Solved

ASA 5505 Access Rules / NAT not allowing inbound traffic

Posted on 2008-06-25
9
2,650 Views
Last Modified: 2012-05-05
I have a new ASA 5505 10 User appliance connecting a 20Mbps Cable Internet connection to the Internal network.  I have configured Access rules and NAT, but obviously do not have something right as the ASA is not passing http, https or smtp traffic to the internal server.  In a possibly related condition, I am able to authenticate the Client-Access VPN connection through the ASA, but cannot talk to anything inside over the connection.  Any feedback would be appreciated as this Windows/Mainframe guy is stumped....   config is below.

Notes:-----------------------------------------------------------------------------------------------------------------
X.X.X.A is the outside interface IP of the ASA  (Static IP)
X.X.X.B is another public IP address in our external range not directly assigned to an interface. (Static)

Presently, all services (http, https, smtp) are serviced by a single server at 192.168.0.51
Remote users will connect using Cisco VPN Client 5.x through Server 2008 NPS (RADIUS)

: Saved

:

ASA Version 8.0(3) 

!

hostname ASGASA

domain-name asg.int

enable password ************ encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.0.50 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address X.X.X.A 255.255.255.224 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd ********* encrypted

boot system disk0:/asa803-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 192.168.0.51

 domain-name asg.int

same-security-traffic permit intra-interface

access-list ASG_VPN_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any 

access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0 

access-list inside_outbound_nat0_acl extended permit ip any 172.16.1.0 255.255.255.0 

access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.0 

access-list Outside_access_in extended permit tcp any host X.X.X.B eq smtp 

access-list Outside_access_in extended permit tcp any host X.X.X.B eq https 

access-list Outside_access_in extended permit tcp any host X.X.X.B eq www 

access-list Outside_access_in extended permit icmp any any echo-reply 

access-list ASG_VPN_splitTunnelAcl_1 standard permit any 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool IP_Pool 172.16.1.1-172.16.1.254

ip verify reverse-path interface outside

ip audit attack action alarm drop

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) X.X.X.B 192.168.0.51 netmask 255.255.255.255 

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 <GATEWAY IP> 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

 accounting-mode simultaneous

aaa-server RADIUS host 192.168.0.51

 key ***********

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

crypto isakmp policy 40

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

management-access inside
 

threat-detection basic-threat

threat-detection statistics

webvpn

 enable outside

 svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1

 svc enable

 tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

 dns-server value 192.168.0.51

 vpn-tunnel-protocol svc 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ASG_VPN_splitTunnelAcl

 default-domain value asg.int

 address-pools value IP_Pool

 webvpn

  svc keep-installer installed

  svc keepalive 60

  svc dpd-interval client 30

  svc dpd-interval gateway 30

group-policy ASG_VPN internal

group-policy ASG_VPN attributes

 dns-server value 192.168.0.51

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ASG_VPN_splitTunnelAcl_1

group-policy WebVPN internal

group-policy WebVPN attributes

 vpn-tunnel-protocol webvpn

username ASGAdmin password ************ encrypted privilege 15

 vpn-group-policy ASG_VPN

tunnel-group ASG_VPN type remote-access

tunnel-group ASG_VPN general-attributes

 address-pool IP_Pool

 default-group-policy ASG_VPN

tunnel-group ASG_VPN ipsec-attributes

 pre-shared-key ******

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

 address-pool IP_Pool

 authentication-server-group RADIUS LOCAL

 default-group-policy SSLVPN

tunnel-group SSLVPN webvpn-attributes

 group-alias SSLVPN enable

tunnel-group WebVPN type remote-access

tunnel-group WebVPN general-attributes

 address-pool IP_Pool

 authentication-server-group RADIUS LOCAL

 default-group-policy WebVPN

tunnel-group WebVPN webvpn-attributes

 group-alias WebVPN enable

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 1028

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect icmp 

  inspect icmp error 

!

service-policy global_policy global

prompt hostname context 

Cryptochecksum:0677d64b89eabf0f07a3978587cb24c0

: end

asdm image disk0:/asdm-603.bin

asdm location 192.168.0.52 255.255.255.255 inside

asdm location 192.168.0.53 255.255.255.255 inside

no asdm history enable

Open in new window

0
Comment
Question by:ASGWichita
  • 5
  • 3
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
Have you checked with your provider that it allows client servers?  I'm not seeing anything on initial review regarding http/https/smtp access.

And, do the firewall logs give any indication of the failure if the traffic is making it to the unit?
0
 

Author Comment

by:ASGWichita
Comment Utility
I am on a business connection known to support the services.  The PIX that this ASA is replacing was performing all of these services,  at least until the APC failed and a surge nailed it.  I can also plug-up a cheap-o Netgear router and everything works fine, so I have narrowed it down to the ASA config itself.

All I am seeing in the logs is that the session has been:

6      Jun 25 2008      20:24:47      302013      <REMOTEIP>      192.168.0.51       Built inbound TCP connection 166 for outside:<REMOTEIP>/2102 (<REMOTE IP>/2102) to inside:192.168.0.51/443 (X.X.X.A/443)

6      Jun 25 2008      20:25:17      302014      <REMOTEIP>      192.168.0.51       Teardown TCP connection 166 for outside:<REMOTEIP>/2102 to inside:192.168.0.51/443 duration 0:00:30 bytes 0 SYN Timeout

The Packet Tracer is showing the packet passes successfully to the endpoint both inside and outside.   It's weird,  so I am sure I am missing something simple.
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
inspect http
inspect https
inspect smtp
0
 

Author Comment

by:ASGWichita
Comment Utility
I'm sorry,  You lost me.  Those are not valid commands,  what are you recommending?

Thanks for your help
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:ASGWichita
Comment Utility
I have added the inspect http, but cannot find anything for https or smtp.  Do those inspection maps need to be created somehow?  
0
 
LVL 28

Expert Comment

by:Jan Springer
Comment Utility
config t

policy-map global_policy
 class inspection_default
 inspect http
 inspect https
 inspect smtp

end

I'm wondering if the CBAC engine requires inspection of these packets.
0
 

Author Comment

by:ASGWichita
Comment Utility
Errors received below...    I am not seeing smtp or https as options in the ASDM GUI either.  Do they need to be added somewhere?
----------------------------------

Result of the command: "config t"

The command has been sent to the device


Result of the command: "policy-map global_policy"

The command has been sent to the device


Result of the command: "class inspection_default"

The command has been sent to the device


Result of the command: "inspect http"

The command has been sent to the device


Result of the command: "inspect https"

inspect https
            ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "inspect smtp"

inspect smtp
         ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "end"

Command failed
0
 

Accepted Solution

by:
ASGWichita earned 0 total points
Comment Utility
No answer identified,  called in consultant to review and correct.
0
 

Expert Comment

by:innosource
Comment Utility
I am having the same problem as above. What was done to resolve this issue? Thanks.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now