Same-security-problems3 1

[pgatt62]

Hi All
I know that this is asking a lot but the config below from a ASA 5520 was hopefully meant to route between both inside secure networks and the outside world. It was also meant to redirect packets that were meant for remote networks connected to other WAN devices connected to the Data G0/1 network that are eventually being migrated to the ASA.
Anyway the original problem was that I couldn't ping between both inside networks and when trying to solve this lost the crypto tunnel and I think caused a routing/bridging loop.
If anyone could take the time out of their busy schedule and adjust the config where necessary I would be very grateful. I've bought the Harris Andrea on ASA fundamentals book but thats not helping much and a ASA pdf with over 1500 pages which is a bit too technical for me at the moment. A revised working config would certainly assist me on where I've went wrong for future.
Regards etc pgatt62


: Saved
:
ASA Version 8.2(1)
!
hostname ISC-EDI-ASWFW
domain-name iscinternal.com
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address XX.XX.XX.154 255.255.255.248
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside1
security-level 100
ip address 172.24.19.252 255.255.252.0
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif inside2
security-level 100
ip address 172.24.23.254 255.255.252.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.24.16.2
name-server 172.24.0.10
name-server XX.XX.XX.6
domain-name iscinternal.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
access-list EDI-BRUSS extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1 172.24.16.2
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.24.20.0 255.255.252.0 inside1
icmp permit 172.24.16.0 255.255.252.0 inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.153 1
route inside1 172.24.0.0 255.255.252.0 172.24.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host 172.24.16.2
key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.16.0 255.255.252.0 inside1
http 172.24.20.0 255.255.252.0 inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 25200
telnet timeout 5
ssh 172.24.16.0 255.255.252.0 inside1
ssh 172.24.20.0 255.255.252.0 inside2
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 62.206.250.163 source outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
dns-server value 172.24.16.2 172.24.0.10
vpn-tunnel-protocol svc webvpn
webvpn
svc keep-installer installed
svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
address-pool VPN-POOL
default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX18 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c410cd0af890f5fb81df2852aea8f4fb
: end
no asdm history enable

 

[unclerico]

please tell me what exactly you are able to connect to/from and what you are unable to connect to/from. a topology would also be good.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[pgatt62]

Unclerico

Hi Unclerico,

Because this is really an appeal for you to help a complete stranger, this reply has taken me almost an hour to compose.
I thought that putting an ip address on the outside address,the inside secure addresses, a default route to the outside interface, a couple of NAT statements all would ok. And that was basically all that was asked.
Like a lot of other stuff that I'm sure you've seen before, more and more arguments were added to the original remit to which I thought, OK, I know my way round this to a certain degree and I'm sure that I'll work out something or find a way round it using all the available stuff from Cisco and the web.( I've got a CCNP Switch exam under my belt,working on the rest, and a CCNA Security and Wireless and Field Engineer qualifications, so to a degree consider myself quite knowledgable. So I thought)
Anyway, the more I tried to fix the problem the worse it became.I'm not convinced that its too complicated but the solution is still eluding me.
What I tried to configure was a system with two seperate inside networks for Data and Voice protected by a ASA 5520 which acted as a router for both of these inside networks but also as device that would point to other connected legacy networks attached a Nortel switch located somewhere deep in the system, which were ear-marked for migration to the ASA 5520 once the Nortel switch had been decommissioned, and some deny statements for email smtp port 25.
After setting up and proving internet access for both inside networks G0/1 and G0/2 it was discoverd that a ping could not ping from either inside network to the other and likewise to the outside G0/0 interface although internet access was still available. I put an icmp inspect command into the global policy but this didn't work so did a kind of Stataic NAT/ip route fudge that seemed to sort the ping problem out. However when adding commands for VPN tunnels I lost the ping functionality.
This is where after trying to work out a solution for over an hour I started grasping at straws, which may explain some commands in my config that don't make any sense. I just couldn't see where I had went wrong.
Anyway, the customer is content enough with firewall protected internet access but its not sitting well with me professionally that I've not provided them with all that they asked for.
My config now as it stands has probably a few commands that shouldn't be there and undoubtedly some that should but I fear I'm now a bit out of my depth.
Ignoring the routes to the other networks via the Nortel switch, what I ultimately need and I know this asking a lot,is for someone like you to take my configuration, correct it and let the customer believe that I worked on it all weekend and think I'm just great. If this is ok by you, its certainly ok by me.
Thanks again for at least showing that you are willing to help, all I can be is grateful that people like you are out there.
(It goes without saying that I will study any new config recommendations assiduously so that I will know in future where my mistakes lay)

With best regards pgatt62

 

[unclerico]

a topology would really help here including any VPN tunnels

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[pgatt62]

I'm sorry but I don't have a topology, it is intended that the ASA will be the only gateway to the outside. The only VPN tunnel created and working previous to the ping problem reappearing is the EDI-BRUSS tunnel.
Regards pgatt62

 

[unclerico]

it looks ok to me, but i don't have a real topology to go on. try this:

no nat (inside1) 0 access-list VPN-NONAT
no nat (inside2) 0 access-list VPN-NONAT

static (inside1,inside2) 172.24.16.0 255.255.252.0 172.24.16.0 255.255.252.0
static (inside2,inside1) 172.24.20.0 255.255.252.0

no crypto map EDI-BRUSS interface outside

this will strip your config down to the basics. it will use identity nat for traffic from inside1 to inside2 and vice versa and it will remove the crypto config from the process in order to build from the ground up again.

once you have this in place, try to ping from a host on inside1 to a host on inside2 and vice versa

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[pgatt62]

Thanks, I'll let you know first chance I get to pay a return visit. I'll think of an excuse to get over ther soon.
Regards pgatt62

 

[unclerico]

the second statement above should be static (inside2,inside1) 172.24.20.0 255.255.252.0 172.24.0 255.255.252.0 and not just [/b]static (inside2,inside1) 172.24.20.0 255.255.252.0[/b]

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[pgatt62]

Thanks again.