Solved: Segment from PIX to segment on ASA continued...

Tyler Woods · ‎11-22-2013

This is a continuation of the the thread that can be found here:

https://supportforums.cisco.com/message/4100237#4100237

I need the following to happen:

Host at 12.x.x.134 to access host 10.50.2.32 on port 8888.

Host at 12.x.x.134 to access host 10.50 2.33 on port 1560.

I am at a complete loss on getting this accomplished. Have tried multiple configurations and nothing works. Ideally I would collapse this all to the ASA but I do not have the time to dedicate at the moment so I just need to get this working as it is. The ASA is under SMARTnet but CCO ID does not have permission to its serial number yet.

Any guidance on this would be greatly appreciated. Is below enough to go on?

ASA Interfaces

Ethernet0/0 outside 64.xx.xx.130 security-level 0 --> to RouterA via 2980

Ethernet0/1 inside 10.50.2.1 security-level 100 --> to 2980

Ethernet0/2 dmz1 10.10.10.2 security-level 50 --> to ASA e2

PIX

Ethernet0 outside 12.xx.xx.2 security-level 0 --> to RouterB via 2980

Ethernet1 dmz 12.x.x.129 security-level 50 --> to 2980

Ethernet2 dmz2 10.10.10.1 security-level 50 --> to PIX e0/2

Jon Marshall · ‎11-22-2013

Tyler

I think the issue may be this line on the pix -

nat (dmz2) 0 10.50.2.0 255.255.255.0

this is Identity NAT. Basically it says don't translate 10.50.2.x addressing going to the pix. But it is only one way ie .from the ASA to the pix. I don't know why it is there but we should be able to override it with -

static (dmz2,dmz) 10.50.2.33 10.50.2.33 netmask 255.255.255.255

So if the ping didn't work can you add this to the pix and retest both with ping and connecting on the ports you want to use.

Jon

View solution in original post

Jon Marshall · ‎11-22-2013

Tyler

Thanks for starting new thread. Here are the narrowed down configs -

ASA Version 8.2(5)

!

interface Ethernet0/0

description Internet

nameif outside

security-level 0

ip address 64.x.x.130 255.255.255.240

!

interface Ethernet0/1

description inside

nameif inside

security-level 100

ip address 10.50.2.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz1

security-level 50

ip address 10.10.10.2 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list DMZ2IN extended permit tcp host 12.x.x.130 host 12.y.x.130 eq ftp

access-list DMZ2IN extended permit tcp host 12.x.x.130 host 12.y.x.130 eq ftp-data

access-list DMZ2IN extended permit tcp host 12.x.x.134 host 10.50.2.33 eq 1560

access-list DMZ2IN extended permit tcp host 12.x.x.134 host 10.50.2.32 eq 8888

access-list DMZ2IN extended permit ip any any

nat-control

global (outside) 1 interface

global (dmz1) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 10.50.2.0 255.255.255.0

static (inside,dmz1) tcp 10.50.2.32 8888 10.50.2.32 8888 netmask 255.255.255.255

static (inside,dmz1) tcp 10.50.2.33 1560 10.50.2.33 1560 netmask 255.255.255.255

access-group DMZ2IN in interface dmz1

route outside 0.0.0.0 0.0.0.0 64.x.x.129 1

route dmz1 12.x.x.134 255.255.255.255 10.10.10.1 1

PIX Version 7.0(6)

!

interface Ethernet0

nameif outside

security-level 0

ip address 12.xx.xx.2 255.255.255.248

!

interface Ethernet1

nameif dmz

security-level 50

ip address 12.x.x.129 255.255.255.224

!

interface Ethernet2

nameif dmz2

security-level 50

ip address 10.10.10.1 255.255.255.0

!

same-security-traffic permit inter-interface

access-list temp_inside extended deny ip any host 89.163.182.25 log

access-list temp_inside extended permit ip any any

access-list dmz2_out extended permit ip host 12.x.x.134 host 10.50.2.32

access-list dmz2_out extended permit ip host 12.x.x.134 host 10.50.2.33

access-list dmz2_out extended permit ip any any

pager lines 24

logging enable

logging console debugging

logging monitor alerts

logging buffered debugging

logging trap notifications

mtu outside 1500

mtu dmz 1500

mtu dmz2 1500

icmp permit any outside

icmp permit any dmz

icmp permit any dmz2

no asdm history enable

arp timeout 14400

nat (dmz2) 0 10.50.2.0 255.255.255.0

static (dmz2,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

static (dmz,dmz2) 12.x.x.0 12.x.x.0 netmask 255.255.255.0

access-group temp_inside in interface dmz2

access-group dmz2_out out interface dmz2

route outside 0.0.0.0 0.0.0.0 12.xx.xx.1 1

route dmz2 10.50.2.0 255.255.255.0 10.10.10.2 1

timeout xlate 3:00:00

Jon

Jon Marshall · ‎11-22-2013

edited

Jon Marshall · ‎11-22-2013

On the ASA can you remove this -

static (inside,dmz1) tcp 10.50.2.32 8888 10.50.2.32 8888 netmask 255.255.255.255

add this -

static (inside,dmz1) 10.5.2.32 10.50.2.32 netmask 255.255.255.255

then -

clear xlate global 10.5.2.32

then -

add this line to DMZ2IN (make sure it is before the permit ip any any)

access-list DMZ2IN permit ip host 12.x.x.134 host 10.50.2.32

on the pix add this line to dmz2_out (again before the permit ip any any)

access-list permit ip host 12.x.x.134 host 10.50.2.32

Once all the above is done can you then ping from 12.x.x.134 to 10.50.2.32 and see -

1) do you get a response

2) do you see a hit cnt on the pix dmz2_out acl

3) do you see a hit on ASA DMZ2IN acl

Jon

Jon Marshall · ‎11-22-2013

Tyler

I think the issue may be this line on the pix -

nat (dmz2) 0 10.50.2.0 255.255.255.0

this is Identity NAT. Basically it says don't translate 10.50.2.x addressing going to the pix. But it is only one way ie .from the ASA to the pix. I don't know why it is there but we should be able to override it with -

static (dmz2,dmz) 10.50.2.33 10.50.2.33 netmask 255.255.255.255

So if the ping didn't work can you add this to the pix and retest both with ping and connecting on the ports you want to use.

Jon

Tyler Woods · ‎11-22-2013

I've just now learned 10.50.2.32 is not up and running yet so I adjusted all the above for 10.50.2.33.

Ping is now working and I'm getting the response on port 1560 as I should. Looks like that static NAT did it. Going to button this down now to the specific ports and try again.

Jon Marshall · ‎11-22-2013

Tyler

Out of interest which static ? The one i asked you to change on the ASA or the one on the pix ?

Jon

Tyler Woods · ‎11-22-2013

This one in the PIX

static (dmz2,dmz) 10.50.2.33 10.50.2.33 netmask 255.255.255.255

Tyler Woods · ‎11-22-2013

I am curious about making this cleaner. Am I correct in thinking I can remove the stricken ones and and the bold one getting the same results?

nat (dmz2) 0 10.50.2.0 255.255.255.0

static (dmz,outside) 12.x.x.130 12.x.x.130 netmask 255.255.255.255

static (dmz,outside) 12.x.x.131 12.x.x.131 netmask 255.255.255.255

static (dmz,outside) 12.x.x.142 12.x.x.142 netmask 255.255.255.255

static (dmz,outside) 12.x.x.144 12.x.x.144 netmask 255.255.255.255

static (dmz,outside) 12.x.x.138 12.x.x.138 netmask 255.255.255.255

static (dmz,outside) 12.x.x.150 12.x.x.150 netmask 255.255.255.255

static (dmz,outside) 12.x.x.156 12.x.x.156 netmask 255.255.255.255

static (dmz,outside) 12.x.x.135 12.x.x.135 netmask 255.255.255.255

static (dmz,outside) 12.x.x.140 12.x.x.140 netmask 255.255.255.255

static (dmz2,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

static (dmz,dmz2) 12.x.x.0 12.x.x.0 netmask 255.255.255.0

static (dmz2,dmz) 10.50.2.0 10.50.2.0 netmask 255.255.255.0

static (dmz2,dmz) 10.50.2.33 10.50.2.33 netmask 255.255.255.255

static (dmz2,dmz) 10.50.2.32 10.50.2.32 netmask 255.255.255.255

Jon Marshall · ‎11-22-2013

Tyler

You should be able to do that with no effect on existing traffic although you would need to clear the xlate entries. I have been reluctant to suggest this because there is obviously other traffic going to the 12.x.x.x network from the ASA. Your entry in bold should account for that though. But you do need to be careful when changing things that you don't affect other traffic so you need to understand all the traffic flows. I have been trying to make as few changes as possible while we tried to troubleshoot this.

It was only after i cleared the configs that i noticed that pix entry. There is an awful lot in the configs such as acls and NAT entries, especially acls, that are simply not used either with NAT or assigned to any interface. It may be worth trying to clean all that up before you migrate everything onto the ASA.

So did it work ?

Edit - one thing i didn't check was whether the acls were referenced in the IPSEC config so it is worth checking that if you do decide to try and clean up the configs.

Edit 2 - If you do make those changes bear in mind you have a little less security than you had before especially with your permit ip any any statements in the acls. At the moment you have 2 static entries for 10.50.2.32 and 33 which allows connections from the pix to those hosts. The identity NAT statement does not allow any connections from the pix to any other 10.50.2.x hosts, it only allows traffic to be initiated from the 10.50.2.x hosts. if you configure a static for the whole 10.50.2.0/24 network then you are allowing connections from the pix to any 10.50.2.x hosts. This may or may not be a concern for you.

Jon

Tyler Woods · ‎11-25-2013

Will not get to try this out till next week.

I have actually removed the "ip any any" due to security. My thinking is create the static NAT on the PIX for the entire segment then lock things down on the ASA side when inbound. Though I could do it the other way around. To be honest haven't decided which way I am going to skin this cat. Given my plan is to consolidate to the ASA I will clean up with that in mind.

To the best of my limited expertise there are not active tunnels of any kind on the PIX. The tunnel now resides on the ASA so lots of the config on the PIX can be removed. Just hesitent to do so given my lack of experience.

Thank you again for all your help. It has taught me lots.

Jon Marshall · ‎11-25-2013

Tyler

No problem and thanks for getting back to me as i was wondering if it was working or not.

I think it should work if you were able to ping and i agree on removing the permit ip any any as this is too open. A lot of the config on the pix doesn't seem to be needed. Even some of the NAT statements because the pix has a "same-security-traffic permit inter-interface" statement so you shouldn't need NAT between interfaces of the same security level. But because NAT has been used it's not as simple as just removing them without understanding what they are all doing.

I think what you are looking at is config that has sort of evolved so as you say there is probably a lot of the config that isn't actually needed but i understand your reluctance to make changes.

Jon