Internal Subnets not getting OUT via ASA outside interface

roliveira11 — Fri, 21 Feb 2020 17:33:09 GMT

Hello Everyone,

It may very well be the time of day I'm writing this and long hours of looking at the screen.. but I'm setting up a lab ASA with an inside and outside interface. Inside interface is connected to a L3 Nexus 3064 using a transit VLAN ( 172.31.100.0/29) with simply a default route on the N3K pointing to the ASA's inside interface (172.31.100.1) - I have 3 different internal subnets I'd like to get out to the internet via any protocol.

LabMgmt- 10.0.0.0/24

VM_NetworkA- 10.0.1.0/24

VM_NetworkB- 10.0.2.0/24AC

The gateways of the above networks reside on the Nexus 3k (all .1 respectively) I'm using the Nexus 3k as a test by sourcing the gateway IP address to 1.1.1.1 for example. The ASA itself can ping 1.1.1.1 but the none of the Nexus internal networks can. Below is the configuration,.. I must be missing something really silly..

I show a capture of testing with 10.0.2.1. any help would be appreciated! Thanks in advance!

Boston-LabASA# show capture
capture capinside type raw-data interface inside [Capturing - 570 bytes]
match ip host 10.0.2.1 any
capture asp-drop type raw-data interface inside [Capturing - 570 bytes]
match ip host 10.0.2.1 any
Boston-LabASA#
Boston-LabASA#
Boston-LabASA#
Boston-LabASA#
Boston-LabASA#
Boston-LabASA#
Boston-LabASA# show cap
Boston-LabASA# show capture capinside

5 packets captured

1: 02:17:13.132378 10.0.2.1 > 1.1.1.1: icmp: echo request
2: 02:17:15.140724 10.0.2.1 > 1.1.1.1: icmp: echo request
3: 02:17:17.151450 10.0.2.1 > 1.1.1.1: icmp: echo request
4: 02:17:19.161780 10.0.2.1 > 1.1.1.1: icmp: echo request
5: 02:17:21.172125 10.0.2.1 > 1.1.1.1: icmp: echo request
5 packets shown
Boston-LabASA#
Boston-LabASA#
Boston-LabASA# show cap asp-drop

5 packets captured

Boston-LabASA# sh run
: Saved
:
: Serial Number: FCH1928JDWD
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(3)4
!
hostname Boston-LabASA
names
ip local pool LABVPNUserPool 192.168.177.5-192.168.177.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
description outside
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
description inside
nameif inside
security-level 100
ip address 172.31.100.1 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
security-level 100
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa983-18-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name focustsi.com
object network LabMgmt_Network
subnet 10.0.0.0 255.255.255.0
object network VM_NetworkA
subnet 10.0.1.0 255.255.255.0
object network VM_NetworkB
subnet 10.0.2.0 255.255.255.0
access-list no-nat extended permit ip 10.0.0.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list no-nat extended permit ip 172.31.100.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list no-nat extended permit ip 10.0.1.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list no-nat extended permit ip 10.0.2.0 255.255.255.0 192.168.177.0 255.255.255.0
access-list no-nat extended permit ip 10.0.3.0 255.255.255.0 192.168.177.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network LabMgmt_Network
nat (inside,outside) dynamic interface
object network VM_NetworkA
nat (inside,outside) dynamic interface
object network VM_NetworkB
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.255.255.0 172.31.100.2 1
route inside 10.0.1.0 255.255.255.0 172.31.100.2 1
route inside 10.0.2.0 255.255.255.0 172.31.100.2 1
route inside 10.0.3.0 255.255.255.0 172.31.100.2 1
route outside 192.168.177.0 255.255.255.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
quit
telnet timeout 5
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-sha1
ssl trust-point localtrust outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.00748-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy LABVPNUser internal
group-policy LABVPNUser attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value no-nat
address-pools value LABVPNUserPool
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 19
subscribe-to-alert-group configuration periodic monthly 19
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4aa9921ecd5699aecf89ac952f135196
: end
Boston-LabASA#

Re: Internal Subnets not getting OUT via ASA outside interface

Deepak Kumar — Wed, 09 Oct 2019 04:44:07 GMT

Hi,

Apply an ACL on the outside interface in IN direction:

access-list OUTSIDE-IN extended permit icmp any any
!
access-group OUTSIDE-IN in interface outside

If this will not work then share the Packet Tracer output with us.

Re: Internal Subnets not getting OUT via ASA outside interface

bhargavdesai — Wed, 09 Oct 2019 07:06:49 GMT

Your configuration looks good. If you are testing internet connectivity through PING (ICMP), you must inspect ICMP as Cisco ASA by default does not inspect ICMP. To do so you can use below command.
"fixup protocol icmp"

You can also use the other method mentioned by Expert Deepak Kumar.

If you still facing problem please post the output of packet tracer from ASA.
packet-tracer input INSIDE icmp 10.0.0.10 8 0 1.1.1.1 detailed

HTH
### RATE ALL HELPFUL RESPONSES ###

topic Internal Subnets not getting OUT via ASA outside interface in Network Security

Internal Subnets not getting OUT via ASA outside interface

Re: Internal Subnets not getting OUT via ASA outside interface

Re: Internal Subnets not getting OUT via ASA outside interface