Solved

Static route mapping in ASA cannot go out

Posted on 2010-11-17
568 Views
Last Modified: 2012-05-10
I have configured the ASA and the DHCP client can access the internet through it. However, none of my servers could work, and I believe there may be something wrong with my static mapping. Actually, on the server I could ping a website (e.g. yahoo.com) and get a reply. However, when I open IE and visit the site, it times out.

Any idea ?

Thanks

ASA Version 8.0(3)

!

hostname ciscoasa

domain-name abc.net

enable password DB49usNvKsc1E encrypted

names

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address a.b.122.162 255.255.255.224

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.150.1 255.255.255.0

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 nameif csetest

 security-level 0

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.6.1 255.255.255.0

 management-only

!

passwd DB49usNvKsc1 encrypted

ftp mode passive

dns server-group DefaultDNS

 domain-name abc.net

same-security-traffic permit intra-interface

access-list inside extended permit ip any any

access-list outside extended permit icmp any host a.b.122.170

access-list outside extended permit icmp any host a.b.122.170 echo-reply

access-list outside extended permit tcp any host a.b.122.170 eq www

access-list outside extended permit tcp any host a.b.122.170 eq citrix-ica

access-list outside extended permit tcp any host a.b.122.170 eq 2598

access-list outside extended permit tcp any host a.b.122.171 eq www

access-list outside extended permit tcp any host a.b.122.171 eq citrix-ica

access-list outside extended permit udp any host a.b.122.171 eq 1604

access-list outside extended permit tcp any host a.b.122.171 eq 2598

access-list outside extended permit tcp any host a.b.122.164 eq https

access-list outside extended permit tcp any host a.b.122.164 eq www

access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list No-Nat extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 852-HKO extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 852-HKO extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list split-tunnel standard permit 192.168.150.0 255.255.255.0

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu csetest 1500

mtu management 1500

ip local pool ipsecpool 192.168.4.100-192.168.4.150 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit a.b.122.160 255.255.255.224 outside

icmp deny any echo outside

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list No-Nat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) a.b.122.164 192.168.150.32 netmask 255.255.255.255

static (inside,outside) a.b.122.169 192.168.150.41 netmask 255.255.255.255

static (inside,outside) a.b.122.170 192.168.150.39 netmask 255.255.255.255

static (inside,outside) a.b.122.171 192.168.150.40 netmask 255.255.255.255

access-group outside in interface outside

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 a.b.122.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.6.0 255.255.255.0 management

snmp-server host inside 192.168.150.41 community shotgun

no snmp-server location

no snmp-server contact

snmp-server community shotgun

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set 3des esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map mymap 30 match address 852-HKO

crypto map mymap 30 set peer m.90.120.234

crypto map mymap 30 set transform-set 3des

crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

crypto isakmp policy 20

 authentication pre-share

 encryption des

 hash md5

 group 2

 lifetime 86400

crypto isakmp nat-traversal 30

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.150.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 192.168.6.2-192.168.6.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

group-policy vpnclient internal

group-policy vpnclient attributes

 dns-server value 192.168.150.32 192.168.150.37

 vpn-idle-timeout 30

 vpn-tunnel-protocol IPSec

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value split-tunnel

 default-domain value abc.net



username hkasia password 8mj/pWeC7.xbwRp3 encrypted

tunnel-group dc5510 type remote-access

tunnel-group dc5510 general-attributes

 address-pool ipsecpool

 authorization-server-group LOCAL

 default-group-policy vpnclient

tunnel-group dc5510 ipsec-attributes

 pre-shared-key *

tunnel-group hkasia type remote-access

tunnel-group hkasia general-attributes

 address-pool ipsecpool

 authorization-server-group LOCAL

 default-group-policy vpnclient

tunnel-group hkasia ipsec-attributes

 pre-shared-key *

tunnel-group m.90.120.234 type ipsec-l2l

tunnel-group m.90.120.234 ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:12b370d6b778c2ad49f228367ea48985

: end

ciscoasa#
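The config above pairs pre-8.3 `static (inside,outside)` entries with an ACL on the outside interface, and an inbound packet to a mapped address must pass that ACL. The script below is an added example, not part of the original post or of any Cisco tool: it parses a constructed excerpt of the posted config (placeholder addresses `a.b.122.x` kept as posted) and reports, for each static, which inbound protocol/port the `outside` ACL actually permits, plus two things a reviewer would flag in the same config, management services (`ssh`, `http`) open from `0.0.0.0/0` on the outside interface and ISAKMP policies that still offer DES or MD5. The parser handles only the `any`, `host X` and `net mask` address forms that appear in this config.

```python
"""Audit static NAT / outside-ACL pairing in an ASA 8.0-style config.

Added example, not part of the original post. SAMPLE_CONFIG is a constructed
excerpt of the posted configuration with its placeholder addresses.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list outside extended permit icmp any host a.b.122.170
access-list outside extended permit tcp any host a.b.122.170 eq www
access-list outside extended permit tcp any host a.b.122.170 eq citrix-ica
access-list outside extended permit tcp any host a.b.122.171 eq www
access-list outside extended permit udp any host a.b.122.171 eq 1604
access-list outside extended permit tcp any host a.b.122.164 eq https
access-list outside extended permit tcp any host a.b.122.164 eq www
static (inside,outside) a.b.122.164 192.168.150.32 netmask 255.255.255.255
static (inside,outside) a.b.122.169 192.168.150.41 netmask 255.255.255.255
static (inside,outside) a.b.122.170 192.168.150.39 netmask 255.255.255.255
static (inside,outside) a.b.122.171 192.168.150.40 netmask 255.255.255.255
access-group outside in interface outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.6.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 10
 encryption 3des
 hash md5
crypto isakmp policy 20
 encryption des
 hash md5
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
WEAK_ENC, WEAK_HASH = {"des"}, {"md5"}


def _addr(tok, i):
    """Consume one ASA address spec (any | host X | net mask) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_config(text):
    """Pull statics, extended ACLs, access-groups, mgmt access and ISAKMP policies."""
    cfg = {"statics": [], "acls": defaultdict(list), "access_groups": {},
           "mgmt": [], "isakmp": defaultdict(dict)}
    policy = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):
            policy = None  # only indented lines belong to the last isakmp policy
        if line.startswith("static ("):
            m = STATIC_RE.match(line)
            cfg["statics"].append({"public": m.group(3), "real": m.group(4)})
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = "any"
            if i < len(tok):  # 'eq www' or a bare icmp type such as echo-reply
                port = tok[i + 1] if tok[i] == "eq" else tok[i]
            cfg["acls"][tok[1]].append({"action": tok[3], "proto": tok[4],
                                        "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group":  # access-group <acl> in interface <ifname>
            cfg["access_groups"][tok[4]] = tok[1]
        elif tok[0] in ("ssh", "http", "telnet") and len(tok) == 4:
            cfg["mgmt"].append({"service": tok[0], "net": tok[1], "mask": tok[2], "iface": tok[3]})
        elif line.startswith("crypto isakmp policy "):
            policy = tok[3]
        elif policy and tok[0] in ("encryption", "hash"):
            cfg["isakmp"][policy][tok[0]] = tok[1]
    return cfg


def audit_statics(cfg):
    """Per static: the (proto, port) permits on the outside ACL covering its public address.

    Inbound traffic to a static must still pass the ACL applied to the outside
    interface, so a static with an empty list is reachable outbound only.
    """
    acl = cfg["acls"].get(cfg["access_groups"].get("outside", ""), [])
    report = {}
    for s in cfg["statics"]:
        hits = [(e["proto"], e["port"]) for e in acl
                if e["action"] == "permit" and e["dst"] in ("any", s["public"])]
        report[s["public"]] = {"real": s["real"], "inbound": hits}
    return report


def exposed_management(cfg):
    """(service, interface) pairs whose permitted source is 0.0.0.0/0."""
    return sorted((m["service"], m["iface"]) for m in cfg["mgmt"]
                  if m["net"] == "0.0.0.0" and m["mask"] == "0.0.0.0")


def weak_isakmp_policies(cfg):
    """ISAKMP policy numbers that still offer DES encryption or MD5 hashing."""
    return sorted(p for p, a in cfg["isakmp"].items()
                  if a.get("encryption") in WEAK_ENC or a.get("hash") in WEAK_HASH)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for pub, info in audit_statics(cfg).items():
        print(f"{pub} -> {info['real']}: inbound {info['inbound'] or 'NONE (outbound only)'}")
    print("management open from anywhere:", exposed_management(cfg))
    print("ISAKMP policies with DES/MD5:", weak_isakmp_policies(cfg))
```

Run against the posted config, the report shows that a.b.122.169 (192.168.150.41) has no outside-ACL entry at all, so it can only originate traffic; it also shows that the outbound path of every static is independent of the outside ACL, which is why the poster's symptom (ping works, HTTP does not) cannot be explained by the ACL lines alone.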

Question by: AXISHK

10 Comments

Author Comment

by:AXISHK
ID: 34155477
One interesting thing: when I remove the static map for a server, it can visit other websites. If I put it back, it doesn't work again.
 static (inside,outside) a.b.122.164 192.168.150.32 netmask 255.255.255.255

Actually, the ASA has worked for a long time and only stopped working recently, after a cooling problem in the server room caused all servers to shut down automatically. But that shouldn't affect the routing in the ASA.

Any idea why this happens, or have I missed something in the static mapping?



Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 150 total points
ID: 34155892
Your routes in the config are correct. I'd get the firewall serviced/replaced immediately. There's no telling what else is happening or what other traffic is being allowed in that's not supposed to get in.

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 150 total points
ID: 34160451
Might be some TCP MSS issue. Your answer is hidden in the syslogs. Simply enable syslogs in ASDM or to an external syslog server, start viewing the logs live, then in the search or filter line type your server's IP so the filtering is narrowed down, then try to open a website, and ping a website.

If you don't get any logs, then something is wrong with the server, maybe proxy settings.
If you get any logs originating from the server, paste them here.

Expert Comment

by:Boilermaker85
ID: 34163973
One thing I notice is the global is set to "interface". When defining statics that have to proxy-ARP on that interface, I have found that the global has to be a specific IP. Since you have 30 IPs in that subnet, you probably have enough. Set "global (outside) 1 a.b.122.163 netmask 255.255.255.255" or similar and that should help.

Ultimately, I would do as MrHusy suggests: look at the log and find out what it is saying about the traffic.

Author Comment

by:AXISHK
ID: 34164312
How do I enable the syslogs from the Cisco CLI? Any guideline? Can I just view them on the Cisco console?

Tks

Accepted Solution

by:Boilermaker85
Boilermaker85 earned 200 total points
ID: 34164508
from cli:
logging enable
logging timestamp
logging buffer-size 16000
logging buffered informational
logging asdm debugging
logging host inside a.b.c.d     (syslog server, if you have one)

After you add the above, open ASDM, go to monitoring tab, select logging, realtime log, and click View
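Once the logging commands above are in place, the buffer can be read with `show logging` (or from the syslog host) and filtered the way the earlier answer suggests: by the server's address. The script below is an added example, not part of the thread and not the poster's real logs: it runs over constructed lines in the format of the ASA 8.x messages 302013/302014 (TCP connection built/torn down, the inside leg shows the real address with the mapped one in parentheses), 302020 (ICMP built), 305011 (static translation built) and 106023 (ACL deny), placeholder addresses as in the post, and counts how each server's connections end. The point it makes: a `Teardown ... bytes 0 SYN Timeout` after a `Built outbound TCP connection` means the SYN left the ASA and no SYN/ACK came back, which looks nothing like an ACL deny (106023 never builds a connection) and is what a host that can ping but not browse would produce if the return path for its mapped address is broken. The verdict strings are this example's own, not ASA output.

```python
"""Filter ASA syslog for one server and classify how its connections end.

Added example, not from the thread. SAMPLE_LOG is constructed in the format
of ASA 8.x messages; the addresses are the post's placeholders plus
documentation ranges (203.0.113.x, 198.51.100.x).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 17 2010 10:01:02 ciscoasa %ASA-6-305011: Built static TCP translation from inside:192.168.150.32/49201 to outside:a.b.122.164/49201
Nov 17 2010 10:01:02 ciscoasa %ASA-6-302013: Built outbound TCP connection 2001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.150.32/49201 (a.b.122.164/49201)
Nov 17 2010 10:01:32 ciscoasa %ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.10/80 to inside:192.168.150.32/49201 duration 0:00:30 bytes 0 SYN Timeout
Nov 17 2010 10:01:40 ciscoasa %ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr a.b.122.164/512 laddr 192.168.150.32/512
Nov 17 2010 10:01:42 ciscoasa %ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr a.b.122.164/512 laddr 192.168.150.32/512
Nov 17 2010 10:02:05 ciscoasa %ASA-6-302013: Built outbound TCP connection 2002 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.150.50/51000 (a.b.122.162/51000)
Nov 17 2010 10:02:06 ciscoasa %ASA-6-302014: Teardown TCP connection 2002 for outside:203.0.113.10/80 to inside:192.168.150.50/51000 duration 0:00:01 bytes 5120 TCP FINs
Nov 17 2010 10:02:10 ciscoasa %ASA-4-106023: Deny tcp src outside:198.51.100.7/4411 dst inside:a.b.122.164/22 by access-group "outside" [0x0, 0x0]
"""

SYSLOG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
TEARDOWN_RE = re.compile(r"Teardown (TCP|UDP) connection \d+ .* duration (\S+) bytes (\d+)\s*(.*)$")
NO_REPLY = "tcp no reply (SYN Timeout, 0 bytes)"


def parse_line(line):
    """Split one syslog line into severity, message id and body; None if not ASA format."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group(1)), "id": m.group(2), "body": m.group(3)}


def mentions_host(body, addrs):
    """True if the body names one of addrs as a host (followed by /port, space or end)."""
    return any(re.search(r"(?<![\w.])" + re.escape(a) + r"(?=[/\s]|$)", body)
               for a in addrs)


def summarize(log_text, real_ip, mapped_ip):
    """Count connection outcomes for one server, matching its real and mapped address."""
    addrs = (real_ip, mapped_ip)
    counts = Counter()
    for line in log_text.splitlines():
        msg = parse_line(line)
        if not msg or not mentions_host(msg["body"], addrs):
            continue
        if msg["id"] == "106023":
            counts["denied by ACL"] += 1
        elif msg["id"] == "302013":
            counts["tcp built"] += 1
        elif msg["id"] == "302014":
            t = TEARDOWN_RE.search(msg["body"])
            reason, nbytes = t.group(4).strip() or "unknown", t.group(3)
            if reason == "SYN Timeout" and nbytes == "0":
                counts[NO_REPLY] += 1  # SYN forwarded, nothing ever came back
            else:
                counts["tcp closed: " + reason] += 1
        elif msg["id"] == "302020":
            counts["icmp built"] += 1
        elif msg["id"] == "305011":
            counts["static xlate built"] += 1
    return counts


def diagnose(counts):
    """One-line verdict from the counts (wording is this example's own)."""
    if counts[NO_REPLY] and not any(k.startswith("tcp closed") for k in counts):
        return ("SYN leaves the ASA but no SYN/ACK returns: check the return path "
                "for the mapped address (proxy ARP, upstream routing), not the ACL")
    if counts["tcp built"]:
        return "TCP connections complete"
    if counts["denied by ACL"]:
        return "only ACL denies seen: inbound blocked, no outbound attempts"
    return "no traffic from this host seen: check the host itself (gateway, proxy settings)"


if __name__ == "__main__":
    for real, mapped in (("192.168.150.32", "a.b.122.164"), ("192.168.150.50", "a.b.122.162")):
        c = summarize(SAMPLE_LOG, real, mapped)
        print(real, dict(c))
        print("  ->", diagnose(c))
```

With the constructed lines, the static-mapped server 192.168.150.32 builds an ICMP connection fine but every TCP connection dies with `SYN Timeout` at 0 bytes, while a PAT client 192.168.150.50 completes its connection and closes with FINs; that contrast is what the thread's advice to filter the live log by server address is meant to surface.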

Expert Comment

by:Alan Huseyin Kayahan
ID: 34187182
Apparently you found out the problem from the syslogs, since you accepted boilermaker's answer, which was MY suggestion. And you shared points with someone who told you to service the firewall, which has absolutely zero meaning.

Please respect next time.

Expert Comment

by:Boilermaker85
ID: 34187907
Clearly MrHusy wants the points, genius that he is. He feels he needs the points because he thinks he is the only one who would consider using the log. I don't need the points. Let him have them. I'm just here to help.
Author Comment

by:AXISHK
ID: 34193513
How can I assign the marks again? I can't see any button for this...
