Solved

cisco asa 5505

Posted on 2013-05-16
353 Views
Last Modified: 2013-06-09
Cisco asa 5005 with static address does not pass outgoing traffic.  I have added a default route, still no joy.

config:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.40.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.31.7.254 255.255.255.0
!
ftp mode passive
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit ip interface inside any
access-list outside_access_in extended permit icmp interface inside any
access-list outside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.40.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.40.41 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.31.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.40.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca

crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username jandrews password sD1y3m.eceHU7/ey encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:9a5e60389e9a1345b8d843b685d99d03
: end
asdm location 192.168.40.11 255.255.255.255 inside
no asdm history enable
Question by:jandrews5923
23 Comments

LVL 25

Expert Comment

by:Cyclops3590
ID: 39172110
it's because you're firewalling it.  take off the ACL on the inside interface in the inbound direction.  or if you really want to block traffic in that direction on the inside interface you need to add rules to the inside_access_in ACL.
0
 

Author Comment

by:jandrews5923
ID: 39172160
is that:
access-group inside_access_in in interface inside
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39172169
yup, that's it.  since that acl only allows icmp, that is all you'll be able to do.

as per

access-list inside_access_in extended permit icmp any any
0
 

Author Comment

by:jandrews5923
ID: 39172218
I have removed the ACL but still cannot ping nor connect to external addresses.  I do have asdm working from external addresses.  I have tried pinging the external interface, next hop and so on with no success.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39172245
ping won't work because your other ACL doesn't allow the return icmp traffic

add 'inspect icmp' to the inspection_default class-map

you should be able to bring up a browser and go to www.google.com.  if not, first run 'nslookup www.google.com 4.2.2.2' from the client command line and make sure it's resolving properly.  if not then please post your current config.  after you remove the application of that inside acl it should work
0
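The two configuration points raised above (an inbound ACL on the inside interface that only permits ICMP, and the missing 'inspect icmp' for echo replies) can be checked mechanically. The following is an added example, not code from the thread: a small Python linter run over a constructed excerpt of the posted 8.2 config; the function name audit_asa_config and the finding texts are my own, and it also flags the http/telnet management lines open to any outside address that appear in the posted config.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted in the question (only the
# lines the checks below look at); it is not the poster's full config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit icmp any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def audit_asa_config(text):
    """Return a list of findings (strings) for 8.2-style ASA config text."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    # Map ACL name -> list of (action, protocol) taken from its extended entries.
    acl = {}
    for l in lines:
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+)", l)
        if m:
            acl.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    # An inbound ACL applied to 'inside' replaces the security-level default
    # (high -> low allowed) with "only what is listed" plus an implicit deny.
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if not m:
            continue
        name, iface = m.groups()
        protos = {p for a, p in acl.get(name, []) if a == "permit"}
        if iface == "inside" and "ip" not in protos:
            findings.append(f"inbound ACL {name} on inside permits only {sorted(protos)}; "
                            "everything else from inside is implicitly denied")
    if not any(l.strip() == "inspect icmp" for l in lines):
        findings.append("no 'inspect icmp' in the global policy: ICMP echo replies are "
                        "not tracked as return traffic")
    for l in lines:
        m = re.match(r"(http|telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside", l)
        if m:
            findings.append(f"{m.group(1)} management reachable from any outside address")
    return findings

if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print("-", f)
```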
 

Author Comment

by:jandrews5923
ID: 39172511
added the inspect for icmp, no change.  I also tried browsing just to try a different protocol with no success.   the nslookup works because it uses another internal host that has internet access.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39173637
I don't see any NAT statement in overload mode.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174444
akinsd, this is an ASA not an IOS device.  the "overload" is the same as the global/nat 1 commands you see in the config.

jandrews,  ok, let's try some other things just to test basics.  from the asa try to ping 4.2.2.2.  If that doesn't work, try to ping 172.31.7.1 (or whatever your next hop is).  If that doesn't work, then that needs to be looked into.  Is it the correct address to use? because that should work.

you can also test things out by going into the ASDM or the ASA CLI and use the packet-tracer tool to simulate traffic.  it will then tell you exactly what will happen to the packet (acl, nat, etc.)  Honestly, everything "looks" right so I'm wondering if a parameter is incorrect.
0
 

Author Comment

by:jandrews5923
ID: 39175909
The more I dig into this, I think there is a problem with the 5505 as it will route for a few minutes at a time and then stop answering network requests.  I have tried different switch ports and scanned the network for duplicate addresses.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175928
so it works sometimes then?  the 5505 is a pretty solid device so it shouldn't be causing any irregularities.  if you can get out via the firewall sometimes then I'd say the 5505 is configured fine and you're right you need to look elsewhere for the issue.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39178792
Are you sure you can ping 172.31.7.1 from ASA?
0
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 39183845
Note that there is no NAT-rule for ICMP-traffic and the firewall only allows ICMP-traffic coming in on the inside interface.
Hence, you can either add the NAT for ICMP or apply the below access list entry for testing the other protocols.

access-list inside_access_in extended permit ip any any

If you want to allow dynamic traffic from inside to outside for browsing, chatting etc. you need to use a dynamic NAT-rule.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39183998
there is already dynamic NAT (rather PAT) with the following (though it would be different in 8.3+):

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

ICMP is already allowed from inside to outside via:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.40.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.31.7.254 255.255.255.0

due to security level settings.  Adding the inspect icmp will allow return echo replies.  

Personally I am still leaning toward issues elsewhere outside the ASA at this point.  While I could be wrong, this config is extremely simple and not much can be wrong.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184005
Did you add

access-list inside_access_in extended permit ip any any

to your config, as it was suggested before?
0
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 39184009
Sorry for missing that!

I would also follow Cyclops idea, start with pinging the Inside IP of the firewall, then ping the default gateway of the firewall.

Then set the ASDM logger to Debug and check what errors are reported when you try to ping something that fails.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39184049
fgasimzade,

that ACL application is not needed.  as stated, due to the way the security levels are configured, no ACL applied to the inside interface means that everything is allowed by default.  Adding that ACL you specified doesn't permit more, rather it permits fewer protocols, so for testing purposes there is no reason to apply it, but there is reason to leave it off.

jandrews,


and agree with MarcusSjogren.  use the logger to help out.  also you may want to try the packet tracer tool to simulate traffic and see if something is wrong there.  Easier than getting a client to test everything out with.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184069
Cyclops3590,

I agree, but you have an access list applied to the inside interface here and it permits only ICMP

access-list inside_access_in extended permit icmp any any
access-group inside_access_in in interface inside
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39184078
gotcha, ok, I see what you're saying now.
ya, i already mentioned to remove that access-group command in the first comment.

one thing I did forget though is that if it is desired to ping the outside interface the following must be added

same-security-traffic permit intra-interface
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39184091
If you want to ping your outside interface from inside, the ASA will not let you do it.

The ASA architecture is designed this way: you cannot ping the interface farthest from you.

The same-security-traffic permit intra-interface command allows traffic to go out and return through the same interface
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39184448
Concentrate on NAT and you'll be fine.
Situation - works but stops
Means a limit is reached which most likely will be NAT related unless you have flapping or unstable interface.
If I can go out through a door 2 times a day, I don't need access cos I already have access, I only need permission to go more than twice if that's what I desire
Food for thought
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39184579
fgasimzade is correct about the same-security-traffic.  I knew that was how it was documented but for some reason I thought I had it working using that before.  Apparently I'm misremembering the scenario and what I did a long time ago.  Thanks for correcting my misinformation.
0
 

Accepted Solution

by:
jandrews5923 earned 0 total points
ID: 39219755
The 5505 was replaced with another device that worked just fine
0
 

Author Closing Comment

by:jandrews5923
ID: 39232737
I need to close this thread.
0