Cisco ASA 5510 config problem- traffic getting out but not in!!

Hi, this is a new question because the previous one wasn't very thorough!

I have set up an ASA 5510 firewall to replace a basic Netgear FVS router, and have tried to mimic the rules it has.

I have set up two outside interfaces, one primary (10 Mb LES) and one backup ADSL interface; config as follows:

: Saved
:
ASA Version 7.2(3)
!
hostname Ciscoasa
domain-name xxx.COM
enable password tq6dfNC3ZlBOcGgY encrypted
names
name 192.168.2.50 Mailstorm description Exchange Server
name 192.168.2.40 Filestorm description File Server
name 192.168.2.35 Seastorm description FTP Server
name 192.168.2.52 Xarios description Xarios Server
name 192.168.2.9 Sonicwall description Sonicwall_VPN
name 192.168.2.64 Graham description Used for Sales Force
name 192.168.2.69 Chrissy description Chrissy's PC
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif OUTSIDE_PRIMARY
 security-level 0
 ip address 193.x.x.250 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif OUTSIDE_BACKUP
 security-level 0
 ip address 217.x.x.73 255.255.255.248
 ospf cost 10
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup OUTSIDE_PRIMARY
dns domain-lookup OUTSIDE_BACKUP
dns domain-lookup INSIDE
dns server-group DefaultDNS
 domain-name xx.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service xmpp_tls tcp
 description Spark
 port-object range 5222 5222
object-group service VPN_8008 tcp
 port-object range 8008 8008
object-group service atrweb tcp
 description ATRWEB
 port-object range 8000 8000
object-group service SMTP_allowed tcp
 description For exchange mail Delivery
 port-object eq smtp
object-group service XARIOS_HTTP tcp
 description XARIOS HTTP
 port-object range 9090 9090
object-group service XARIOS_HTTP_2 tcp
 description XARIOS_HTTP_2
 port-object range 9091 9091
object-group network Exchange_Server
 description Exchange Server
 network-object host Mailstorm
object-group network File_Server
 description File_Server
 network-object host Filestorm
object-group network TH_DCs
 description TH DC's
 network-object host Filestorm
 network-object host Mailstorm
object-group network Irvine_Local
 network-object 192.168.12.0 255.255.255.0
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp host 194.159.181.194 eq https host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_PRIMARY_1_cryptomap extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging host INSIDE Chrissy 6/1470
mtu OUTSIDE_PRIMARY 1500
mtu OUTSIDE_BACKUP 1500
mtu INSIDE 1500
mtu management 1500
no failover
monitor-interface OUTSIDE_PRIMARY
monitor-interface OUTSIDE_BACKUP
monitor-interface INSIDE
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE_PRIMARY) 1 interface
global (OUTSIDE_BACKUP) 1 interface
global (INSIDE) 1 interface
nat (INSIDE) 1 192.168.2.0 255.255.255.0
static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY
access-group OUTSIDE_BACKUP_access_in in interface OUTSIDE_BACKUP
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE_PRIMARY 0.0.0.0 0.0.0.0 193.x.x.249 1 track 1
route OUTSIDE_BACKUP 0.0.0.0 0.0.0.0 217.x.x.78 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
http 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
http 192.168.2.5 255.255.255.255 INSIDE
http 192.168.1.0 255.255.255.0 management
http Chrissy 255.255.255.255 INSIDE
http 192.168.2.68 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 193.195.216.249 interface OUTSIDE_PRIMARY
 num-packets 4
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable OUTSIDE_PRIMARY
crypto isakmp enable OUTSIDE_BACKUP
crypto isakmp enable INSIDE
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
ssh 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
ssh 192.168.2.68 255.255.255.255 INSIDE
ssh Chrissy 255.255.255.255 INSIDE
ssh 192.168.2.5 255.255.255.255 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username admin password Zn1g.2LlcLd5BGRL encrypted privilege 15
tunnel-group 12.35.202.180 type ipsec-l2l
tunnel-group 12.35.202.180 ipsec-attributes
 pre-shared-key *
smtp-server 192.168.2.50
prompt hostname context
Cryptochecksum:d8f254e85fdf9371c70f304389173337
: end

In short, after much deliberation I can get out on the Internet fine on the OUTSIDE_PRIMARY; I can ping the Internet and the GW out, but not the interface IP. This is fine though, as ICMP is not allowed by default. On a public connection I can ping it, but I can't get in to it from outside whatsoever. From my limited knowledge, I have set up the outside_in rules as needed and the inside_in rules to permit any any.

A friend said I shouldn't have to configure the outside_outgoing rules, as high-to-low security on interfaces is automatically allowed.

So, as nothing gets in, I think I am missing something that should be quite obvious: a NAT or route??? I know it denies by default, but I need some traffic allowed in.

Any ideas?

Thanks in advance!
orphancAsked:

batry_boyCommented:
When constructing the ACL's, you have to specify the translated (public) addresses as the destination address to allow inbound traffic.  Currently, you have names defined that map to inside (private) IP addresses:

name 192.168.2.50 Mailstorm description Exchange Server
name 192.168.2.40 Filestorm description File Server
name 192.168.2.35 Seastorm description FTP Server
name 192.168.2.52 Xarios description Xarios Server
name 192.168.2.9 Sonicwall description Sonicwall_VPN
name 192.168.2.64 Graham description Used for Sales Force
name 192.168.2.69 Chrissy description Chrissy's PC

These names are then referenced as the destination in your ACL statements.  Also, you have specified the SOURCE port for incoming traffic to be allowed in.  Most times this will not work because the source port in the 4-tuple is ephemeral.  In 99.999% of ACLs, you should omit the source port and only specify the destination port.  This is why your traffic is not being allowed inbound.

You'll first need to put in some static NAT statements for each inside host you want to allow inbound traffic to, and then reference that translated address as the destination in your ACLs.  However, looking at your netmask on your OUTSIDE_PRIMARY interface, you don't have any public IP addresses available to use for translations.  You can always use the interface IP itself (193.xx.xx.250) and then configure port redirection, but you'll have to do some port substitution on the outside to redirect inbound traffic to multiple inside hosts on the same destination port.  Let me explain by using the below example commands:

! Port redirection (static PAT) on the OUTSIDE_PRIMARY interface address: one inside host per outside TCP port
static (INSIDE,OUTSIDE_PRIMARY) tcp interface 5222 Filestorm 5222 netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface https Mailstorm https netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface smtp Mailstorm smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface ftp Seastorm ftp netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface pptp Filestorm pptp netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface www Seastorm www netmask 255.255.255.255
! Inbound ACL: destination is the translated (interface) address, destination port only, no source port
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq 5222
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq smtp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq ftp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq pptp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq www
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY

The above static commands would configure port redirection for traffic that is directed to the outside interface IP address of the ASA itself (193.xx.xx.250).  The traffic would be redirected to a different inside host (Filestorm, Mailstorm, etc.) depending on which destination port the traffic is being directed to.  For example, if SMTP traffic were received on 193.xx.xx.250, it would be redirected to inside host Mailstorm (192.168.2.50).  If PPTP traffic were received on 193.xx.xx.250, it would be redirected to inside host Filestorm (192.168.2.40)....etc, etc...

The access list statements would then allow all that traffic through the firewall.  The special keywords "interface outside" are used as the destination in the ACLs because you don't have individual public IP's to give out to all of your inside hosts that you want to allow traffic to, so you share the interface IP for the inbound traffic.

Also, I noticed that you have several hosts that you want to allow the same destination port traffic to on the inside.  You can only put in a single static translation per destination port, so take for example the following commands that you already have in your configuration:

access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp host 194.159.181.194 eq https host Sonicwall eq https

In the above ACLs, you are allowing HTTPS traffic to 2 different inside hosts.  Since you can only implement a single static command performing port redirection to a specific destination port, you will have to change this to be something like this:

! TCP 443 on the interface address goes to Mailstorm; the Sonicwall gets outside port 444 redirected to its 443
static (INSIDE,OUTSIDE_PRIMARY) tcp interface https Mailstorm https netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface 444 Sonicwall https netmask 255.255.255.255
! ACL destinations are the translated (interface) address and the OUTSIDE port, not the inside host
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any interface OUTSIDE_PRIMARY eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp host 194.159.181.194 interface OUTSIDE_PRIMARY eq 444

Then, for host 194.159.181.194, you will have to send traffic to port TCP 444 in order to reach the inside Sonicwall host on port TCP 443 because you implemented port redirection on its static translation command above.  Why did we do this?  Because we are already using the TCP 443 (HTTPS) port to redirect traffic to the Mailstorm server with the first static above.  Make sense?

Also, this same thing will have to be done on your OUTSIDE_BACKUP interface...it looks like you have a few more public IP's to work with on that interface so you may want to implement some one-to-one static NATs on that interface rather than implementing port redirection (PAT) on the OUTSIDE_PRIMARY.

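The following script is an added example for this thread, not code from the original post or from either participant. It generates the static PAT lines and matching inbound ACL entries for the interface names this config actually uses (INSIDE, OUTSIDE_PRIMARY, OUTSIDE_BACKUP) and enforces the rule the answer states: one interface address can redirect each outside TCP port to only one inside host, so a second claim on the same outside port is rejected instead of being silently shadowed. The publish table is constructed from the posted OUTSIDE_PRIMARY_access_in entries; outside port 444 for the Sonicwall is the substitution proposed in the answer, and the host aliases assume the `name` entries in the posted config. One caveat before pasting the output in: the existing `static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255` maps the whole interface address one-to-one onto the inside interface, which conflicts with port-level statics on that same address and should be removed first.

```python
"""Build ASA 7.x (pre-8.3 NAT syntax) port-redirection statics plus the
matching inbound ACL lines for inside hosts that share one outside
interface address.

Added example for this thread, not code from the original post.  Host
aliases and interface names come from the posted config; the publish
table is constructed from the posted ACLs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Service names the ASA prints for well-known TCP ports; anything else is numeric.
PORT_NAMES = {21: "ftp", 25: "smtp", 80: "www", 143: "imap4", 443: "https", 1723: "pptp"}


@dataclass(frozen=True)
class Publish:
    """One inbound service: outside_port on the interface address -> host:inside_port."""
    host: str                              # 'name' alias of the inside host
    inside_port: int
    outside_port: int
    sources: Tuple[str, ...] = ("any",)    # 'any' or the source IPs allowed in


# Constructed from the question's OUTSIDE_PRIMARY_access_in entries.
PUBLISHES = (
    Publish("Filestorm", 5222, 5222),                      # Spark / XMPP
    Publish("Mailstorm", 443, 443),                        # OWA
    Publish("Mailstorm", 25, 25),                          # SMTP delivery
    Publish("Mailstorm", 143, 143),                        # IMAP4
    Publish("Seastorm", 21, 21),                           # FTP
    Publish("Seastorm", 80, 80),                           # HTTP
    Publish("Filestorm", 1723, 1723),                      # PPTP
    Publish("Sonicwall", 443, 444, ("194.159.181.194",)),  # 443 is taken by Mailstorm
)


def port_token(port: int) -> str:
    """Render a port the way the ASA CLI accepts it (service name where one exists)."""
    return PORT_NAMES.get(port, str(port))


def build_rules(inside_if: str, outside_if: str, acl: str,
                publishes=PUBLISHES) -> Tuple[List[str], List[str]]:
    """Return (static lines, access-list + access-group lines) for one outside interface.

    Each outside TCP port on the interface address can be redirected to exactly
    one inside host:port, so a conflicting claim raises instead of being emitted.
    """
    owner: Dict[int, Tuple[str, int]] = {}
    statics: List[str] = []
    acl_lines: List[str] = []
    for p in publishes:
        target = (p.host, p.inside_port)
        if owner.get(p.outside_port, target) != target:
            raise ValueError(
                f"outside port {p.outside_port} on {outside_if} already redirects to "
                f"{owner[p.outside_port][0]}; pick another outside port for {p.host}")
        if p.outside_port not in owner:          # same host/port listed twice -> one static
            owner[p.outside_port] = target
            statics.append(
                f"static ({inside_if},{outside_if}) tcp interface {port_token(p.outside_port)} "
                f"{p.host} {port_token(p.inside_port)} netmask 255.255.255.255")
        for src in p.sources:
            src_tok = "any" if src == "any" else f"host {src}"
            # Destination is the translated (interface) address and the OUTSIDE port; no source port.
            acl_lines.append(
                f"access-list {acl} extended permit tcp {src_tok} "
                f"interface {outside_if} eq {port_token(p.outside_port)}")
    acl_lines.append(f"access-group {acl} in interface {outside_if}")
    return statics, acl_lines


def render(inside_if: str, outside_if: str, acl: str, publishes=PUBLISHES) -> str:
    """Statics first, then the ACL, as they would be pasted into config mode."""
    statics, acl_lines = build_rules(inside_if, outside_if, acl, publishes)
    return "\n".join(statics + acl_lines)


if __name__ == "__main__":
    # Each outside interface needs its own set: the 'interface' keyword binds to
    # that interface's own address, and the ACL is applied per interface.
    for outside_if, acl in (("OUTSIDE_PRIMARY", "OUTSIDE_PRIMARY_access_in"),
                            ("OUTSIDE_BACKUP", "OUTSIDE_BACKUP_access_in")):
        print(f"! --- {outside_if} ---")
        print(render("INSIDE", outside_if, acl))
```

After pasting the generated lines, the quickest check on 7.2 is `packet-tracer input OUTSIDE_PRIMARY tcp <some public source IP> 12345 193.x.x.250 25`, which walks the packet through the ACL and the static and reports which phase drops it; `show xlate` then confirms the port translations exist. Once the new entries are in, the old ACL lines that name the private hosts and carry a source port can be removed, since they never match.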
orphancAuthor Commented:
Thank you so much!!! This is exactly correct and what I was looking for. I was staring at it too long; and couldn't see what I had done wrong, as on a previous ASA I had set up I had a DMZ and all hosts were NAT's to unique public addresses, so wasn't difficult- this is one IP (int) used for many, and got confused with how to break down port redirection.

Thanks for everything- your solution was worth every point.
batry_boyCommented:
Glad to assist...