traffic denied on internal vlan by asa 5505 1

[nottallhere]

This is my setup, 4 server all with 2 NICs, these 2NICs on each server are teamed using broadcom suite 3.
I have 2 ASA 5505 with security plus. And I have setup NAT and failover on these. There will be a router on the outside interface of both ASAs using HSRP for failover.

However traffic is being denied between local servers with the following error in the asa log-
%PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/ port to IP_address/ port flags tcp_flags on interface interface_name .

6 Mar 23 2009 11:11:24 106015 coloapp03 coloapp01 Deny TCP (no connection) from server1/4657 to server2/135 flags PSH ACK on interface inside

I have checked my NAT and security settings and these are ok.
I found a simular thread and they fixed it by putting the router on the inside on the network, however this is not possible for me. Since the asa comes with routing and NAT I am confused as to why I would need to do this.

Thanks to anybody that replies or just reads..

 

[North323]

do you have access lists on the interface with the servers? can you post a scrubbed config?

 

[unclerico]

Just so we're on the same page here, in your thread title you are referring to intervlan communication but in your description you are talking about NIC teaming. You may need to draw up a diagram and post it on box.net or something so we can see exactly how your devices should be communicating.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nottallhere]

Here is the config, don't be confused by my vlan title, I have no idea whats wrong. Also attached physical design.

http://www.box.net/shared/9hake8zdlk

show startup-config
asa-live(config)# show startup-config
: Saved
: Written by enable_15 at 10:13:53.056 GMT/BST Sat Mar 21 2009
!
ASA Version 8.0(3)9
!
hostname asa-live
domain-name default.domain.invalid
enable password x7Vcl7J7F/JdyxdV encrypted
passwd x7Vcl7J7F/JdyxdV encrypted
names
name 192.168.50.102 coloapp02
name 192.168.50.100 colosqllive
name 195.171.2.0 company-office-technium
name 192.168.50.103 coloapp03
name 192.168.50.101 coloapp01
name ***.***.45.54 coloapp01-ext
name ***.***.45.52 coloapp02-ext
name ***.***.45.37 colonlb-ext
name 192.168.50.110 colonlb
name ***.***.45.59 coloapp03-ext
name ***.***.45.50 colosqllive-ext
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
ospf cost 1
ospf mtu-ignore
!
interface Vlan2
nameif outside
security-level 0
ip address ***.***.45.57 255.255.255.224 standby ***.***.45.43
ospf cost 10
ospf priority 255
ospf network point-to-point non-broadcast
!
interface Vlan111
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
speed 100
duplex full
!
interface Ethernet0/6
speed 100
duplex full
!
interface Ethernet0/7
switchport access vlan 111
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Onebridge tcp
port-object eq 5001
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object Onebridge
port-object eq 5001
access-list outside_access_in extended permit icmp company-office-technium 255.255.2
55.0 ***.***.45.32 255.255.255.224
access-list outside_access_in extended permit tcp company-office-technium 255.255.25
5.0 ***.***.45.32 255.255.255.224 eq 1433
access-list outside_access_in extended permit tcp company-office-technium 255.255.25
5.0 ***.***.45.32 255.255.255.224 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp company-office-technium 255.255.25
5.0 ***.***.45.32 255.255.255.224 eq https
access-list outside_access_in extended permit tcp any ***.***.45.32 255.255.255.2
24 eq 3389
access-list outside_access_in extended permit tcp any ***.***.45.32 255.255.255.2
24 object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit object-group TCPUDP 192.168.50.0 25
5.255.255.0 any eq domain
access-list inside_access_in extended permit icmp 192.168.50.0 255.255.255.0 any

access-list inside_access_in extended permit tcp 192.168.50.0 255.255.255.0 any
eq smtp
access-list inside_access_in extended permit tcp 192.168.50.0 255.255.255.0 any
eq www
access-list inside_access_in extended permit tcp 192.168.50.0 255.255.255.0 any
eq https
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 192.1
68.50.0 255.255.255.0
access-list inside_nat_static extended permit ip host coloapp02 any
access-list inside_nat_static_1 extended permit ip host colosqllive any
access-list inside_nat_static_2 extended permit ip host coloapp03 any
access-list inside_nat_static_3 extended permit ip host coloapp01 any
access-list inside_nat_static_4 extended permit ip host colonlb any
access-list inside_nat_static_5 extended permit ip host coloapp03 any
pager lines 24
logging enable
logging standby
logging trap informational
logging asdm informational
logging host inside coloapp03 format emblem
mtu inside 1500
mtu outside 1500
failover
failover lan unit secondary
failover lan interface LANfailover Vlan111
failover interface ip LANfailover 192.168.255.1 255.255.255.0 standby 192.168.25
5.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location coloapp02 255.255.255.255 inside
asdm location colosqllive 255.255.255.255 inside
asdm location company-office-technium 255.255.255.0 inside
asdm location coloapp03 255.255.255.255 inside
asdm location colonlb-ext 255.255.255.255 inside
asdm location coloapp01-ext 255.255.255.255 inside
asdm location coloapp01 255.255.255.255 inside
asdm location 192.168.254.110 255.255.255.255 inside
asdm location coloapp03-ext 255.255.255.255 inside
asdm location colosqllive-ext 255.255.255.255 inside
no asdm history enable
arp inside colonlb 03bf.c0a8.326e
arp timeout 14400
nat-control
global (outside) 1 interface
static (outside,inside) tcp colosqllive 1433 colosqllive-ext 1433 netmask 255.25
5.255.255
static (outside,inside) tcp coloapp01 5001 coloapp01-ext 5001 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp02 5001 coloapp02-ext 5001 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp03 5001 coloapp03-ext 5001 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp03 ftp-data coloapp03-ext ftp-data netmask 25
5.255.255.255
static (outside,inside) tcp colosqllive 3389 colosqllive-ext 3389 netmask 255.25
5.255.255
static (outside,inside) tcp coloapp01 3389 coloapp01-ext 3389 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp02 3389 coloapp02-ext 3389 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp03 3389 coloapp03-ext 3389 netmask 255.255.25
5.255
static (outside,inside) tcp coloapp03 ftp coloapp03-ext ftp netmask 255.255.255.
255
static (outside,inside) tcp coloapp03 smtp coloapp03-ext smtp netmask 255.255.25
5.255
static (outside,inside) tcp coloapp01

http://www coloapp01-ext

http://www netmask

255.255.255.
255
static (outside,inside) tcp colonlb

http://www colonlb-ext

http://www netmask

255.255.255.255

static (outside,inside) tcp colosqllive

http://www colosqllive-ext

http://www netmask

255.255.
255.255
static (outside,inside) tcp coloapp02

http://www coloapp02-ext

http://www netmask

255.255.255.
255
static (inside,outside) coloapp01-ext access-list inside_nat_static_3
static (inside,outside) colonlb-ext access-list inside_nat_static_4
static (inside,outside) coloapp03-ext access-list inside_nat_static_5
static (inside,outside) coloapp02-ext access-list inside_nat_static
static (inside,outside) colosqllive-ext access-list inside_nat_static_1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.45.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http ***.***.45.32 255.255.255.224 outside
http company-office-technium 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface inside
service resetoutside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics
ntp server 80.69.93.212 source outside prefer
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive disable
!
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8652d3663a9465493a35d439d4a41a70

 

[North323]

maybe change ip to tcp:
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 192.1
68.50.0 255.255.255.0

and add any to the end of it

also, i do not see any 'inside' routes has this ever worked?

 

[nottallhere]

Yes it has been working on and off. Didn't think I needed an inside route. what would the inside route be?

 

[nottallhere]

I don't think it's a routing, NAT or security config problem because the packet tracer brings back an ok result.

This ACL

access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 192.1
68.50.0 255.255.255.0

is allowing any internal traffic, are you asking me to change this with TCP instead of IP?

 

[North323]

yes and add 'any' to the end of it

 

[nottallhere]

North323, that didn't work.

 

[nottallhere]

Can anybody tell me do I need to setup routing on this ASA 5505 in order to allow internal traffic??
Thanks

 

[billybluelight]

Hi can you use the ASDM applet by

https://ipadress

to it and run the gui interface if so. click on configuration tab at the top, go to the interface tab on the left and side and at the bottom is a tick box that says enable traffic between two or more hosts on the same interface, tick this box, apply and save and this will deliver the correct commands to the asa for you. Hope this helps.

 

[brianinms]

Well the majority of your statics appear to be backwards. If you are trying to nat a machine through your firewall then it should be ...

static (inside,outside)

 

[nottallhere]

Thanks billybluelight but I have allready tried that. No joy.

I don't think the ASA is acting as gateway for the internal network some reason. However I can ping between the servers ok. icmp travel ok other traffic won't.

 

[nottallhere]

Real don't think it's a NAT issue since the packet tracer comes up fine and icmp traffic is ok and all in-out traffic ok, it's just internal traffic other than icmp that's the problem. Thinking it's either routing or packet filtering problem or some other feature causing the problem.

 

[brianinms]

Well if all your machines are on the 192.168.50.0 255.255.255.0 network and you are trying to communicate from machine to machine then it isnt an ASA issue. If you are on the same subnet your traffic isn't even sent to the default gateway to be processed.

 

[wkim623]

Hi Notallhere,

I've been having the same issue with my setup, and I still can't seem to find an answer. I'm still researching and trying other things. I'll let you know if I find the answer, or if you figured it out. Could you let me know? Thanks!

 

[nottallhere]

Glad I'm not alone wkim623. Do you have the same setup as me 5505 with security+ and failover configured?

Let me know if you find anything.

To get around it have resorted to transparent firewall with the latest IOS, but I still havent been given the 19 public IPs I will need from ISP for this to work so. So I may need to go back to NAT plus ISP is not keen on me doing transparent firewall for some reason.