Unable to Contact Networks Behind ASA 5506-X

dj0321 — Mon, 20 Jul 2020 07:26:05 GMT

Hello Folks,

I am running into an issue where I cannot touch / connect with any networks that are not directly connected to the ASA from the WAN interface. However, if I am connected through SSL VPN or connected to one of the networks hosted by the ASA, I can touch devices hosted behind the WAN interface. I have a series of NAT rules in place. Not sure if one of them is are causing problem or not. My setup is basically like this : Cisco ASA 5506 -> Verizon Router -> Internet.

When I am on the 192.168.1.0 network hosted by verzion, when I try to probe or connect with services behind the ASA I can't make contact. Hopefully, this makes sense. Anyone's assistance is greatly appreciated. Here is my config:

STORM-ASA(config)# show running-config
: Saved

ASA Version 9.8(4)20
!
hostname STORM-ASA
names
no mac-address auto
ip local pool VPN_POOL 10.10.30.100-10.10.30.120 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif WAN
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif LAN
security-level 100
ip address 10.10.20.254 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
nameif Management
security-level 0
ip address dhcp setroute
!
banner exec UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner exec
banner exec You must have explicit, authorized permission to access or configure this device.
banner exec
banner exec Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner exec
banner exec All activities performed on this device are logged and monitored.
banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner login
banner login You must have explicit, authorized permission to access or configure this device.
banner login
banner login Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner login
banner login All activities performed on this device are logged and monitored.
banner motd UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner motd
banner motd You must have explicit, authorized permission to access or configure this device.
banner motd
banner motd Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner motd
banner motd All activities performed on this device are logged and monitored.
banner asdm UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner asdm
banner asdm You must have explicit, authorized permission to access or configure this device.
banner asdm
banner asdm Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
banner asdm
banner asdm All activities performed on this device are logged and monitored.
boot system disk0:/asa984-20-lfbff-k8.SPA
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 192.168.1.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NAT_10.10.20.0_24
subnet 10.10.20.0 255.255.255.0
object network STORMRUNNER_TEST
host 173.79.28.87
object network VPN_Pool
range 10.10.30.100 10.10.30.120
object network NETWORK_OBJ_10.10.30.96_27
subnet 10.10.30.96 255.255.255.224
object network Verizon_router
host 192.168.1.1
object network VPN_GW
host 10.10.30.1
object network NAT_VPN
range 10.10.30.100 10.10.30.120
object network 192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network NAT_WAN_to_LAN
range 10.10.30.100 10.10.30.120
object network NAT_LAN_to_WAN
subnet 10.10.20.0 255.255.255.0
object network all
subnet 10.10.20.0 255.255.255.0
object network vCenter
host 192.168.1.200
description vCenter
object network Nessus-Server
host 192.168.1.105
object service Nessus_Port
service tcp destination eq 8834
object-group network Dell_Workstation
network-object host 10.10.20.100
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp-udp destination eq domain
object-group service SMB_Ports
service-object tcp-udp destination eq 139
service-object tcp-udp destination eq 445
object-group network LAN_NETWORK
network-object 10.10.20.0 255.255.255.0
object-group service Testing_Group
service-object ip
service-object icmp
group-object SMB_Ports
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object tcp-udp destination eq cifs
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp-udp destination eq kerberos
service-object tcp-udp destination eq nfs
service-object tcp-udp destination eq pim-auto-rp
service-object tcp-udp destination eq sip
service-object tcp-udp destination eq sunrpc
service-object tcp-udp destination eq tacacs
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
object-group icmp-type ICMP_ALLOW
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group network 10.10.20.0
network-object 10.10.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object 192.168.1.0
network-object object Verizon_router
object-group network DM_INLINE_NETWORK_2
network-object object 192.168.1.0
network-object object Verizon_router
access-list LAN_access_in extended deny tcp object-group Dell_Workstation object STORMRUNNER_TEST eq https log critical
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group Dell_Workstation any
access-list global_access extended permit object-group Testing_Group 10.10.20.0 255.255.255.0 any
access-list global_access extended permit object-group Testing_Group object VPN_Pool 10.10.20.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list WAN_access_in_1 extended permit object-group Testing_Group object Verizon_router object VPN_Pool
access-list WAN_access_in_1 extended permit object-group Testing_Group object 192.168.1.0 object VPN_Pool
access-list WAN_access_in_1 extended permit object-group Testing_Group any 10.10.20.0 255.255.255.0
access-list Split-Tunnel standard permit host 192.168.1.200
access-list Split-Tunnel standard permit host 192.168.1.123
access-list Split-Tunnel standard permit host 192.168.1.153
pager lines 24
logging enable
logging asdm informational
mtu WAN 1406
mtu LAN 1500
mtu Management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (WAN,WAN) source static Verizon_router Verizon_router dns no-proxy-arp route-lookup description PING TROUBLZESHOOT
nat (WAN,WAN) source dynamic VPN_Pool interface
nat (LAN,LAN) source dynamic NAT_10.10.20.0_24 interface
!
object network NAT_VPN
nat (WAN,WAN) dynamic interface dns
object network all
nat (LAN,WAN) dynamic interface
access-group WAN_access_in_1 in interface WAN
access-group LAN_access_in in interface LAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
route LAN 10.10.30.0 255.255.255.0 10.10.30.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 LAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
keypair ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint2-1
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 WAN
ssh 10.10.20.100 255.255.255.255 LAN
ssh timeout 45
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcp-client client-id interface Management
dhcpd address 10.10.20.100-10.10.20.250 LAN
dhcpd dns 192.168.1.1 interface LAN
dhcpd lease 1500 interface LAN
dhcpd enable LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source WAN prefer
ssl server-version tlsv1.1
ssl client-version tlsv1.1
ssl cipher tlsv1.2 high
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_TrustPoint2 WAN
ssl trust-point ASDM_TrustPoint2 LAN
webvpn
port 8443
enable WAN
enable LAN
dtls port 8443
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-linux64-4.8.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.8.03052-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy Split-Tunnel internal
group-policy Split-Tunnel attributes
dns-server value 192.168.1.199
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value abcteam.com
split-dns value abcteam.com storm.us
split-tunnel-all-dns disable
group-policy Full-Tunnel internal
group-policy Full-Tunnel attributes
dns-server value 192.168.1.199 192.168.1.1
vpn-tunnel-protocol ssl-client
default-domain value abcteam.com
split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
username test password $sha512$5000$5KC8R8JyRSDkbQ/D5WycnA==$ZnyBQ3acSODZHMaoJaPcqA== pbkdf2
username dean password $sha512$5000$zvtKT4f7tUtxBMTOVxMCMA==$qSb2qEcGRmlPlQK/JwybNA== pbkdf2 privilege 15
tunnel-group Full-Tunnel type remote-access
tunnel-group Full-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Full-Tunnel
tunnel-group Full-Tunnel webvpn-attributes
group-alias Full-Tunnel enable
tunnel-group Split-Tunnel type remote-access
tunnel-group Split-Tunnel general-attributes
address-pool VPN_POOL
default-group-policy Split-Tunnel
tunnel-group Split-Tunnel webvpn-attributes
group-alias Split-Tunnel enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3ebf2eeec1e783558c13689264793724
: end

Re: Unable to Contact Networks Behind ASA 5506-X

Seb Rupik — Mon, 20 Jul 2020 07:48:10 GMT

Hi there,

This sounds like the sort of behaviour you would want from a firewall!

That point aside, if you want your 192.168.1.0/24 (I'm guessing on that subnet mask), then you need to make the following addition to you WAN inbound ACL:

!
access-list WAN_access_in_1 ext permit tcp 192.168.1.0 255.255.255.0 any
!

EDIT----

You will also need to configure 'no-nat' for the return traffic:

!
nat (LAN,WAN) source static all all destination static 192.168.1.0 192.168.1.0 no-proxy-arp
!

...and ensure devices in the 192.168.1.0/24 know that to reach the 10.10.20..0/24 subnet it must go via ASA Gi1/1 IP address.

cheers,

Seb.

Re: Unable to Contact Networks Behind ASA 5506-X

dj0321 — Mon, 20 Jul 2020 17:04:27 GMT

Thanks a lot! This worked. This case can be marked as resolved.

Re: Unable to Contact Networks Behind ASA 5506-X

Seb Rupik — Tue, 21 Jul 2020 08:12:47 GMT

Good to hear, but you need to mark it as solved 🙂

topic Re: Unable to Contact Networks Behind ASA 5506-X in Network Security

Unable to Contact Networks Behind ASA 5506-X

Re: Unable to Contact Networks Behind ASA 5506-X

Re: Unable to Contact Networks Behind ASA 5506-X

Re: Unable to Contact Networks Behind ASA 5506-X