No internet on ASA Active/Standby setup: Design issue?

Started by scottsee, March 25, 2015, 06:11:01 PM


scottsee

Here is the skinny - Public IPs in my configs are not real - and I'm rusty at routing!!  ;)

I set up an Active/Standby pair and can ping the public VLAN3 SVI on my 2960S, which I point to in my default route shown in the configs below... But not my Adtran's default gateway from the ASAs.

I can ping the world from my 2960.. Gotta be NAT.. Please take a peek.. I would love my ASAs to experience network attacks and lots and lots of stateful inspections..

Picture of network at bottom...

2960S

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CBO2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uqVO$3wnikm42XEY4xFecIeTu11
!
username ssee privilege 15 secret 5 $1$ijn0$oeM0O6vn6PiVwHeWW/nzK.
no aaa new-model
switch 1 provision ws-c2960s-24ts-l
ip routing
!
!
ip domain-name cbo.networking-forums.org
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-3214976896
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3214976896
 revocation-check none
 rsakeypair TP-self-signed-3214976896
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name ASA-OUTSIDE-FAILOVER
!
vlan 3
 name INTERNET
!
ip ssh version 2
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 3
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface Vlan1
 description INSIDE_NETWORK_BROADCAST_DOMAIN
 ip address 192.168.25.210 255.255.252.0
!
interface Vlan2
 description ASA_OUTSIDE_BROADCAST_DOMAIN
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan3
 description INTERNET
 ip address 63.10.80.98 255.255.255.248
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Vlan3 63.10.80.97
!
!
!
line con 0
 logging synchronous
line vty 0 4
 session-timeout 60
 login local
line vty 5 15
 session-timeout 60
 login local
!
end


Active

: Saved

:
: Serial Number: F####
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
: Written by enable_15 at 15:43:29.259 UTC Wed Mar 25 2015
: Call-home enabled from prompt by enable_15 at 14:32:49 UTC Mar 23 2015
!
ASA Version 9.3(2)
!
hostname ASAPAIR
domain-name networking-forums.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.25.200 255.255.252.0 standby 192.168.25.201
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa932-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name networkin-forums.org
object network CBO
 subnet 192.168.24.0 255.255.252.0
object network IO
 subnet 10.10.24.0 255.255.252.0
object network SDPLUS1
 host 10.10.25.110
 description Server Desk Manager Server
object service ServerDesk_AD
 service tcp source eq 8888 destination eq 8888
 description Service Desk Manager Password Reset
object service ServiceDesk_ManageEngine
 service tcp source eq 8080 destination eq 8080
 description Manage Engine
object network CBO_East
 subnet 192.168.23.0 255.255.255.0
access-list global_access extended permit icmp any any
pager lines 24
logging from-address ASA@networking-forums.org
mtu inside 1500
mtu OUTSIDE 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key cisco
failover mac address GigabitEthernet0/0 74a2.e6d4.1111 74a2.e6d4.2222
failover mac address GigabitEthernet0/1 74a2.e6d4.3333 74a2.e6d4.4444
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 10.0.1.1 255.255.255.252 standby 10.0.1.2
failover interface ip STATEFUL 10.0.2.1 255.255.255.252 standby 10.0.2.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE) source dynamic CBO interface
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.25.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.25.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username ssee password qz1.ZhNBUo.b57nw encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname state
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cdd0658662423da0e5c377e438efdf69
: end


Standby
: Saved

:
: Serial Number: F####
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
: Written by enable_15 at 15:45:05.247 UTC Wed Mar 25 2015
: Call-home enabled from prompt by enable_15 at 14:32:49 UTC Mar 23 2015
!
ASA Version 9.3(2)
!
hostname ASAPAIR
domain-name dmgaz.org
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.25.200 255.255.252.0 standby 192.168.25.201
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa932-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name networking-forums.org
object network CBO
 subnet 192.168.24.0 255.255.252.0
object network IO
 subnet 10.10.24.0 255.255.252.0
object network SDPLUS1
 host 10.10.25.110
 description Server Desk Manager Server
object service ServerDesk_AD
 service tcp source eq 8888 destination eq 8888
 description Service Desk Manager Password Reset
object service ServiceDesk_ManageEngine
 service tcp source eq 8080 destination eq 8080
 description Manage Engine
object network CBO_East
 subnet 192.168.23.0 255.255.255.0
access-list global_access extended permit icmp any any
pager lines 24
logging from-address ASA@networking-forums.org
mtu inside 1500
mtu OUTSIDE 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key cisco
failover mac address GigabitEthernet0/0 74a2.e6d4.1111 74a2.e6d4.2222
failover mac address GigabitEthernet0/1 74a2.e6d4.3333 74a2.e6d4.4444
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 10.0.1.1 255.255.255.252 standby 10.0.1.2
failover interface ip STATEFUL 10.0.2.1 255.255.255.252 standby 10.0.2.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,OUTSIDE) source dynamic CBO interface
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.25.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
!
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.25.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username ssee password qz1.ZhNBUo.b57nw encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname state
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d9e6690ea8cb4932212cb3f95f6a469b
: end

scott see

scottsee

Discovered my 2960 did not have a default route.. Added the following - still does not work...


ip default-gateway 63.10.80.97
ip route 0.0.0.0 0.0.0.0 63.10.80.97


Success from 2960

CBO2960#ping www.google.com
Translating "www.google.com"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.224.147, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/13/21 ms
CBO2960#



ASAs - Don't Work

ASAPAIR/act# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASAPAIR/act#



deanwebb

What are the results of a show ip route on the switches and show route on the ASAs?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

scottsee

I'll post in the morning when I get to work. Thanks..


scottsee

What gets me is I can ping 63.10.80.98 from the ASA - which is the SVI interface on my 2960 for the default route out to the ISP device.. But not 63.10.80.97, which is the IP of the default gateway...

2960


Gateway of last resort is 63.10.80.97 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 63.10.80.97
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan2
L        10.0.0.1/32 is directly connected, Vlan2
      63.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        63.10.80.96/29 is directly connected, Vlan3
L        63.10.80.98/32 is directly connected, Vlan3
C     192.168.24.0/22 is directly connected, Vlan1
      192.168.25.0/32 is subnetted, 1 subnets
L        192.168.25.210 is directly connected, Vlan1
CBO2960#



ASA

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, OUTSIDE
C        10.0.0.0 255.255.255.0 is directly connected, OUTSIDE
L        10.0.0.2 255.255.255.255 is directly connected, OUTSIDE
C        10.0.1.0 255.255.255.252 is directly connected, FAILOVER
L        10.0.1.2 255.255.255.255 is directly connected, FAILOVER
C        10.0.2.0 255.255.255.252 is directly connected, STATEFUL
L        10.0.2.2 255.255.255.255 is directly connected, STATEFUL
C     192.168.24.0 255.255.252.0 is directly connected, inside
L        192.168.25.200 255.255.255.255 is directly connected, inside



deanwebb

Seems to me like the issue is the routing on the switch. The ASA ping gets to the switch, but not past it.

routerdork

When you say the public IPs aren't real, are you saying they're scrubbed to hide them? Or is this in a lab? I would think real world at some point since you are pinging Google. Either way though, the 2960 can't do NAT. So you can ping Google from the switch; that's because it sources from the public IP on the SVI. The ASA can't because it's sourcing from a private IP that hasn't been NAT'd, so the Internet doesn't know how to get back to a private network that the ISP isn't routing. I'm no ASA expert but I think that is what I saw.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

deanwebb

Quote from: routerdork on March 26, 2015, 01:45:08 PM
When you say the public IPs aren't real, are you saying they're scrubbed to hide them? Or is this in a lab? I would think real world at some point since you are pinging Google. Either way though, the 2960 can't do NAT. So you can ping Google from the switch; that's because it sources from the public IP on the SVI. The ASA can't because it's sourcing from a private IP that hasn't been NAT'd, so the Internet doesn't know how to get back to a private network that the ISP isn't routing. I'm no ASA expert but I think that is what I saw.

That's the bit I was missing. I'm too used to our RFC 1918 networks being properly NATted and routed here. You're not on my LAN, which is why it doesn't work for you. If the Outside interface on the ASA was in the same IP range as the Internet gateway, this would work. The ASA can provide NAT for RFC 1918 networks behind it, so all the 10.0.0.0 stuff would get to the Internet via the ASA.
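Added example, not code from the thread or either poster: a small Python forwarding model of the topology posted above, showing why a reply to a packet sourced from the ASA's RFC 1918 OUTSIDE address (10.0.0.2) never gets back from the Internet, while replies to the 2960's public SVI (63.10.80.98) and to an OUTSIDE interface moved into the public /29 both do. Assumptions: an 'ISP' device that stands in for the whole Internet and owns the thread's ping target 4.2.2.2, an inside host at 192.168.25.20, and 63.10.80.99 as a free address in the /29 for the re-addressed OUTSIDE interface.

```python
from ipaddress import ip_address, ip_network

CBO = ip_network("192.168.24.0/22")  # object network CBO from the ASA config

def build(fixed=False):
    """Return (routing tables, interface addresses, ASA OUTSIDE address).
    Next hop None means directly connected. Addresses are the thread's
    fictitious ones; ISP, HOST and 63.10.80.99 are assumptions."""
    asa_out = "63.10.80.99" if fixed else "10.0.0.2"
    asa_tbl = ([("63.10.80.96/29", None), ("0.0.0.0/0", "63.10.80.97")] if fixed
               else [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")])
    tables = {
        "HOST": [("192.168.24.0/22", None), ("0.0.0.0/0", "192.168.25.200")],
        "ASA":  [("192.168.24.0/22", None)] + asa_tbl,
        "2960": [("192.168.24.0/22", None), ("10.0.0.0/24", None),
                 ("63.10.80.96/29", None), ("0.0.0.0/0", "63.10.80.97")],
        # Assumed: the Internet knows the customer /29 and has no RFC 1918 routes.
        "ISP":  [("63.10.80.96/29", None), ("4.2.2.0/24", None)],
    }
    addrs = {"HOST": {"192.168.25.20"}, "ASA": {"192.168.25.200", asa_out},
             "2960": {"192.168.25.210", "10.0.0.1", "63.10.80.98"},
             "ISP": {"63.10.80.97", "4.2.2.2"}}
    return tables, addrs, asa_out

def forward(topo, dev, dst):
    """Hop-by-hop path from dev to dst using longest-prefix match; ends in
    'DROP' when a device has no route or the next hop is on no known segment."""
    tables, addrs, _ = topo
    dst, path = ip_address(dst), [dev]
    owner = lambda a: next((d for d, s in addrs.items() if a in s), None)
    for _ in range(8):                                 # TTL-style loop guard
        if str(dst) in addrs[dev]:
            return path
        hits = [(ip_network(p), nh) for p, nh in tables[dev] if dst in ip_network(p)]
        if not hits:
            return path + ["DROP"]
        _, nh = max(hits, key=lambda h: h[0].prefixlen)
        dev = owner(nh if nh is not None else str(dst))  # connected: deliver on-link
        if dev is None:
            return path + ["DROP"]
        path.append(dev)
    return path + ["DROP"]

def round_trip(topo, src_dev, src_ip, dst_ip):
    """Outbound path, reply path, and whether the reply gets home. Traffic from
    object CBO leaving through the ASA is PAT'd to the OUTSIDE interface
    address, as 'nat (any,OUTSIDE) source dynamic CBO interface' does."""
    _, _, asa_out = topo
    out = forward(topo, src_dev, dst_ip)
    if out[-1] == "DROP":
        return out, [], False
    natted = ip_address(src_ip) in CBO and "ASA" in out
    back = forward(topo, out[-1], asa_out if natted else src_ip)
    if natted and back[-1] == "ASA":                   # ASA untranslates and delivers inward
        back += forward(topo, "ASA", src_ip)[1:]
    return out, back, back[-1] != "DROP"
```

With build(False) the model reproduces the symptom in the thread: the ASA reaches 63.10.80.98 (the reply comes back over the connected 10.0.0.0/24) but not 63.10.80.97, because the ISP side has no route to 10.0.0.2.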

scottsee

Interesting...

So the ASA OUTSIDE interfaces on this ASA failover pair need to have public IP addresses from my 63.10.80.98/29 (fictitious for this thread) IP range, not RFC 1918?.. Furthermore, these OUTSIDE interfaces should be connected to VLAN3 tagged ports on my 2960 switch to communicate with the next-hop default route SVI?

I have been shaky on how Primary and Secondary failover interfaces work for OUTSIDE interfaces on this ASA pair.. I knew they need to be on their own broadcast domain but didn't think about them needing to be on the same broadcast domain as the default route's SVI interface..

I'll test and report back..   Thanks!