
I have tried getting my ASA to route traffic between subnets. I got it working for 10 minutes, but after some changes (unfortunately I am not an ASA expert) I have broken something.

One example: 192.168.35.0/24 to 192.168.42.0/24 pings OK, but IP traffic does not flow. I am not sure what was changed, so I would appreciate a review of the config.

I have the following interfaces and objects. The security levels are set accordingly (higher to lower), as it becomes painful with NAT rules to have them set to the same priority, so I am happy to keep them as is:

!
interface GigabitEthernet1/1
 description Trunk
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.10
 description Management
 vlan 10
 nameif Vlan_Management
 security-level 100
 ip address 192.168.255.1 255.255.255.0
!
interface GigabitEthernet1/1.35
 vlan 35
 nameif vlan_Users
 security-level 90
 ip address 192.168.35.1 255.255.255.0
!
interface GigabitEthernet1/1.42
 description Voice
 vlan 42
 nameif vlan_Voice
 security-level 80
 ip address 192.168.42.1 255.255.255.0
!
interface GigabitEthernet1/1.100
 description Guest
 vlan 100
 nameif vlan_Guest
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/1.101
 description Lab
 vlan 101
 nameif vlan_Lab
 security-level 20
 ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description Internet
 nameif Outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute
!
object network Users
 subnet 192.168.35.0 255.255.255.0
object network Remote_8
 subnet 10.10.8.0 255.255.252.0
 description Remote Site
object network Remote_200
 subnet 10.10.200.0 255.255.255.0
 description remote1
object network Corp
 subnet 192.168.35.0 255.255.255.0
object network Voice
 subnet 192.168.42.0 255.255.255.0
object network Lab
 subnet 192.168.100.0 255.255.255.0
object network Guest
 subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Remote_8
 network-object object Remote_200

There is a site-to-site IPsec VPN between sites with NAT rules applied to that traffic; although it is scoped to the external interface, I am not sure if that is causing an issue.

I have allowed IP traffic and am sure that inter-subnet traffic is not being NATed (I don't think NAT is required when going from higher to lower security groups?). Any ideas, please, what the issue could be?

Remaining relevant config below, thanks in advance:

pbkdf2
names
ip local pool VPN 192.168.35.2-192.168.35.240 mask 255.255.255.0
ip local pool webVPN 192.168.35.241-192.168.35.245 mask 255.255.255.0
ip local pool VPNN_addresses 192.168.35.246-192.168.35.248 mask 255.255.255.0
!
dns domain-lookup Vlan_Management
dns domain-lookup vlan_Users
dns domain-lookup vlan_Voice
dns domain-lookup vlan_Guest
dns domain-lookup vlan_Lab
dns domain-lookup Outside
same-security-traffic permit inter-interface
access-list Vlan_Corp_access_in extended permit ip any any
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 interface Outside
access-list Outside_access_in extended permit ip any any
access-list Outside_cryptomap_1 extended permit ip object Users object Remote_8
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list vlan_Voice_access_in extended permit ip any any
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 interface Outside
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 any
access-list vlan_Lab_access_in_1 extended permit ip 192.168.101.0 255.255.255.0 interface Outside
access-list vlan_Guest_access_in extended permit ip 192.168.100.0 255.255.255.0 interface Outside
icmp permit any echo vlan_Users
icmp permit any echo-reply vlan_Users
no arp permit-nonconnected
nat (vlan_Users,Outside) source static Users Users destination static Remote_8 Remote_8 no-proxy-arp route-lookup
nat (vlan_Users,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup
nat (Outside,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup
!
object network Users
 nat (vlan_Users,Outside) dynamic interface
object network Lab
 nat (vlan_Lab,Outside) dynamic interface
object network Voice
 nat (vlan_Voice,Outside) dynamic interface
object network Guest
 nat (vlan_Guest,Outside) dynamic interface
access-group Vlan_Corp_access_in in interface vlan_Users
access-group vlan_Voice_access_in in interface vlan_Voice
access-group vlan_Guest_access_in in interface vlan_Guest
access-group vlan_Lab_access_in_1 in interface vlan_Lab
access-group Outside_access_in in interface Outside
route Outside 10.10.8.0 255.255.252.0 1.2.3.4 1
route Outside 10.10.200.0 255.255.255.255 1.2.3.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
!
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname ispuser
vpdn group ISP ppp authentication pap
vpdn username ispuser password ***** store-local
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 banner none
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy WVPN_policy internal
group-policy WVPN_policy attributes
 vpn-tunnel-protocol ssl-clientless
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy 1.2.3.4 internal
group-policy 1.2.3.4 attributes
 vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 address-pool VPNN_addresses
 authorization-server-group LOCAL
 authorization-server-group (Outside) LOCAL
 default-group-policy WVPN_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool webVPN
 authentication-server-group (Outside) LOCAL
 dhcp-server subnet-selection 192.168.35.3
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy 1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Packet tracer reports OK from users to voice:

ASA# packet-tracer input vlan_Users tcp 192.168.35.3 15000 192.168.42.5 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.42.5 using egress ifc  vlan_Voice

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Vlan_Corp_access_in in interface vlan_Users
access-list Vlan_Corp_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 152, packet dispatched to next module

Result:
input-interface: vlan_Users
input-status: up
input-line-status: up
output-interface: vlan_Voice
output-status: up
output-line-status: up
Action: allow

And also from Voice to Users (this drops due to the implicit rule, as it is on a lower security group number):

ASA# packet-tracer input vlan_Voice tcp 192.168.42.5 15000 192.168.35.3 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.35.3 using egress ifc  vlan_Users

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vlan_Voice
input-status: up
input-line-status: up
output-interface: vlan_Users
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Checking with Wireshark on the server while pinging from the remote client, we saw [TCP ACKed unseen segment], [TCP Previous segment not captured] and [TCP Port numbers reused] messages. In the end we found TCP traffic inspection on the firewall was blocking the traffic, as the packets were either out of sequence or out of order.

Whilst this fixed it, I am concerned that I had to do this. Is there anything I have missed, or could this be a bug? I will upgrade the firmware from the August 2017 release to the latest 2018 release.

morleyc
  • So... it sounds like you didn't backup the existing config before making the changes... which is a good, but painful, lesson to learn. Unless you did make a backup? – joeqwerty Jun 22 '18 at 03:18
  • I'm reviewing this, but a quick question: did you save the change? Or can you reboot and clear the running config back to the flash-saved config? – Rob Pearson Jun 22 '18 at 04:35
  • Also, what does the ASDM packet tracer tool say is the breakdown? – Rob Pearson Jun 22 '18 at 05:26
  • Made some other additions in other areas that did work... when I said it was working, it was an interval of 15 mins where all was good. The strange thing is that packet tracer says it is allowed; I thought it was NAT between internal subnets, but that appears to be ok – morleyc Jun 22 '18 at 05:55
  • Packet tracer says that everything works for both directions? I ask because I've done it a few times where I know that sending traffic out of an interface is working, but failed to check that the return path was also open. In the meantime, I don't see anything obvious to cause this. I'd like to eliminate the very old version of software that you're on as a possibility - do you have anything preventing you from updating to the current interim release of 9.2? – Rob Pearson Jun 24 '18 at 19:15
  • I missed your second packet tracer post, where you have a deny happening due to the security level difference. Try raising the security level to match your other network. – Rob Pearson Jun 25 '18 at 22:26
  • Hi Rob, thanks for the replies. Managed to fix it - `TCP traffic inspection on the firewall was blocking the traffic as the packets were either out of sequence or out of order`, not sure if a bug but will upgrade the firmware to be sure. – morleyc Jun 26 '18 at 12:07
  • Please take a look at queue limits in this article - https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/conns_connlimits.html - are you upgrading to at least v9.1? For some reason or another I had thought you were on v8.2 at the start of this... – Rob Pearson Jun 26 '18 at 16:27
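The question turns on which rule decides a flow between two named interfaces: an inbound access-group on the ingress interface, or, when there is none, the security-level comparison (plus `same-security-traffic permit inter-interface` for equal levels). The script below is an added example, not code from the question or the answer. It transcribes a subset of the posted config (interfaces, two objects, the applied ACLs and the VPN pools) into Python data and evaluates that decision for the flows in the two packet-tracer runs, then reports two things a reviewer would raise on this config: the `permit ip any any` applied inbound on Outside, and address pools that lie inside a directly connected subnet. It ignores ACE port qualifiers and only sees what was pasted, so it will not reproduce a drop caused by NAT, VPN or a statement missing from the post; the posted Voice to Users trace is one such case.

```python
"""Which rule decides a new connection through a Cisco ASA?  Added example, not
code from the question or the answer.

If the ingress interface has an inbound access-group, that ACL decides and ends
in an implicit deny.  Without one, higher security-level to lower is permitted,
equal levels need "same-security-traffic permit inter-interface", and lower to
higher is denied.  Assumption: ACE port qualifiers are ignored.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Transcribed from the config posted in the question (a subset).
IFACES = {  # nameif: (security-level, address; None where PPPoE assigns it)
    "Vlan_Management": (100, ipaddress.ip_interface("192.168.255.1/24")),
    "vlan_Users": (90, ipaddress.ip_interface("192.168.35.1/24")),
    "vlan_Voice": (80, ipaddress.ip_interface("192.168.42.1/24")),
    "vlan_Lab": (20, ipaddress.ip_interface("192.168.101.1/24")),
    "Outside": (0, None),
}
OBJECTS = {"Remote_8": [ipaddress.ip_network("10.10.8.0/22")],
           "Remote_200": [ipaddress.ip_network("10.10.200.0/24")]}
OBJECTS["DM_INLINE_NETWORK_1"] = OBJECTS["Remote_8"] + OBJECTS["Remote_200"]
ACLS = {
    "Vlan_Corp_access_in": ["permit ip any any",
                            "permit ip 192.168.35.0 255.255.255.0 object-group DM_INLINE_NETWORK_1"],
    "vlan_Voice_access_in": ["permit ip any any"],
    "vlan_Lab_access_in_1": ["permit ip 192.168.101.0 255.255.255.0 interface Outside"],
    "Outside_access_in": ["permit ip any any"],
}
ACCESS_GROUP = {"vlan_Users": "Vlan_Corp_access_in", "vlan_Voice": "vlan_Voice_access_in",
                "vlan_Lab": "vlan_Lab_access_in_1", "Outside": "Outside_access_in"}
SAME_SECURITY_INTER_INTERFACE = True
VPN_POOLS = {"VPN": ("192.168.35.2", "192.168.35.240"),
             "webVPN": ("192.168.35.241", "192.168.35.245")}


def _spec(t, i):
    """Parse one ACE address spec at t[i]; return (networks, index after it)."""
    w = t[i]
    if w in ("any", "any4"):
        return [ANY], i + 1
    if w == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if w in ("object", "object-group"):
        return OBJECTS[t[i + 1]], i + 2
    if w == "interface":  # the named interface's own address; unknown (PPPoE) never matches
        addr = IFACES[t[i + 1]][1]
        return ([ipaddress.ip_network(str(addr.ip))] if addr else []), i + 2
    return [ipaddress.ip_network(f"{w}/{t[i + 1]}", strict=False)], i + 2


def _ace_matches(ace, proto, src, dst):
    t = ace.split()
    s, i = _spec(t, 2)
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt", "range"):  # skip source-port qualifier
        i += 3 if t[i] == "range" else 2
    d, _ = _spec(t, i)
    return t[1] in ("ip", proto) and any(src in n for n in s) and any(dst in n for n in d)


def allowed(ingress, egress, src, dst, proto="ip"):
    """Decision for a new connection entering `ingress` and leaving `egress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = ACCESS_GROUP.get(ingress)
    if acl:  # an applied ACL replaces the implicit higher-to-lower permit
        for ace in ACLS[acl]:
            if _ace_matches(ace, proto, src, dst):
                return ace.startswith("permit"), f"{acl}: {ace}"
        return False, f"{acl}: implicit deny"
    a, b = IFACES[ingress][0], IFACES[egress][0]
    if a > b:
        return True, "implicit permit, higher to lower security-level"
    if a == b and SAME_SECURITY_INTER_INTERFACE:
        return True, "same-security-traffic permit inter-interface"
    return False, "implicit deny, lower or equal security-level"


def findings():
    """Flow-independent points a reviewer would raise on this config."""
    out = []
    lowest = min(IFACES, key=lambda n: IFACES[n][0])
    if "permit ip any any" in ACLS.get(ACCESS_GROUP.get(lowest), []):
        out.append(f"{lowest} (security-level {IFACES[lowest][0]}) permits any inbound IP traffic")
    for name, (lo, hi) in VPN_POOLS.items():
        for ifc, (_, addr) in IFACES.items():
            if addr and ipaddress.ip_address(lo) in addr.network:
                out.append(f"pool {name} {lo}-{hi} lies inside {addr.network} on {ifc}")
    return out


if __name__ == "__main__":
    for flow in [("vlan_Users", "vlan_Voice", "192.168.35.3", "192.168.42.5"),
                 ("vlan_Voice", "vlan_Users", "192.168.42.5", "192.168.35.3"),
                 ("Vlan_Management", "vlan_Users", "192.168.255.9", "192.168.35.3"),
                 ("vlan_Lab", "vlan_Voice", "192.168.101.9", "192.168.42.5")]:
        print(flow, allowed(*flow))
    print(*findings(), sep="\n")
```

Note what the Lab result shows: `vlan_Lab_access_in_1` only permits traffic to `interface Outside`, i.e. to the ASA's own outside address, so Lab to Voice falls to the ACL's implicit deny regardless of security levels. The Management to Users flow is the only one in the posted config decided by the security-level comparison, because it is the only named interface without an access-group.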

1 Answer


This is a NAT problem. The nat-control yes-or-no for different aspects is fuzzy and not always correct. Edit the conf like this:

nat (vlan_Users,vlan_Voice) source static Users Users dest static Voice Voice
Jonas Bjork
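An added example, not code from the answer or the question, that walks the NAT lookup for the flows discussed on this page. It loads the three manual (twice NAT) rules and the object NAT statements as posted, then builds a second table with the rule the answer proposes appended to section 1 (the default position for a `nat` line given without a line number), and reports which rule each flow matches and what it translates to. Object definitions are transcribed from the question; `dest` in the answer's line is read as the abbreviation of `destination`. Assumptions: the egress interface comes from routing and is supplied by the caller, only the forward direction is evaluated, and `dynamic interface` is summarised as PAT to the egress interface address rather than resolved (Outside is PPPoE-assigned).

```python
"""Which NAT rule does a flow hit?  Added example, not code from the question or
the answer.

Models the first-match lookup an ASA performs over its NAT table for a
connection initiated from the real side: section 1 manual (twice) NAT rules in
configuration order, then section 2 object NAT.  Assumptions: the egress
interface comes from routing and is given by the caller, only the forward
direction is evaluated, and "dynamic interface" is summarised as PAT to the
egress interface address.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Network objects from the question; the NAT lines as posted, plus the answer's rule.
OBJECTS = {
    "any": ANY,
    "Users": ipaddress.ip_network("192.168.35.0/24"),
    "Corp": ipaddress.ip_network("192.168.35.0/24"),
    "Voice": ipaddress.ip_network("192.168.42.0/24"),
    "Remote_8": ipaddress.ip_network("10.10.8.0/22"),
}
POSTED_MANUAL_NAT = [
    "nat (vlan_Users,Outside) source static Users Users destination static Remote_8 Remote_8 no-proxy-arp route-lookup",
    "nat (vlan_Users,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup",
    "nat (Outside,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup",
]
POSTED_OBJECT_NAT = [  # (object, its "nat" sub-statement)
    ("Users", "nat (vlan_Users,Outside) dynamic interface"),
    ("Voice", "nat (vlan_Voice,Outside) dynamic interface"),
]
ANSWER_RULE = "nat (vlan_Users,vlan_Voice) source static Users Users dest static Voice Voice"


class NatRule:
    def __init__(self, line, obj=None):
        t = line.split()
        self.text = line
        self.real_ifc, self.mapped_ifc = t[1].strip("()").split(",")
        self.dst_real = self.dst_mapped = ANY
        if obj:  # object NAT: translates that object's source, any destination
            self.src_real, self.src_mapped = OBJECTS[obj], "interface"
            return
        self.src_real, self.src_mapped = OBJECTS[t[4]], OBJECTS[t[5]]
        if len(t) > 6 and t[6].startswith("dest"):  # "destination" may be abbreviated
            self.dst_real, self.dst_mapped = OBJECTS[t[8]], OBJECTS[t[9]]

    def matches(self, ingress, egress, src, dst):
        return (self.real_ifc in (ingress, "any") and self.mapped_ifc in (egress, "any")
                and src in self.src_real and dst in self.dst_real)

    def translate(self, src, dst):
        """Static NAT maps by host offset within equal-sized objects, so identity is a no-op."""
        if self.src_mapped == "interface":
            new_src = f"<{self.mapped_ifc} interface address>"
        else:
            new_src = str(self.src_mapped[int(src) - int(self.src_real.network_address)])
        new_dst = str(self.dst_mapped[int(dst) - int(self.dst_real.network_address)])
        return new_src, new_dst

    def is_identity(self):
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped


def nat_table(manual_lines, object_nat):
    """Section 1 rules in order, then section 2 object NAT."""
    return [NatRule(l) for l in manual_lines] + [NatRule(l, obj) for obj, l in object_nat]


def lookup(table, ingress, egress, src, dst):
    """First matching rule and the translated (src, dst); None means no translation."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in table:
        if rule.matches(ingress, egress, src, dst):
            return rule, rule.translate(src, dst)
    return None, (str(src), str(dst))


BEFORE = nat_table(POSTED_MANUAL_NAT, POSTED_OBJECT_NAT)
AFTER = nat_table(POSTED_MANUAL_NAT + [ANSWER_RULE], POSTED_OBJECT_NAT)

if __name__ == "__main__":
    flows = [("vlan_Users", "vlan_Voice", "192.168.35.3", "192.168.42.5"),
             ("vlan_Users", "Outside", "192.168.35.3", "10.10.8.9"),
             ("vlan_Users", "Outside", "192.168.35.3", "8.8.8.8")]
    for name, table in (("before", BEFORE), ("after", AFTER)):
        for flow in flows:
            rule, xlate = lookup(table, *flow)
            print(name, flow, "->", xlate, "|", rule.text if rule else "no NAT rule")
```

Run as-is, the Users to Voice flow matches no rule in the posted table and matches the answer's rule once it is added; in both cases the addresses are unchanged, because every posted rule's interface pair ends on Outside and the added rule is an identity translation. The object NAT to Outside is never reached for inter-VLAN flows because its mapped interface is Outside, while a flow to 10.10.8.9 over the VPN hits the first manual rule (identity) and a flow to 8.8.8.8 falls through to the dynamic interface PAT.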