  • ASA - Blocking LAN Traffic

    Hi

    I was after some advice here.

    Recently deployed an Exchange Server at one of our satellite offices - this is all part of our main domain in HQ.

    Migrated one user's mailbox to the new server and they have been having nothing but trouble.

    6 - 10 times a day they lose connectivity to the Exchange Server, cannot ping it or anything.

    Now I have been looking at the ASDM log and I am seeing things like:

    Deny inbound icmp src inside:192.168.X.X dst inside:servername (type 8, code 0)

    I am guessing that this is where the root of the issue lies, but why is this happening?

    Can anyone please offer some assistance?

    Thanks

    Paul
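    The log line quoted above has a property worth checking mechanically: both the source and the destination are tagged with the same interface name (inside:...). The small parser below, which is an added example and not part of the thread or any Cisco tooling, pulls the interface names, addresses and ICMP type/code out of lines in that format and counts the "intra-interface" denies (src interface equal to dst interface) per source/destination pair, so a run of them against a particular server stands out from ordinary outside-to-inside drops. The sample lines are constructed for the example using the addresses given later in the thread; the optional %ASA-3-106014 prefix is the syslog ID the ASA attaches to this message when it is sent to a syslog server, and is accepted here because ASDM shows the message body alone.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Message body as it appears in ASDM (syslog ID 106014). The optional prefix
# covers the same line when copied from a syslog server instead of ASDM.
DENY_ICMP_RE = re.compile(
    r"(?:%ASA-\d-106014:\s*)?Deny inbound icmp "
    r"src (?P<src_if>[\w-]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


@dataclass(frozen=True)
class IcmpDeny:
    src_if: str
    src: str
    dst_if: str
    dst: str
    icmp_type: int
    icmp_code: int

    @property
    def intra_interface(self) -> bool:
        # True when the ASA received the packet on the same interface it
        # would have to send it back out of (src and dst both "inside").
        return self.src_if == self.dst_if


def parse_deny(line: str) -> Optional[IcmpDeny]:
    """Parse one ASA 'Deny inbound icmp' line; return None for any other line."""
    m = DENY_ICMP_RE.search(line)
    if not m:
        return None
    return IcmpDeny(
        m["src_if"], m["src"], m["dst_if"], m["dst"], int(m["type"]), int(m["code"])
    )


def summarize(lines: Iterable[str]) -> Tuple[Counter, int, int]:
    """Count intra-interface denies per (interface, src, dst).

    Returns (intra_counter, other_denies, unparsed_lines). 'other_denies' are
    ICMP denies between two different interfaces, e.g. outside -> inside,
    which are the ordinary case for a perimeter firewall.
    """
    intra: Counter = Counter()
    other = 0
    unparsed = 0
    for line in lines:
        d = parse_deny(line)
        if d is None:
            unparsed += 1
        elif d.intra_interface:
            intra[(d.src_if, d.src, d.dst)] += 1
        else:
            other += 1
    return intra, other, unparsed


def flag_hairpins(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Return one report line per (src, dst) pair seen at least `threshold` times
    with src and dst on the same interface. The threshold is an assumption for
    the example, not an ASA setting."""
    intra, _, _ = summarize(lines)
    return [
        f"{iface}: {src} -> {dst} denied {n}x on the same interface"
        for (iface, src, dst), n in sorted(intra.items())
        if n >= threshold
    ]


# Constructed sample log lines (not real captures). The first two use the
# client and server addresses given in the thread; the third is an ordinary
# outside -> inside drop; the last is an unrelated message the parser ignores.
SAMPLE_LOG = [
    "Deny inbound icmp src inside:192.168.1.68 dst inside:192.168.1.13 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src inside:192.168.1.68 dst inside:192.168.1.13 (type 8, code 0)",
    "Deny inbound icmp src outside:203.0.113.7 dst inside:192.168.1.13 (type 8, code 0)",
    "Built outbound TCP connection 12345 for outside:203.0.113.7/443 (203.0.113.7/443)",
]

if __name__ == "__main__":
    for report_line in flag_hairpins(SAMPLE_LOG):
        print(report_line)
```

    The point of the classification is that a perimeter firewall normally logs denies between two different interfaces; a deny whose source and destination are both on the inside interface means the packet reached the ASA's inside interface and the ASA is being asked to send it back out the same way. An ASA only forwards such traffic when same-security-traffic permit intra-interface is configured, so separating these lines from the ordinary outside-to-inside drops is the first thing to check when a LAN host complains it cannot reach another LAN host.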

  • #2
    Re: ASA - Blocking LAN Traffic

    Is it a VPN to the other office or is this just a firewall between your networks?
    On the PIX it is common to turn off the DNS and SMTP fixups but the ASA should be a little more lenient (I would check the defaults).

    I assume this site is a different AD site and has its own GC?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: ASA - Blocking LAN Traffic

      Hi Andy

      I don't think you are quite understanding.

      Sorry I shouldn't have mentioned it was a satellite office, not really an important fact.

      The PC trying to access the Exchange server is on the LAN, 192.168.1.68; the server is on the same LAN, 192.168.1.13.

      But I am getting that error I previously mentioned.

      Any ideas?



      • #4
        Re: ASA - Blocking LAN Traffic

        If the traffic isn't going through the ASA then it shouldn't be an issue.

        Are the Exchange, DC and client all up to date with patches?
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?



        • #5
          Re: ASA - Blocking LAN Traffic

          Hi Andy

          Okay, so my FW is an ASA5505, so the LAN switch is plugged into one of the VLAN ports on the firewall.

          Still getting the same error as I was - Deny inbound icmp src inside:192.168.X.X dst inside:servername (type 8, code 0)

          Now the strange thing is the workstations and the servers are all on the same network, same switch everything, but it gets even weirder.

          The Exchange Server also has VMware installed on it with a server running; the server that is in the VM works fine, pings fine etc., even when the Exchange Server doesn't.

          So that counts out the hardware for the Exchange Server.

          The issue has to be the firewall but I cannot figure out why, so below is my config, see if you can spot anything (thanks in advance):

          Code:
          ASA Version 8.0(4) 
          !
          hostname Company-ASA5505
          names
          name 192.168.100.0 company_London_LAN
          name 192.168.200.0 company_Guernsey_LAN
          name 217.206.142.238 company_London_WAN
          name 192.168.30.0 company_London_DMZ
          name 192.168.254.0 company_DR_LAN
          name 192.168.200.13 companygsy-exch01
          name 193.109.254.0 ML1
          name 195.245.230.0 ML2
          name 195.216.0.0 ML3
          name 212.125.64.0 ML4
          name 62.231.128.0 ML5
          name 62.173.108.0 ML6
          name 85.158.136.0 ML7
          name 194.106.220.0 ML8
          name 194.205.110.128 ML9
          name 212.125.74.44 ML10
          name 212.125.75.0 ML11
          name 216.82.240.0 ML12
          !
          interface Vlan1
           description LAN
           nameif inside
           security-level 100
           ip address 192.168.2.5 255.255.255.0 
          !
          interface Vlan2
           nameif outside
           security-level 0
           ip address 112.40.24.50 255.255.255.252 
          !
          interface Ethernet0/0
           switchport access vlan 2
          !
          interface Ethernet0/1
           description LAN
           speed 100
           duplex full
          !
          interface Ethernet0/2
           description LAN
           speed 100
           duplex full
          !
          interface Ethernet0/3
           description LAN
           speed 100
           duplex full
          !
          boot system disk0:/asa804-k8.bin
          object-group network MessageLabs
           network-object ML1 255.255.255.0
           network-object ML8 255.255.255.0
           network-object host ML9
           network-object ML3 255.255.0.0
           network-object ML2 255.255.255.0
           network-object ML4 255.255.255.0
           network-object host ML10
           network-object ML11 255.255.255.0
           network-object ML12 255.255.255.0
           network-object ML6 255.255.255.0
           network-object ML5 255.255.255.0
           network-object ML7 255.255.255.0
          access-list outside_cryptomap_20 extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_LAN 255.255.255.0 
          access-list outside_cryptomap_20 extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_DMZ 255.255.255.0 
          access-list Group_VPN_splitTunnelAcl extended permit ip company_Guernsey_LAN 255.255.255.0 any 
          access-list inside_nat0_outbound extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_LAN 255.255.252.0 
          access-list inside_nat0_outbound extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_DMZ 255.255.255.0 
          access-list inside_nat0_outbound extended permit ip company_Guernsey_LAN 255.255.255.0 company_DR_LAN 255.255.255.0 
          access-list inside_nat0_outbound extended permit ip any 192.168.2.96 255.255.255.224 
          access-list inside_access_in extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_LAN 255.255.252.0 
          access-list inside_access_in extended permit ip company_Guernsey_LAN 255.255.255.0 any 
          access-list inside_access_in extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_DMZ 255.255.255.0 
          access-list outside_1_cryptomap extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_LAN 255.255.252.0 
          access-list outside_1_cryptomap extended permit ip company_Guernsey_LAN 255.255.255.0 company_London_DMZ 255.255.255.0 
          access-list outside_2_cryptomap extended permit ip company_Guernsey_LAN 255.255.255.0 company_DR_LAN 255.255.255.0 
          access-list outside_access_in extended permit tcp object-group MessageLabs host 112.40.24.50 eq smtp 
          access-list outside_access_in extended permit tcp any host 112.40.24.50 eq https 
          access-list outside_access_in extended permit tcp any host 112.40.24.50 eq www 
          ip local pool Group_VPN 192.168.2.100-192.168.2.120 mask 255.255.255.0
          icmp unreachable rate-limit 1 burst-size 1
          asdm image disk0:/asdm-615.bin
          no asdm history enable
          arp timeout 14400
          global (outside) 1 interface
          nat (inside) 0 access-list inside_nat0_outbound
          nat (inside) 1 0.0.0.0 0.0.0.0
          static (inside,outside) tcp interface smtp companygsy-exch01 smtp netmask 255.255.255.255  dns 
          static (inside,outside) tcp interface www companygsy-exch01 www netmask 255.255.255.255  dns 
          static (inside,outside) tcp interface https companygsy-exch01 https netmask 255.255.255.255  dns 
          static (outside,inside) tcp companygsy-exch01 smtp 112.40.24.50 smtp netmask 255.255.255.255  dns 
          access-group inside_access_in in interface inside
          access-group outside_access_in in interface outside
          route outside 0.0.0.0 0.0.0.0 112.40.24.49 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          dynamic-access-policy-record DfltAccessPolicy
          aaa authentication telnet console LOCAL 
          http server enable
          http company_Guernsey_LAN 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart
          service resetoutside
          crypto ipsec security-association lifetime seconds 28800
          crypto ipsec security-association lifetime kilobytes 4608000
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
          crypto map outside_map 20 match address outside_cryptomap_20
          crypto map outside_map 20 set peer 219.106.172.239 
          crypto map outside_map 20 set transform-set ESP-3DES-MD5
          crypto map outside_map 20 set security-association lifetime seconds 28800
          crypto map outside_map 20 set security-association lifetime kilobytes 4608000
          crypto map outside_map0 1 match address outside_1_cryptomap
          crypto map outside_map0 1 set pfs 
          crypto map outside_map0 1 set peer 219.106.172.239 
          crypto map outside_map0 1 set transform-set ESP-3DES-MD5
          crypto map outside_map0 1 set security-association lifetime seconds 28800
          crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
          crypto map outside_map0 2 match address outside_2_cryptomap
          crypto map outside_map0 2 set pfs 
          crypto map outside_map0 2 set peer 211.222.107.216 
          crypto map outside_map0 2 set transform-set ESP-3DES-MD5
          crypto map outside_map0 2 set security-association lifetime seconds 28800
          crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
          crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
          crypto map outside_map0 interface outside
          crypto isakmp enable outside
          crypto isakmp policy 20
           authentication pre-share
           encryption 3des
           hash md5
           group 2
           lifetime 86400
          crypto isakmp policy 40
           authentication pre-share
           encryption 3des
           hash md5
           group 1
           lifetime 86400
          crypto isakmp policy 60
           authentication pre-share
           encryption 3des
           hash sha
           group 2
           lifetime 86400
          crypto isakmp ipsec-over-tcp port 10000 
          no vpn-addr-assign aaa
          no vpn-addr-assign dhcp
          telnet company_Guernsey_LAN 255.255.255.0 inside
          telnet 219.106.172.239  255.255.255.248 outside
          telnet timeout 5
          ssh company_Guernsey_LAN 255.255.255.0 inside
          ssh 219.106.172.239  255.255.255.248 outside
          ssh timeout 5
          console timeout 0
          dhcpd auto_config outside
          !
          dhcpd address 192.168.2.50-192.168.2.81 inside
          dhcpd dns 192.168.1.1 212.30.8.150 interface inside
          dhcpd wins 192.168.1.111 interface inside
          !
          
          threat-detection basic-threat
          threat-detection statistics access-list
          no threat-detection statistics tcp-intercept
          group-policy Guernsey internal
          group-policy Guernsey attributes
           wins-server value 192.168.2.12 192.168.1.111
           dns-server value 192.168.2.12 192.168.1.111
           vpn-tunnel-protocol IPSec 
           default-domain value oam.company.com
          group-policy Group_VPN internal
          group-policy Group_VPN attributes
           wins-server value 192.168.1.111
           dns-server value 192.168.1.1 212.30.8.150
           vpn-idle-timeout 30
           split-tunnel-policy tunnelspecified
           split-tunnel-network-list value Group_VPN_splitTunnelAcl
           default-domain value company.co.uk
          username xxx password xxx encrypted privilege 15
           vpn-group-policy Group_VPN
          tunnel-group company_London_VPN type ipsec-l2l
          tunnel-group company_London_VPN ipsec-attributes
           pre-shared-key *
          tunnel-group Group_VPN type remote-access
          tunnel-group Group_VPN general-attributes
           address-pool Group_VPN
           default-group-policy Group_VPN
          tunnel-group Group_VPN ipsec-attributes
           pre-shared-key *
          tunnel-group 219.106.172.239 type ipsec-l2l
          tunnel-group 219.106.172.239 ipsec-attributes
           pre-shared-key *
          tunnel-group 211.222.107.216 type ipsec-l2l
          tunnel-group 211.222.107.216 ipsec-attributes
           pre-shared-key *
          tunnel-group Guernsey type remote-access
          tunnel-group Guernsey general-attributes
           address-pool Group_VPN
           default-group-policy Guernsey
          tunnel-group Guernsey ipsec-attributes
           pre-shared-key *
          !
          class-map inspection_default
           match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
           parameters
            message-length maximum 512
          policy-map global_policy
           class inspection_default
            inspect dns preset_dns_map 
            inspect ftp 
            inspect h323 h225 
            inspect h323 ras 
            inspect rsh 
            inspect rtsp 
            inspect sqlnet 
            inspect skinny  
            inspect sunrpc 
            inspect xdmcp 
            inspect sip  
            inspect netbios 
            inspect tftp 
          !
          service-policy global_policy global
          prompt hostname context 
          Cryptochecksum:9040a522f839a14e692ede9a1b431297
          : end
          Last edited by AndyJG247; 6th March 2009, 15:22.



          • #6
            Re: ASA - Blocking LAN Traffic

            Originally posted by [email protected]:
            "The Exchange Server also has got VMWare Installed on it with a server running"
            ERK! Don't like the sound of that but your choice.


            Maybe barking up the wrong tree here, but:
            Deny inbound icmp src inside:192.168.X.X dst inside:servername (type 8, code 0)

            The X.X you added, what was the first one?
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?
