topic Re: ASA 5506 outside access in Network Security

ASA 5506 outside access

Ben F — Fri, 21 Feb 2020 14:15:02 GMT

Hello. Recently we installed a brand new ASA 5506 for a client. After the installation we were able to SSH into the device via the outside interface and the outside interface responded to pings. Now, the ASA will not respond and we cannot SSH to it. I did a capture and could see the pings reaching the ASA, but no reply was being sent. We had specific rules for what subnets could ping the interface, but during this changed it to "icmp permit any inside" and even added "icmp permit any echo outside" and "icmp permit any echo-reply outside"just to see if that made any difference. There are no other ACLs configured on the device. "Inspect ICMP" is also configured under the policy map. Users are still able to get to the internet and a "what's my ip" Google search shows the correct public IP. The only thing I haven't tried that I can think of is just a restart since that will require a scheduled downtime. Is there anything else that could be causing this?

Re: ASA 5506 outside access

GRANT3779 — Mon, 28 Aug 2017 17:20:47 GMT

Hi,

What is the current output ftom

sh run ssh

and also

sh run icmp

Re: ASA 5506 outside access

Ben F — Tue, 29 Aug 2017 14:26:12 GMT

Hello! Luckily we have an agent on one of the client servers and I was able to SSH from inside. Here is the output for those commands. I removed our public IP addresses for obvious reasons. Thanks!

ASA# sh run ssh
ssh stricthostkeycheck
ssh <REMOVED_IP> 255.255.255.240 outside
ssh <REMOVED_IP> 255.255.255.224 outside
ssh <REMOVED_IP> 255.255.255.255 outside
ssh <REMOVED_IP> 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
ASA# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
ASA#

Re: ASA 5506 outside access

Ben F — Tue, 29 Aug 2017 15:13:19 GMT

Did a packet capture and can see the packets arriving...

ASA# capture TEST_ICMP type asp-drop all real-time detail trace

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture
---cut---
16: 10:11:46.739234 0000.5e00.01<cut> <MAC_REMOVED> 0x0800 Length: 74
      <MyIP > <TargetIP>: icmp: echo request (ttl 110, id 17150) Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA 5506 outside access

GRANT3779 — Tue, 29 Aug 2017 15:20:13 GMT

What is output from

show run access-group

and

show run access-list

Also - for SSH to the Outside Interface, have you enabled ssh debugging when attemtping to that specific interface?

Re: ASA 5506 outside access

Ben F — Tue, 29 Aug 2017 15:43:12 GMT

Here is the command output. I will try the SSH debug next.

ASA# sh run access-group
ASA# sh run access-list
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list ICMP_TEST standard permit host <MyIP>
ASA#

Re: ASA 5506 outside access

GRANT3779 — Tue, 29 Aug 2017 16:17:10 GMT

The ICMP one is odd. My understanding is when you send icmp tarffic direct to an ASA Interface (e.g not through the ASA) an Interface ACL plays no part at all on whether it is allowed/not allowed. It is specifically the icmp command that dictates what happens. I would remove all the ICMP permit commands you have for testing - This then allows all ICMP traffic to the ASA on all Interfaces by default.

no icmp permit any outside
no icmp permit any echo outside
no icmp permit any echo-reply outside

I would test ICMP from Outside your Network to the ASA Outside Interface as well incase you are coming in via the Inside Interface first somehow (not sure on your topology so can only throw things out there). You did say it was working before though and nothing has changed. Maybe a reboot will help when you are able to do it. I have had many random ASA issues appear and solved by a reload 🙂

Re: ASA 5506 outside access

Ben F — Tue, 29 Aug 2017 16:28:34 GMT

Yeah, removing the ICMP commands didn't help. I was discussing this with the other engineer and we are thinking that we didn't actually test the SSH so I'm guessing it never worked. They are using a PPPoE connection on their WAN, but I don't know if that would do anything....especially since I can see the packets arriving and getting dropped at the ASA. I'm still fairly new to the ASAs, but from what I've experienced, this should work. Perplexed!!