Solved

Cisco ASA5505 can't ping external interface and odd rules

Posted on 2013-06-26
8
1,360 Views
Last Modified: 2013-08-20
Access RulesNAT RulesWe have an ASA5505 with ASA version 8.3(1) and ASDM version 6.4(5)

For the life of me just can't get it to respond to pings from the outside. We use this to monitor uptime and we need to get it working ASAP.

The syslog continually reports:
Denied ICMP type=8, code=0 from ip_of_our_monitoring_service on interface ATT

We have created an Access Rule to Permit ICMP echo to the ATT interface, but still can't ping it. Also, we have 2 global rules (one which is not enabled) and 3 really odd NAT Rules (the last 3)  which were not created by me and I'm not really sure why they are there. However, disabling the Global Permit rule immediately breaks the Internet.

Can you guys suggest how to 1) allow pinging of the ATT (external) interface from the outside and 2) Configure the device with the minimum amount of required rules

I should clarify this is a super simple setup. Office with a little over a dozen users, Windows PDC server, remote desktop to the server and a couple of other machines for remote administration purposes, plus uptime monitoring with Nagios (those are the ports 12489 and 5666.) As far as routing, the device is not doing anything you couldn't achieve with a cheapo Linksys router.

Attached are images of the main config areas. I entered the IPs of a couple of objects in red just to clarify what those are.

Thanks!
0
Comment
Question by:omniumnetworking
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 39279626
Add a rule on the acl for the outside interface

permit icmp any any
0
 

Author Comment

by:omniumnetworking
ID: 39279689
Ahh, well I found the pinging problem. In Device Management>Management Access>ICMP> there was a rule: ATT, permit, 0.0.0.0, 0.0.0.0, echo-reply

I changed "echo-reply" to "echo" and now I can ping the interface. I'm still concerned about all those other rules. Should they exist there?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39279720
I don't work with ASDM and don't know what the "global" section applies to but the other rules look explicit.  Without seeing the access-lists and access-group statements, I can't confirm 100% but it doesn't seem properly restricted.
0
 

Author Comment

by:omniumnetworking
ID: 39280021
Here are access-list and access-group:
access-list ATT_access_in extended permit tcp any interface ATT object-group Rackspace
access-list ATT_access_in extended permit udp any interface ATT eq ntp
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group TripRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group MarcRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group CordDP
access-list ATT_access_in extended permit object-group SNMP any interface ATT
access-list ATT_access_in extended permit object-group Camera any interface ATT
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT eq www
access-list ATT_access_in extended permit tcp any interface ATT eq https
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in remark Trip RDP
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object xxxpdc1 eq 99990
access-list ATT_access_in_1 extended permit object-group NAGIOS object omni object xxxpdc1
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object TripW eq 99991
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object Marcella eq 99992
access-list global_access extended permit ip any any
access-group ATT_access_in_1 in interface ATT
access-group global_access global

Thanks for your help!
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39281199
I just wanted to pipe in on the global ACL.  Personally I don't like it but I can see its uses.  Global applies to inbound on ALL interfaces.  It also changes default behavior.

Default behavior with no ACLs defined
traffic from higher security interface to lower is allowed
lower to higher is denied

behavior with ACLs on interfaces (no global defined yet)  these are interface ACLs
looks at entries in ACL only
If no matches are found, it uses an implicit deny

behavior with global ACL and no interface ACL
looks at entries in ACL only
has implicit deny at end if no match found

behavior with interface and global ACLs
check entries in interface ACL first
if no match check global ACL
if no match implicit deny

The reason I don't like the global ACL is because lets say you don't apply an ACL to the inside interface, you believe that since it has a security-level of 100 that it will by default allow all traffic.  However you configured a single rule in the global ACL to ensure ICMP is allowed in on all interfaces.  Guess what you just overroad the default behavior on the inside interface and only ICMP traffic is now allowed regardless of the security level you have configured.  With that said, it is nice if you have ACLs on all interfaces and you have certain rules you want to apply to all interfaces.  Cuts down on duplicate configuration.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39281213
so in your case, you are allowing all traffic (ip any any permit) on all interfaces (at least thru the ASA) pretty much removing most of the reason to run a firewall because of how your global ACL is configured.


run
no access-list global_access extended permit ip any any
no access-group global_access global

but get rid of the global rule you're defining.  It opens your ASA way too much.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39285618
I would not run the commands Cyclops has mention right away.  Though I agree that the permit ip any any in the global should not be there, but I suspect that it was put there by someone who did not know how to correctly configure the ASA and needed to get things working.

Before removing those commands you would need to analyze the traffic and identify what ports need to be opened.  Once that is done, you can go ahead and remove those commands.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39296642
MAG03 raises a very good point.  Sorry, I guess I just assumed all necessary permits where on the interface ACL.  Definitely analyze the traffic first before starting to deny traffic to ensure no needed traffic gets denied.  

Personally what I would do is setup a Splunk instance on a server and configure the ASA to forward syslog to it.  Then I would change the ip any any permit on the global to log as well.  This will create a lot of traffic.  potentially more than a free license of splunk will allow.  If this is the case, let it collect data for about a week then turn off logging.  When you try to log too much it will still index but not allow you to search until you are indexing below your "free" daily limit; thus why shutting it off is good.  I say splunk because I've found it to be the best syslog tool for searching logs easily.  you should be able to more easily pick out what traffic is moving thru your ASA and see if you want to allow it or not.  If you do, create an ACL entry on an ACL applied to an interface.  Once done, then remove the global permit ip any any
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now