Static routing tests with a Cisco ASA
Date: March 19, 2015. Class: self-study in my little den.
Scenario
This scenario grew out of a big existential doubt that Pablito Marinozzi and I had been carrying around for a while.
The question was how a Cisco ASA reached a branch office through a static route whose next-hop IP belonged to another subnet, with no route available for a recursive lookup. This is covered in CCNA 2, but not in that much detail.
I couldn't see the forest for the trees: the ASA definitely does not know how to reach the next-hop IP, because it has no such route, but by its own nature (the route has an egress interface configured) it sends an ARP request to find the MAC address of the next-hop IP (even though it is not in the range of its own LAN), and that request is answered by the intermediate router (a Cisco 1941), which has proxy-arp enabled (by default).
The answer was there all along, in plain sight.
The correct route should be: route inside 172.16.112.0 255.255.255.0 172.16.0.2, but that is not what is configured, and that is what made me curious about how it works. Who knows who configured this route back in the day.
Initial device configuration:
ciscoasa# conf t
ciscoasa(config)# int vlan 1
ciscoasa(config-if)# ip add 172.16.0.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# int vlan 2
ciscoasa(config-if)# ip add 200.0.0.1 255.255.255.252
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 200.0.0.2
ciscoasa(config)# route inside 172.16.112.0 255.255.255.0 10.0.0.2 (the next hop is not on a directly connected network)
ciscoasa(config)#end
ciscoasa#
SW_2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW_2950(config)#monitor session 1 source interface Fa0/23
SW_2950(config)#monitor session 1 destination interface Fa0/24 (to capture with Wireshark)
SW_2950(config)#end
SW_2950#
Cisco1941#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco1941(config)#int gi0/0
Cisco1941(config-if)#ip add 172.16.0.2 255.255.255.0
Cisco1941(config-if)#exit
Cisco1941(config)#int gi0/1
Cisco1941(config-if)#ip add 10.0.0.1 255.255.255.0
Cisco1941(config-if)#exit
Cisco1941(config)#ip route 172.16.112.0 255.255.255.0 10.0.0.2
Cisco1941(config)#end
Cisco1941#
Sucursal#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Sucursal(config)#interface Ethernet0
Sucursal(config-if)#ip add 172.16.112.1 255.255.255.0
Sucursal(config-if)#exit
Sucursal(config)#interface Ethernet1
Sucursal(config-if)#ip add 10.0.0.2 255.255.255.0 (branch side of the 10.0.0.0/24 link; 10.0.0.1 belongs to the 1941)
Sucursal(config-if)#exit
Sucursal(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1
Sucursal(config)#end
Sucursal#
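The route the whole lab revolves around is one whose next hop is not inside the subnet of its egress interface. The following Python check, added here as an illustration and not part of the original lab, parses ASA-style interface and route lines and flags exactly that condition, so a configuration review catches it before someone has to reproduce it with a packet capture. The nameif values "inside"/"outside" for Vlan1/Vlan2 are assumed (the transcript above does not show the nameif commands), and the embedded config is a constructed sample built from the lab's addresses.

```python
import ipaddress
import re

# Constructed sample in ASA CLI syntax, built from the lab's addresses.
# The nameif lines are an assumption: the lab transcript does not show them.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 ip address 172.16.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 200.0.0.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 200.0.0.2
route inside 172.16.112.0 255.255.255.0 10.0.0.2
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface by walking the 'interface' blocks."""
    interfaces, nameif, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif, addr = None, None          # new block, forget the previous one
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if nameif and addr:
            interfaces[nameif] = addr
    return interfaces


def parse_routes(config):
    """Yield (nameif, destination network, next hop) for each 'route' line."""
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            nameif, net, mask, nh = m.groups()
            yield nameif, ipaddress.IPv4Network(f"{net}/{mask}"), ipaddress.IPv4Address(nh)


def offlink_next_hops(config):
    """Return one finding per static route whose next hop lies outside the
    egress interface's subnet. Such a route only works while some device on
    that segment answers ARP for the foreign address (proxy ARP), which is
    the fragile dependency the lab uncovered."""
    interfaces = parse_interfaces(config)
    findings = []
    for nameif, net, nh in parse_routes(config):
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append((nameif, str(net), str(nh), "unknown egress interface"))
        elif nh not in iface.network:
            findings.append((nameif, str(net), str(nh),
                             f"next hop off-link; on-link range is {iface.network}"))
    return findings


if __name__ == "__main__":
    for nameif, net, nh, why in offlink_next_hops(ASA_CONFIG):
        print(f"route {nameif} {net} via {nh}: {why}")
```

Run against the sample, the default route passes (200.0.0.2 is inside 200.0.0.0/30) and only the branch route is reported, with the on-link range 172.16.0.0/24 in which a valid next hop (such as the 1941's 172.16.0.2) must live.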
Verification:
We check the routing tables:
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.0.0.2 to network 0.0.0.0
C 200.0.0.0 255.255.255.252 is directly connected, outside
C 172.16.0.0 255.255.255.0 is directly connected, inside
S 172.16.112.0 255.255.255.0 [1/0] via 10.0.0.2, inside (the next hop is not on a directly connected network)
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
S* 0.0.0.0 0.0.0.0 [1/0] via 200.0.0.2, outside
ciscoasa#
Cisco1941#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/1
L 10.0.0.1/32 is directly connected, GigabitEthernet0/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, GigabitEthernet0/0
L 172.16.0.2/32 is directly connected, GigabitEthernet0/0
S 172.16.112.0/24 [1/0] via 10.0.0.2
Cisco1941#
Sucursal#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.112.0 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Ethernet1
S* 0.0.0.0/0 [1/0] via 10.0.0.1
Sucursal#
We first check from the 1941 that the branch is reachable, to rule out other problems if the ASA cannot reach it:
Cisco1941#ping 172.16.112.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Cisco1941#
We check reachability to the branch from the ASA:
ciscoasa#capture ASA interface inside (a Wireshark-style capture, but on the ASA itself)
ciscoasa#ping 172.16.112.1 (we check)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
????? (we do not reach the branch)
Success rate is 0 percent (0/5)
ciscoasa# sh capture ASA (we check the captured traffic)
12 packets captured
1: 00:36:54.605437 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1 (the ASA needs the next hop's MAC, regardless of whether it belongs to its own connected network)
2: 00:36:54.605818 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20 (the 1941 answers as if the address were its own)
3: 00:36:55.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1 (but the ping never leaves the ASA)
4: 00:36:55.930356 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
5: 00:36:56.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
6: 00:36:56.930265 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
7: 00:37:00.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
8: 00:37:00.930310 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
9: 00:37:05.929975 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
10: 00:37:05.930310 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
11: 00:37:10.929975 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
12: 00:37:10.930387 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
12 packets shown
ciscoasa#
ciscoasa# sh arp (we check the proxy ARP)
inside 172.16.0.2 30e4.db53.2b20
inside 10.0.0.2 30e4.db53.2b20
ciscoasa#
We check the reverse direction (branch -> ASA):
Sucursal#ping
Protocol [ip]:
Target IP address: 172.16.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.112.1 (otherwise the ping leaves from the IP of the interface closest to the ASA, which is 10.0.0.2, and the ASA has no route to reach it)
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.112.1
..... (the packets reach the ASA but never come back; see the next capture)
Success rate is 0 percent (0/5)
Sucursal#
ciscoasa# sh capture ASA (we check the captured traffic)
---abridged---
67: 00:56:24.587997 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (request, but no reply)
68: 00:56:24.588363 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
69: 00:56:24.588760 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
70: 00:56:25.929914 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
71: 00:56:25.930219 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
72: 00:56:26.586929 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (request, but no reply)
73: 00:56:26.929929 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
74: 00:56:26.930326 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
75: 00:56:28.586944 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (request, but no reply)
76: 00:56:30.586960 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (request, but no reply)
77: 00:56:30.929929 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
78: 00:56:30.930280 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
79: 00:56:32.586929 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request (request, but no reply)
80: 00:56:35.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
81: 00:56:35.930295 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
82: 00:56:40.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
83: 00:56:40.930265 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
84: 00:56:45.929944 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
85: 00:56:45.930356 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
86: 00:56:50.929959 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
87: 00:56:50.930295 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
87 packets shown
ciscoasa#
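The two captures and the "sh arp" output above carry three tell-tale signs that are worth automating when reviewing ASA output: an ARP reply for an address outside the interface's own subnet, echo requests that never get a reply in the opposite direction, and two IP addresses on one interface resolving to the same MAC (the proxy-ARP signature). The following Python analyser is an added example, not the author's tooling; it parses lines in the exact "show capture" / "show arp" format shown above. The embedded excerpt is a constructed sample built from the lab's lines, and the inside subnet 172.16.0.0/24 is taken from the ASA configuration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the ASA "show capture" output above.
CAPTURE = """\
67: 00:56:24.587997 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request
68: 00:56:24.588363 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
69: 00:56:24.588760 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
72: 00:56:26.586929 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo request
73: 00:56:26.929929 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
74: 00:56:26.930326 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
"""

# Constructed excerpt in the format of the ASA "show arp" output above.
SHOW_ARP = """\
inside 172.16.0.2 30e4.db53.2b20
inside 10.0.0.2 30e4.db53.2b20
"""

INSIDE_NET = ipaddress.IPv4Network("172.16.0.0/24")   # ASA 'inside' subnet from the lab

ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REP = re.compile(r"arp reply (\S+) is-at (\S+)")
ICMP = re.compile(r"(\S+) > (\S+): icmp: echo (request|reply)")


def summarize_capture(text):
    """Count ARP requests/replies per target and ICMP echoes per (src, dst)."""
    s = {"arp_req": Counter(), "arp_rep": Counter(),
         "echo_req": Counter(), "echo_rep": Counter()}
    for line in text.splitlines():
        if m := ARP_REQ.search(line):
            s["arp_req"][m.group(1)] += 1
        elif m := ARP_REP.search(line):
            s["arp_rep"][m.group(1)] += 1
        elif m := ICMP.search(line):
            src, dst, kind = m.groups()
            s["echo_req" if kind == "request" else "echo_rep"][(src, dst)] += 1
    return s


def findings(capture, show_arp, local_net):
    """Return human-readable findings for the three signatures described above."""
    out = []
    s = summarize_capture(capture)
    # 1. An address outside the interface subnet that nevertheless got an ARP reply.
    for target, n in s["arp_rep"].items():
        if ipaddress.IPv4Address(target) not in local_net:
            out.append(f"off-link {target} answered by ARP {n}x: some device is proxying for it")
    # 2. Echo requests with no echo reply flowing the other way.
    for (src, dst), n in s["echo_req"].items():
        if s["echo_rep"][(dst, src)] == 0:
            out.append(f"{n} echo request(s) {src} -> {dst} with no reply from {dst}")
    # 3. "show arp": several IPs on one interface resolving to the same MAC.
    by_mac = defaultdict(list)
    for line in show_arp.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            ifname, ip, mac = parts[:3]
            by_mac[(ifname, mac)].append(ip)
    for (ifname, mac), ips in by_mac.items():
        if len(ips) > 1:
            out.append(f"{ifname}: {mac} answers for {', '.join(ips)} (proxy-ARP signature)")
    return out


if __name__ == "__main__":
    for line in findings(CAPTURE, SHOW_ARP, INSIDE_NET):
        print(line)
```

On the sample this reports all three signatures; on a healthy capture (next hop on-link, replies present, one IP per MAC) it returns an empty list, which makes it usable as a quick sanity check on any "show capture" dump.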
Suspecting the software, we downgrade the ASA version:
ciscoasa(config)# no boot system disk0:/asa847-k8.bin (it will now boot the previously installed version)
ciscoasa(config)# end
ciscoasa# wri
Building configuration...
Cryptochecksum: b496af45 9469adc2 56d436e5 8726c6b8
3370 bytes copied in 1.110 secs (3370 bytes/sec)
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
---abridged---
ciscoasa> ena
Password: *****
ciscoasa# sh version (we check)
Cisco Adaptive Security Appliance Software Version 7.2(3) (it was 8.4(7) before)
Device Manager Version 7.3(2)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
---abridged---
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.0.0.2 to network 0.0.0.0
C 200.0.0.0 255.255.255.252 is directly connected, outside
C 172.16.0.0 255.255.255.0 is directly connected, inside
S 172.16.112.0 255.255.255.0 [1/0] via 10.0.0.2, inside (we check after the reload)
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
S* 0.0.0.0 0.0.0.0 [1/0] via 200.0.0.2, outside
ciscoasa#
ciscoasa# capture ASA interface inside (we create the capture again, since it is lost on reload)
ciscoasa# ping 172.16.112.1 (we check)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
!!!!! (gotcha!)
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa#
ciscoasa# sh capture ASA
23 packets captured
1: 01:01:24.708810 802.1Q vlan#1 P0 802.3 encap packet
2: 01:01:26.708688 802.1Q vlan#1 P0 802.3 encap packet
3: 01:01:28.708718 802.1Q vlan#1 P0 802.3 encap packet
4: 01:01:30.708428 802.1Q vlan#1 P0 802.3 encap packet
5: 01:01:32.708306 802.1Q vlan#1 P0 802.3 encap packet
6: 01:01:34.708184 802.1Q vlan#1 P0 802.3 encap packet
7: 01:01:36.708062 802.1Q vlan#1 P0 802.3 encap packet
8: 01:01:38.707955 802.1Q vlan#1 P0 802.3 encap packet
9: 01:01:39.353588 802.1Q vlan#1 P0 arp who-has 10.0.0.2 tell 172.16.0.1
10: 01:01:39.353970 802.1Q vlan#1 P0 arp reply 10.0.0.2 is-at 30:e4:db:53:2b:20
11: 01:01:39.354275 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request (with version 7.2(3) the ping is sent)
12: 01:01:39.355587 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply
13: 01:01:39.355770 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request
14: 01:01:39.357006 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply
15: 01:01:39.357113 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request
16: 01:01:39.358334 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply
17: 01:01:39.358456 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request
18: 01:01:39.359676 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply
19: 01:01:39.359798 802.1Q vlan#1 P0 172.16.0.1 > 172.16.112.1: icmp: echo request
20: 01:01:39.361019 802.1Q vlan#1 P0 172.16.112.1 > 172.16.0.1: icmp: echo reply
21: 01:01:40.707833 802.1Q vlan#1 P0 802.3 encap packet
22: 01:01:42.707711 802.1Q vlan#1 P0 802.3 encap packet
23: 01:01:44.707574 802.1Q vlan#1 P0 802.3 encap packet
23 packets shown
ciscoasa#
We check the proxy ARP on the Cisco 1941 again:
ciscoasa# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 172.16.112.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# sh arp
inside 172.16.0.2 30e4.db53.2b20
inside 10.0.0.2 30e4.db53.2b20 (we check the proxy ARP)
ciscoasa#
As a counter-test, we disable proxy-arp on the intermediate router:
ciscoasa# ping 172.16.112.1 (check before the change)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa#
Cisco1941#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco1941(config)#int gi0/0 (the interface adjacent to the ASA)
Cisco1941(config-if)#no ip proxy-arp
Cisco1941(config-if)#^Z
Cisco1941#
ciscoasa# ping 172.16.112.1 (it works anyway!)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa#
ciscoasa# clear arp (we flush the ARP table)
ciscoasa# ping 172.16.112.1 (we check again)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.112.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
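The counter-test shows the whole dependency chain in three steps: the off-link route works only because the 1941 proxies ARP for 10.0.0.2, it keeps working after "no ip proxy-arp" only because the ASA still holds the cached entry, and it dies the moment the ARP table is flushed. The following Python model, an added example that is not part of the original lab, replays those three steps for a given ASA next hop so the difference between the route as found (via 10.0.0.2) and the route the author calls correct (via 172.16.0.2) is visible side by side. The model follows the forwarding behaviour observed with 7.2(3) (ARP the next hop out the configured interface, then send); it does not model the 8.4(7) behaviour where the ping never left the ASA. The MAC "30e4.db53.2b20" comes from the lab's "sh arp" output; the ASA MAC and the 1941's gi0/1 MAC are constructed placeholders.

```python
import ipaddress


class Segment:
    """A shared L2 broadcast domain: every attached node sees every ARP request."""

    def __init__(self):
        self.nodes = []

    def arp_query(self, target):
        # The first node willing to answer wins, as on a real broadcast domain.
        for node in self.nodes:
            mac = node.arp_answer(target, self)
            if mac:
                return mac
        return None


class Router:
    """Minimal host/router: interfaces, static routes, an ARP cache and a
    proxy-ARP flag that models 'ip proxy-arp' on the adjacent IOS router."""

    def __init__(self, name, proxy_arp=False):
        self.name = name
        self.ifaces = {}      # ifname -> (IPv4Interface, mac, Segment)
        self.routes = []      # (IPv4Network, next hop IPv4Address, ifname)
        self.arp_cache = {}   # IPv4Address -> mac
        self.proxy_arp = proxy_arp

    def add_iface(self, name, cidr, mac, segment):
        self.ifaces[name] = (ipaddress.IPv4Interface(cidr), mac, segment)
        segment.nodes.append(self)

    def add_route(self, net, next_hop, ifname):
        self.routes.append((ipaddress.IPv4Network(net), ipaddress.IPv4Address(next_hop), ifname))

    def arp_answer(self, target, segment):
        """Answer for our own addresses; with proxy-ARP on, also answer for any
        address we can reach (connected or routed), using the MAC of the
        interface on the segment the request arrived on."""
        for addr, mac, seg in self.ifaces.values():
            if addr.ip == target:
                return mac
        if self.proxy_arp:
            reachable = [a.network for a, _, _ in self.ifaces.values()] + [n for n, _, _ in self.routes]
            if any(target in n for n in reachable):
                for _, mac, seg in self.ifaces.values():
                    if seg is segment:
                        return mac
        return None

    def next_hop_mac(self, dst):
        """Longest-prefix route lookup, then ARP for the next hop on the egress
        segment only. Like the ASA in the lab, this never does a recursive
        lookup for the next hop: it just ARPs for it out the configured interface."""
        dst = ipaddress.IPv4Address(dst)
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            return None
        _, nh, ifname = best
        if nh in self.arp_cache:
            return self.arp_cache[nh]
        mac = self.ifaces[ifname][2].arp_query(nh)
        if mac:
            self.arp_cache[nh] = mac
        return mac


def run_lab(asa_next_hop):
    """Replay the counter-test for one ASA next hop. Returns whether the ASA
    can resolve its next hop (proxy-ARP on, proxy-ARP off but cached, after clear arp)."""
    lan, wan = Segment(), Segment()
    asa = Router("ciscoasa")
    r1941 = Router("Cisco1941", proxy_arp=True)            # IOS default: proxy-arp enabled
    asa.add_iface("inside", "172.16.0.1/24", "asa-mac-placeholder", lan)
    r1941.add_iface("gi0/0", "172.16.0.2/24", "30e4.db53.2b20", lan)   # MAC from the lab
    r1941.add_iface("gi0/1", "10.0.0.1/24", "gi0-1-mac-placeholder", wan)
    r1941.add_route("172.16.112.0/24", "10.0.0.2", "gi0/1")
    asa.add_route("172.16.112.0/24", asa_next_hop, "inside")

    with_proxy = asa.next_hop_mac("172.16.112.1") is not None   # baseline ping
    r1941.proxy_arp = False                                      # 'no ip proxy-arp' on gi0/0
    cached = asa.next_hop_mac("172.16.112.1") is not None        # still works: ARP cache hit
    asa.arp_cache.clear()                                        # 'clear arp'
    after_clear = asa.next_hop_mac("172.16.112.1") is not None
    return with_proxy, cached, after_clear


if __name__ == "__main__":
    print("next hop 10.0.0.2  :", run_lab("10.0.0.2"))     # (True, True, False)
    print("next hop 172.16.0.2:", run_lab("172.16.0.2"))   # (True, True, True)
```

With the lab's route the third step fails exactly as the "?????" above, while with the on-link next hop 172.16.0.2 the 1941 answers ARP for its own address and no proxy-ARP or cache state is needed at all.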
(2015) Could there be any other trouble in the world?
Rosario, Argentina