Solved

Cisco ASA 5505

Posted on 2010-09-16
398 Views
Last Modified: 2012-05-10
Greetings.

I created a new VLAN.
The internal vlan is security 100
Outside is 0
New VLAN 50

Nothing from the new VLAN is reaching the Outside. Any ideas of where I should look?
Question by:bill_lynch
23 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33696130
What license have you got? If you want the 5505 to have 3 fully routed interfaces, you need a Security Plus license, not a Base license. Run a sh ver and see what the license type is.

Also, a post of the config would be useful to see what's going on.
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33696411

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 0021.a046.dc48, irq 11
 1: Ext: Ethernet0/0         : address is 0021.a046.dc40, irq 255
 2: Ext: Ethernet0/1         : address is 0021.a046.dc41, irq 255
 3: Ext: Ethernet0/2         : address is 0021.a046.dc42, irq 255
 4: Ext: Ethernet0/3         : address is 0021.a046.dc43, irq 255
 5: Ext: Ethernet0/4         : address is 0021.a046.dc44, irq 255
 6: Ext: Ethernet0/5         : address is 0021.a046.dc45, irq 255
 7: Ext: Ethernet0/6         : address is 0021.a046.dc46, irq 255
 8: Ext: Ethernet0/7         : address is 0021.a046.dc47, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33696421
We do have a Base License. Are you sure this is it? All I did was create a new VLAN with security 50 and added a port to it. It only needs access to the Outside, so based on the security numbers, no other configuration should be needed, right?
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33696439
The ASA did make me restrict the new VLAN from going to the inside VLAN.  But I thought that it could still go to the outside vlan.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33696520
You should be OK then. What about the rest of the config?
NATs, ACLs, etc.?
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33696529
Can you post a sanitised config?
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33700778
enable password zzzzzzzzzzzzzzzzz encrypted
passwd zzzzzzzzzzzzzzzz encrypted
names
name 192.168.168.0 Plus_Data_Ctr
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address zz.zzz.zzz.zzz 255.255.255.240
!
interface Vlan12
no forward interface Vlan1
nameif Castle
security-level 50
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
dns server-group DefaultDNS
domain-name plusconsulting.com
same-security-traffic permit intra-interface
object-group service commvault_ports tcp
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8410
port-object eq 8411
port-object eq 8412
port-object eq 8413
port-object eq 8414
port-object eq 8415
port-object eq 8416
port-object eq 8417
port-object eq 8418
port-object eq 8419
port-object eq 8420
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plus_Data_Ctr 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list split_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list split_tunnel extended permit ip Plus_Data_Ctr 255.255.255.0 192.168.150.0 255.255.255.0
access-list 101 extended permit tcp any interface outside object-group commvault_ports
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Castle 1500
ip local pool vpnpool 192.168.150.1-192.168.150.100
ip local pool vpntest 192.168.1.247-192.168.1.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8600 192.168.1.231 8600 netmask 255.255.255.255
static (inside,outside) tcp interface 8400 192.168.1.231 8400 netmask 255.255.255.255
static (inside,outside) tcp interface 8401 192.168.1.231 8401 netmask 255.255.255.255
static (inside,outside) tcp interface 8402 192.168.1.231 8402 netmask 255.255.255.255
static (inside,outside) tcp interface 8410 192.168.1.231 8410 netmask 255.255.255.255
static (inside,outside) tcp interface 8411 192.168.1.231 8411 netmask 255.255.255.255
static (inside,outside) tcp interface 8412 192.168.1.231 8412 netmask 255.255.255.255
static (inside,outside) tcp interface 8413 192.168.1.231 8413 netmask 255.255.255.255
static (inside,outside) tcp interface 8414 192.168.1.231 8414 netmask 255.255.255.255
static (inside,outside) tcp interface 8415 192.168.1.231 8415 netmask 255.255.255.255
static (inside,outside) tcp interface 8416 192.168.1.231 8416 netmask 255.255.255.255
static (inside,outside) tcp interface 8417 192.168.1.231 8417 netmask 255.255.255.255
static (inside,outside) tcp interface 8418 192.168.1.231 8418 netmask 255.255.255.255
static (inside,outside) tcp interface 8419 192.168.1.231 8419 netmask 255.255.255.255
static (inside,outside) tcp interface 8420 192.168.1.231 8420 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.212.156.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 100 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 66.207.135.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 200 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d97533a3b10a73d0d48ab713868e85d0
: end
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33700782
VLAN 12 (Castle) is the new VLAN that needs access to the Outside only.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33701727
You don't have any NAT setup for vlan 12. Try adding:

nat (castle) 1 0.0.0.0 0.0.0.0
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33701772
BTW, I would try to modify the above entry with the config to remove the public IPs and passwords as a minimum for security.
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33701864
Yeah, I saw that after I pasted; now I have to figure out how to edit a comment :)
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33701894
Here's a screen capture. When I do a trace it says it's getting caught on this access list, but I'm not sure why. I added the NAT that you suggested above.
ScreenHunter-02-Sep.-17-10.38.gif
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33702040
Looking at that, you have added a new ACL compared to the running config. Currently, the Castle network can only get to the outside network (subnet on the outside interface). Can you post the current ACLs?

sh access-list
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33702081

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_1_cryptomap; 2 elements
access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0 (hitcnt=38) 0x6866a0ab
access-list outside_1_cryptomap line 2 extended permit ip Plus_Data_Ctr 255.255.255.0 Plus_Data_Ctr 255.255.255.0 (hitcnt=0) 0x77a2b657
access-list inside_nat0_outbound; 3 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0 (hitcnt=0) 0xb2158562
access-list inside_nat0_outbound line 2 extended permit ip 192.168.150.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0 (hitcnt=0) 0xc263c1e6
access-list inside_nat0_outbound line 3 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0 (hitcnt=0) 0x14a3f274
access-list split_tunnel; 2 elements
access-list split_tunnel line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0 (hitcnt=0) 0x96070c07
access-list split_tunnel line 2 extended permit ip Plus_Data_Ctr 255.255.255.0 192.168.150.0 255.255.255.0 (hitcnt=0) 0xe16519e1
access-list 101; 14 elements
access-list 101 line 1 extended permit tcp any interface outside object-group commvault_ports 0x9d0079d7
access-list 101 line 1 extended permit tcp any interface outside eq 8400 (hitcnt=1) 0x49fe141e
access-list 101 line 1 extended permit tcp any interface outside eq 8401 (hitcnt=0) 0x0dbdfdb1
access-list 101 line 1 extended permit tcp any interface outside eq 8402 (hitcnt=0) 0x96daecb6
access-list 101 line 1 extended permit tcp any interface outside eq 8410 (hitcnt=0) 0x64374768
access-list 101 line 1 extended permit tcp any interface outside eq 8411 (hitcnt=0) 0x252549ec
access-list 101 line 1 extended permit tcp any interface outside eq 8412 (hitcnt=0) 0x5e1e3572
access-list 101 line 1 extended permit tcp any interface outside eq 8413 (hitcnt=0) 0x1ca7bec0
access-list 101 line 1 extended permit tcp any interface outside eq 8414 (hitcnt=0) 0xc72b3779
access-list 101 line 1 extended permit tcp any interface outside eq 8415 (hitcnt=0) 0xfc36e76c
access-list 101 line 1 extended permit tcp any interface outside eq 8416 (hitcnt=0) 0xaab99704
access-list 101 line 1 extended permit tcp any interface outside eq 8417 (hitcnt=0) 0xf2bce0e7
access-list 101 line 1 extended permit tcp any interface outside eq 8418 (hitcnt=0) 0x5221c3ae
access-list 101 line 1 extended permit tcp any interface outside eq 8419 (hitcnt=0) 0x7e64d9f8
access-list 101 line 1 extended permit tcp any interface outside eq 8420 (hitcnt=0) 0xd65f881f
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33702096
Castle should only be configured to get to the outside and the outside to it. Currently the computers on the Castle VLAN can get to the default gateway but not past it. When I do a packet trace from inside the ASDM GUI, it says it is getting stuck at the ACL.
0
 
LVL 16

Accepted Solution

by: InteraX (earned 500 total points)
ID: 33702126
Try adding the following

access-list castle_in extended permit ip any any
access-group castle_in in interface castle

This should create an ACL and bind it to inbound traffic on the castle interface.
I'm not sure it will allow it because of the license though.
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33702256
still nothing.
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33702289
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plus_Data_Ctr 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 Plus_Data_Ctr 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list split_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list split_tunnel extended permit ip Plus_Data_Ctr 255.255.255.0 192.168.150.0 255.255.255.0
access-list 101 extended permit tcp any interface outside object-group commvault_ports
access-list castle_in extended permit ip any any
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Castle 1500
ip local pool vpnpool 192.168.150.1-192.168.150.100
ip local pool vpntest 192.168.1.247-192.168.1.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Castle) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8600 192.168.1.231 8600 netmask 255.255.255.255
static (inside,outside) tcp interface 8400 192.168.1.231 8400 netmask 255.255.255.255
static (inside,outside) tcp interface 8401 192.168.1.231 8401 netmask 255.255.255.255
static (inside,outside) tcp interface 8402 192.168.1.231 8402 netmask 255.255.255.255
static (inside,outside) tcp interface 8410 192.168.1.231 8410 netmask 255.255.255.255
static (inside,outside) tcp interface 8411 192.168.1.231 8411 netmask 255.255.255.255
static (inside,outside) tcp interface 8412 192.168.1.231 8412 netmask 255.255.255.255
static (inside,outside) tcp interface 8413 192.168.1.231 8413 netmask 255.255.255.255
static (inside,outside) tcp interface 8414 192.168.1.231 8414 netmask 255.255.255.255
static (inside,outside) tcp interface 8415 192.168.1.231 8415 netmask 255.255.255.255
static (inside,outside) tcp interface 8416 192.168.1.231 8416 netmask 255.255.255.255
static (inside,outside) tcp interface 8417 192.168.1.231 8417 netmask 255.255.255.255
static (inside,outside) tcp interface 8418 192.168.1.231 8418 netmask 255.255.255.255
static (inside,outside) tcp interface 8419 192.168.1.231 8419 netmask 255.255.255.255
static (inside,outside) tcp interface 8420 192.168.1.231 8420 netmask 255.255.255.255
access-group 101 in interface outside
access-group castle_in in interface Castle
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33702326
Looks like it's the license blocking it.
I'll check the documentation and report back.
0
 
LVL 9

Author Comment

by:bill_lynch
ID: 33702329
Never mind, I am able to browse the internet.

Something must be up with ICMP because it isn't letting me ping.

Thanks for the help InteraX!
0
 
LVL 9

Author Closing Comment

by:bill_lynch
ID: 33702342
spot on!
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33702416
Documentation says the following.

Maximum Active VLAN Interfaces for Your License
In transparent firewall mode, you can configure the following VLANs depending on your license:
• Base license—2 active VLANs.
• Security Plus license—3 active VLANs, one of which must be for failover.
In routed mode, you can configure the following VLANs depending on your license:
• Base license—3 active VLANs. The third VLAN can only be configured to initiate traffic to one
other VLAN. See Figure 6-1 for more information.
• Security Plus license—20 active VLANs.

From what I can read, I'm not sure what is causing the problem. I may need a little more time to investigate this one.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33702496
Thanks,

If ICMP isn't working, it doesn't look like you are inspecting it from the config. ICMP will only work if you inspect it as it doesn't have any session info.

policy-map global_policy
 class inspection_default
  inspect icmp
 exit
exit
0
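The thread ends up fixing two gaps in the posted running-config: the accepted solution and the earlier NAT comment (a nameif with no nat/static rule for it, plus an ACL bound to the Castle interface), and the final comment (no inspect icmp in the global policy). As an added example that is not part of the thread and not a Cisco tool, the Python script below parses the pre-8.3 ASA config syntax used above and reports those gaps, and additionally flags an access-group that names an ACL the config never defines. The sample config is constructed, modelled on the posted one with placeholder addresses; the function names are this example's own.

```python
import re

# Constructed sample in the pre-8.3 ASA config syntax used in the thread.
# Addresses and names are placeholders; only the structure matters here.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface Vlan12
 no forward interface Vlan1
 nameif Castle
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
access-list 101 extended permit tcp any interface outside eq 8400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
"""

# The same config after the fixes suggested in the thread: NAT for Castle,
# an inbound ACL on Castle, and ICMP inspection in the global policy.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "  inspect ftp\n", "  inspect ftp\n  inspect icmp\n"
) + """\
nat (Castle) 1 0.0.0.0 0.0.0.0
access-list castle_in extended permit ip any any
access-group castle_in in interface Castle
"""


def parse_interfaces(config):
    """Map each nameif to its security-level, reading the 'interface' blocks."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}                      # start of a new interface block
            continue
        if current is None:
            continue
        if line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        if "name" in current and "level" in current:
            interfaces[current["name"]] = current["level"]
            current = None                    # rest of this block is irrelevant
    return interfaces


def nat_sources(config):
    """Interface names (lower-cased) that are the real side of a nat/static rule."""
    return {m.group(1).lower()
            for m in re.finditer(r"^\s*(?:nat|static)\s+\((\w+)", config, re.MULTILINE)}


def access_groups(config):
    """Map interface (lower-cased) -> ACL name for each access-group binding."""
    pattern = r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)"
    return {m.group(3).lower(): m.group(1)
            for m in re.finditer(pattern, config, re.MULTILINE)}


def defined_acls(config):
    """Names of all ACLs that have at least one access-list line."""
    return set(re.findall(r"^\s*access-list\s+(\S+)", config, re.MULTILINE))


def inspects_icmp(config):
    """True if 'inspect icmp' is present (the ASA only accepts it under a policy-map class)."""
    return re.search(r"^\s*inspect icmp\b", config, re.MULTILINE) is not None


def audit(config):
    """Return a list of findings; an empty list means none of the checked gaps is present."""
    interfaces = parse_interfaces(config)
    if not interfaces:
        return ["no interface with both nameif and security-level found"]
    findings, nats, acls = [], nat_sources(config), defined_acls(config)
    lowest = min(interfaces.values())
    # Every interface above the lowest security level needs a translation rule
    # before its hosts can reach the outside (the thread's NAT fix).
    for name, level in sorted(interfaces.items(), key=lambda kv: -kv[1]):
        if level > lowest and name.lower() not in nats:
            findings.append(f"{name} (security-level {level}) has no nat/static rule; "
                            f"e.g. 'nat ({name}) 1 0.0.0.0 0.0.0.0' pairs with 'global (outside) 1'")
    # A binding to an ACL that is never defined is a typo or a half-applied change.
    for iface, acl in access_groups(config).items():
        if acl not in acls:
            findings.append(f"access-group on {iface} references undefined ACL '{acl}'")
    # Without inspection ICMP is not tracked as a session (the thread's ping fix).
    if not inspects_icmp(config):
        findings.append("no 'inspect icmp' in the global policy; ping will not work through the box")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against a saved `show running-config` (pasted into SAMPLE_CONFIG or read from a file) and it lists the Castle interface as lacking a NAT rule and the policy as lacking ICMP inspection; after the thread's fixes are applied it reports nothing. Interface names are compared case-insensitively because the thread's config mixes Castle and castle.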
