Solved

ASA5505 to Multiple networks

Posted on 2014-01-08
Last Modified: 2014-02-11
Hello
I have very limited Cisco Security experience -
I have been working on installing a Cisco ASA5505 for internet access only for a remote area (they use a separate MPLS circuit for private network access).

The remote area is comprised of discontinuous networks 172.16.0.0/16 and 10.37.0.0/16.

The ASA is connected to the ISP and it gets a DHCP address from the ISP. Ping to the Internet works fine from the outside interface but not the inside.

I have tried adding a NAT for the inside to the outside and I have not been successful in my attempts.
I have attached the ASA config and version

Any assistance would be greatly appreciated.
ASA5505.txt
Question by:CocoCounty
17 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 39766151
Post the scrambled result of

show interface ip brief


Also, do a packet trace

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 4444 detailed
 

Author Comment

by:CocoCounty
ID: 39766225
Thanks for looking at this -

Sh interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      172.16.18.3     YES CONFIG up                    up
Vlan2                      XX.XX.59.9      YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

-----------------------

packet-tracer input inside tcp 172.16.18.3 4444 4.2.2.2 44$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc72fb410, priority=1, domain=permit, deny=false
        hits=13294, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
LVL 18

Expert Comment

by:Akinsd
ID: 39766428
Going by the result of your packet trace (Phase 4), this looks like an acl issue.

Post 3 more results

show run nat
show run access-list
show run access-group
 

Author Comment

by:CocoCounty
ID: 39766440
nat (inside) 1 0.0.0.0 0.0.0.0

sh run access-list doesn't return any entries as it is right now.
 

Author Comment

by:CocoCounty
ID: 39768410
AkinsD -

I did have at some point before posting here the ACLs below, but I was not able to get it to work.

sh run access-g

access-group PLACE_INSIDE out interface inside
access-group 101 in interface outside


sh run access-l

access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq www
access-list PLACE_INSIDE extended permit tcp object-group NONONINO_INSIDE_NETWORKS any eq https
access-list PLACE_INSIDE extended permit icmp object-group NONONINO_INSIDE_NETWORKS any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded


packet-tracer input inside tcp 172.16.18.3 80 4.2.2.2 80 d$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc746bdc0, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.18.3, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------
It shows the ACL that is dropping the packet as being a configured rule, but I don't understand where I'm making the mistake.
 

Author Comment

by:CocoCounty
ID: 39814943
I will be reposting my question, as my question and the initial information provided to the experts were somewhat deficient.
 
LVL 18

Expert Comment

by:Akinsd
ID: 39815021
The traffic is being dropped even before it gets natted.

The issue is with "access-group 101 in interface outside"

Try this
access-list 101 extended permit ip host  172.16.18.3 any

Run the trace again
 

Author Comment

by:CocoCounty
ID: 39818512
Akinsd

About a week back I decided to restore defaults and reconfigured it, but it's still getting the same results on the same ACL. I have been considering closing this thread and opening a new one. I do appreciate the time you have spent looking at my problems.

I have attached the new config, the file contains everything you had asked me to do in the thread.
 

Author Comment

by:CocoCounty
ID: 39820958
The attached file is the right one
ASA5505-LPMC.rtf
 

Author Comment

by:CocoCounty
ID: 39839051
Thanks for the assistance - the issue was not solved but instead of the ASA we opted for a different solution.

Thanks again, please consider this question closed.
 
LVL 18

Expert Comment

by:Akinsd
ID: 39839735
Sorry I didn't get back to you on time.

capture capin interface inside match icmp host 172.16.18.3 host 4.2.2.2
capture capout interface outside match icmp host 67.60.15.238 host 4.2.2.2

Run a ping

show cap
 

Accepted Solution

by:
CocoCounty earned 0 total points
ID: 39839769
Thanks again Akinsd

We decided to utilize a different device (rv220w) instead of the ASA. Not as robust as the ASA, but for what we intend to use it for it's probably more than enough.
 

Author Closing Comment

by:CocoCounty
ID: 39849658
The device being utilized for the task was changed to a completely different device.
