Solved

ASA5505 to Multiple networks

Posted on 2014-01-08
17
339 Views
Last Modified: 2014-02-11
Hello
I have very limited Cisco Security experience -
I have been working on installing a Cisco ASA5505 for internet access only for a remote area (they use a separate MPLS circuit for private network access).

The remote area is comprised of discontinuous networks 172.16.0.0/16 and 10.37.0.0/16.

The ASA is connected to the ISP and it gets a DHCP address from the ISP. Ping to the Internet works fine from the outside interface but not the inside.

I have tried adding a NAT for the inside to the outside and I have not been successful in my attempts.
I have attached the ASA config and version

Any assistance would be greatly appreciated.
ASA5505.txt
0
Comment
Question by:CocoCounty
17 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 39766151
Post the scrambled result of

show interface ip brief


Also, do a packet trace

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 4444 detailed
0
 

Author Comment

by:CocoCounty
ID: 39766225
Thanks for looking at this -

Sh interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      172.16.18.3     YES CONFIG up                    up
Vlan2                      XX.XX.59.9     YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

-----------------------

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 44$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc72fb410, priority=1, domain=permit, deny=false
        hits=13294, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39766428
Going by the result of your packet trace (Phase 4), this looks like an acl issue.

Post 3 more results

show run nat
show run access-list
show run access-group
0
 

Author Comment

by:CocoCounty
ID: 39766440
nat (inside) 1 0.0.0.0 0.0.0.0

sh run access-list doesn't return any entries as it is right now.
0
 

Author Comment

by:CocoCounty
ID: 39768410
AkinsD -

I did have at some point before posting here the ACLs below, but I was not able to get it to work.

sh run access-g

access-group PLACE_INSIDE out interface inside
access-group 101 in interface outside


sh run access-l

access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded


packet-tracer input inside tcp 172.16.18.3 80 4.2.2.2 80 d$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------
It shows the ACL that is dropping the packet as being a configured rule, but I don't understand where I'm making the mistake.
0
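A small cross-check of the two outputs posted above (the "show interface ip brief" table and the packet-tracer runs), added here as an example and not part of the thread: it parses both, reports which phase produced the drop and whether an implicit rule did it, and flags that the trace's source address 172.16.18.3 is the Vlan1 (inside) interface's own address from the table rather than a client on the LAN. Function names are mine; the sample text is abridged from the posts above.

```python
import re

# Sample inputs, abridged from this thread's posted outputs (ISP address masked as in the original).
BRIEF = """\
Vlan1                      172.16.18.3     YES CONFIG up                    up
Vlan2                      XX.XX.59.9      YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
"""
TRACE = """\
packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 4444 detailed
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def interface_ips(brief):
    # Map interface name -> address from 'show interface ip brief' rows.
    rows = (line.split() for line in brief.splitlines())
    return {r[0]: r[1] for r in rows if len(r) > 1 and r[1] != "unassigned"}

def parse_trace(trace):
    # Split packet-tracer output into per-phase records plus the verdict.
    cmd = re.search(r"packet-tracer input \S+ \S+ (\S+) \d+ (\S+) \d+", trace)
    phases = []
    for block in re.split(r"^Phase: ", trace, flags=re.M)[1:]:
        grab = lambda key: re.search(rf"^{key}: (\S+)", block, re.M)
        phases.append({"phase": block.split("\n", 1)[0].strip(),
                       "type": grab("Type").group(1),
                       "result": grab("Result").group(1),
                       "implicit": "Implicit Rule" in block})
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    return {"src": cmd.group(1) if cmd else None, "phases": phases,
            "reason": reason.group(1).strip() if reason else None}

def triage(trace, brief):
    # Cross-check the trace against the interface table and return findings.
    t, ips = parse_trace(trace), interface_ips(brief)
    drop = next((p for p in t["phases"] if p["result"] == "DROP"), None)
    own_if = next((n for n, ip in ips.items() if ip == t["src"]), None)
    findings = []
    if own_if:  # the test source is the firewall itself, not a client behind it
        findings.append(f"src {t['src']} is the ASA's {own_if} address")
    if drop and drop["implicit"]:  # no explicit ACL entry matched this flow
        findings.append(f"phase {drop['phase']} {drop['type']} implicit-rule drop")
    return {"src": t["src"], "drop_phase": drop["phase"] if drop else None,
            "reason": t["reason"], "findings": findings}
```

Feeding it the full output of a trace whose source is a real LAN host behind Vlan1 (not the interface address itself) is the comparison worth making before touching the NAT or access-group configuration.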
 

Author Comment

by:CocoCounty
ID: 39814943
I will be reposting my question, as my question and initial information provided to the experts was somewhat deficient.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39815021
The traffic is being dropped even before it gets natted.

The issue is with "access-group 101 in interface outside"

Try this
access-list 101 extended permit ip host  172.16.18.3 any

Run the trace again
0
 

Author Comment

by:CocoCounty
ID: 39818512
Akinsd

About a week back I decided to restore defaults and reconfigured it, but it's still getting the same results on the same ACL. I have been considering closing this thread and opening a new one. I do appreciate the time you have spent looking at my problems.

I have attached the new config, the file contains everything you had asked me to do in the thread.
0
 

Author Comment

by:CocoCounty
ID: 39820958
The attached file is the right one
ASA5505-LPMC.rtf
0
 

Author Comment

by:CocoCounty
ID: 39839051
Thanks for the assistance - the issue was not solved but instead of the ASA we opted for a different solution.

Thanks again, please consider this question closed.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39839735
Sorry I didn't get back to you on time.

capture capin interface inside match icmp host 172.16.18.3 host 4.2.2.2
capture capout interface outside match icmp host 67.60.15.238 host 4.2.2.2

Run a ping

show cap
0
 

Accepted Solution

by:
CocoCounty earned 0 total points
ID: 39839769
Thanks again Akinsd

We decided to utilize a different device (rv220w) instead of the ASA. Not as robust as the ASA, but for what we intend to use it for it's probably more than enough.
0
 

Author Closing Comment

by:CocoCounty
ID: 39849658
The device being utilized for the task changed to a completely different device.
0
