Cisco ASA5505 can't ping external interface and odd rules

Posted on 2013-06-26
Last Modified: 2013-08-20
We have an ASA5505 with ASA version 8.3(1) and ASDM version 6.4(5).

For the life of me just can't get it to respond to pings from the outside. We use this to monitor uptime and we need to get it working ASAP.

The syslog continually reports:
Denied ICMP type=8, code=0 from ip_of_our_monitoring_service on interface ATT

We have created an Access Rule to permit ICMP echo to the ATT interface, but still can't ping it. Also, we have 2 global rules (one of which is not enabled) and 3 really odd NAT Rules (the last 3) which were not created by me, and I'm not really sure why they are there. However, disabling the Global Permit rule immediately breaks the Internet.

Can you guys suggest how to 1) allow pinging of the ATT (external) interface from the outside and 2) configure the device with the minimum number of required rules?

I should clarify this is a super simple setup. Office with a little over a dozen users, Windows PDC server, remote desktop to the server and a couple of other machines for remote administration purposes, plus uptime monitoring with Nagios (those are the ports 12489 and 5666.) As far as routing, the device is not doing anything you couldn't achieve with a cheapo Linksys router.

Attached are images of the main config areas. I entered the IPs of a couple of objects in red just to clarify what those are.

Thanks!
Question by: omniumnetworking

8 Comments
LVL 29

Accepted Solution

by: Jan Springer (earned 1500 total points)
ID: 39279626
Add a rule on the acl for the outside interface

permit icmp any any

Author Comment

by:omniumnetworking
ID: 39279689
Ahh, well I found the pinging problem. In Device Management>Management Access>ICMP> there was a rule: ATT, permit, 0.0.0.0, 0.0.0.0, echo-reply

I changed "echo-reply" to "echo" and now I can ping the interface. I'm still concerned about all those other rules. Should they exist there?
LVL 29

Expert Comment

by:Jan Springer
ID: 39279720
I don't work with ASDM and don't know what the "global" section applies to but the other rules look explicit.  Without seeing the access-lists and access-group statements, I can't confirm 100% but it doesn't seem properly restricted.
Author Comment

by:omniumnetworking
ID: 39280021
Here are access-list and access-group:
access-list ATT_access_in extended permit tcp any interface ATT object-group Rackspace
access-list ATT_access_in extended permit udp any interface ATT eq ntp
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group TripRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group MarcRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group CordDP
access-list ATT_access_in extended permit object-group SNMP any interface ATT
access-list ATT_access_in extended permit object-group Camera any interface ATT
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT eq www
access-list ATT_access_in extended permit tcp any interface ATT eq https
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in remark Trip RDP
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object xxxpdc1 eq 99990
access-list ATT_access_in_1 extended permit object-group NAGIOS object omni object xxxpdc1
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object TripW eq 99991
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object Marcella eq 99992
access-list global_access extended permit ip any any
access-group ATT_access_in_1 in interface ATT
access-group global_access global

Thanks for your help!
LVL 25

Expert Comment

by:Cyclops3590
ID: 39281199
I just wanted to pipe in on the global ACL.  Personally I don't like it but I can see its uses.  Global applies to inbound on ALL interfaces.  It also changes default behavior.

Default behavior with no ACLs defined:
  - traffic from a higher security interface to a lower one is allowed
  - lower to higher is denied

Behavior with ACLs on interfaces (no global defined yet; these are interface ACLs):
  - looks at entries in the interface ACL only
  - if no match is found, it uses an implicit deny

Behavior with a global ACL and no interface ACL:
  - looks at entries in the global ACL only
  - implicit deny at the end if no match is found

Behavior with both interface and global ACLs:
  - check entries in the interface ACL first
  - if no match, check the global ACL
  - if no match, implicit deny
The reason I don't like the global ACL is this: let's say you don't apply an ACL to the inside interface; you believe that since it has a security level of 100 it will by default allow all traffic. However, you configured a single rule in the global ACL to ensure ICMP is allowed in on all interfaces. Guess what: you just overrode the default behavior on the inside interface, and only ICMP traffic is now allowed regardless of the security level you have configured. With that said, it is nice if you have ACLs on all interfaces and you have certain rules you want to apply to all interfaces. It cuts down on duplicate configuration.
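The evaluation order and the "global ICMP rule overrides the security-level default" pitfall from the comment above, as an added toy model (not Cisco code and not from the original post). The interface names, security levels and packets are constructed; the model ignores NAT, source/destination addresses and established-connection handling.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Ace:
    """One access-list entry, reduced to what the evaluation order needs."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol; else icmp/tcp/udp
    dst_port: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    dst_port: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ace.proto in ("ip", pkt.proto) and ace.dst_port in (None, pkt.dst_port)

def asa_decide(pkt, security, iface_acls, global_acl) -> str:
    """Permit or deny an inbound packet on pkt.in_if, in the order described above."""
    acl = iface_acls.get(pkt.in_if)
    if acl is None and global_acl is None:
        # No ACL in play: the security-level default decides (higher -> lower allowed).
        return "permit" if security[pkt.in_if] > security[pkt.out_if] else "deny"
    for ace in (acl or []):          # 1. interface ACL
        if ace_matches(ace, pkt):
            return ace.action
    for ace in (global_acl or []):   # 2. global ACL
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                    # 3. implicit deny

SECURITY = {"inside": 100, "ATT": 0}   # constructed two-interface ASA

def global_icmp_gotcha() -> Tuple[str, str, str]:
    """Only 'permit icmp any any' in the global ACL, no ACL on inside."""
    web, ping = Packet("inside", "ATT", "tcp", 443), Packet("inside", "ATT", "icmp")
    before = asa_decide(web, SECURITY, {}, None)                    # "permit"
    after = asa_decide(web, SECURITY, {}, [Ace("permit", "icmp")])  # "deny"
    icmp = asa_decide(ping, SECURITY, {}, [Ace("permit", "icmp")])  # "permit"
    return before, after, icmp

def global_permit_ip_fallthrough() -> str:
    """Interface ACL does not match, so a 'permit ip any any' global ACL does."""
    att_acl = {"ATT": [Ace("permit", "udp", 123)]}   # constructed: only NTP on ATT
    return asa_decide(Packet("ATT", "inside", "tcp", 3389), SECURITY, att_acl, [Ace("permit", "ip")])
```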
LVL 25

Expert Comment

by:Cyclops3590
ID: 39281213
So in your case, you are allowing all traffic (ip any any permit) on all interfaces (at least through the ASA), pretty much removing most of the reason to run a firewall, because of how your global ACL is configured.

Run:
no access-list global_access extended permit ip any any
no access-group global_access global

But get rid of the global rule you're defining. It opens your ASA way too much.
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39285618
I would not run the commands Cyclops has mentioned right away. Though I agree that the permit ip any any in the global should not be there, I suspect that it was put there by someone who did not know how to correctly configure the ASA and needed to get things working.

Before removing those commands you would need to analyze the traffic and identify what ports need to be opened.  Once that is done, you can go ahead and remove those commands.
LVL 25

Expert Comment

by:Cyclops3590
ID: 39296642
MAG03 raises a very good point. Sorry, I guess I just assumed all necessary permits were on the interface ACL. Definitely analyze the traffic first before starting to deny traffic, to ensure no needed traffic gets denied.

Personally, what I would do is set up a Splunk instance on a server and configure the ASA to forward syslog to it. Then I would change the ip any any permit on the global to log as well. This will create a lot of traffic, potentially more than a free license of Splunk will allow. If this is the case, let it collect data for about a week, then turn off logging. When you try to log too much it will still index but not allow you to search until you are indexing below your "free" daily limit; that is why shutting it off is good. I say Splunk because I've found it to be the best syslog tool for searching logs easily. You should be able to more easily pick out what traffic is moving through your ASA and see if you want to allow it or not. If you do, create an ACL entry on an ACL applied to an interface. Once done, then remove the global permit ip any any.
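The "log the global permit, then work out which flows actually need explicit entries" procedure from the last two comments, as an added example (not from the thread and not a Splunk query). It parses the %ASA-6-106100 messages an ACE with the log keyword produces, keeps only inbound flows on ATT that were allowed by global_access, sums their hit counts, and renders candidate entries for the ATT_access_in_1 interface ACL; the sample log lines, addresses and ports are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in %ASA-6-106100 format (not taken from the poster's ASA).
SAMPLE_LOG = """\
%ASA-6-106100: access-list global_access permitted tcp ATT/203.0.113.10(51515) -> inside/192.168.1.5(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list global_access permitted tcp ATT/203.0.113.10(51516) -> inside/192.168.1.5(3389) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list global_access permitted tcp ATT/198.51.100.7(40000) -> inside/192.168.1.5(5666) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list global_access permitted udp ATT/198.51.100.7(123) -> inside/192.168.1.5(123) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list global_access permitted tcp inside/192.168.1.20(50000) -> ATT/93.184.216.34(443) hit-cnt 40 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list ATT_access_in_1 permitted tcp ATT/203.0.113.10(51520) -> inside/192.168.1.5(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""

LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) permitted (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

def flows_hitting(log_text, acl_name="global_access", in_if="ATT"):
    """Sum hit counts per (proto, dst ip, dst port) for inbound flows on in_if that
    were only allowed by acl_name. These are the flows that break once the global
    permit is removed, so they are the candidates for explicit interface ACEs.
    Outbound (inside -> ATT) flows are skipped: the security level keeps those."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl_name or m["sif"] != in_if:
            continue
        totals[(m["proto"], m["dip"], int(m["dport"]))] += int(m["hits"])
    return totals

def proposed_aces(totals, acl_name="ATT_access_in_1"):
    """Render each candidate, busiest first, as an ACE for the interface ACL.
    Real (untranslated) inside addresses are used, as ASA 8.3 interface ACLs expect."""
    return [f"access-list {acl_name} extended permit {proto} any host {dip} eq {dport}"
            for (proto, dip, dport), _ in totals.most_common()]
```

Review each proposed line against who actually needs that service before adding it; a flow that shows up in the log is evidence it is happening, not that it is wanted.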