ASGWichita
asked on
ASA 5505 Access Rules / NAT not allowing inbound traffic
I have a new ASA 5505 10 User appliance connecting a 20Mbps Cable Internet connection to the Internal network. I have configured Access rules and NAT, but obviously do not have something right as the ASA is not passing http, https or smtp traffic to the internal server. In a possibly related condition, I am able to authenticate the Client-Access VPN connection through the ASA, but cannot talk to anything inside over the connection. Any feedback would be appreciated as this Windows/Mainframe guy is stumped.... config is below.
Notes:--------------------
X.X.X.A is the outside interface IP of the ASA (Static IP)
X.X.X.B is another public IP address in our external range not directly assigned to an interface. (Static)
Presently, all services (http, https, smtp) are serviced by a single server at 192.168.0.51
Remote users will connect using Cisco VPN Client 5.x through Server 2008 NPS (RADIUS)
Notes:--------------------
X.X.X.A is the outside interface IP of the ASA (Static IP)
X.X.X.B is another public IP address in our external range not directly assigned to an interface. (Static)
Presently, all services (http, https, smtp) are serviced by a single server at 192.168.0.51
Remote users will connect using Cisco VPN Client 5.x through Server 2008 NPS (RADIUS)
: Saved
:
ASA Version 8.0(3)
!
hostname ASGASA
domain-name asg.int
enable password ************ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.50 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.A 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********* encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.51
domain-name asg.int
same-security-traffic permit intra-interface
access-list ASG_VPN_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host X.X.X.B eq smtp
access-list Outside_access_in extended permit tcp any host X.X.X.B eq https
access-list Outside_access_in extended permit tcp any host X.X.X.B eq www
access-list Outside_access_in extended permit icmp any any echo-reply
access-list ASG_VPN_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IP_Pool 172.16.1.1-172.16.1.254
ip verify reverse-path interface outside
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.B 192.168.0.51 netmask 255.255.255.255
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <GATEWAY IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
accounting-mode simultaneous
aaa-server RADIUS host 192.168.0.51
key ***********
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.168.0.51
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ASG_VPN_splitTunnelAcl
default-domain value asg.int
address-pools value IP_Pool
webvpn
svc keep-installer installed
svc keepalive 60
svc dpd-interval client 30
svc dpd-interval gateway 30
group-policy ASG_VPN internal
group-policy ASG_VPN attributes
dns-server value 192.168.0.51
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ASG_VPN_splitTunnelAcl_1
group-policy WebVPN internal
group-policy WebVPN attributes
vpn-tunnel-protocol webvpn
username ASGAdmin password ************ encrypted privilege 15
vpn-group-policy ASG_VPN
tunnel-group ASG_VPN type remote-access
tunnel-group ASG_VPN general-attributes
address-pool IP_Pool
default-group-policy ASG_VPN
tunnel-group ASG_VPN ipsec-attributes
pre-shared-key ******
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool IP_Pool
authentication-server-group RADIUS LOCAL
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
address-pool IP_Pool
authentication-server-group RADIUS LOCAL
default-group-policy WebVPN
tunnel-group WebVPN webvpn-attributes
group-alias WebVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1028
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0677d64b89eabf0f07a3978587cb24c0
: end
asdm image disk0:/asdm-603.bin
asdm location 192.168.0.52 255.255.255.255 inside
asdm location 192.168.0.53 255.255.255.255 inside
no asdm history enable
ASKER
I am on a business connection known to support the services. The PIX that this ASA is replacing was performing all of these services, at least until the APC failed and a surge nailed it. I can also plug-up a cheap-o Netgear router and everything works fine, so I have narrowed it down to the ASA config itself.
All I am seeing in the logs is that the session has been:
6 Jun 25 2008 20:24:47 302013 <REMOTEIP> 192.168.0.51 Built inbound TCP connection 166 for outside:<REMOTEIP>/2102 (<REMOTE IP>/2102) to inside:192.168.0.51/443 (X.X.X.A/443)
6 Jun 25 2008 20:25:17 302014 <REMOTEIP> 192.168.0.51 Teardown TCP connection 166 for outside:<REMOTEIP>/2102 to inside:192.168.0.51/443 duration 0:00:30 bytes 0 SYN Timeout
The Packet Tracer is showing the packet passes successfully to the endpoint both inside and outside. It's weird, so I am sure I am missing something simple.
All I am seeing in the logs is that the session has been:
6 Jun 25 2008 20:24:47 302013 <REMOTEIP> 192.168.0.51 Built inbound TCP connection 166 for outside:<REMOTEIP>/2102 (<REMOTE IP>/2102) to inside:192.168.0.51/443 (X.X.X.A/443)
6 Jun 25 2008 20:25:17 302014 <REMOTEIP> 192.168.0.51 Teardown TCP connection 166 for outside:<REMOTEIP>/2102 to inside:192.168.0.51/443 duration 0:00:30 bytes 0 SYN Timeout
The Packet Tracer is showing the packet passes successfully to the endpoint both inside and outside. It's weird, so I am sure I am missing something simple.
inspect http
inspect https
inspect smtp
inspect https
inspect smtp
ASKER
I'm sorry, You lost me. Those are not valid commands, what are you recommending?
Thanks for your help
Thanks for your help
ASKER
I have added the inspect http, but cannot find anything for https or smtp. Do those inspection maps need to be created somehow?
config t
policy-map global_policy
class inspection_default
inspect http
inspect https
inspect smtp
end
I'm wondering if the CBAC engine requires inspection of these packets.
policy-map global_policy
class inspection_default
inspect http
inspect https
inspect smtp
end
I'm wondering if the CBAC engine requires inspection of these packets.
ASKER
Errors received below... I am not seeing smtp or https as options in the ASDM GUI either. Do they need to be added somewhere?
--------------------------
Result of the command: "config t"
The command has been sent to the device
Result of the command: "policy-map global_policy"
The command has been sent to the device
Result of the command: "class inspection_default"
The command has been sent to the device
Result of the command: "inspect http"
The command has been sent to the device
Result of the command: "inspect https"
inspect https
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "inspect smtp"
inspect smtp
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "end"
Command failed
--------------------------
Result of the command: "config t"
The command has been sent to the device
Result of the command: "policy-map global_policy"
The command has been sent to the device
Result of the command: "class inspection_default"
The command has been sent to the device
Result of the command: "inspect http"
The command has been sent to the device
Result of the command: "inspect https"
inspect https
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "inspect smtp"
inspect smtp
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "end"
Command failed
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am having the same problem as above. What was done to resolve this issue? Thanks.
And, do the firewall logs give any indication of the failure if the traffic is making it to the unit?