Cisco ASA 5515X basic configuration problems ASA 8.6(1)

I am upgrading an old PIX 515E firewall to an ASA 5515X and the new IOS is giving me some problems. I know the changes aren't that earth shattering, but I am having trouble getting the device to pass internet traffic at all. My only concern is that I added a VPN setup and with it there were some group policies added which may or may not affect my other NAT settings. I usually use the CLI for everything, but I was thumbing around in the GUI to try and get this to work, so if my config looks sloppy it's probably because the GUI added the verbiage.

This is almost embarrassing because I'm sure I'm missing one line or have added a counterproductive line to my config but I am not seeing it.

My outside gateway is X.Y.2.1 in this case and my inside network is 10.0.0.0 255.0.0.0 (or 10.1.19.x for most of my business network). I also have a block of 100 static IPs on the X.Y.2.1 scheme.

The commands below are the ones that I think are necessary for outside access, but obviously something is wrong, and below that I will post my entire config in case I am killing my NAT elsewhere by accident. Any help would be greatly appreciated.

Pertinent Config info:

ASA Version 8.6(1)

object network inside-net
 subnet 10.0.0.0 255.0.0.0

object network inside-net
 nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.Y.2.1 1

route inside 10.0.0.0 255.0.0.0 10.1.19.1 1

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.19.0 255.255.255.0 any
access-list inside_access_in extended permit tcp object phorad-mail-server-1 any eq smtp
access-list inside_access_in extended deny tcp 10.1.19.0 255.255.255.0 any eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit tcp any host X.Y.2.2 eq https
access-list outside_in extended permit tcp any host X.Y.2.2 eq www
access-list outside_in extended permit tcp any host X.Y.2.2 eq 993
access-list outside_in extended permit tcp any host X.Y.2.2 eq 465
access-list outside_in extended permit tcp any host X.Y.2.2 eq smtp
access-list outside_in extended permit tcp any host X.Y.2.22 eq 3389
access-list outside_in extended permit udp any host X.Y.2.22 eq 3389
access-list outside_in extended permit tcp any host X.Y.2.5 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.7
access-list outside_in extended permit tcp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.9
access-list outside_in extended permit udp any host X.Y.2.9
access-list outside_in extended permit tcp any host X.Y.2.10 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.11 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.23
access-list outside_in extended permit udp any host X.Y.2.23
access-list outside_in extended permit tcp any host X.Y.2.3 eq ftp
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5900
access-list outside_in extended permit udp any host X.Y.2.7
access-list outside_in extended permit udp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.13
access-list outside_in extended permit udp any host X.Y.2.13
access-list outside_in extended permit tcp any host X.Y.2.15
access-list outside_in extended permit udp any host X.Y.2.15
access-list outside_in extended deny icmp any any

Entire Configuration:

ASA Version 8.6(1)
!
hostname Company-5515x-mdf1
domain-name DOMAIN_A
enable password XCbZD7hp/.NcVa5C encrypted
passwd XCbZD7hp/.NcVa5C encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.19.75 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address X.Y.2.50 255.255.255.128
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.19.2
 domain-name DOMAIN_A
object network Company-mail-server-1
 host 10.1.19.6
 description Exchange Server
object network external-mail-ip-address
 host X.Y.2.2
 description External IP address for Mail Server
object network Company-ftp-server-1
 host 10.1.19.3
 description Primary FTP server
object network Company-terminal-server-1
 host 10.1.19.8
 description Primary CITY Terminal Server
object network Company_A-Omnia-Processor
 host 10.11.19.49
 description Company_A Omnia Processor at TX site
object network Company_B-Omnia-Processor
 host 10.11.19.39
 description Company_B Omnia Processor at TX site
object network Company_C-Omnia-Processor
 host 10.11.19.48
 description Company_C Omnia Processor at TX site
object network Company-ftp-pub-app-server-1
 host 10.1.19.9
 description Server 2008 ftp - published application server
object network Business-IP-Range
 range 10.1.19.0 10.1.19.254
object network Company_A-Stream-PC
 host 10.1.19.18
object network Company_B-Stream-PC
 host 10.1.19.19
object network Company_C-Stream-PC
 host 10.1.19.17
object network external-Company_A-stream-address
 host X.Y.2.6
 description External Address for Company_A Stream PC
object network external-Company_B-stream-address
 host X.Y.2.5
 description External Address for Company_B Stream PC
object network external-Company_C-stream-address
 host X.Y.2.14
 description External Address for Company_C Stream PC
object network Company_C-studio-IP-camera
 host 10.1.19.43
 description Company_C Air Studio IP camera
object network VOIP-IP-Range
 range 10.21.19.0 10.21.19.254
 description VOIP IP Address Range
object network external-Company_A-omnia-ip-address
 host 62.234.2.11
 description External IP for Company_A Omnia processor at TX site
object network external-Company_B-omnia-ip-address
 host X.Y.2.10
 description External IP for Company_B Omnia processor at TX site
object network Company-audio-server-1
 host 10.11.19.2
 description CITY primary audio server
object network Company-audio-server-2
 host 10.11.19.100
 description CITY secondary audio server
object network NETWORK_OBJ_10.7.7.128_26
 subnet 10.7.7.128 255.255.255.192
object network inside-net
 subnet 10.0.0.0 255.0.0.0
object-group network outbound-allowable-ports
 network-object object Business-IP-Range
 network-object object VOIP-IP-Range
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 3389
 service-object tcp destination eq 4002
 service-object tcp destination eq 4009
 service-object tcp destination eq 4010
 service-object tcp destination eq 4011
 service-object tcp destination eq 8000
 service-object tcp destination eq 8443
 service-object tcp destination eq 8800
 service-object tcp destination eq 9901
 service-object tcp destination eq 9902
 service-object tcp destination eq 9903
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq echo
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq nntp
 service-object tcp destination eq ssh
 service-object udp destination eq ntp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.19.0 255.255.255.0 any
access-list inside_access_in extended permit tcp object Company-mail-server-1 any eq smtp
access-list inside_access_in extended deny tcp 10.1.19.0 255.255.255.0 any eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit tcp any host X.Y.2.2 eq https
access-list outside_in extended permit tcp any host X.Y.2.2 eq www
access-list outside_in extended permit tcp any host X.Y.2.2 eq 993
access-list outside_in extended permit tcp any host X.Y.2.2 eq 465
access-list outside_in extended permit tcp any host X.Y.2.2 eq smtp
access-list outside_in extended permit tcp any host X.Y.2.22 eq 3389
access-list outside_in extended permit udp any host X.Y.2.22 eq 3389
access-list outside_in extended permit tcp any host X.Y.2.5 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.7
access-list outside_in extended permit tcp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.9
access-list outside_in extended permit udp any host X.Y.2.9
access-list outside_in extended permit tcp any host X.Y.2.10 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.11 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.23
access-list outside_in extended permit udp any host X.Y.2.23
access-list outside_in extended permit tcp any host X.Y.2.3 eq ftp
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5900
access-list outside_in extended permit udp any host X.Y.2.7
access-list outside_in extended permit udp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.13
access-list outside_in extended permit udp any host X.Y.2.13
access-list outside_in extended permit tcp any host X.Y.2.15
access-list outside_in extended permit udp any host X.Y.2.15
access-list outside_in extended deny icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 10.7.7.151-10.7.7.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
object network Company-mail-server-1
 nat (inside,outside) static external-mail-ip-address
object network Company_A-Omnia-Processor
 nat (any,any) static external-Company_A-omnia-ip-address
object network Company_B-Omnia-Processor
 nat (any,any) static external-Company_A-omnia-ip-address
object network inside-net
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.Y.2.1 1
route inside 10.0.0.0 255.0.0.0 10.1.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map ACCESSMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GROUP protocol ldap
aaa-server LDAP_SRV_GROUP (inside) host 10.1.19.2
 ldap-base-dn dc=DOMAIN_A, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN="Administrator",OU="Administrator",DC="DOMAIN_A",DC="local"
 sasl-mechanism digest-md5
 server-type microsoft
 ldap-attribute-map ACCESSMAP
aaa-server LDAP_SRV_GROUP (inside) host 10.1.19.3
 ldap-base-dn dc=DOMAIN_A, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN="Administrator",OU="Administrator",DC="DOMAIN_A",DC="local"
 server-type microsoft
 ldap-attribute-map ACCESSMAP
user-identity default-domain LOCAL
http server enable
http 10.1.19.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.19.0 255.255.255.224 inside
telnet timeout 5
ssh 10.1.19.0 255.255.255.224 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 132.163.4.101 source outside
ntp server 132.163.4.102 source outside
ntp server 132.163.4.103 source outside
ssl encryption des-sha1
webvpn
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
 webvpn
  anyconnect ask none default anyconnect
group-policy vpn-ipsec-client internal
group-policy vpn-ipsec-client attributes
 dns-server value 10.1.19.2 10.1.19.3
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 default-domain value DOMAIN_A
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 banner value This is the ALLOWACCESS Policy
 vpn-tunnel-protocol ikev1 ssl-client
 webvpn
  anyconnect ask none default anyconnect
username User_A password ptL2GtG1qXXbDeUg encrypted privilege 15
username admin password O68Yn/LPDoD3PiBu encrypted privilege 15
tunnel-group remote-1 type remote-access
tunnel-group remote-1 general-attributes
 authentication-server-group LDAP_SRV_GROUP
 authorization-server-group LDAP_SRV_GROUP
tunnel-group vpn-ipsec-client type remote-access
tunnel-group vpn-ipsec-client general-attributes
 address-pool vpn-pool
 authentication-server-group LDAP_SRV_GROUP LOCAL
 default-group-policy vpn-ipsec-client
tunnel-group vpn-ipsec-client ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 10
  subscribe-to-alert-group configuration periodic monthly 10
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0bd81c02f2342c7aa14ab6ce016393c4
: end
[OK]
Company-5515x-mdf1#

Asked by: ditobot

1 Solution

fgasimzade commented:
Not sure, but I think in outside access-list statements you need to enter inside IP addresses, not public ones. This was introduced in ASA version 8.3.
 
Ernie Beek commented:
First, do you need: route inside 10.0.0.0 255.0.0.0 10.1.19.1 1 ?
This overlaps with the directly connected network (10.1.19.0/24).

Second, try removing the inside access list for now:

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.19.0 255.255.255.0 any
access-list inside_access_in extended permit tcp object Company-mail-server-1 any eq smtp
access-list inside_access_in extended deny tcp 10.1.19.0 255.255.255.0 any eq smtp

This might be blocking some things as well.

Third, is anything showing in the logs of the ASA?
 
Ernie Beek commented:
And, like fgasimzade said (good catch, I should have seen that ;)), the outside access list now uses the inside IP addresses.

Have a look at:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

It shows the differences between the old and the new NAT methods.
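The rule fgasimzade and Ernie Beek point to (from 8.3 onward, an interface ACL is evaluated against the real, untranslated address, so an inbound ACL must name the inside host rather than its public NAT address) can be applied mechanically when the NAT is object-based, as it is in the posted config. The script below is an added example, not code from the thread, from Cisco or from the poster: it reads `object network ... host` blocks and object-based `static` NAT statements, builds a mapped-to-real address table, and rewrites `host` entries in the named ACL. The config excerpt is constructed for the example (203.0.113.x stands in for the thread's X.Y.2.x placeholders) and the `outside_in` name is taken from the question; anything else (the regexes, function names) is the example's own. It also flags ACL lines whose public address has no static NAT at all, which is the situation for most of the `outside_in` entries in the posted config (only the mail server and the two Omnia processors have a NAT defined): after the migration such a line can never match, so it is either dead or a sign of a missing NAT.

```python
import re

# Constructed excerpt in the style of the question's config (not the poster's
# actual config). Public addresses are stand-ins for the thread's X.Y.2.x.
SAMPLE_CONFIG = """\
object network Company-mail-server-1
 host 10.1.19.6
object network external-mail-ip-address
 host 203.0.113.2
object network Company-ftp-server-1
 host 10.1.19.3
object network external-ftp-ip-address
 host 203.0.113.3
object network Company-mail-server-1
 nat (inside,outside) static external-mail-ip-address
object network Company-ftp-server-1
 nat (inside,outside) static external-ftp-ip-address
access-list outside_in extended permit tcp any host 203.0.113.2 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.2 eq https
access-list outside_in extended permit tcp any host 203.0.113.3 eq ftp
access-list outside_in extended permit tcp any host 203.0.113.9 eq 3389
access-list outside_in extended deny icmp any any
"""

OBJECT_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
STATIC_NAT_RE = re.compile(r"^\s+nat \(\S+,\S+\) static (\S+)")
ACL_HOST_RE = re.compile(r"\bhost (\S+)")


def parse_objects(config):
    """Collect object-name -> host address and real-object -> mapped-object
    from 'object network' blocks. ASA writes the same object twice (once with
    its host, later with its nat line), so both passes update one entry."""
    hosts, static_nats = {}, {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[current] = m.group(1)
            continue
        m = STATIC_NAT_RE.match(line)
        if m:
            static_nats[current] = m.group(1)
    return hosts, static_nats


def mapped_to_real(config):
    """Build mapped (public) address -> real (inside) address from static NATs."""
    hosts, static_nats = parse_objects(config)
    return {
        hosts[mapped_obj]: hosts[real_obj]
        for real_obj, mapped_obj in static_nats.items()
        if real_obj in hosts and mapped_obj in hosts
    }


def rewrite_outside_acl(config, acl_name="outside_in"):
    """Return (rewritten_lines, flagged_lines) for the named ACL.
    Each 'host <mapped>' becomes 'host <real>' (post-8.3 semantics). A line
    whose host address is neither a mapped nor a real address in the NAT
    table is kept as-is but flagged: no translation leads to it."""
    table = mapped_to_real(config)
    real_addrs = set(table.values())
    prefix = f"access-list {acl_name} "
    rewritten, flagged = [], []
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        m = ACL_HOST_RE.search(line)
        if m is None:  # e.g. 'deny icmp any any': nothing to translate
            rewritten.append(line)
            continue
        addr = m.group(1)
        if addr in table:
            line = line[:m.start(1)] + table[addr] + line[m.end(1):]
        elif addr not in real_addrs:
            flagged.append(line)
        rewritten.append(line)
    return rewritten, flagged


if __name__ == "__main__":
    lines, flagged = rewrite_outside_acl(SAMPLE_CONFIG)
    print("\n".join(lines))
    for line in flagged:
        print("REVIEW (no static NAT for this host):", line)
```

Run it against a saved `show running-config` and the rewritten lines replace the old `outside_in` entries; the flagged ones are the entries to look at first, since a permit to a public address that nothing translates to cannot be doing what it did on the PIX. Dynamic NAT (`nat (inside,outside) dynamic interface`) is deliberately ignored: it never creates an inbound mapping, so it contributes nothing to an inbound ACL.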
 
ditobot (Author) commented:
Thanks, the change to the IOS in the ASA with version 8.4 really threw me for a loop.
