themattman
New Member
Posts:
5
Joined:
Sat May 21, 2011 10:45 pm

Local Subnets can't browse each other (but can ping ok)

Sat May 21, 2011 10:49 pm

I just installed a new ASA 5505 for an office with three internal subnets. The three networks can each get online fine and ping each other, but cannot browse to shares on the two internal networks other than their own. How do I configure the ASA to allow all traffic between these three inside networks?

192.168.152.0
192.168.152.0
192.168.154.0

Here is the running config:

show run
: Saved
:
ASA Version 8.4(1)
!
hostname ASA
domain-name NETWORK.LOCAL
enable password 9FKvgw.UCVrfUD5M encrypted
passwd 9FKvvDw.UCVrUdDM encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.152.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name NETWORK.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Net1
subnet 192.168.152.0 255.255.255.0
object network Net2
subnet 192.168.153.0 255.255.255.0
object network Net3
subnet 192.168.154.0 255.255.255.0
object network FD
host 192.168.152.2
access-list global_access extended permit ip object Net1 any
access-list global_access extended permit ip object Net2 any
access-list global_access extended permit ip object Net3 any
access-list global_access extended permit icmp interface inside any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.153.0 255.255.255.0 192.168.152.2 1
route inside 192.168.154.0 255.255.255.0 192.168.152.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.152.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.152.40-192.168.152.80 inside
dhcpd dns 192.168.0.21 interface inside
dhcpd wins 192.168.152.10 interface inside
dhcpd domain NETWORK.LOCAL interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin npassword qiyTRCDITAjP3aZE encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
 no active
 destination address http
 destination address email
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dd70e1358ea2eec7f73ee334j16492bb3
: end

rc172
Member
Posts:
213
Joined:
Sun Apr 17, 2011 3:28 pm
Certs:
CCSP/CCNP:Security GIAC GPEN

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 7:57 am

A little more information about your network setup would give us a much better idea of what you're trying to do so we can give you the right advice.

Right now your ASA will only be able to pass traffic to devices on the Net1 subnet and wouldn't be able to talk directly to any devices on Net2 or Net3. Is the ASA the only device you have that will do routing on the inside network? Do you have a layer 3 switch? Do you have different VLANs on a switch? Are you trying to run a trunk link to the ASA?


Code:
object network Net1
subnet 192.168.152.0 255.255.255.0
object network Net2
subnet 192.168.153.0 255.255.255.0
object network Net3
subnet 192.168.154.0 255.255.255.0

interface Vlan1
nameif inside
security-level 100
ip address 192.168.152.1 255.255.255.0

What device is 192.168.152.2? You have routes pointing traffic destined to the 153.0 and 154.0 networks using that address.

Code:
object network FD
host 192.168.152.2

route inside 192.168.153.0 255.255.255.0 192.168.152.2 1
route inside 192.168.154.0 255.255.255.0 192.168.152.2 1
The Cubicle Wizard
http://cubiclewizard.blogspot.com/

themattman
New Member
Posts:
5
Joined:
Sat May 21, 2011 10:45 pm

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 10:07 am

Thanks for your response. The main network (152.0) is connected to the Internet via the provider's router (152.2). The other two networks (153.0 & 154.0) connect through the ASA to the Internet. Therefore I have routes (or thought I did) for the other two networks to connect through the gateway for Internet access.

The ASA is the only device doing the routing for the internal network, and there are no layer 2 or 3 switches, no internal VLANs, etc. They are however using an MPLS network from the provider. Two networks (153.0 & 154.0) come in through one LAN port on the ASA.

I simply want all the internal subnets to be able to communicate with each other, unrestricted.

rc172
Member
Posts:
213
Joined:
Sun Apr 17, 2011 3:28 pm
Certs:
CCSP/CCNP:Security GIAC GPEN

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 11:55 am

Right now your ASA is not being used as a firewall, and your internet is on the internal network, only using your ISP router as a stopgap.

A few more questions for you. What kind of router did your ISP provide? What kind of internet do you have? And how many computers do you have on the inside networks?

Now the biggest question.

Which license did you get with your ASA? If you want to have separate internal subnets attached directly to the ASA you will need a Security Plus license. You will also want to pay attention to the inside hosts field, as that will determine how many active connections across networks (to the internet or other subnets) your ASA license will support. Any users beyond the max number here trying to hit the internet or another network will be unable to do so. The non-Security Plus licenses only support 3 networks (one of which is considered your outside or internet) and there's a pretty big catch with that third network; it is restricted from starting communication to one of the other networks.

You can find this out by logging into the ASDM and clicking the license tab on the first screen.

If you don't have the security plus license you have a few options.

1. You could return the ASA and get the Security Plus bundle (includes unlimited users), and that tends to run around $1000. This is easier and more straightforward than trying to upgrade your license, and you won't have to buy a support contract in the process (if you don't already have one). I would say this is your best bet.

2. Get a layer 3 switch and have that do your internal routing between subnets. Depending on what vendor you go with, this can be fairly expensive, and if you're not familiar with this kind of work it can be tough to set up. It would also be the most scalable solution if you plan to add more users.

3. Put all internal hosts on the same subnet. There can be a lot of variables involved and this could easily cause a lot more problems than you would solve. I would only recommend this if you're working in a small network with only a handful of computers.
The Cubicle Wizard
http://cubiclewizard.blogspot.com/

themattman
New Member
Posts:
5
Joined:
Sat May 21, 2011 10:45 pm

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 6:10 pm

Hopefully the attached diagram will help you understand my network layout, from a logical perspective anyway. Please advise if this view changes your suggestions.
Attachment: ASANetwork.jpg (61 KiB)

rc172
Member
Posts:
213
Joined:
Sun Apr 17, 2011 3:28 pm
Certs:
CCSP/CCNP:Security GIAC GPEN

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 7:47 pm

I think I love you. I wish everyone would provide a diagram like that. Forget everything I said in the last post :)

Were you trying to connect to a computer by its name?
ex. \\computer1\share1

Have you tried connecting to another computer by its IP?
ex. \\192.168.154.50\share1

If you can't connect to a share on a computer by name but can by using an IP then you might have a DNS problem.

On the ASA you are handing out DHCP to users with a DNS server of 192.168.0.21. If that server address was masked in the config for posting and is an ISP DNS server, then you will still have a problem, because an ISP DNS server still won't know about hosts on your internal network. I want to say it might be a typo, since your WINS server is defined in the config and your DNS server is marked as being on the inside interface. Usually you have DNS and WINS on the same server and either use forwarders to an ISP's servers for outside domains or crawl the root hints on your own server.

Code:
dhcpd dns 192.168.0.21 interface inside
dhcpd wins 192.168.152.10 interface inside
The Cubicle Wizard
http://cubiclewizard.blogspot.com/

themattman
New Member
Posts:
5
Joined:
Sat May 21, 2011 10:45 pm

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 8:23 pm

Haha, thanks. Unfortunately, I cannot browse to it by IP or by name. That DHCP pool is old, and disabled. I will delete it, as it is not being used.

One thing I noticed on the ASA log when I try to browse to a server from one network to another:

6 May 22 2011 12:53:55 192.168.152.11 2708 192.168.154.53 139 Deny TCP (no connection) from 192.168.152.11/2708 to 192.168.154.53/139 flags RST on interface inside

rc172
Member
Posts:
213
Joined:
Sun Apr 17, 2011 3:28 pm
Certs:
CCSP/CCNP:Security GIAC GPEN

Re: Local Subnets can't browse each other (but can ping ok)

Sun May 22, 2011 8:47 pm

themattman wrote: Haha, thanks. Unfortunately, I cannot browse to it by IP or by name. That DHCP pool is old, and disabled. I will delete it, as it is not being used.

One thing I noticed on the ASA log when I try to browse to a server from one network to another:

6 May 22 2011 12:53:55 192.168.152.11 2708 192.168.154.53 139 Deny TCP (no connection) from 192.168.152.11/2708 to 192.168.154.53/139 flags RST on interface inside

I should have seen that you didn't have a dhcpd enable inside :doh:

Anyways, you have an odd little problem there. A log like that means the ASA is dropping a packet from 152.11 going to 154.53 because there's no existing connection. Can you set the ASDM to informational and try to connect again? It would be helpful to see the full TCP conversation if something wacky is happening.

*EDIT*

In case you don't want to display a bunch of information if it has IP info, what you want to look for is whether that line is occurring after you see a connection teardown message to the same host.

So something like

Build connection to that host
Teardown connection to that host
Deny TCP from that host

If you do see that give this command a try "sysopt connection timewait"

In the ASDM it's in Configure > Firewall > Advanced > TCP options. It's the time_wait check box under the other options.
The Cubicle Wizard
http://cubiclewizard.blogspot.com/
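To make the sequence rc172 describes concrete (a Built, then a Teardown, then a "Deny TCP (no connection)" for the same host pair), here is an added Python example, not from the thread, that parses ASDM-style log lines in the format themattman pasted and flags flows showing that sequence. The Built and Teardown lines are constructed sample data shaped like ASA connection messages; only the Deny line is the one quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the ASDM column layout seen in the thread:
# severity, timestamp, src, sport, dst, dport, message text.
# Only the Deny line is copied from the thread; the Built/Teardown lines are
# constructed to look like ASA connection build/teardown messages.
SAMPLE_LOG = """\
6 May 22 2011 12:53:55 192.168.152.11 2708 192.168.154.53 139 Built outbound TCP connection 4711 for inside:192.168.152.11/2708 (192.168.152.11/2708) to inside:192.168.154.53/139 (192.168.154.53/139)
6 May 22 2011 12:53:55 192.168.152.11 2708 192.168.154.53 139 Teardown TCP connection 4711 for inside:192.168.152.11/2708 to inside:192.168.154.53/139 duration 0:00:00 bytes 0 TCP Reset-O
6 May 22 2011 12:53:55 192.168.152.11 2708 192.168.154.53 139 Deny TCP (no connection) from 192.168.152.11/2708 to 192.168.154.53/139 flags RST on interface inside
6 May 22 2011 12:54:01 192.168.152.20 3100 192.168.153.7 445 Built outbound TCP connection 4712 for inside:192.168.152.20/3100 (192.168.152.20/3100) to inside:192.168.153.7/445 (192.168.153.7/445)
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<msg>.*)$"
)


def parse(line):
    """Split one ASDM-style line into its columns; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The 4-tuple identifies one TCP flow across Built/Teardown/Deny lines.
    rec["flow"] = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return rec


def find_orphan_resets(log_text):
    """Return flows whose last three events are Built -> Teardown -> Deny (no connection).

    That ordering is what rc172 asks to look for: the ASA tore the connection
    down and then dropped a later packet of the same flow for lack of state.
    """
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("Built "):
            history[rec["flow"]].append("built")
        elif msg.startswith("Teardown "):
            history[rec["flow"]].append("teardown")
        elif msg.startswith("Deny TCP (no connection)"):
            history[rec["flow"]].append("deny")
    return sorted(flow for flow, events in history.items()
                  if events[-3:] == ["built", "teardown", "deny"])
```

Feed it the informational-level log export rc172 asks for; a flow that appears in the result is a candidate for the teardown-then-deny pattern, while a Deny line with no preceding Built for that flow points at a different cause.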

themattman
New Member
Posts:
5
Joined:
Sat May 21, 2011 10:45 pm

Re: Local Subnets can't browse each other (but can ping ok)

Mon May 23, 2011 12:00 am

Problem solved! I researched the Firewall log showing the connection being denied, and found some others having an issue with asymmetric traffic. Here's the fix:

http://www.cisco.com/en/US/products/ps6 ... d922.shtml
