Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Internal routing issue (asa 5510 v 8.2.2)

Hello again,

Well, I seem to be getting 'schooled" by these ASA 5510 devices lately.   I just had a lot of help resolving an inter-interface communications problem and now I've got a (hopefully small) routing problem on another 5510.  I hope the community can help me again.

I have a problem with implementing a route statement on an ASA 5510.

The 5510 has 1 inside and one outside interface.  The FW is the default GW for the subnet on the inside interface (192.168.1.1).  However, for traffic bound to 192.168.100.x, I need it to route back out onto the inside subnet and send it to another ASA5510 (192.168.1.3).

I've setup a route statement (route inside HQ-inside 255.255.255.0 192.168.1.3 1) but it is not working.

I imagined that since I'm not sending the traffic 'through' the firewall, I wouldn't need to deal with access lists and nat.  Am I wrong on that?

I've done a packet trace and it looks like the packets are dropping at the nat rule (nat (inside) 2 0.0.0.0 0.0.0.0.0).  I wonder if I need to do something similar in the last problem.  Something like a NAT Exemption) but I'm still not fully aware of what I'm doing... (embarassed to say).  Sorry to ask you to spoon feed me like this.

As always really appreciate any help.

Geoffrey

Here's my current Conf (edited for security):

Result of the command: "show running-config"

hostname NorthASA

domain-name domain.org

enable password c7Ik4QWNoVuUmbYX encrypted

passwd c7Ik4QWNoVuUmbYX encrypted

names

name 192.168.100.0 HQ-Inside

name 192.168.1.254 NHFDServer2-Inside

name xxxx NHFDServer2-Outside

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address xxxx 255.255.255.248

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name domain.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service RDP tcp

port-object eq 3389

object-group service DM_INLINE_TCP_0 tcp

group-object RDP

port-object eq www

port-object eq https

port-object eq smtp

access-list valley_nat0 extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list valley_cryptomap extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0

access-list Inside_nat_static extended permit ip host NHFDServer2-Inside any

access-list Outside_access_in extended permit tcp any host NHFDServer2-Outside object-group DM_INLINE_TCP_0

access-list inside_nat_static extended permit ip host NHFDServer2-Inside any

access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 172.29.12.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.99.9.1-10.99.9.200 netmask 255.255.255.0

global (outside) 2 interface

global (outside) 3 NHFDServer2-Outside netmask 255.255.255.255

nat (inside) 1 access-list inside_nat_outbound

nat (inside) 2 0.0.0.0 0.0.0.0

static (inside,outside) 10.99.9.201 192.168.1.31 netmask 255.255.255.255

static (inside,outside) 10.99.9.202 192.168.1.32 netmask 255.255.255.255

static (inside,outside) NHFDServer2-Outside NHFDServer2-Inside netmask 255.255.255.255

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 74.92.226.62 1

route inside HQ-Inside 255.255.255.0 192.168.1.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac

crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map valley_map 1 match address valley_nat0

crypto map valley_map 1 set pfs group5

crypto map valley_map 1 set peer 146.129.253.3

crypto map valley_map 1 set transform-set VALLEY

crypto map valley_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password ra.2Iw6nrBEaHn0M encrypted privilege 15

tunnel-group 146.129.253.3 type ipsec-l2l

tunnel-group 146.129.253.3 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d7f1b5a56370f3a2e2a6afe3c497ff8d

: end

1 ACCEPTED SOLUTION

Accepted Solutions

Internal routing issue (asa 5510 v 8.2.2)

Hello,

So you are basically not natting anything between those 2 subnets with this configuration

Now what is the result of the packet-tracer that I am about to provide you

Local ASA

packet-tracer input inside tcp 192.168.1.10 1025 192.168.100.25 80

Now just by logic I can see a routing issue in here ( Asymetric flow)

As you know the ASA's are stateful firewalls right so check the following

1-Host behind the remote ASA at 192.168.100.25 innitiates a connection to 192.168.1.10 ( SYN)

2-Remote ASA receives, does not perform any nat as thats what you have configured

3-Looks on the routing table and determines the destination it's directly connected to him so it will send it to that host without going to the local ASA ( THIS IS THE ISSUE)

4-PC 192.168.1.10 receives the packet and it replies to Local ASA with a SYN ACK  as that it's his gateway.

5-Local ASA receives and said Wait a Minute a SYN ACK for this connection but where is my SYN, I have not received it and drops the connection

As simple as that, How to solve it

Workaround 1: TCP statebypass

                    2: U-turning proxy arping a fake IP so the traffic from PC on the remote ASA always goes to local ASA

You have some homework to do

Remember to rate the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
17 REPLIES

Re: Internal routing issue (asa 5510 v 8.2.2)

Hi Bro

Please do copy and paste the config shown below. This should resolve your issue.

!

no access-list valley_cryptomap extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0

no access-list Inside_nat_static extended permit ip host NHFDServer2-Inside any

no access-list inside_nat_static extended permit ip host NHFDServer2-Inside any

!

no global (outside) 3 NHFDServer2-Outside netmask 255.255.255.255

!

access-list inside permit ip any any

access-group inside in interface inside

!

nat (inside) 0 access-list inside-to_192.168.100

access-list inside-to_192.168.100 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

!

      

Note: I've attached a diagram along in this case. This something for you to propose, in improving your network further.

P/S: If you think this comment is useful, please do rate it nicely :-) and click on the "Correct Answer" button

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Internal routing issue (asa 5510 v 8.2.2)

Hi Ramraj,

I must say, some of this is really unintuitive.  It's quite humbling after 26 odd years as a generalist IT person.

I don't understand how removing those Access lists - especially the Valley_cryptomap list - would affect this routing issue.  Wouldn't this break my VPN?

I sort of see where you are going with the last 2 lines but I really don't understand the purpose of the rest of it.  Can you shed some light on your thinking?

All that said, for diagnostic purposes, I did cut and paste these into the Multi-line ASDM CLI interface (and then re-ran the nat(inside) line because if failed with "access-list inside..." does not exist").  I then tried to RDP from 192.168.1.254 to 192.168.100.2 and was not successful.

Since I'm nervous about preserving my VPN, I've since reversed the lines above.

Thanks,

Internal routing issue (asa 5510 v 8.2.2)

Hi Bro

Yes, you're correct. Removing the ACLs that I’ve proposed above will not resolve your routing issue but it's part of the configuration clean-up process. This is because you're not using them at all. This is based on the assumption the configuration you've provided above is the latest copy. This will not break your VPN but if you're afraid to give it a try, that's fine by me.

Moving forward, since you've done what I’ve suggested and it doesn't resolve your issue, could you paste both the FW's config here? Perhaps, there’s something else that I missed out.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Hi Ramraj,

Good to know.  I'd prefer a clean config so when we're done with the routing issue, I'll come back and experiment with removing those access lists and Globals.  Thanks a lot for the recommendations there.

Back to the route issue:

The configs are posted below.  Note that I have reapplied this to the FW we have been working on (highlineASA):

access-list inside permit ip any any

access-group inside in interface inside

!

nat (inside) 0 access-list inside-to_192.168.100

access-list inside-to_192.168.100 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

      

Also be aware that the other firewall is passing traffic correctly.  I know this because when I go to a workstation and set the GW to 192.168.1.3, I am able to access the hosts on the other side of that firewall (thanks to your help in this post: https://supportforums.cisco.com/message/3714489#3714489).

First is the running conf for local GW FW:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname HighlineASA
domain-name domain2.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name 192.168.100.0 HQ-Inside
name 192.168.1.254 NHFDServer2-Inside
name xxxx NHFDServer2-Outside
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xxxx 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_0 tcp
group-object RDP
port-object eq www
port-object eq https
port-object eq smtp
access-list valley_nat0 extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.9.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host NHFDServer2-Inside any
access-list Outside_access_in extended permit tcp any host NHFDServer2-Outside object-group DM_INLINE_TCP_0
access-list inside_nat_static extended permit ip host NHFDServer2-Inside any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list inside extended permit ip any any
access-list inside-to_192.168.100 extended permit ip 192.168.1.0 255.255.255.0 HQ-Inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.99.9.1-10.99.9.200 netmask 255.255.255.0
global (outside) 2 interface
global (outside) 3 NHFDServer2-Outside netmask 255.255.255.255
nat (inside) 0 access-list inside-to_192.168.100
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.9.201 192.168.1.31 netmask 255.255.255.255
static (inside,outside) 10.99.9.202 192.168.1.32 netmask 255.255.255.255
static (inside,outside) NHFDServer2-Outside NHFDServer2-Inside netmask 255.255.255.255
access-group Outside_access_in in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 74.92.226.62 1
route inside HQ-Inside 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted privilege 15
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2191c29b28ebfb542d7c12872d5c0640
: end

This is the remote (HQ) FW:

Result of the command: "show running-config"

hostname HQASA
domain-name domain.org
enable password c7Ik4QWNoVuUmbYX encrypted
passwd c7Ik4QWNoVuUmbYX encrypted
names
name xxxx Server2-Outside
name xxxx Konica-Outside
name xxxx Sharepoint-Outside
name 192.168.100.15 Konica-Inside
name 192.168.100.2 Server2-Inside
name 192.168.100.5 Sharepoint-Inside
name 192.168.1.0 Highline-inside
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
pppoe client vpdn group blah

ip address xxxx 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif Highline
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service Sharepoint-SSL tcp
port-object eq 444
object-group service Zone3-17365 tcp
port-object eq 17365
object-group service Konica-printing tcp
port-object eq 9100
access-list Outside_access_in extended permit tcp any host Server2-Outside eq 3389
access-list Outside_access_in extended permit tcp any host Server2-Outside eq smtp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq ftp
access-list Outside_access_in extended permit tcp any host Server2-Outside eq www
access-list Outside_access_in extended permit tcp any host Server2-Outside eq https
access-list Outside_access_in extended permit tcp any host Server2-Outside eq pptp
access-list Outside_access_in extended permit gre any host Server2-Outside
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq www
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside eq https
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Zone3-17365
access-list Outside_access_in extended permit tcp any host Sharepoint-Outside object-group Sharepoint-SSL
access-list Outside_access_in extended permit tcp any host Konica-Outside object-group Konica-printing
access-list valley_nat0 extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list valley_cryptomap extended permit ip 10.99.12.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 172.29.12.0 255.255.255.0
access-list Inside_nat_static extended permit ip host Server2-Inside any
access-list Inside_nat_static_1 extended permit ip host Server2-Inside host 172.29.12.5
access-list Inside_nat_static_2 extended permit ip host 192.168.100.12 host 172.29.12.1
access-list Highline_access_in extended permit ip any any
access-list Inside extended permit ip any any
access-list Inside-to-Highline extended permit ip 192.168.100.0 255.255.255.0 Highline-inside 255.255.255.0
access-list Highline-to-Inside extended permit ip Highline-inside 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Highline 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 2 10.99.12.10-10.99.12.254 netmask 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside-to-Highline
nat (Inside) 2 access-list Inside_nat_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Highline) 0 access-list Highline-to-Inside
nat (Highline) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Sharepoint-Outside Sharepoint-Inside netmask 255.255.255.255
static (Inside,Outside) Konica-Outside Konica-Inside netmask 255.255.255.255
static (Inside,Outside) 10.99.12.5  access-list Inside_nat_static_1
static (Inside,Outside) Server2-Outside  access-list Inside_nat_static
static (Inside,Outside) 10.99.12.1  access-list Inside_nat_static_2
access-group Outside_access_in in interface Outside
access-group Inside in interface Inside
access-group Highline_access_in in interface Highline
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TEST esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VALLEY esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map valley_map 1 match address valley_nat0
crypto map valley_map 1 set pfs group5
crypto map valley_map 1 set peer 146.129.253.3
crypto map valley_map 1 set transform-set VALLEY
crypto map valley_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.100.0 255.255.255.0 Inside
telnet Highline-inside 255.255.255.0 Highline
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group blah request dialout pppoe
vpdn group blah localname

vpdn group blah ppp authentication pap
vpdn username password ***** store-local
dhcpd address 192.168.11.2-192.168.11.254 management
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ra.2Iw6nrBEaHn0M encrypted
tunnel-group 146.129.253.3 type ipsec-l2l
tunnel-group 146.129.253.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:26297ecc874da0830228d68c7784c33e
: end

New Member

Internal routing issue (asa 5510 v 8.2.2)

Hello Ramraj,

I'm just pinging to see if you've had a chance to look at the configs I posted.  I don't mean to harass you.  Just wanted to make sure it didn't slip through the cracks.

Thanks,

Geoffrey

Internal routing issue (asa 5510 v 8.2.2)

Hello,

So you are basically not natting anything between those 2 subnets with this configuration

Now what is the result of the packet-tracer that I am about to provide you

Local ASA

packet-tracer input inside tcp 192.168.1.10 1025 192.168.100.25 80

Now just by logic I can see a routing issue in here ( Asymetric flow)

As you know the ASA's are stateful firewalls right so check the following

1-Host behind the remote ASA at 192.168.100.25 innitiates a connection to 192.168.1.10 ( SYN)

2-Remote ASA receives, does not perform any nat as thats what you have configured

3-Looks on the routing table and determines the destination it's directly connected to him so it will send it to that host without going to the local ASA ( THIS IS THE ISSUE)

4-PC 192.168.1.10 receives the packet and it replies to Local ASA with a SYN ACK  as that it's his gateway.

5-Local ASA receives and said Wait a Minute a SYN ACK for this connection but where is my SYN, I have not received it and drops the connection

As simple as that, How to solve it

Workaround 1: TCP statebypass

                    2: U-turning proxy arping a fake IP so the traffic from PC on the remote ASA always goes to local ASA

You have some homework to do

Remember to rate the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Internal routing issue (asa 5510 v 8.2.2)

Hi Julio,

I'll start by saying that I'm not knowledgeable enough about this device to disagree with your logic but it seems odd to me.  Mostly because I've found it very easy to set up this exact same configuration on other stateful firewalls (Firebox, Sonicwall, Juniper and Checkpoint).  It'd surprise the heck out of me if a Cisco device couldn't accomplish this simple task. 

I'm not ranting or anything.  It just seems weird. Maybe I do have some homework to do .

That said, the output from Packet tracer is strange:

Result of the command: "packet-tracer input inside tcp 192.168.1.10 1025 192.168.100.25 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   HQ-Inside 255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.1.0 255.255.255.0 inside HQ-Inside 255.255.255.0
    NAT exempt
    translate_hits = 241, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
  match ip inside 192.168.1.0 255.255.255.0 outside 172.29.12.0 255.255.255.0
    dynamic translation to pool 1 (10.99.9.1 - 10.99.9.200)
    translate_hits = 1445, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 1951, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 1951, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Note what is happening is Phase 6.  I can't interperet it well but it looks like my VPN's Dynamic Nat Policy is hijacking the packet.  What do you think?

Thanks,

G

Internal routing issue (asa 5510 v 8.2.2)

Hello Geff,

Again you will need to see the logic behind what security means to the ASA to understand that but right now looks like the problem is the NAT at least for the Packet tracer output. So let's work on that first :

static (inside,inside)  192.168.100.0  192.168.100.0 netmask 255.255.255.0

Do the same packet tracer and let me know the result dude.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

That certainly cleaned up the Packet Tracer output:

Result of the command: "packet-tracer input inside tcp 192.168.1.10 1025 192.168.100.25 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) hq-Inside hq-Inside netmask 255.255.255.0
  match ip inside hq-Inside 255.255.255.0 inside any
    static translation to hq-Inside
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate hq-Inside/0 to hq-Inside/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.1.0 255.255.255.0 inside hq-Inside 255.255.255.0
    NAT exempt
    translate_hits = 243, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
  match ip inside 192.168.1.0 255.255.255.0 outside 172.29.12.0 255.255.255.0
    dynamic translation to pool 1 (10.99.9.1 - 10.99.9.200)
    translate_hits = 1445, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 1951, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) hq-Inside hq-Inside netmask 255.255.255.0
  match ip inside hq-Inside 255.255.255.0 inside any
    static translation to hq-Inside
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) hq-Inside hq-Inside netmask 255.255.255.0
  match ip inside hq-Inside 255.255.255.0 inside any
    static translation to hq-Inside
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 150022, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

I was just carefully reviewing your logic from a couple of posts ago.  I think I found an error in your understanding of the configuration...  you see, the network looks like this:

BF small drawin as is.jpg

Not like this:

BF small drawing not as is.jpg

Thus, when you said:

1-Host behind the remote ASA at 192.168.100.25 innitiates a connection to 192.168.1.10 ( SYN)

2-Remote ASA receives, does not perform any nat as thats what you have configured

3-Looks on the routing table and determines the destination it's directly connected to him so it will send it to that host without going to the local ASA ( THIS IS THE ISSUE)

4-PC 192.168.1.10 receives the packet and it replies to Local ASA with a SYN ACK as that it's his gateway.

5-Local ASA receives and said Wait a Minute a SYN ACK for this connection but where is my SYN, I have not received it and drops the connection

#2  and what follows is not accurate:

It should be more like this?:

1-Host behind the remote ASA at 192.168.100.25 innitiates a connection to 192.168.1.10 ( SYN)

2-Local Host recieves packet and replys but since GW is set to local ASA, the reply goes there.

3-Local ASA inspects routing table and sees that 192.168.100.x network can be found through the "router" at 192.168.1.3

4- I'm not sure what comes next.  I'm mostly a server guy.   But I would expect it to put the traffic back on the inside interface bound for 192.168.1.3.

5- Traffic arrives at remote host and everyone lives happily ever after.

Am I way off base?

Thanks mate.


      

New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Note that I just edited some minor points in the previous post.  Mostly around the logic information at the end and edited certain info for security.

New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Oh, and one more thing FYI.

I can now Ping in both directions... Though I can't do anything else.

New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Hmmmm.  TCP Bypass.

Really good suggestion.

I now have full connectivity but man is it slow. 

Is that expected?

Here's what I did:

On HQASA:

access-list tcp_bypass extended permit TCP 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

Class-map tcp_bypass

description "traffic to 192.168.1.0"

match access-list tcp_bypass

policy-map tcp_bypass_policy

Class tcp_bypass

set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface Highline

On HighlineASA:

access-list tcp_bypass extended permit TCP 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

Class-map tcp_bypass

description "traffic to 192.168.100.0"

match access-list tcp_bypass

policy-map tcp_bypass_policy

Class tcp_bypass

set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

I'm wondering about context now.  Do I only have to do this on the Highline ASA?  The one with the hairpin route?

Would appreciate your thoughts... Anyone's thought actually.

Thanks,

G

Re: Internal routing issue (asa 5510 v 8.2.2)

Hello,

I just saw your answer, looks like you already did it...

Saw it was the logic I told you before, the ASA behaves as no other Firewall device, is the best man!

Now this needs to be done just on the Local ASA! No need to do it on the remote

Just on one ( The HQ)

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Well now that's not what I expected you to say. 

I did the HQ ASA first and then tested but was not able to connect.

I then did it on HighlineASA and everything connected.

Is the fact that I have it on both ASAs the cause of extreme slow connection?

Thanks,

G

Re: Internal routing issue (asa 5510 v 8.2.2)

Hello,

I mean that, sorry I am not checking the diagrams anymore hehe

Yes, as you add more work to the ASA>>>>

Glad I could help man

Have a good one

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Internal routing issue (asa 5510 v 8.2.2)

Hello Geoff,

The diagram you just set it's what I am saying dude jaja

Ok ...why ICMP works?

     Because ICMP is stateless for the ASA unless you add the following command and becomes statefull

          Fixup Protocol ICMP

I ensure you that as soon as you add the highlated command the ICMP will stop working

Why any other traffic fails.. I would say tcp traffic? Because it is stateful

Again back to my theory

How to solve it:

TCP state bypass

access-list test permit tcp 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

class-map test

match access-list test

policy-map global_policy

class test

set connection advanced-options tcp-state-bypass

Clear local-host

Then give it a try and Keep me posted dude

Remember to rate all the helpful posts

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Internal routing issue (asa 5510 v 8.2.2)

Well, I had high hopes for TCP Bypass but it doesn't appear to be a usable solution.  At least not yet.

First, just FYI,  It seems to be necessary on both ASAs.  If I deactivate the Service Policy on either FW, communications fail.

Worse, although some communication is occuring,  Most is failing.

For example, I can map a drive across the connection but cannot browse the content.  I can make an RDP connection but mouse and keyboard information does not seem to make it accross the connection.  Telneting to the remote FW (from either direction) fails outright.

So, unless, there's some way to improve the performance, I can't call it a working solution at this time.

Note that the connection between HQ and Highline locations is a dedicated fiber connection running at 100Mbps and this is the only traffic running across it.  So, I can at least say it's not a bandwidth issue. 

Any ideas about how to proceed?

Thanks,

Geoffrey

632
Views
3
Helpful
17
Replies
CreatePlease to create content