About snferguson

Hi all, I'll preface this as I'm the sole networking guy at my job and I'm still green. Apologies for any dumb questions, I've tried to read the manual for relevant info and used my google-fu to no avail.   I'm using a PA-3020 on firmware 8.0.6.   I've been asked to integrate a new Cisco ASA for a financial system that allows a tunnel between my site, and their servers to load the webpage client for the software.   I've setup a DMZ for the ASA, and confirmed with the other party that their tunnel is up and able to communicate. So no issues on the DMZ side.   I was told to institute static routes to allow hosts to traverse via the ASA over the tunnel. The ASA has two interfaces configured, one for WAN, which is in our DMZ on the IP 10.10.254.1.   The other ASA interface is meant for our internal LAN, and the interface is configured for 10.10.3.253.   I'm not 100% sure but I have a feeling my static route is not functioning as intended. Setting a route via windows to the ASA's internal interface (10.10.3.253) will allow me to traverse the tunnel to the needed webpage. Similarly, using another L3 device (velocloud) with static routes set to the ASA's internal IP (10.10.3.253) also allows me traverse the tunnel to the web page.   Looking at the CLI, I confirmed the routing table and tested the route and it seems to forward it to ASA's LAN interface at 10.10.3.253. I've checked my firewall security policies, and explicitly allowed traffic on my 10.10.3.0/24 segment to and from the ASA's interface at 10.10.3.253. Is there anything I've missed, or misconfigured?   A tracert via windows reveals the following:    C:\Users\sferguson>tracert -d 208.64.237.43 Tracing route to 208.64.237.43 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 10.10.3.111 2 22 ms 22 ms 23 ms 208.*.237.43   Which is indicitivate to me for traversal over a tunnel My tests:     *@PA-3020> show routing fib -------------------------------------------------------------------------------- virtual-router name: Primary VR interfaces: ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/12 tunnel tunnel.99 tunnel.100 tunnel.101 route table: flags: u - up, h - host, g - gateway, e - ecmp, * - preferred path id destination nexthop flags interface mtu -------------------------------------------------------------------------------- 91 0.0.0.0/0 72.*.182.1 ug ethernet1/3 1500 7 10.10.1.0/24 0.0.0.0 u tunnel.99 1500 71 10.10.2.0/24 0.0.0.0 u tunnel.101 1500 30 10.10.3.0/24 0.0.0.0 u ethernet1/4 1500 29 10.10.3.111/32 0.0.0.0 uh ethernet1/4 1500 135 10.10.254.0/24 0.0.0.0 u ethernet1/5 1500 134 10.10.254.254/32 0.0.0.0 uh ethernet1/5 1500 12 10.99.99.0/24 10.99.99.0 ug tunnel 1500 76 40.*.92.104/29 0.0.0.0 u ethernet1/12 1500 75 40.*.92.106/32 0.0.0.0 uh ethernet1/12 1500 88 72.*.182.0/29 0.0.0.0 u ethernet1/3 1500 87 72.*.182.2/32 0.0.0.0 uh ethernet1/3 1500 147 207.*.128.0/21 10.10.3.253 ug ethernet1/4 1500 148 207.*.139.0/25 10.10.3.253 ug ethernet1/4 1500 149 208.*.237.43/32 10.10.3.253 ug ethernet1/4 1500 150 208.*.237.44/32 10.10.3.253 ug ethernet1/4 1500 -------------------------------------------------------------------------------- *@PA-3020> show routing route flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast VIRTUAL ROUTER: Primary VR (id 1) ========== destination nexthop metric flags age interface next-AS 0.0.0.0/0 40.*.92.105 200 S ethernet1/12 0.0.0.0/0 72.*.182.1 10 A S ethernet1/3 10.10.1.0/24 0.0.0.0 10 A S tunnel.99 10.10.2.0/24 0.0.0.0 10 A S tunnel.101 10.10.3.0/24 10.10.3.111 0 A C ethernet1/4 10.10.3.111/32 0.0.0.0 0 A H 10.10.254.0/24 10.10.254.254 0 A C ethernet1/5 10.10.254.254/32 0.0.0.0 0 A H 10.99.99.0/24 10.99.99.0 10 A S tunnel 40.*.92.104/29 40.*.92.106 0 A C ethernet1/12 40.*.92.106/32 0.0.0.0 0 A H 72.*.182.0/29 72.*.182.2 0 A C ethernet1/3 72.*.182.2/32 0.0.0.0 0 A H 207.2*.128.0/21 10.10.3.253 1 A S ethernet1/4 207.2*.139.0/25 10.10.3.253 1 A S ethernet1/4 208.*.237.43/32 10.10.3.253 1 A S ethernet1/4 208.*.237.44/32 10.10.3.253 1 A S ethernet1/4 total routes shown: 17 *@PA-3020> test routing fib-lookup virtual-router "Primary VR" ip 208.*.237.44 -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: Primary VR destination: 208.*.237.44 result: via 10.10.3.253 interface ethernet1/4, source 10.10.3.111, metric 1 -------------------------------------------------------------------------------- *@PA-3020> test security-policy-match from "LAN Zone" to "LAN Zone" source 10.10.3.24 destination 10.10.3.253 destination-port 443 application web-browsing protocol 6 "*-1; index: 14" { from "LAN Zone"; source any; source-region none; to "LAN Zone"; destination 10.10.3.253; destination-region none; user any; category any; application/service any/any/any/any; action allow; icmp-unreachable: no terminal yes; }     Diagram for reference:   https://imgur.com/a/dsXoBKJ ... View more

Hello, I'm attempting to add routes via cmd using the 'route' command but I'm encountering issues, none of my traffic is being passed by the gateway.   My intent is for a host (10.10.3.22 in this example) to egress out of R1 (10.10.3.250) to another network on 10.10.2.0. Checking my firewalls logs at R1 (10.10.3.250), I see no traffic even being taken by R1, from the time I changed my interfaces gateway from R1, to R2. My gateway on my host (10.10.3.22) is set to R2 (10.10.3.254) and was statically assigned rather than by DHCP.   Is there a reason why R1 is not taking my traffic? Is it a AD security issue, or something else I may have overlooked?   ... View more