09-06-2013 04:20 PM - edited 03-11-2019 07:35 PM
Hi!
I have a problem with allowing traffic to UC500 subnets on the ASA 5505 inside interface.
My ASA is the main router with address 192.168.1.1.
The UC500 VoIP box is connected to the ASA's inside interface through the UC500 WAN port, with the UC500 using the 192.168.1.2 address.
Firewall and NAT on the UC500 are disabled.
UC500 SIP traffic works fine. The VoIP box creates its own subnets for data and voice - 192.168.10.0 and 10.1.1.0. Another important address is 10.1.10.1, which is the UC500 CUE.
My problem is that from within the ASA local network (192.168.1.0) I cannot reach the UC500 subnets, nor can I reach the ASA's local network from the UC subnets.
The log says:
3 | Sep 07 2013 | 00:21:49 | DC | 53 | PBXCUE | 32901 | portmap translation creation failed for udp src inside:DC/53 dst inside:PBXCUE/32901 |
I tried exempting the UC500 subnets on the ASA, but that didn't work.
The funny thing is that I CAN reach the UC500 subnets when connecting to the ASA over VPN...
Please help! I am not familiar with the CLI.
I configured a static route to 10.1.10.0, and since then I have been able to ping 10.1.10.1 through the ASA's VPN.
I would be grateful for ideas.
Lukasz
global (inside) 1 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https IIS https netmask 255.255.255.255 dns tcp 200 200 udp 200
static (inside,outside) tcp interface www IIS www netmask 255.255.255.255 dns tcp 200 200 udp 200
static (inside,outside) tcp interface smtp IIS smtp netmask 255.255.255.255 dns
static (inside,outside) tcp interface pop3 IIS pop3 netmask 255.255.255.255 dns
static (inside,outside) udp interface domain RenBetPBX domain netmask 255.255.255.255 dns
static (inside,outside) udp interface 5061 RenBetPBX 5061 netmask 255.255.255.255 dns
static (inside,outside) udp interface sip RenBetPBX sip netmask 255.255.255.255 dns
static (inside,outside) tcp interface 13000 SQL 13000 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
route inside PBXCUE-network 255.255.255.0 RenBetPBX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
09-10-2013 02:17 PM
Hello Lukas,
Way better description.
The problem is asymmetric routing.
So my recommendation would be:
And let us know how it goes.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-06-2013 11:33 PM
Hello Lukasz,
In these scenarios, what we usually see is that the ASA is not seeing the full exchange of packets (asymmetric routing).
In this case we have not even reached that part, as we are dealing with the NAT at this point.
Before any change to the configuration, what's the requirement?
Does the 192.168.10.0 need to talk to the 10.1.0.0, but does the 10.1.0.0 have to talk to the 192??
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 01:58 PM
Hi Julio!
Thank you for your interest and your reply.
I might not have been very clear in describing what I would like to achieve, after spending a weekend trying to configure my UC540 device and ASA5505...
The network topology looks like this:
i. ASA5505 (192.168.1.0 as my main network, ASA ip 192.168.1.1)
ii. UC540 (WAN connection, WAN IP: 192.168.1.2). The UC540 creates 2 subnets: 192.168.10.0 - data subnet, and 10.1.1.0 - voice subnet. The UC540 is connected to the 192.168.1.0 network through its WAN port and is given the static IP 192.168.1.2/255.255.255.0 with the default gateway set to the ASA (192.168.1.1). Firewall and NAT on the UC540 are both disabled.
The UC540 creates another network with the CUCM(E) service module at 10.1.10.1 and also creates a loopback interface with IP 10.1.10.2, which is used as the CUCM(E) gateway.
The UC540 has its radio device (2 SSIDs - one for 192.168.10.0 and a second for 10.1.1.0).
What I am trying to achieve:
1. To be able to reach 10.1.1.0 and 10.1.10.0 from within the ASA main network (192.168.1.0) - and also to be able to reach 192.168.1.0 from both 10.x.x.x networks. I need that for attaching additional IP phones from a switch that only operates on the 192.168.1.0 network. I also need that for configuring the SMTP notification service on CUCME (10.1.10.1), which would communicate with my Exchange on the 192.168.1.0 network.
2. To be able to configure the UC540 radios to allow access to the 192.168.1.0 ASA network rather than the 192.168.10.0 UC data network, which is what they do in the current configuration. At the moment UC540 Wi-Fi clients can only access the 192.168.10.0 network, which means they do not have access to my main 192.168.1.0 network.
I hope this explanation sounds more reasonable ;-)
Once again, thank you for your interest, and I am looking forward to hearing from you.
I have been working on my CLI skills recently and I am getting more used to it - I hope that with your help I will be able to reach my goals.
Regards
Lukasz
09-12-2013 11:41 AM
Hello Julio!
Thank you for your advice.
I have managed to solve my main problem by reconfiguring my switches' VLANs - enabling trunk port configs for the required ports and allowing them access to both VLANs.
Now I can see everything from all of my inside networks.
I continue my ASA adventures - I have managed to configure L2TP client access for my Windows users, RADIUS authentication for domain users, and last night I managed to configure a site-to-site VPN with my RV120W router.
I am only an enthusiast, but my recent successes have given me an appetite for more...
I keep reading forums and trying to solve most of my problems myself, but I have faced another one now and thought that maybe you could give me another tip on where to look for the issue:
I still have one problem with my L2TP VPN config - I have configured split tunnel on the group policy to tunnel only 192.168.1.0 network requests.
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
My network at home is 192.168.2.0, but it still tunnels everything (when I check my IP after connecting to the VPN, my home laptop still identifies with the ASA gateway(!) address).
access-list outside_access_in extended permit icmp any interface outside object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 23456
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 any
access-list outside_access_in extended permit tcp any interface outside eq 13000
access-list outside_access_in extended permit tcp any interface outside range 8001 8016
access-list outside_access_in extended permit tcp x.x.x.x 255.255.255.0 interface outside eq ssh
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any PBXVOIP-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip any PBXCUE-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 igolomska-network 255.255.255.0
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_2 any object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit ip host IIS any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip host RBSTORE_NAS any
access-list inside_access_in extended deny udp any any object-group DM_INLINE_UDP_2
access-list inside_access_in extended permit tcp any any eq 5432
access-list inside_access_in extended permit tcp any host PBXCUE eq www
access-list inside_access_in extended permit tcp host PBXCUE any eq www
access-list inside_access_in extended permit tcp host RBCAMSTORE_NAS host EXCH-MBX eq smtp
access-list inside_access_in extended permit tcp host RBSTORE_NAS host EXCH-MBX eq smtp
access-list inside_access_in extended permit tcp host RENBETUPS host EXCH-MBX eq smtp
access-list inside_access_in extended permit tcp host RenBetPBX host EXCH-MBX eq smtp
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 igolomska-network 255.255.255.0
route print shows:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.126 4250
0.0.0.0 0.0.0.0 On-link 192.168.1.240 21
80.51.24.22 255.255.255.255 192.168.2.1 192.168.2.126 4251
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
169.254.0.0 255.255.0.0 On-link 192.168.2.126 4506
169.254.104.126 255.255.255.255 On-link 192.168.2.126 4506
169.254.255.255 255.255.255.255 On-link 192.168.2.126 4506
192.168.1.240 255.255.255.255 On-link 192.168.1.240 276
192.168.2.0 255.255.255.0 On-link 192.168.2.126 4506
192.168.2.126 255.255.255.255 On-link 192.168.2.126 4506
192.168.2.255 255.255.255.255 On-link 192.168.2.126 4506
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.2.126 4506
224.0.0.0 240.0.0.0 On-link 192.168.1.240 21
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.2.126 4506
255.255.255.255 255.255.255.255 On-link 192.168.1.240 276
===========================================================================
and 192.168.1.240 is my VPN IP - its metric has higher priority than the local gateway.
How do I change it?
I am starting to feel like I am using a bit too much of your friendliness ...
Best Regards and have a great day!
Lukasz
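An added example, not from Lukasz's post or from Cisco: it reproduces the choice the Windows stack makes over the route table quoted above (longest prefix first, then lowest metric), which is why the 0.0.0.0/0 route via 192.168.1.240 with metric 21 wins over the home gateway with metric 4250, and it lists the destinations that leave via the VPN interface even though the split-tunnel ACL only covers 192.168.1.0/24. The probe address 192.168.2.50 is an assumed host on the home LAN; the route lines are copied from the table in the post.

```python
"""Route selection over a Windows 'route print' table vs. a split-tunnel ACL."""
import ipaddress

# Excerpt of the IPv4 route table from the post (same column order as 'route print').
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.126 4250
0.0.0.0 0.0.0.0 On-link 192.168.1.240 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
192.168.1.240 255.255.255.255 On-link 192.168.1.240 276
192.168.2.0 255.255.255.0 On-link 192.168.2.126 4506
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples; skips non-route lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Windows selection: most specific prefix wins, ties broken by lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))

def split_tunnel_leaks(routes, acl_networks, vpn_iface, probes):
    """Destinations that egress via the VPN interface although no ACL entry covers them."""
    acl = [ipaddress.ip_network(n) for n in acl_networks]
    leaks = []
    for dst in probes:
        chosen = lookup(routes, dst)
        covered = any(ipaddress.ip_address(dst) in n for n in acl)
        if chosen and chosen[2] == vpn_iface and not covered:
            leaks.append(dst)
    return leaks

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # 8.8.8.8 is the second DNS server from the group policy; 192.168.2.50 is assumed.
    for dst in ("8.8.8.8", "192.168.1.10", "192.168.2.50"):
        print(dst, "->", lookup(table, dst)[2:])
    print("leaks:", split_tunnel_leaks(table, ["192.168.1.0/24"], "192.168.1.240",
                                       ["8.8.8.8", "192.168.1.10", "192.168.2.50"]))
```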
09-12-2013 11:59 AM
Hello Lukasz,
No problem, it's always a pleasure to help.
I always recommend using a different address range on the other side of the connection to avoid weird routing/ARP issues.
The split tunnel access-list looks good:
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
Can you share the group-policy and tunnel-group setup? Because at the moment you should only have that route to the internal subnet.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-12-2013 01:35 PM
This is the group policy I use for L2TP:
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.10 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value BETONOWA.local
and tunnel group settings:
tunnel-group DefaultRAGroup general-attributes
address-pool install_pool
authentication-server-group BETONOWA-DC LOCAL
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
radius-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
09-12-2013 02:48 PM
Hello Lukasz,
To be honest with you, I have not played that much with L2TP, but configuration-wise it should be the same.
Can you use a different pool subnet for the VPN traffic (different than 192.168.1.0)? Make sure you use the right NAT0 configuration.
Just to check if that makes a difference.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura