04-12-2012 10:18 PM
Hi Guys,
I am configuring AnyConnect VPN on our outside firewall, and this firewall has one interface, which is the outside interface. This interface is connected to one of our switches on a separate VLAN, and our inside firewall's outside interface is in the same VLAN.
Now, the problem is that I want my outside firewall to send traffic to my inside firewall on the outside interface, and this firewall will send the traffic to the inside network. I have configured "same-security-traffic permit intra-interface" so it can send traffic out on the same interface to the inside firewall, but it doesn't seem to be working.
After connecting with AnyConnect VPN, my traffic does not seem to be traversing the inside firewall to the inside network. I have configured one route on the outside firewall, which is a default route to the outside interface.
Thanks for your help
04-16-2012 12:34 PM
If I understood this right, your design is:
Inside FW (outside) ---- |
| ---- (vlan
Outside FW (outside) ---- |
If that was correct ... we need config from the outside firewall and captures, captures, captures ... this is from the outside of the outside and inside firewall ... clear traffic of course .. :]
/Mo.
04-16-2012 01:10 PM
Mohammad,
Yes, your understanding is correct.
Here is config of outside ASA:
ASA1(config)# sh run
ASA1(config)# sh running-config
: Saved
:
ASA Version 8.0(4)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.150 255.255.255.240
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
access-list outside extended permit ip any any
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
access-list AC-CAP extended permit ip host 192.168.100.1 host x.x.x.x
pager lines 24
logging enable
logging buffered debugging
logging class svc buffered debugging
mtu outside 1500
ip local pool PARTNER1 192.168.100.1-192.168.100.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.104.155.148 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD protocol radius
aaa-server RAD (outside) host x.x.x.x
key cisco123
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy PARTNER1 internal
group-policy PARTNER1 attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
default-domain value cisco.com
address-pools value PARTNER1
tunnel-group PARTNER1 type remote-access
tunnel-group PARTNER1 general-attributes
authentication-server-group RAD
default-group-policy PARTNER1
tunnel-group PARTNER1 webvpn-attributes
group-url https://x.x.x.x/partner1 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea9280bb69127b3441867c003f5a61ee
: end
ASA1(config)#
Here is Capture of Outside ASA:
========================
1: 18:05:16.261705 192.168.100.1 > x.x.x.129: icmp: echo request
2: 18:05:21.761358 192.168.100.1 > x.x.x.129: icmp: echo request
Config of Inside ASA:
================
ASA2(config)# sh run
ASA2(config)# sh running-config
: Saved
:
ASA Version 8.0(4)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.148 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address x.x.x.132 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list ACL-CAP extended permit ip host 192.168.100.101 host 64.104.155.132
access-list ACL-CAP extended permit ip host 192.168.100.1 host 64.104.155.132
access-list ACL-CAP extended permit ip host 192.168.100.1 host 64.104.155.129
access-list outside extended permit ip 192.168.100.0 255.255.255.0 host 64.104.155.132
access-list outside extended permit ip 192.168.100.0 255.255.255.0 host 64.104.155.129
access-list outside extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.104.155.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service password-recovery
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b4927dacb2bf069db4a2a004d553589b
: end
ASA2(config)#
Here is Capture of outside interface:
1: 18:05:35.712609 192.168.100.1 > x.x.x.129: icmp: echo request
2: 18:05:41.212131 192.168.100.1 > x.x.x.129: icmp: echo request
Here are the logs [just trying to ping the inside network from the outside ASA to the inside LAN of the internal firewall]. I'm unable to ping from the outside ASA to the inside LAN IP.
%ASA-7-609001: Built local-host outside:x.x.x.150
%ASA-7-609001: Built local-host inside:x.x.x.129
%ASA-6-302020: Built inbound ICMP connection for faddr x.x.x.150/4388 gaddr x.x.x.129/0 laddr x.x.x.129/0
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-6-302021: Teardown ICMP connection for faddr x.x.x.150/4388 gaddr x.x.x.129/0 laddr x.x.x.129/0
I am pinging inside network IP address x.x.x.129.
Do I have to have NAT on the inside firewall? At the moment I have configured no nat-control because I really don't want NAT.
04-20-2012 11:35 AM
Sorry for the delay, quite busy days around here ....
OK, so what about inside captures on the inside firewall, this is when you ping from the AC client and from the outside ASA; can you show me what you see? Can you take out the capture and add the keyword "detail" when you use the show capture command? This is to show the MAC addresses in the capture; ensure that they reflect the correct devices.
Also, please have ASP captures set up on the inside ASA to show us any drop at the ASA level for our packets. To do that, apply the following:
capture asp type asp-drop all
After you ping, just take the output of this capture as "show cap asp detail | inc
Basically, this should work. U-turn traffic is working, you are being directed to the outside interface of the inside firewall, but we have to find out if the inside ASA is dropping the traffic or not!
Mo.
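An added example, not part of the thread: a small Python triage script for the %ASA-6-302020 / %ASA-6-302021 ICMP connection messages in the format posted above. It pairs Built and Teardown events per flow, flags whether gaddr differs from laddr (which would indicate NAT on that flow; in the posted log they are equal), and lists flows that were built but never torn down in the log window. The sample log is constructed, with the thread's masked x.x.x.* addresses replaced by the RFC 5737 documentation range.

```python
import re
from collections import defaultdict

# Matches the %ASA-6-302020 (Built) and %ASA-6-302021 (Teardown) ICMP
# connection messages in the shape shown in the thread. The trailing
# /number is the ICMP identifier (faddr) or 0 (gaddr, laddr) for echo traffic.
ICMP_CONN_RE = re.compile(
    r"%ASA-6-30202[01]: (?P<action>Built|Teardown) "
    r"(?:(?P<direction>inbound|outbound) )?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)

# Constructed sample log: the thread's masked addresses replaced with the
# 192.0.2.0/24 documentation range. Flow 1 is built and torn down; flow 2
# is built through a NAT (gaddr != laddr) and never torn down.
SAMPLE_LOG = [
    "%ASA-7-609001: Built local-host outside:192.0.2.150",
    "%ASA-7-609001: Built local-host inside:192.0.2.129",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 192.0.2.150/4388 "
    "gaddr 192.0.2.129/0 laddr 192.0.2.129/0",
    "%ASA-7-111009: User 'enable_15' executed cmd: show logging",
    "%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.150/4388 "
    "gaddr 192.0.2.129/0 laddr 192.0.2.129/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 192.0.2.160/17 "
    "gaddr 192.0.2.129/0 laddr 192.0.2.140/0",
]

def parse_icmp_events(lines):
    """Return one dict per 302020/302021 line; other message IDs are skipped."""
    return [m.groupdict() for m in map(ICMP_CONN_RE.search, lines) if m]

def summarise_flows(lines):
    """Count Built/Teardown per (faddr, gaddr, laddr) and flag NATed flows."""
    flows = defaultdict(lambda: {"built": 0, "teardown": 0, "nat": False})
    for ev in parse_icmp_events(lines):
        flow = flows[(ev["faddr"], ev["gaddr"], ev["laddr"])]
        flow["built" if ev["action"] == "Built" else "teardown"] += 1
        flow["nat"] = ev["gaddr"] != ev["laddr"]
    return dict(flows)

def open_flows(lines):
    """Flows with more Built than Teardown messages in the log window."""
    return [k for k, v in summarise_flows(lines).items()
            if v["built"] > v["teardown"]]

if __name__ == "__main__":
    for key, stats in summarise_flows(SAMPLE_LOG).items():
        print(key, stats)
    print("still open:", open_flows(SAMPLE_LOG))
```

Feed it the output of `show logging` from the inside ASA to see quickly whether the inbound ICMP connection is being built at all and whether the destination is translated.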
04-24-2012 08:29 AM
I am going to test whatever you have suggested here. I will respond back shortly.
Thanks,
04-29-2012 05:59 PM
I have fixed this issue. It was an issue with my FW. Thanks for your help. You gave me some really good commands to use.
Thanks.
04-29-2012 11:22 PM
Glad that it worked. :]