ASA5505 to Multiple networks

Hello
I have very limited Cisco Security experience -
I have been working on installing a Cisco ASA5505 for internet access only for a remote area (they use a separate MPLS circuit for private network access).

The remote area is comprised of discontinuous networks 172.16.0.0/16 and 10.37.0.0/16.

The ASA is connected to the ISP and gets a DHCP address from the ISP. Pings to the Internet work fine from the outside interface but not from the inside.

I have tried adding a NAT for the inside to the outside and I have not been successful in my attempts.
I have attached the ASA config and version.

Any assistance would be greatly appreciated.
ASA5505.txt
CocoCounty asked:

CocoCounty (Author) commented:
Thanks again, Akinsd.

We decided to utilize a different device (RV220W) instead of the ASA. Not as robust as the ASA, but for what we intend to use it for it's probably more than enough.
 
Akinsd (Network Administrator) commented:
Post the scrambled result of

show interface ip brief


Also, do a packet trace

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 4444 detailed
 
CocoCounty (Author) commented:
Thanks for looking at this -

sh interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      172.16.18.3     YES CONFIG up                    up
Vlan2                      XX.XX.59.9     YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

-----------------------

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 44$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc72fb410, priority=1, domain=permit, deny=false
        hits=13294, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Akinsd (Network Administrator) commented:
Going by the result of your packet trace (Phase 4), this looks like an acl issue.

Post 3 more results

show run nat
show run access-list
show run access-group
 
CocoCounty (Author) commented:
nat (inside) 1 0.0.0.0 0.0.0.0

sh run access-list doesn't return any entries as it is right now.
 
CocoCounty (Author) commented:
AkinsD -

I did have at some point before posting here the ACLs below, but I was not able to get it to work.

sh run access-g

access-group PLACE_INSIDE out interface inside
access-group 101 in interface outside


sh run access-l

access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded


packet-tracer input inside tcp 172.16.18.3 80 4.2.2.2 80 d$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------
It shows the ACL that is dropping the packet as being a configured rule, but I don't understand where I'm making the mistake.
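The configuration below is an added example; it is not part of the thread or of CocoCounty's attached config. It assembles the pieces an inside-to-Internet setup on this ASA needs, using the addresses the thread shows. It assumes pre-8.3 NAT syntax (the posted `nat (inside) 1 0.0.0.0 0.0.0.0` line is the old form; the 8.3+ equivalent is given in comments). The inside test host 172.16.18.10, the 10.37.0.0/16 test host 10.37.1.10 and the 172.16.18.1 next hop are hypothetical, and the members of NONONINO_INSIDE_NETWORKS are assumed to be the two networks named in the question.

```cisco
! Added example config, not from the thread. Assumes pre-8.3 NAT syntax.
! 172.16.18.10, 10.37.1.10 and the 172.16.18.1 next hop are hypothetical.
!
! 1. Dynamic PAT. A "nat (inside) 1" line does nothing without a matching
!    "global (outside) 1"; the thread shows only the nat line.
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 10.37.0.0 255.255.0.0
global (outside) 1 interface
!
!    On ASA 8.3 or later, use object NAT instead of the two lines above:
!    object network NET-172-16
!     subnet 172.16.0.0 255.255.0.0
!     nat (inside,outside) dynamic interface
!    object network NET-10-37
!     subnet 10.37.0.0 255.255.0.0
!     nat (inside,outside) dynamic interface
!
! 2. The second network is not directly connected to Vlan1, so the ASA needs
!    a route to it via the inside router (hypothetical next hop).
route inside 10.37.0.0 255.255.0.0 172.16.18.1 1
!
! 3. Inside ACL, applied INBOUND on inside. "out interface inside" filters
!    traffic leaving the ASA toward inside hosts, not hosts going out.
object-group network NONONINO_INSIDE_NETWORKS
 network-object 172.16.0.0 255.255.0.0
 network-object 10.37.0.0 255.255.0.0
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit udp object-group NONONINO_INSIDE_NETWORKS any eq domain
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
no access-group PLACE_INSIDE out interface inside
access-group PLACE_INSIDE in interface inside
!
! 4. Let the inspection engine admit ICMP echo replies for inside-initiated
!    pings, so the outside ACL can stay as restrictive as posted.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 5. Test from a host address behind the ASA, not from the inside interface's
!    own address (172.16.18.3 is Vlan1 itself in "show interface ip brief").
packet-tracer input inside tcp 172.16.18.10 12345 4.2.2.2 80 detailed
packet-tracer input inside icmp 10.37.1.10 8 0 4.2.2.2 detailed
```

Two things in the posted output are worth checking against this. Both packet-tracer runs in the thread are sourced from 172.16.18.3, which the `show interface ip brief` output lists as the Vlan1 (inside) interface address itself; the ASA does not forward traffic sourced from its own interface address, so a trace from that IP ends in the implicit deny shown above regardless of how NAT or the ACLs are configured, and it proves nothing about either. Second, the posted `nat (inside) 1 0.0.0.0 0.0.0.0` has no matching `global (outside)` statement in what was shown, so even once the ACL question is settled there is nothing telling the ASA which outside address to translate to.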
 
CocoCounty (Author) commented:
I will be reposting my question, as my question and the initial information provided to the experts were somewhat deficient.
 
Akinsd (Network Administrator) commented:
The traffic is being dropped even before it gets natted.

The issue is with "access-group 101 in interface outside"

Try this
access-list 101 extended permit ip host 172.16.18.3 any

Run the trace again
 
CocoCounty (Author) commented:
Akinsd

About a week back I decided to restore defaults and reconfigured it, but it's still getting the same results on the same ACL. I have been considering closing this thread and opening a new one. I do appreciate the time you have spent looking at my problems.

I have attached the new config, the file contains everything you had asked me to do in the thread.
 
CocoCounty (Author) commented:
The attached file is the right one
ASA5505-LPMC.rtf
 
CocoCounty (Author) commented:
Thanks for the assistance - the issue was not solved but instead of the ASA we opted for a different solution.

Thanks again, please consider this question closed.
 
Akinsd (Network Administrator) commented:
Sorry I didn't get back to you on time.

capture capin interface inside match icmp host 172.16.18.3 host 4.2.2.2
capture capout interface outside match icmp host 67.60.15.238 host 4.2.2.2

Run a ping

show cap
 
CocoCounty (Author) commented:
The device being utilized for the task was changed to a completely different device.