Static routing tests with Cisco ASA

Date: 19 March 2015. Class: self-study in my cubbyhole.

Scenario

This scenario grew out of a big existential doubt that Pablito Marinozzi and I had been carrying for some time. The question was how a Cisco ASA reaches a branch office through a static route whose next-hop IP belongs to another subnet, with no route available for a recursive lookup. This is covered in CCNA 2, but not in this much detail.

I could not see the forest for the trees. The ASA definitely does not know how to reach the next-hop IP, because it has no route to it; but by its very nature (an egress interface is configured on the route) it sends an ARP request to find the MAC that corresponds to the next-hop IP, even though that IP is not in the range of its own LAN. That request is answered by the intermediate router (a Cisco 1941), which has proxy-arp enabled by default.

The answer was there all along, in plain sight.

The correct route should be: route inside 172.16.112.0 255.255.255.0 172.16.0.2. That is not what is configured, though, and that left me curious about how it works at all. Who knows who configured this route back in the day.
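To make the difference between the two lookup behaviours concrete, here is an added example (not code from the ASA, IOS, or this lab) that models a routing table with longest-prefix match and resolves a destination the two ways described above: a route that names an egress interface (what the ASA "route <nameif>" command creates) is resolved by ARPing for the next hop on that interface, whether or not the next hop is on-link, while a route with only a next hop (IOS "ip route ... <next-hop>") is resolved recursively. The tables are constructed from the "sh route" / "sh ip route" output on this page; the Route class, resolve() and on_link() are this example's own names.

```python
import ipaddress
from typing import List, Optional, Tuple


class Route:
    """One routing-table entry (hypothetical model for this example)."""

    def __init__(self, prefix: str, next_hop: Optional[str], iface: Optional[str]):
        self.prefix = ipaddress.ip_network(prefix)
        # None means directly connected
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None
        # egress interface, if the route names one (ASA style); None for IOS next-hop-only routes
        self.iface = iface


def longest_match(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Classic longest-prefix match: the most specific prefix containing dst wins."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def on_link(routes: List[Route], iface: str, ip: ipaddress.IPv4Address) -> bool:
    """True when ip lies inside a connected prefix of iface, i.e. plain ARP can resolve it."""
    return any(r.next_hop is None and r.iface == iface and ip in r.prefix for r in routes)


def resolve(routes: List[Route], dst: str, depth: int = 0) -> Tuple[str, str, bool]:
    """Return (egress interface, address the device will ARP for, whether that address is on-link).

    A False third value is the whole story of this lab: the device sends an ARP request
    for an address outside its own subnet, and only a proxy-ARP reply can make the route work.
    """
    if depth > 8:
        raise ValueError("recursive lookup loop")
    target = ipaddress.ip_address(dst)
    route = longest_match(routes, target)
    if route is None:
        raise LookupError(f"no route to {dst}")
    if route.next_hop is None:          # connected: ARP for the destination itself
        return route.iface, str(target), True
    if route.iface is not None:         # ASA style: interface given, no recursion
        return route.iface, str(route.next_hop), on_link(routes, route.iface, route.next_hop)
    return resolve(routes, str(route.next_hop), depth + 1)  # IOS style: recurse on the next hop


# Constructed tables mirroring the routing tables shown on this page.
ASA_ROUTES = [
    Route("200.0.0.0/30", None, "outside"),
    Route("172.16.0.0/24", None, "inside"),
    Route("172.16.112.0/24", "10.0.0.2", "inside"),   # the questionable route
    Route("0.0.0.0/0", "200.0.0.2", "outside"),
]
ASA_ROUTES_FIXED = ASA_ROUTES[:2] + [Route("172.16.112.0/24", "172.16.0.2", "inside"), ASA_ROUTES[3]]
C1941_ROUTES = [
    Route("10.0.0.0/24", None, "GigabitEthernet0/1"),
    Route("172.16.0.0/24", None, "GigabitEthernet0/0"),
    Route("172.16.112.0/24", "10.0.0.2", None),         # IOS: next hop only, resolved recursively
]

if __name__ == "__main__":
    tables = [("ASA as configured", ASA_ROUTES),
              ("ASA with the correct route", ASA_ROUTES_FIXED),
              ("Cisco 1941", C1941_ROUTES)]
    for name, table in tables:
        iface, arp_for, link = resolve(table, "172.16.112.1")
        print(f"{name}: out {iface}, ARP for {arp_for}, on-link={link}")
```

Running it shows the ASA as configured ARPing for 10.0.0.2 on inside with on-link False, the corrected route ARPing for 172.16.0.2 on-link, and the 1941 reaching the same next hop on-link through its recursive lookup. Resolving 10.0.0.2 itself against the ASA table also shows why the reverse test later on the page has to be sourced from 172.16.112.1: the only match is the default route out the outside interface.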

Initial device configuration:

ciscoasa# conf t

ciscoasa(config)# int vlan 1

ciscoasa(config-if)# ip add 172.16.0.1 255.255.255.0

ciscoasa(config-if)# exit

ciscoasa(config)# int vlan 2

ciscoasa(config-if)# ip add 200.0.0.1 255.255.255.252

ciscoasa(config-if)# exit

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 200.0.0.2

ciscoasa(config)# route inside 172.16.112.0 255.255.255.0 10.0.0.2 (the next hop is not on a directly connected network)

ciscoasa(config)#end

ciscoasa#

 

SW_2950#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

SW_2950(config)#monitor session 1 source interface Fa0/23

SW_2950(config)#monitor session 1 destination interface Fa0/24 (to capture with Wireshark)

SW_2950(config)#end

SW_2950#

 

Cisco1941#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Cisco1941(config)#int gi0/0

Cisco1941(config-if)#ip add 172.16.0.2 255.255.255.0

Cisco1941(config-if)#exit

Cisco1941(config)#int gi0/1

Cisco1941(config-if)#ip add 10.0.0.1 255.255.255.0

Cisco1941(config-if)#exit

Cisco1941(config)#ip route 172.16.112.0 255.255.255.0 10.0.0.2

Cisco1941(config)#end

Cisco1941#

 

Sucursal#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Sucursal(config)#interface Ethernet0

Sucursal(config-if)#ip add 172.16.112.1 255.255.255.0

Sucursal(config-if)#exit

Sucursal(config)#interface Ethernet1

Sucursal(config-if)#ip add 10.0.0.2 255.255.255.0 (10.0.0.1 already belongs to the 1941's Gi0/1; the branch's default route, the ASA's next hop and the extended ping later on all place this interface at 10.0.0.2)

Sucursal(config-if)#exit

Sucursal(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1

Sucursal(config)#end

Sucursal#

 

Verification:

We check the routing tables:

 

ciscoasa# sh route

 

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is 200.0.0.2 to network 0.0.0.0

 

C    200.0.0.0 255.255.255.252 is directly connected, outside

C    172.16.0.0 255.255.255.0 is directly connected, inside

S    172.16.112.0 255.255.255.0 [1/0] via 10.0.0.2, inside (the next hop is not on a directly connected network)

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

S*   0.0.0.0 0.0.0.0 [1/0] via 200.0.0.2, outside

ciscoasa#

 

Cisco1941#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

 

Gateway of last resort is not set

 

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.0.0.0/24 is directly connected, GigabitEthernet0/1

L        10.0.0.1/32 is directly connected, GigabitEthernet0/1

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

C        172.16.0.0/24 is directly connected, GigabitEthernet0/0

L        172.16.0.2/32 is directly connected, GigabitEthernet0/0

S        172.16.112.0/24 [1/0] via 10.0.0.2

Cisco1941#

 

Sucursal#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

 

     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.112.0 is directly connected, Ethernet0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.0.0.0 is directly connected, Ethernet1

S*   0.0.0.0/0 [1/0] via 10.0.0.1

Sucursal#

 

We check that the branch is reachable from the 1941, to rule out problems further down the path if the ASA cannot reach it:

 

Cisco1941#ping 172.16.112.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Cisco1941#

 

We check that the branch is reachable from the ASA:

 

ciscoasa#capture ASA interface inside (we capture traffic Wireshark-style, but on the ASA itself)

ciscoasa#ping 172.16.112.1 (we check)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

????? (we do not reach the branch)

Success rate is 0 percent (0/5)

ciscoasa# sh capture ASA (we check the captured traffic)

 

12 packets captured

 

   1: 00:36:54.605437 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1 (the ASA needs the next hop's MAC regardless of whether it belongs to its own connected network)

   2: 00:36:54.605818 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20 (the 1941 answers as if the address were its own)

   3: 00:36:55.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1 (but the ping never leaves the ASA)

   4: 00:36:55.930356 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

   5: 00:36:56.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

   6: 00:36:56.930265 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

   7: 00:37:00.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

   8: 00:37:00.930310 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

   9: 00:37:05.929975 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  10: 00:37:05.930310 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  11: 00:37:10.929975 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  12: 00:37:10.930387 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

12 packets shown

ciscoasa#

 

ciscoasa# sh arp (we check proxy ARP)

        inside 172.16.0.2 30e4.db53.2b20

        inside 10.0.0.2 30e4.db53.2b20

ciscoasa#
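The two outputs above carry the same signal in two forms: an ARP reply for an address outside the interface's subnet, and one MAC bound to two IP addresses in the ARP cache. Here is an added example (not ASA code) that parses both formats and flags those conditions, useful when reviewing captures or ARP tables from a segment where nothing should be answering for off-subnet addresses. The sample lines are constructed to match the "show capture" and "show arp" output on this page, with one extra on-link reply added to show that it is not flagged; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample input in the format of the ASA "show capture" output on this page;
# line 5 is a made-up on-link reply that must not be flagged.
CAPTURE = """\
   1: 00:36:54.605437 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
   2: 00:36:54.605818 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
   3: 00:36:55.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
   4: 00:36:55.930356 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
   5: 00:36:57.000000 802.1Q vlan#1 P0 arp reply 172.16.0.2 is-at 30:e4:db:53:2b:20
  67: 00:56:24.587997 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request
"""
# Constructed sample in the format of the ASA "show arp" output on this page.
ARP_TABLE = """\
        inside 172.16.0.2 30e4.db53.2b20
        inside 10.0.0.2 30e4.db53.2b20
"""
INSIDE_NET = ipaddress.ip_network("172.16.0.0/24")  # subnet of the interface the capture was taken on

ARP_REPLY = re.compile(r"arp reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")
ARP_ROW = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]{14})")


def norm_mac(mac: str) -> str:
    """Bring both notations (30:e4:db:53:2b:20 and 30e4.db53.2b20) to 12 lowercase hex digits."""
    return mac.replace(":", "").replace(".", "").lower()


def off_link_arp_replies(capture: str, net: ipaddress.IPv4Network) -> List[Tuple[str, str]]:
    """ARP replies for addresses outside the capture interface's subnet.

    On an ordinary segment nobody answers ARP for an off-subnet address, so a hit means
    some device is proxy-ARPing (the 1941 in this lab) or answering for addresses that
    are not its own; either way it deserves a look.
    """
    found: Set[Tuple[str, str]] = set()
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in net:
            found.add((m.group(1), norm_mac(m.group(2))))
    return sorted(found)


def macs_with_multiple_ips(arp_table: str) -> Dict[str, List[str]]:
    """The same signal read from the ARP cache: one MAC bound to several IP addresses."""
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    for line in arp_table.splitlines():
        m = ARP_ROW.match(line)
        if m:
            by_mac[norm_mac(m.group(3))].add(m.group(2))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("off-link ARP replies:", off_link_arp_replies(CAPTURE, INSIDE_NET))
    print("MACs bound to several IPs:", macs_with_multiple_ips(ARP_TABLE))
```

In this lab the hit is expected and benign (the router's proxy ARP is exactly what keeps the odd route working); on a production segment the same output is how you would notice that a route depends on proxy ARP, or that a host is answering for addresses it should not.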

 

We check in the reverse direction (branch -> ASA):

 

Sucursal#ping

Protocol [ip]:

Target IP address: 172.16.0.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 172.16.112.1 (otherwise the ping is sourced from the IP of the interface closest to the ASA, which is 10.0.0.2 and for which the ASA has no route)

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:

Packet sent with a source address of 172.16.112.1

..... (the packets reach the ASA but do not come back; see the next capture)

Success rate is 0 percent (0/5)

Sucursal#

 

ciscoasa# sh capture ASA (we check the captured traffic)

  ---abridged---

  67: 00:56:24.587997 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request  (there is a request but no reply)

  68: 00:56:24.588363 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  69: 00:56:24.588760 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  70: 00:56:25.929914 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  71: 00:56:25.930219 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  72: 00:56:26.586929 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (there is a request but no reply)

  73: 00:56:26.929929 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  74: 00:56:26.930326 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  75: 00:56:28.586944 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (there is a request but no reply)

  76: 00:56:30.586960 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (there is a request but no reply)

  77: 00:56:30.929929 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  78: 00:56:30.930280 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  79: 00:56:32.586929 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (there is a request but no reply)

  80: 00:56:35.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  81: 00:56:35.930295 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  82: 00:56:40.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  83: 00:56:40.930265 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  84: 00:56:45.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  85: 00:56:45.930356 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  86: 00:56:50.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  87: 00:56:50.930295 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

87 packets shown

ciscoasa#

 

Suspecting a software-version issue, we downgrade the ASA:

ciscoasa(config)# no boot system disk0:/asa847-k8.bin (it will now boot the previously installed image)

ciscoasa(config)# end

ciscoasa# wri

Building configuration...

Cryptochecksum: b496af45 9469adc2 56d436e5 8726c6b8

 

3370 bytes copied in 1.110 secs (3370 bytes/sec)

[OK]

ciscoasa# reload

Proceed with reload? [confirm]

ciscoasa#

 

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down File system

 

***

*** --- SHUTDOWN NOW ---

Process shutdown finished

---abridged---

 

ciscoasa> ena

Password: *****

ciscoasa# sh version (we check)

Cisco Adaptive Security Appliance Software Version 7.2(3) (it was 8.4(7) before)

Device Manager Version 7.3(2)

 

Compiled on Wed 15-Aug-07 16:08 by builders

System image file is "disk0:/asa723-k8.bin"

---abridged---

 

ciscoasa# sh route

 

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is 200.0.0.2 to network 0.0.0.0

 

C    200.0.0.0 255.255.255.252 is directly connected, outside

C    172.16.0.0 255.255.255.0 is directly connected, inside

S    172.16.112.0 255.255.255.0 [1/0] via 10.0.0.2, inside (checked again after the reload)

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

S*   0.0.0.0 0.0.0.0 [1/0] via 200.0.0.2, outside

ciscoasa#

 

ciscoasa# capture ASA interface inside (we create the capture again, since it is lost on reload)

ciscoasa# ping 172.16.112.1 (we check)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

!!!!! (gotcha!)

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa#

 

ciscoasa# sh capture ASA

23 packets captured

   1: 01:01:24.708810 802.1Q vlan#1 P0 802.3 encap packet

   2: 01:01:26.708688 802.1Q vlan#1 P0 802.3 encap packet

   3: 01:01:28.708718 802.1Q vlan#1 P0 802.3 encap packet

   4: 01:01:30.708428 802.1Q vlan#1 P0 802.3 encap packet

   5: 01:01:32.708306 802.1Q vlan#1 P0 802.3 encap packet

   6: 01:01:34.708184 802.1Q vlan#1 P0 802.3 encap packet

   7: 01:01:36.708062 802.1Q vlan#1 P0 802.3 encap packet

   8: 01:01:38.707955 802.1Q vlan#1 P0 802.3 encap packet

   9: 01:01:39.353588 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1

  10: 01:01:39.353970 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20

  11: 01:01:39.354275 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request (with version 7.2(3) the ping goes out)

  12: 01:01:39.355587 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply

  13: 01:01:39.355770 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request

  14: 01:01:39.357006 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply

  15: 01:01:39.357113 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request

  16: 01:01:39.358334 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply

  17: 01:01:39.358456 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request

  18: 01:01:39.359676 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply

  19: 01:01:39.359798 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request

  20: 01:01:39.361019 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply

  21: 01:01:40.707833 802.1Q vlan#1 P0 802.3 encap packet

  22: 01:01:42.707711 802.1Q vlan#1 P0 802.3 encap packet

  23: 01:01:44.707574 802.1Q vlan#1 P0 802.3 encap packet

23 packets shown

ciscoasa#

 

We check proxy ARP on the Cisco 1941 again:

 

ciscoasa# ping 172.16.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping 172.16.112.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# sh arp

        inside 172.16.0.2 30e4.db53.2b20

        inside 10.0.0.2 30e4.db53.2b20 (we check proxy ARP)

ciscoasa#

 

As a counter-test, we disable proxy-arp on the intermediate router:

ciscoasa# ping 172.16.112.1 (check beforehand)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa#

 

Cisco1941#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Cisco1941(config)#int gi0/0 (interface adjacent to the ASA)

Cisco1941(config-if)#no ip proxy-arp

Cisco1941(config-if)#^Z

Cisco1941#

 

ciscoasa# ping 172.16.112.1 (it still works!)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa#

 

ciscoasa# clear arp (we clear the ARP table)

ciscoasa# ping 172.16.112.1 (we check again)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:

????? (with the cached proxy-ARP entry gone, the next hop can no longer be resolved)

Success rate is 0 percent (0/5)

ciscoasa#

(2015) Can there be any other trouble in the world?

Rosario, Argentina