Solved

ASA5505 to Multiple networks

Posted on 2014-01-08
Last Modified: 2014-02-11
Hello
I have very limited Cisco Security experience -
I have been working on installing a Cisco ASA5505 for internet access only for a remote area (they use a separate MPLS circuit for private network access).

The remote area is comprised of discontinuous networks 172.16.0.0/16 and 10.37.0.0/16.

The ASA is connected to the ISP and gets a DHCP address from the ISP. Pings to the Internet work fine from the outside interface but not from the inside.

I have tried adding a NAT for the inside to the outside and I have not been successful in my attempts.
I have attached the ASA config and version

Any assistance would be greatly appreciated.
ASA5505.txt
Question by:CocoCounty
17 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 39766151
Post the scrambled result of

show interface ip brief


Also, do a packet trace

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 4444 detailed

Author Comment

by:CocoCounty
ID: 39766225
Thanks for looking at this -

Sh interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      172.16.18.3     YES CONFIG up                    up
Vlan2                      XX.XX.59.9     YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

-----------------------

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 44$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc72fb410, priority=1, domain=permit, deny=false
        hits=13294, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
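Reading a packet-tracer run by hand is fine once, but when the same flow is tested again and again after each config change, the three things to pull out every time are the phase that dropped the packet, whether the deny came from an explicit or an implicit rule, and whether a NAT phase had already run before the drop. The following Python script is an added example, not code from this thread or from Cisco, that parses packet-tracer output into phases and reports those three facts. The sample text embedded in it is the trace posted above, trimmed to the lines the parser reads, and the function names and report keys are this example's own.

```python
import re

# Constructed sample: the packet-tracer output posted above, trimmed to the lines the parser reads.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
RULE_RE = re.compile(r"(src|dst) ip=([\d.]+), mask=([\d.]+)")

def parse_phases(text):
    """One dict per 'Phase:' block; 'config' and 'info' collect the multi-line fields."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": m.group(1), "type": "", "subtype": "", "result": "", "config": "", "info": ""}
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the trailing summary, not a phase
            current = None
        elif current is None or not line:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            current[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section] = (current[section] + "\n" + line).strip()
    return phases

def parse_summary(text):
    """Key/value pairs from the trailing 'Result:' block (interfaces, Action, Drop-reason)."""
    m = re.search(r"^Result:\s*$", text, re.MULTILINE)
    summary = {}
    if m:
        for line in text[m.end():].splitlines():
            key, colon, value = line.partition(":")
            if colon and value.strip():
                summary[key.strip()] = value.strip()
    return summary

def triage(text):
    """Find the first DROP phase, the rule it matched, and whether NAT ran before it."""
    phases, summary = parse_phases(text), parse_summary(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    before = phases[: phases.index(drop)] if drop else phases
    rule = {k: f"{ip}/{mask}" for k, ip, mask in RULE_RE.findall(drop["info"])} if drop else {}
    return {
        "action": summary.get("Action", "unknown"),
        "drop_reason": summary.get("Drop-reason", ""),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "implicit_rule": bool(drop and "Implicit Rule" in drop["config"]),
        "nat_before_drop": any(p["type"].upper() == "NAT" for p in before),
        "matched_rule": rule,
    }
```

Calling `triage(SAMPLE_TRACE)` reports the drop in phase 4 (ACCESS-LIST, Implicit Rule, matched flow 172.16.18.3 to any) with no NAT phase before it, which is the same reading the expert later gives by eye. The parser also handles the second trace posted later in the thread, where the drop moves to phase 3.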
LVL 18

Expert Comment

by:Akinsd
ID: 39766428
Going by the result of your packet trace (Phase 4), this looks like an acl issue.

Post 3 more results

show run nat
show run access-list
show run access-group
Author Comment

by:CocoCounty
ID: 39766440
nat (inside) 1 0.0.0.0 0.0.0.0

sh run access-list doesn't return any entries as it is right now.

Author Comment

by:CocoCounty
ID: 39768410
AkinsD -

I did have at some point before posting here the ACLs below, but I was not able to get it to work.

sh run access-g

access-group PLACE_INSIDE out interface inside
access-group 101 in interface outside


sh run access-l

access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded


packet-tracer input inside tcp 172.16.18.3 80 4.2.2.2 80 d$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------
It shows the ACL that is dropping the packet as being a configured rule, but I don't understand where I'm making the mistake.
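On the ASA, `access-group NAME in interface X` filters traffic arriving on X from the wire, while `access-group NAME out interface X` filters traffic the firewall sends out of X. A packet entering the inside interface is therefore judged only by the list bound `in` on inside; when no such list is bound, the implicit security-level rule decides, which is what the trace above labels "Implicit Rule". The following Python script is an added example, not code from this thread or from Cisco, that parses the access-group and access-list lines posted above (embedded as a constructed sample) and reports, for a chosen interface, which list governs ingress, which governs egress, and any lists that are defined but never bound or bound but never defined. The function names and report keys are this example's own.

```python
import re

# Constructed sample: the access-group and access-list lines the asker posted above.
SAMPLE_CONFIG = """\
access-group PLACE_INSIDE out interface inside
access-group 101 in interface outside
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
"""

BINDING_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$", re.M)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.+?)\s*$", re.M)


def parse_bindings(config):
    """Map (interface, direction) -> ACL name.  'in' filters packets arriving on the
    interface from the wire; 'out' filters packets the ASA sends out of it."""
    return {(iface, direction): acl for acl, direction, iface in BINDING_RE.findall(config)}


def parse_aces(config):
    """Map ACL name -> list of (action, match-text) in configuration order."""
    aces = {}
    for acl, action, rest in ACE_RE.findall(config):
        aces.setdefault(acl, []).append((action, rest))
    return aces


def audit(config, interface):
    """Describe how traffic entering `interface` from the wire is filtered, and flag
    ACLs that are defined but never applied, or applied but never defined."""
    bindings, aces = parse_bindings(config), parse_aces(config)
    bound = set(bindings.values())
    ingress = bindings.get((interface, "in"))  # None means only the implicit rule applies
    return {
        "ingress_acl": ingress,
        "egress_acl": bindings.get((interface, "out")),
        "ingress_rule_count": len(aces.get(ingress, [])),
        "unbound_acls": sorted(set(aces) - bound),
        "undefined_acls": sorted(bound - set(aces)),
    }
```

For `inside`, `audit(SAMPLE_CONFIG, "inside")` returns no ingress list and `PLACE_INSIDE` as the egress list, so the permit entries in `PLACE_INSIDE` are never consulted for connections that originate on the LAN; the same audit on `outside` returns list `101` with four entries.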

Author Comment

by:CocoCounty
ID: 39814943
I will be reposting my question, as my question and the initial information I provided to the experts were somewhat deficient.
LVL 18

Expert Comment

by:Akinsd
ID: 39815021
The traffic is being dropped even before it gets natted.

The issue is with "access-group 101 in interface outside"

Try this
access-list 101 extended permit ip host  172.16.18.3 any

Run the trace again

Author Comment

by:CocoCounty
ID: 39818512
Akinsd

About a week back I decided to restore defaults and reconfigured it, but it's still getting the same results on the same ACL. I have been considering closing this thread and opening a new one. I do appreciate the time you have spent looking at my problems.

I have attached the new config, the file contains everything you had asked me to do in the thread.

Author Comment

by:CocoCounty
ID: 39820958
The attached file is the right one
ASA5505-LPMC.rtf

Author Comment

by:CocoCounty
ID: 39839051
Thanks for the assistance - the issue was not solved but instead of the ASA we opted for a different solution.

Thanks again, please consider this question closed.
LVL 18

Expert Comment

by:Akinsd
ID: 39839735
Sorry I didn't get back to you on time.

capture capin interface inside match icmp host 172.16.18.3 host 4.2.2.2
capture capout interface outside match icmp host 67.60.15.238 host 4.2.2.2

Run a ping

show cap

Accepted Solution

by: CocoCounty (earned 0 total points)
ID: 39839769
Thanks again Akinsd

We decided to utilize a different device (rv220w) instead of the ASA. Not as robust as the ASA, but for what we intend to use it for it's probably more than enough.

Author Closing Comment

by:CocoCounty
ID: 39849658
The device being utilized for the task was changed to a completely different device.