Routing question with ASA 5505

AaronCase3
Level 1

Here is my setup. 

Inside network on my ASA is 192.168.1.0, VLAN1 is 192.168.1.30

There is also an OpenVPN server on the 192.168.1.0 network that brings in traffic from the 192.168.2.0 network.

The OpenVPN server is 192.168.1.254; it is an Untangle box, which is also the default gateway for all but one host on the network.

I have one host that uses the ASA 192.168.1.30 as the gateway address (for SIP trunking).

There are SIP phones on the 192.168.2.0 network that send traffic to 192.168.1.26, which has the gateway of 192.168.1.30. This traffic needs to be routed back to the 192.168.1.254 gateway.

I've put in a route that I thought should work, but it hasn't.

I want any traffic that hits the inside interface on the ASA with a destination of 192.168.2.0 to be routed to 192.168.1.254 so it can traverse the VPN.

route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

This is the command I entered, but even with this in I am unable to communicate.

For a temporary fix I added the route in Windows on the host, but I would like to get it all done through the ASA. What am I missing?

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

I think you asked this in the previous discussion but I forgot to answer in that discussion.

Part of the problem with the current setup might be if you are missing this command:

same-security-traffic permit intra-interface

But to my understanding it still might not work. If you have VPN users from another subnet connecting through this server and they are connecting to an internal host which uses the ASA as the default gateway, then the ASA would not see the initial packet from the host 192.168.2.x to the host 192.168.1.26 but would see that host's reply through the gateway. This would cause the problem that the ASA would not allow the connections. This applies to TCP connections and would require configuring TCP State Bypass on the ASA.

From the perspective of the ASA the ideal situation for it would be if the VPN server was on its own DMZ on the ASA so that all traffic HAS to go through the ASA always. Is such setup possible or would it cause other problems?

Naturally your ASA's license might be a slight problem also (if it's Base License), though there might be a way around it.

EDIT: Gah, head doesn't function after workday. Corrected some typos

- Jouni

9 Replies

It isn't possible to have the VPN behind the ASA. I just implemented the same-security-traffic command and I am not able to ping hosts on the 192.168.2.0 network. I'll test and see if this has remedied it for me.

Thanks!

OK, I'm able to ping to the 192.168.2.0 network, but I'm not getting SIP registration to work. Is there something I need to do to allow all traffic between 192.168.1.0 and 192.168.2.0?

Hi,

I imagine that there is some TCP traffic involved even though I guess SIP is UDP? Or is it TCP also? Sorry, a bit clueless related to everything related to Voice/Video.

You could try TCP State Bypass even though it's not a clean solution, but if the network setup can't be configured better for the firewall then it must be used, I think.

Try this configuration. It presumes that you have the default "policy-map" configuration.

access-list TCP-STATE-BYPASS permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
class-map TCP-STATE-BYPASS
 description TCP State Bypass for internal networks
 match access-list TCP-STATE-BYPASS
!
policy-map global_policy
 class TCP-STATE-BYPASS
  set connection advanced-options tcp-state-bypass

At least to my understanding this should work, unless I remember wrong.

Notice again that I am using this configuration under the default ASA "policy-map global_policy".

- Jouni

I've added those commands and they don't seem to be making a difference. I've also tried adding in access rules to allow all traffic 192.168.1.0 to 192.168.2.0 and vice versa, using network objects that I created. Still no luck. Here's my running config:

: Saved
:
ASA Version 8.4(6)
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.30 255.255.255.0
!
interface Vlan2
mac-address c0ea.e426.1e05
nameif outside
security-level 0
ip address 108.174.110.110 255.255.255.0
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name center
same-security-traffic permit intra-interface
object network vam
host 192.168.1.26
description Created during name migration
object network MRMB_1
host 192.168.1.27
description Created during name migration
object network MRMA_1
host 192.168.1.28
description MRMB
object service VAM1
service udp destination range sip 5061
description VAM ports
object service VAM2
service udp destination range 16384 17383
description VAM SIP PORTS
object service MRMA
service udp destination range 17640 17895
description MRM A PORTS
object service MRMB
service udp destination range 17640 17895
description MRM B PORTS
object network Dynamic_NAT
subnet 192.168.1.0 255.255.255.0
object network vamIP
host 192.168.1.26
object network MRMAIP
host 192.168.1.27
object network MRMBIP
host 192.168.1.27
object service vamIP1
service udp source range 16384 17383
object service SIP
service udp source range sip 5061
object service mrmaUDP
service udp source range 17384 17639
object service mrmbUDP
service udp source range 17640 17895
object service vam5060
service udp source range sip 5061
object network KnoxVPN
subnet 192.168.2.0 255.255.255.0
description Knox IP's
object network Untangle
host 192.168.1.254
description VPN To Knoxville
object-group service VAM_PORTS
service-object object VAM1
service-object object VAM2
object-group service SIPPORTS udp
description WAVE PORT RANGES
port-object range sip 19000
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
access-list outside_access_in remark Allow ports for phone system
access-list outside_access_in extended permit object-group VAM_PORTS any object vamIP
access-list outside_access_in extended permit object MRMA any object MRMAIP
access-list outside_access_in extended permit object MRMB any object MRMBIP
access-list global_access extended permit ip any any inactive
access-list global_access extended permit udp any any object-group SIPPORTS
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
access-list global_access extended permit ip interface inside interface inside
access-list global_access extended permit ip 192.168.1.0 255.255.255.0 object KnoxVPN
access-list global_access extended permit ip object KnoxVPN 192.168.1.0 255.255.255.0
access-list inside_inside remark ALlow VPN Traffic
access-list TCP-STATE-BYPASS extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map TCP-STATE-BYPASS
description TCP State Bypass for internal networks
match access-list TCP-STATE-BYPASS
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class TCP-STATE-BYPASS
  set connection advanced-options tcp-state-bypass
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:462a45045d80065752bd7e1dd499b66e
: end

Hi,

Seems you did not have the default configuration on the ASA with regards to this "policy-map".

You will probably need to add this also:

service-policy global_policy global

- Jouni

OK, I don't recall making any changes to the policy map, but I'll add that command in and let you know what happens. Thanks!

I think this may have done the trick. I'll keep you posted. Thanks again!

That got it working. Thanks!!
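Added illustration, not from this thread or from Cisco: a small Python model of how the ASA in this thread treats the asymmetric path Jouni describes (the phone's first packet reaches 192.168.1.26 through the Untangle box, and only the reply hits the ASA's inside interface and is hairpinned back out to 192.168.1.254). The model has three switches that map to the three commands the thread turns on: same-security-traffic permit intra-interface, the TCP-STATE-BYPASS class/policy, and service-policy global_policy global, which was the missing piece. The class AsaModel, the Packet type, the function asymmetric_tcp_reply and the phone address 192.168.2.50 are constructed for the example; the subnets, 192.168.1.26 and 192.168.1.254 are from the thread. The model is simplified (no ACL or NAT evaluation, flows keyed by protocol and address pair only).

```python
"""Model of an ASA's connection check on the asymmetric SIP path from the thread.

Constructed example. Three booleans stand in for the commands discussed:
  intra_interface         -> same-security-traffic permit intra-interface
  bypass_class_configured -> class-map/policy-map TCP-STATE-BYPASS
  service_policy_applied  -> service-policy global_policy global
"""
from dataclasses import dataclass, field
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")    # inside subnet (thread)
KNOX_VPN_NET = ipaddress.ip_network("192.168.2.0/24")  # object network KnoxVPN (thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    tcp_flags: str = ""   # "SYN", "SYN-ACK", "ACK" for tcp packets


@dataclass
class AsaModel:
    intra_interface: bool = False          # hairpin on the same interface allowed?
    bypass_class_configured: bool = False  # class-map + policy-map lines present?
    service_policy_applied: bool = False   # policy-map actually attached?
    conns: set = field(default_factory=set)  # connection table: (proto, {a, b})

    def _bypass_applies(self, pkt: Packet) -> bool:
        # A policy-map is inert until it is attached with 'service-policy'.
        if not (self.bypass_class_configured and self.service_policy_applied):
            return False
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # access-list TCP-STATE-BYPASS permit ip 192.168.1.0/24 192.168.2.0/24,
        # matched for both directions of the flow.
        return (s in INSIDE_NET and d in KNOX_VPN_NET) or (s in KNOX_VPN_NET and d in INSIDE_NET)

    def forward(self, pkt: Packet, ingress: str, egress: str) -> str:
        """Return 'permit', 'permit (tcp-state-bypass)' or a 'drop: ...' reason."""
        if ingress == egress and not self.intra_interface:
            return "drop: hairpin on interface %s not permitted" % ingress
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        if key in self.conns:
            return "permit"                     # existing connection entry
        if pkt.proto != "tcp":
            self.conns.add(key)                 # UDP: conn built on first packet seen
            return "permit"
        if pkt.tcp_flags == "SYN":
            self.conns.add(key)                 # normal handshake start
            return "permit"
        if self._bypass_applies(pkt):
            self.conns.add(key)                 # mid-stream packet accepted
            return "permit (tcp-state-bypass)"
        return "drop: no connection and first TCP packet is not a SYN"


def asymmetric_tcp_reply(asa: AsaModel) -> str:
    """Phone (192.168.2.50, constructed) sends a SYN to 192.168.1.26 via the
    Untangle VPN box, so the ASA never sees it. The SYN-ACK from .26 goes to
    its gateway 192.168.1.30 (ASA inside) and is routed back out 'inside'
    to 192.168.1.254 by 'route inside 192.168.2.0 255.255.255.0 192.168.1.254'."""
    phone, vam = "192.168.2.50", "192.168.1.26"
    reply = Packet(src=vam, dst=phone, proto="tcp", tcp_flags="SYN-ACK")
    return asa.forward(reply, ingress="inside", egress="inside")


if __name__ == "__main__":
    stages = [
        ("no extra config", AsaModel()),
        ("+ intra-interface", AsaModel(intra_interface=True)),
        ("+ bypass class only", AsaModel(intra_interface=True, bypass_class_configured=True)),
        ("+ service-policy", AsaModel(intra_interface=True, bypass_class_configured=True,
                                      service_policy_applied=True)),
    ]
    for label, asa in stages:
        print("%-22s %s" % (label, asymmetric_tcp_reply(asa)))
```

Running the block walks through the thread's four states in order: the hairpin is refused until intra-interface traffic is permitted, the out-of-state SYN-ACK is still dropped with the class-map and policy-map present but unattached, and it passes only once the policy is applied with service-policy. The bypass is scoped by the ACL to the two subnets, which is the design point worth keeping: the ASA stops tracking TCP state for exactly those flows and nothing else.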
