Solved

Static route mapping in ASA cannot go out

Posted on 2010-11-17
10
573 Views
Last Modified: 2012-05-10
I have configured the ASA and the DHCP client can access the internet through it. However, none of my servers could work, and I believe there may be something wrong with my static mapping. Actually, on the server I could ping a website (e.g. yahoo.com) and get a reply. However, when I open IE and visit the site, it times out.

Any idea?

Thanks

ASA Version 8.0(3)
!
hostname ciscoasa
domain-name abc.net
enable password DB49usNvKsc1Eencrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address a.b.122.162 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif csetest
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0
 management-only
!
passwd DB49usNvKsc1 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name abc.net
same-security-traffic permit intra-interface
access-list inside extended permit ip any any
access-list outside extended permit icmp any host a.b.122.170
access-list outside extended permit icmp any host a.b.122.170 echo-reply
access-list outside extended permit tcp any host a.b.122.170 eq www
access-list outside extended permit tcp any host a.b.122.170 eq citrix-ica
access-list outside extended permit tcp any host a.b.122.170 eq 2598
access-list outside extended permit tcp any host a.b.122.171 eq www
access-list outside extended permit tcp any host a.b.122.171 eq citrix-ica
access-list outside extended permit udp any host a.b.122.171 eq 1604
access-list outside extended permit tcp any host a.b.122.171 eq 2598
access-list outside extended permit tcp any host a.b.122.164 eq https
access-list outside extended permit tcp any host a.b.122.164 eq www
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 852-HKO extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 852-HKO extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.150.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu csetest 1500
mtu management 1500
ip local pool ipsecpool 192.168.4.100-192.168.4.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit a.b.122.160 255.255.255.224 outside
icmp deny any echo outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) a.b.122.164 192.168.150.32 netmask 255.255.255.255
static (inside,outside) a.b.122.169 192.168.150.41 netmask 255.255.255.255
static (inside,outside) a.b.122.170 192.168.150.39 netmask 255.255.255.255
static (inside,outside) a.b.122.171 192.168.150.40 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 a.b.122.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.6.0 255.255.255.0 management
snmp-server host inside 192.168.150.41 community shotgun
no snmp-server location
no snmp-server contact
snmp-server community shotgun
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map mymap 30 match address 852-HKO
crypto map mymap 30 set peer m.90.120.234
crypto map mymap 30 set transform-set 3des
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.6.2-192.168.6.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.150.32 192.168.150.37
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value abc.net

username hkasia password 8mj/pWeC7.xbwRp3 encrypted
tunnel-group dc5510 type remote-access
tunnel-group dc5510 general-attributes
 address-pool ipsecpool
 authorization-server-group LOCAL
 default-group-policy vpnclient
tunnel-group dc5510 ipsec-attributes
 pre-shared-key *
tunnel-group hkasia type remote-access
tunnel-group hkasia general-attributes
 address-pool ipsecpool
 authorization-server-group LOCAL
 default-group-policy vpnclient
tunnel-group hkasia ipsec-attributes
 pre-shared-key *
tunnel-group m.90.120.234 type ipsec-l2l
tunnel-group m.90.120.234 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:12b370d6b778c2ad49f228367ea48985
: end
ciscoasa#

Question by:AXISHK
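The pieces of this config that decide whether a published server works are the outside interface subnet, the static translations, the ACL applied inbound on outside, and the interface-PAT global. The script below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the config posted above (with the redacted a.b.122 prefix replaced by the 198.51.100 documentation range as a placeholder) and flags the mismatches a reviewer would look for: a mapped address off the outside subnet (proxy ARP will not answer for it), a mapped address colliding with the interface address used by the PAT global, a real address off the inside subnet, a static with no permit in the inbound ACL, and management access (http/ssh/telnet) open to any source on an interface. On this excerpt it reports the .169 static, which has a translation but no outside ACL entry, and the two any-source management lines.

```python
"""Consistency checks for ASA 8.0 static NAT, the outside ACL and management access."""
import ipaddress
import re

# Constructed excerpt of the posted config. The redacted 'a.b.122' prefix is
# replaced by the documentation range 198.51.100 (placeholder, not a real prefix).
CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.162 255.255.255.224
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
access-list outside extended permit tcp any host 198.51.100.170 eq www
access-list outside extended permit tcp any host 198.51.100.171 eq www
access-list outside extended permit tcp any host 198.51.100.164 eq https
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 198.51.100.164 192.168.150.32 netmask 255.255.255.255
static (inside,outside) 198.51.100.169 192.168.150.41 netmask 255.255.255.255
static (inside,outside) 198.51.100.170 192.168.150.39 netmask 255.255.255.255
static (inside,outside) 198.51.100.171 192.168.150.40 netmask 255.255.255.255
access-group outside in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+", re.M)
ACL_HOST_RE = re.compile(r"^access-list (\S+) extended permit \S+ \S+ host (\S+)", re.M)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
MGMT_RE = re.compile(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.M)


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface block that has an address."""
    ifaces, nameif, addr = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif, addr = None, None          # new block: forget the previous one
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            _, _, ip, mask = line.split()
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if nameif and addr:
            ifaces[nameif] = addr
    return ifaces


def parse_statics(config):
    """One dict per 'static (real_if,mapped_if) mapped real netmask ...' line."""
    return [{"real_if": m[0], "mapped_if": m[1],
             "mapped": ipaddress.IPv4Address(m[2]), "real": ipaddress.IPv4Address(m[3])}
            for m in STATIC_RE.findall(config)]


def parse_acl_hosts(config):
    """ACL name -> set of destination hosts that have an explicit 'host' permit."""
    hosts = {}
    for acl, host in ACL_HOST_RE.findall(config):
        hosts.setdefault(acl, set()).add(ipaddress.IPv4Address(host))
    return hosts


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    ifaces = parse_interfaces(config)
    acl_hosts = parse_acl_hosts(config)
    inbound_acl = {iface: acl for acl, iface in ACCESS_GROUP_RE.findall(config)}
    for s in parse_statics(config):
        tag = f"static {s['mapped']} -> {s['real']}"
        outside, inside = ifaces.get(s["mapped_if"]), ifaces.get(s["real_if"])
        if outside is None or inside is None:
            findings.append(f"{tag}: an interface in the pair has no address")
            continue
        if s["mapped"] not in outside.network:
            # Proxy ARP only answers for the connected subnet; anything else
            # must be routed to the firewall by the upstream router.
            findings.append(f"{tag}: mapped address is not in {outside.network}")
        if s["mapped"] == outside.ip:
            findings.append(f"{tag}: mapped address is the interface address used by the PAT global")
        if s["real"] not in inside.network:
            findings.append(f"{tag}: real address is not in {inside.network}")
        if s["mapped"] not in acl_hosts.get(inbound_acl.get(s["mapped_if"]), set()):
            # Translation exists, but nothing permits inbound traffic to it.
            findings.append(f"{tag}: no permit for this host in the inbound ACL on {s['mapped_if']}")
    for proto, iface in MGMT_RE.findall(config):
        findings.append(f"{proto} management open to any source on interface {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

The checks only read the lines the thread's config actually uses (8.0-style `static`/`global`/`nat` syntax, `host` entries in extended ACLs); object groups and the 8.3+ NAT syntax would need their own parsers.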
10 Comments
 

Author Comment

by:AXISHK
ID: 34155477
One interesting thing: when I remove the static map for a server, it can visit other websites. If I put it back, it doesn't work again.
 static (inside,outside) a.b.122.164 192.168.150.32 netmask 255.255.255.255

Actually, the ASA has worked for a long time, and it stopped working recently after a cooling problem in the server room caused all servers to shut down automatically. But that shouldn't affect the routing in the ASA.

Any idea why this happens, or have I missed something in the static mapping?


0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 150 total points
ID: 34155892
Your routes in the config are correct. I'd get the firewall serviced/replaced immediately. There's no telling what else is happening or what other traffic is being allowed in that's not supposed to get in.
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 150 total points
ID: 34160451
Might be some TCP MSS issue. Your answer is hidden in the syslogs. Simply enable syslogs in ASDM or to an external syslog server, start viewing the logs live, then in the search or filter line type your server's IP so the filtering is narrowed down, then try to open a website and ping a website.

If you don't get any logs, then something is wrong with the server, maybe proxy settings.
If you get any logs originating from the server, paste them here.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34163973
One thing I notice is the global is set to "interface". When defining statics that have to proxy-ARP on that interface, I have found that the global has to be a specific IP. Since you have 30 IPs in that subnet, you probably have enough. Set "global (outside) 1 a.b.122.163 netmask 255.255.255.255" or similar and that should help.

Ultimately, I would do as MrHusy suggests: look at the log and find out what it is saying about traffic.
0
 

Author Comment

by:AXISHK
ID: 34164312
How do I enable the syslogs with the Cisco CLI? Any guideline? Can I just view it on the Cisco console?

Tks
0
 
LVL 7

Accepted Solution

by:Boilermaker85
Boilermaker85 earned 200 total points
ID: 34164508
From the CLI:
logging enable
logging timestamp
logging buffer-size 16000
logging buffered informational
logging asdm debugging
logging host inside a.b.c.d     (syslog server, if you have one)

After you add the above, open ASDM, go to the Monitoring tab, select Logging, Real-Time Log Viewer, and click View.
0
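Once logging is on as above, the second half of Alan's suggestion (filter the live log by the server's address and read what the firewall says about each flow) can be scripted, which is handy when the buffer fills faster than ASDM can be read. The following is an added example, not code from the thread or from Cisco: SAMPLE_LOG is a constructed set of lines in the shape of ASA 8.x messages (305011 static translation built, 302013/302014 TCP connection built/torn down, 302020/302021 ICMP, 106023 ACL deny), with 198.51.100.x standing in for the redacted a.b.122.x. The `diagnose` mapping is this example's own reading of those patterns: no messages at all points at the host or its proxy settings, a 106023 points at the ACL, and a 302013 followed by a 302014 with "SYN Timeout" means the SYN was translated and sent but nothing came back, which points at the return path to the mapped address rather than at the firewall rules.

```python
"""Filter ASA syslog for one server and summarise what the firewall did with its traffic."""
import re
from collections import Counter

# Constructed sample in the shape of ASA 8.x syslog with 'logging timestamp';
# the addresses, ids and times are invented.
SAMPLE_LOG = """\
Nov 17 2010 10:01:02 ciscoasa %ASA-6-305011: Built static TCP translation from inside:192.168.150.32/51234 to outside:198.51.100.164/51234
Nov 17 2010 10:01:02 ciscoasa %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.150.32/51234 (198.51.100.164/51234)
Nov 17 2010 10:01:32 ciscoasa %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.168.150.32/51234 duration 0:00:30 bytes 0 SYN Timeout
Nov 17 2010 10:01:40 ciscoasa %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.164/1 laddr 192.168.150.32/1
Nov 17 2010 10:01:41 ciscoasa %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.164/1 laddr 192.168.150.32/1
Nov 17 2010 10:02:05 ciscoasa %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:192.168.150.41/22 by access-group "outside" [0x0, 0x0]
Nov 17 2010 10:02:10 ciscoasa %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.150.40/40000 (198.51.100.171/40000)
"""

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")          # severity, message id, text
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")        # every dotted quad in the text
REASON_RE = re.compile(r"bytes \d+ (.+)$")                 # teardown reason after the byte count


def parse_line(line):
    """Split one syslog line into severity, message id, text and the IPs it mentions."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev, msg_id, text = m.groups()
    return {"severity": int(sev), "id": msg_id, "text": text, "ips": set(IP_RE.findall(text))}


def records_for_server(log, *addresses):
    """Keep only messages that mention one of the server's addresses (real or mapped)."""
    wanted = set(addresses)
    return [r for r in map(parse_line, log.splitlines()) if r and r["ips"] & wanted]


def summarise(records):
    """Count message ids and, for TCP teardowns (302014), the reason the ASA gave."""
    ids = Counter(r["id"] for r in records)
    reasons = Counter()
    for r in records:
        if r["id"] == "302014":
            m = REASON_RE.search(r["text"])
            if m:
                reasons[m.group(1)] += 1
    return {"ids": ids, "teardown_reasons": reasons}


def diagnose(records):
    """Map the observed pattern to the layer worth checking next (this example's own reading)."""
    s = summarise(records)
    if not records:
        return "no messages: traffic never reached the firewall (host, proxy or default gateway)"
    if s["ids"]["106023"]:
        return "denied by access-group: ACL problem"
    if s["ids"]["302013"] and s["teardown_reasons"]["SYN Timeout"]:
        return "connection built, no SYN/ACK back: return path to the mapped address"
    return "connections built; no denies or timeouts seen"


if __name__ == "__main__":
    for server in (("192.168.150.32", "198.51.100.164"), ("192.168.150.41",), ("192.168.150.39",)):
        print(server, "->", diagnose(records_for_server(SAMPLE_LOG, *server)))
```

Pass both the real and the mapped address of the server, because ASA messages name one or the other depending on the message type; with `logging host inside a.b.c.d` in place, the same functions can be pointed at the syslog server's file instead of SAMPLE_LOG.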
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34187182
Apparently you found out the problem from the syslogs, since you accepted Boilermaker's answer, which was MY suggestion. And you shared points with someone who told you to service the firewall, which has absolutely 0 meaning.

Please respect next time.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34187907
Clearly MrHusy wants the points, genius that he is. He feels he needs the points because he thinks he is the only one who would consider using the log. I don't need the points. Let him have them. I'm just here to help.
0
 

Author Comment

by:AXISHK
ID: 34193513
How can I assign the mark again ? I couldn't see any button for this...

0
