Outside firewall has one interface- OUTSIDE

Hi Guys,

I am configuring AnyConnect VPN on our outside firewall, and this firewall has one interface, which is the outside interface. This interface is connected to one of our switches on a separate VLAN, and our inside firewall's outside interface is in the same VLAN.

Now, the problem is that I want my outside firewall to send traffic to my inside firewall via the outside interface, and that firewall will send the traffic to the inside network. I have configured "same-security-traffic permit intra-interface" so it can send traffic out on the same interface to the inside firewall, but it doesn't seem to be working.

After connecting with AnyConnect VPN, my traffic does not seem to be traversing to the inside firewall and the inside network. I have configured one route on the outside firewall, which is a default route to the outside interface.

Thanks for your help

6 Replies

If I understood this right, your design is:

Inside FW (outside)  ---- |
                          | ---- (vlan) SW ---- Internet
Outside FW (outside) ---- |

If that is correct ... we need the config from the outside firewall and captures, captures, captures ... this is from the outside of the outside and inside firewalls ... clear traffic of course .. :]

/Mo.

Mohammad,

Yes, your understanding is correct.

Here is the config of the outside ASA:

ASA1(config)# sh run
ASA1(config)# sh running-config
: Saved
:
ASA Version 8.0(4)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.150 255.255.255.240
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
access-list outside extended permit ip any any
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
pager lines 24
logging enable
logging buffered debugging
logging class svc buffered debugging
mtu outside 1500
ip local pool PARTNER1 192.168.100.1-192.168.100.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.104.155.148 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD protocol radius
aaa-server RAD (outside) host x.x.x.x
 key cisco123
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy PARTNER1 internal
group-policy PARTNER1 attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 default-domain value cisco.com
 address-pools value PARTNER1
tunnel-group PARTNER1 type remote-access
tunnel-group PARTNER1 general-attributes
 authentication-server-group RAD
 default-group-policy PARTNER1
tunnel-group PARTNER1 webvpn-attributes
 group-url https://x.x.x.x/partner1 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea9280bb69127b3441867c003f5a61ee
: end
ASA1(config)#

Here is the capture from the outside ASA:

========================

   1: 18:05:16.261705 192.168.100.1 > x.x.x.129: icmp: echo request
   2: 18:05:21.761358 192.168.100.1 > x.x.x.129: icmp: echo request

Config of the inside ASA:

================

ASA2(config)# sh run
ASA2(config)# sh running-config
: Saved
:
ASA Version 8.0(4)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.148 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.132 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL-CAP extended permit ip host 192.168.100.101 host 64.104.155.132
access-list ACL-CAP extended permit ip host 192.168.100.1 host 64.104.155.132
access-list ACL-CAP extended permit ip host 192.168.100.1 host 64.104.155.129
access-list outside extended permit ip 192.168.100.0 255.255.255.0 host 64.104.155.132
access-list outside extended permit ip 192.168.100.0 255.255.255.0 host 64.104.155.129
access-list outside extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.104.155.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service password-recovery
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b4927dacb2bf069db4a2a004d553589b
: end
ASA2(config)#

Here is the capture on the outside interface:

   1: 18:05:35.712609 192.168.100.1 > x.x.x.129: icmp: echo request
   2: 18:05:41.212131 192.168.100.1 > x.x.x.129: icmp: echo request

Here are the logs [just trying to ping the inside network from the outside ASA to the inside LAN of the internal firewall]. I'm unable to ping from the outside ASA to the inside LAN IP.

%ASA-7-609001: Built local-host outside:x.x.x.150
%ASA-7-609001: Built local-host inside:x.x.x.129
%ASA-6-302020: Built inbound ICMP connection for faddr x.x.x.150/4388 gaddr x.x.x.129/0 laddr x.x.x.129/0
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-6-302021: Teardown ICMP connection for faddr x.x.x.150/4388 gaddr x.x.x.129/0 laddr x.x.x.129/0

I am pinging the inside network IP address x.x.x.129.

Do I have to have NAT on the inside firewall? At the moment I have configured no nat-control because I really don't want NAT.
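As an added example (not code from the thread or from Cisco), here is a small Python checker that reads a constructed excerpt of the ASA1 config above and verifies the prerequisites for hairpinning VPN traffic out of the single outside interface toward an inside host. It assumes the masked x.x.x.150 address is 64.104.155.150, which matches the unmasked route next hops in both configs.

```python
import ipaddress
import re

# Constructed excerpt of the outside ASA (ASA1) running-config from the thread.
# Assumption: the masked "x.x.x.150" is 64.104.155.150 (same /28 as the next hop).
ASA1_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 64.104.155.150 255.255.255.240
same-security-traffic permit intra-interface
ip local pool PARTNER1 192.168.100.1-192.168.100.100 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 64.104.155.148 1
group-policy PARTNER1 attributes
 split-tunnel-policy tunnelall
"""

def parse_interfaces(lines):
    """Map each nameif to the IP network configured on that interface."""
    nets, name = {}, None
    for l in lines:
        m = re.match(r"nameif (\S+)$", l)
        if m:
            name = m.group(1)
        m = re.match(r"ip address (\S+) (\S+)$", l)   # "no ip address" does not match
        if m and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def uturn_checks(config, inside_host):
    """Return {check: bool} for the U-turn prerequisites toward inside_host:
    intra-interface permitted, a pool, tunnel-all, and a route that leaves via
    'outside' to a next hop (the inside ASA) that is on-link on that interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nets = parse_interfaces(lines)
    host = ipaddress.ip_address(inside_host)
    routes = []
    for l in lines:
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", l)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if host in net:
                routes.append((net.prefixlen, m.group(1), ipaddress.ip_address(m.group(4))))
    best = max(routes, default=None)          # longest-prefix match wins
    return {
        "hairpin_enabled": "same-security-traffic permit intra-interface" in lines,
        "pool_defined": any(l.startswith("ip local pool ") for l in lines),
        "tunnel_all": "split-tunnel-policy tunnelall" in lines,
        "route_via_outside": best is not None and best[1] == "outside",
        "next_hop_on_link": best is not None and best[1] in nets and best[2] in nets[best[1]],
    }
```

Every check passing only proves the outside ASA can send the hairpinned packets toward the inside ASA; whether the inside ASA accepts and returns them is what the captures asked for below will show.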

Sorry for the delay, quite busy days around here ....

OK, so what about inside captures on the inside firewall? This is when you ping from the AC client and from the outside ASA; can you show me what you see? Can you take the capture and add the keyword "detail" when you use the show capture command? This shows the MAC addresses in the capture; ensure that they reflect the correct devices.

Also, please have ASP captures set up on the inside ASA to show us any drops at the ASA level for our packets. To do that, apply the following:

capture asp type asp-drop all

After you ping, just take the output of this capture with "show cap asp detail | inc "

Basically, this should work. U-turn traffic is working, you are being directed to the outside interface of the inside firewall, but we have to find out if the inside ASA is dropping the traffic or not!

Mo.

I am going to test whatever you have suggested here. I will respond back shortly.

Thanks,

I have fixed this issue. It was an issue with my FW. Thanks for your help. You gave me some really good commands to use.

Thanks.

Glad that it worked. :]
