168.1.252 1

Still no connectivity.

Then added:

same-security-traffic permit intra-interface

And hurrah... ping from 192 to 10 from clients as well :-)

Question is......

ASA says:

  inter-interface  Permit communication between different interfaces with the

                   same security level

  intra-interface  Permit communication between peers connected to the same

                   interface

Where am I misunderstanding...

I did "inter-interface" first thinking devices are in different physical interfaces but same security level (inside) but it was the intra-interface that got the ping working but .... they are in different physical interfaces??? I am confused?

or is it a case that it looks at the inside and outside VLANs as interfaces in this scenario?

Only have ping connectivity though, so is NAT the next step?

Have always struggled with this bit, so if it is the next step please could I ask for guidance here thanks.

Thanks again

Richard

P.s. thanks for advice of tackling in pieces I all too often try too much....

Hi,

Had another look at this today.

Noticed that I was getting the following messages in the ASDM syslog:

Teardown TCP connection 12657 for inside:xx.xx.xx.xx/4658 to inside:xx.xx.xx.xx/139 duration 0:00:00 bytes 0 TCP Reset-O
Deny TCP (no connection) from xx.xx.xx.xx/4654 to xx.xx.xx.xx/445 flags RST  on interface inside

When I investigated I found a website that mentioned asymmetrical routing, presumably my problem, where the 1841 was routing directly back to the host instead of through the ASA?? Not something I have heard of before!

This mentioned using TCP state bypass; I found the following config at:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html#wp1087434

CONFIG AS PER BELOW:

hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside

Once the commands were entered..... HURRAH, it works!!!

I can now RDP to PC's in the 10 network :-)

After months I have made progress :-)

But..... is there any security risk with this? or anything else I should be concerned with?

I have run an nmap port scan on my external IP and that doesn't report any open ports so all good I hope??

Presuming bypassing the TCP state inspection is not the preferred method for proper resolution what is?

Only thing left now (unless you experts advise me to change this setup) is to get internet access from the 10 range PCs.

will DNS resolution pass through the ASA?

Thanks again, apologies for the length!

TCP bypass is meant for asymmetric traffic, which is what you have here. LAN2 can send directly to LAN1, but LAN1 must go through the firewall. The response from LAN2 to LAN1 will not pass through the ASA, which is what generated the log messages and kept the connection from working.

You should probably restrict the tcp bypass ACL more than you've done. It's bypassing everything, not just between your internal subnets. Instead of any, define the destination as your LAN1 network. You don't want to do TCP bypass on traffic from LAN2 to the internet.

Do you have an internal DNS server?

Can you post your current NAT configuration?
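The restriction described in the reply above, written out as an added example (not the poster's or Robert's configuration). The "before" is the 8.2 documentation example as pasted earlier in the thread: its source 10.1.1.0/27 matches nothing on this network, its destination `any` would, once the source is changed to LAN1, also bypass state checking for LAN1-to-internet connections, and it is applied on the outside interface, whereas the asymmetric flows here are LAN1 to LAN2 and enter on inside. The subnets are the ones used in this thread; the policy name is kept from the pasted config.

```cisco
! --- Before (copied from the 8.2 doc example) ---
!   access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
!   service-policy tcp_bypass_policy outside
!
! --- After: bypass only LAN1 -> LAN2, on the interface those packets arrive on ---
no access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.224 any
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.0.50.0 255.255.255.0
!
class-map tcp_bypass
 description TCP traffic that bypasses stateful inspection (LAN1 -> LAN2 only)
 match access-list tcp_bypass
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! The doc example hangs the policy on outside; inside-to-inside traffic never
! passes through the outside interface policy, so it has to be on inside.
no service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside
!
! --- Checks ---
!   show access-list tcp_bypass
!     -> hitcnt must climb after an RDP attempt; a hitcnt of 0 means the
!        class is not matching and the bypass is not doing anything
!   show service-policy interface inside
!     -> confirms tcp_bypass_policy is bound to inside
!   show conn | include 10.0.50.
!     -> bypassed connections carry the "b" flag (TCP state bypass)
```

One direction in the access-list is enough. For a connection started from LAN2, the first packet the ASA ever sees is the LAN1 host's SYN-ACK, sourced from 192.168.1.0/24 towards 10.0.50.0/24, and with state bypass the ASA will create a connection from that mid-handshake packet instead of logging "Deny TCP (no connection)". That is exactly what makes bypass a weaker posture: for matching flows the ASA no longer checks the handshake, sequence numbers or TCP options, and no inspection engine runs, so keep the access-list as narrow as this and treat the bypass as a workaround until the routing is fixed so that LAN1-to-LAN2 traffic takes the same path in both directions.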

Question is......

ASA says:

  inter-interface  Permit communication between different interfaces with the

                   same security level

  intra-interface  Permit communication between peers connected to the same

                   interface

Where am I misunderstanding...

I did "inter-interface" first thinking devices are in different physical interfaces but same security level (inside) but it was the intra-interface that got the ping working but .... they are in different physical interfaces??? I am confused?

or is it a case that it looks at the inside and outside VLANs as interfaces in this scenario?

The devices/endpoints are accessed through the same interface, the inside interface. It doesn't matter that they are on different VLANs.

Intra-interface basically allows the ASA to redirect traffic out the same interface that it entered on. In the past, the ASA couldn't actually do this type of redirection, only forward between interfaces.

This command is also very useful if you have remote access VPN sessions inbound that need to access resources over a L2L VPN tunnel. The traffic from the VPN sessions enters and leaves on the same interface, usually the outside.

Inter-interface is used if you have multiple interfaces with the same security level, maybe DMZs as an example. It's unlikely that you'll need this on a 5505 but it does happen in environments where there might be many more DMZs or extranets.

thanks for the info in both posts Robert, and the explanation.

Never thought of it that way!

I have restricted the access list to traffic from the 192 network to the 10 network, although I might restrict it down even further. I am surprised the access lists on the ASAs use subnet masks but those on Cisco routers etc. use wildcard masks! I understand that the ASAs were not originally a Cisco design but came from another company that was bought out, so perhaps that is why the difference, unless I misunderstood what the person was telling me.

I don't currently have a DNS server but in due course might set one up on a VMware box, I have been using openDNS.

I have copied the lines out of the show version for NAT below is this enough info?

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface nat

thanks also for the explanation of the inter and intra. I suppose this is where I need to make sure that I keep my head straight in logical and physical interfaces, presumably I was thinking in physical interfaces and the ASA was thinking logical for the inside and outside interfaces.

thanks again for your assistance with this.

The ASA line was preceded by the PIX line of firewalls, which was purchased back in the 90s. Cisco did not initially develop it.

Can you include your network objects also? You need to make sure that each LAN has been configured for NAT.

Hi Robert,

Apologies for the delay, had to suddenly do a lovely 600-mile round trip to Land's End.

I hope I haven't misunderstood what you have asked for but is the following what you are looking for:

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any

nat (inside,outside) dynamic interface

These are the only 2 network object entries I can see in the running config.

Am I right in thinking that the network object is like a label to make it easier to identify an object and add it to a ACL or NAT or other configuration?

Thanks again for your assistance.

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - firewalling". You can move your posting with the Actions panel on the right.

Thanks, sorry, it was in the wrong place.

An object group is just that, a grouping of stuff that makes ACLs easier to manage. Instead of applying  things to an individual item, you apply it to the group. Then you just add items to the group and they have the necessary policy applied. Like a security group in active directory.

This is basically saying 'all networks'

object network obj_any

subnet 0.0.0.0 0.0.0.0

This says the group defined should have NAT applied to all subnets and make them appear externally to be sourced from the outside interface of the ASA.

object network obj_any

nat (inside,outside) dynamic interface

These look fine for both subnets to access the internet. What ACLs are applied to the interfaces?

thanks again Robert.

I have had another look and am not sure if I am getting confused between access control lists and access rules, but I have copied the screen showing the Access Rules, which is attached.

I have had a look through the running config and did a show access-list, and all I could see was the following:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list tcp_bypass; 1 elements; name hash: 0xce18d5d2

access-list tcp_bypass line 1 extended permit tcp 192.168.1.0 255.255.255.0 10.0.50.0 255.255.255.0 (hitcnt=0) 0x63dba9fc

Is there something I am missing?

To me it all looks fine, and so I am thinking if I add DNS then it should be fine?

Thanks
