topic Pinging through ASA from Outside in Network Security

Pinging through ASA from Outside

Rolitto — Mon, 03 Aug 2020 01:42:38 GMT

Hi everyone,

I have this basic scenario:

(LAN) --------- (ASA) ---------- (DSL Router) ---------- (Internet)

I am able to ping the DSL Router from the LAN but not vice versa. Is it a common case with the ASA deployed in between or am I missing something?

I have an explicitly written extended ACL to permit ip any any.

Any sharing thought is appreciated, thank you.

Re: Pinging through ASA from Outside

Rob Ingram — Mon, 03 Aug 2020 06:43:01 GMT

Hi,

Do you have NAT configured for inbound and outbound traffic? I assume you do.

for outbound traffic you probably have a dynamic NAT rule, for all internal traffic to be natted behind the firewall.

For inbound traffic you would need to add a static NAT (in addition to the ACL you have in place), however normally you would not want to ping inbound from the internet to the local LAN.

Re: Pinging through ASA from Outside

Rolitto — Mon, 03 Aug 2020 18:17:20 GMT

Hi Rob,

I did not implement NAT for inbound traffic. As for the outbound traffic, I have dynamic NAT.

Anyways, here's the configuration of the ASA.

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp

object network LAN1

subnet 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

access-list LAN1 extended permit ip any any

access-group LAN1 in interface outside

object network LAN1

nat (inside,outside) dynamic interface

telnet timeout 5

ssh timeout 5

dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd dns 192.168.1.1 interface inside

dhcpd lease 86400 interface inside

dhcpd enable inside

I didn't find a necessity implementing NAT from inside-to-outside and from outside-to-inside as I'm dealing with private networks 192.168.1.0/24 (LAN) and 10.10.10.0/24 (Outside). I kept NAT from inside-to-outside though.

Re: Pinging through ASA from Outside

Rob Ingram — Tue, 04 Aug 2020 06:07:23 GMT

Because you have NAT configured from inside to outside, the reply to the inside network will be NATTED. If you do not wish traffic from inside network to the ISP network on the outside, you should define a NAT exemption rule, traffic would now not be natted between those 2 networks. You need to ensure that the ISP router has a route to the 192.168.1.0/24 network via the ASA.

Example NAT exemption config:-

object network ISP 
 subnet 10.10.10.0 255.255.255.0

nat (inside,outside) source static LAN1 LAN1 destination static ISP ISP no-proxy-arp

HTH

Re: Pinging through ASA from Outside

Rolitto — Mon, 03 Aug 2020 22:21:15 GMT

But what sparked my concern is that if the security-level of outside (0), is supposedly been omitted, then the ICMP packets would successfully get through from outside-to-inside, something which made me think that it is more related to ACL rather than NAT... maybe I am wrong!

Having said that, I didn't have an issue with PING replies getting through the ASA from outside-to-inside when the PING requests have been initiated from the inside.

I hope I am being clear in explaining what I meant...

Anyways, I will try to implement the exemption of NAT that you suggested in the previous post, and will let you know the outcome.

Re: Pinging through ASA from Outside

Rolitto — Tue, 04 Aug 2020 00:10:29 GMT

My update:
A- I added the two commands but the latter couldn't be written as suggested, so I had to edit it accordingly per what the Packet Tracer allows me to do. Therefore, the command was:
nat (inside,outside) static LAN1 where LAN1 is 192.168.1.0/24 as I could not add source static LAN1 LAN1 destination static ISP ISP to the command. I knew that the command was incomplete and thus useless, but that's all I could do, so i referred to solution B.
B- I removed all NAT rules to clear my mind from doubts that the NAT rules might be causing, then I tried pinging from outside-to-inside, but that didn't work either.

Re: Pinging through ASA from Outside

Rob Ingram — Tue, 04 Aug 2020 06:08:21 GMT

Does the ISP/DSL router have a route to the 192.168.1.0/24 via the ASA?

The formatting of the commands above were lost in the initial post, I've amended. The NAT exemption rule is global and not defined under an object.

Run packet-tracer from the CLI and provide the output for review.

Re: Pinging through ASA from Outside

Rolitto — Tue, 04 Aug 2020 20:51:51 GMT

Rob, I will apply the rule and will let you know what is the outcome as soon as possible because I am currently unable to resume testing.

Re: Pinging through ASA from Outside

Rolitto — Wed, 05 Aug 2020 21:48:50 GMT

Firstly, the DSL Router has a static route configured pointing to the internal network of the ASA (192.168.1.0/24).

Here's the basic running configuration of the DSL Router:

hostname IR800

boot system flash ir800-universalk9-mz.SPA.155-3.M

ip dhcp excluded-address 10.10.10.1

ip dhcp pool LAN2

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 10.10.10.1

ip cef

no ipv6 cef

license udi pid IR829GW-LTE-NA-AK9 sn FTX1806A5BV-

license boot module ir800 technology-package datak9 disable

spanning-tree mode pvst

interface GigabitEthernet0

no ip address

duplex auto

speed auto

shutdown

interface GigabitEthernet1

description Connecting ASA0

switchport access vlan 2

interface GigabitEthernet2

description Connecting Switch0

switchport mode trunk

interface GigabitEthernet3

interface GigabitEthernet4

interface wlan-ap0

no ip address

interface Wlan-GigabitEthernet0

interface GigabitEthernet5

no ip address

duplex auto

speed auto

interface Cellular0

no ip address

shutdown

interface Cellular1

no ip address

shutdown

interface Vlan1

no ip address

shutdown

interface Vlan2

mac-address 0010.1112.2801

ip address 10.10.10.1 255.255.255.0

ip classless

ip route 192.168.1.0 255.255.255.0 10.10.10.2

ip flow-export version 9

line con 0

line 1 2

line 3

line 4

transport input all

line 8

line 1/3 1/6

line vty 0 4

login

end

Secondly, I edited the configuration on the ASA by adding a class and policy map, so here's the updated running configuration:

hostname ciscoasa
enable password ********************
passwd *****************************
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network LAN1
subnet 192.168.1.0 255.255.255.0
access-list inbound extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network LAN1
nat (inside,outside) dynamic interface
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d56ac64f9c830fa33a0385ba1c08e6a7
: end

Finally, I have run the packet-tracer command from CLI on ASA, and here's the output:

ciscoasa# packet-tracer input outside icmp 10.10.10.1 0 0 192.168.1.3

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN1
nat (inside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The type and code that I used are 0 0 as I'm investigating for the inbound traffic, otherwise I'll use 8 0 for the outbound traffic.

Re: Pinging through ASA from Outside

Rob Ingram — Thu, 06 Aug 2020 06:17:13 GMT

As you can see in the packet-tracer output the packet is being NATTED behind the outside interface.

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN1
nat (inside,outside) dynamic interface
Additional Information:

I do not see the NAT exemption rule in your configuration, either add it (using the example I previously provided) or temporarily remove the dynamic NAT.

Re: Pinging through ASA from Outside

Rolitto — Thu, 06 Aug 2020 20:15:00 GMT

Yes it is, and I did remove the dynamic NAT considered as the easier choice, but that didn't solve my problem.

Here's a capture of packet-tracer from CLI when pinging is initiated from outside-to-inside and in particular from [ext IP address of ASA = 10.10.10.2] to [int IP address of ASA = 192.168.1.1] using inbound traffic with type and code 8 0:

ciscoasa# packet-tracer input outside icmp 10.10.10.2 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here's a capture of packet-tracer from CLI when pinging is initiated from inside-to-outside and in particular from [int IP address of ASA = 192.168.1.1] to [ext IP address of ASA = 10.10.10.2] using outbound traffic with type and code 8 0:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 363, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Re: Pinging through ASA from Outside

Rob Ingram — Thu, 06 Aug 2020 20:22:08 GMT

192.168.1.1 is the inside IP address of your ASA, so I'd expect your test to fail. The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface (outside) to a far interface (inside).

Ping through the ASA to test, not to the ASA.

Re: Pinging through ASA from Outside

Rolitto — Thu, 06 Aug 2020 21:27:00 GMT

But even pinging initiated from outside-to-inside, precisely to a PC on the local LAN (192.168.1.0/24) doesn't succeed. That means, if I am using the router's IP address of 10.10.10.1 to ping the PC's IP address of 192.168.1.5, the output of the ping reply is timed out.

Re: Pinging through ASA from Outside

Rob Ingram — Thu, 06 Aug 2020 21:37:13 GMT

Provide the full output of "packet-tracer input outside icmp 10.10.10.2 8 0 192.168.1.5"
Provide the current ASA configuration and the output of "show nat detail".
Does the device 192.168.1.5 have a local firewall that could be blocking ping response?

Re: Pinging through ASA from Outside

Rolitto — Fri, 07 Aug 2020 00:12:15 GMT

Rob, I reloaded both devices, the router and the ASA and guess what? It finally worked!

I am now able to ping any inside device from outside the ASA. Therefore, I would like to thank you for solving my issue, and I will mark the issue as solved! 🙂

Re: Pinging through ASA from Outside

Thien are Margo — Sun, 12 May 2024 14:26:27 GMT

Please help me, I am student of university of since in Vietnam. I have a problem about pinging through ASA. I cannot ping from PC2 from outside to 4.0.0.1 of DMZ or 8.0.0.1 of inside although I can ping from DMZ via inside. Can also ping from DMZ and inside to google successfully. I think the problem is related to setting up NAT from the outside in

ASA:

ena
conf t
hostname Asa1

int g0/6
nameif inside1
security-level 100
ip add dhcp
no shut

username thien password 123 privilege 15
http server enable
http 0 0 inside1
exit

int g0/1
nameif DMZ
security-level 50
ip add 4.0.0.254 255.0.0.0
no shut
exit

int g0/2
nameif inside
security-level 100
ip add 8.0.0.254 255.0.0.0
no shut
exit

int g0/0
nameif outside
security-level 0
ip add 3.0.0.254 255.0.0.0
no shut
exit

int g0/3
nameif winter
security-level 50
ip add 9.0.0.254 255.0.0.0
no shut
exit
--------------------------------------------DMZ

object network LAN_DMZ
host 4.0.0.1
nat (DMZ,outside) static 3.0.0.10
exit

object network OUT
host 4.0.0.1
nat (DMZ,winter) static 9.0.0.10
exit

object network LAN_INSIDE
host 8.0.0.1
nat (inside,outside) static 3.0.0.10
exit
route outside 0.0.0.0 0.0.0.0 3.0.0.2

object network OUT_DMZ
no subnet 3.0.0.0 255.0.0.0

--------------------------------------------------------COnf domain

dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.27.2
name-server 8.8.8.8
domain-name google.com
exit

--------------------------------------------------------ko can de ping den google
class-map inspection_default
match default-inspection-traffic
exit

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
service-policy global_policy global

--------------------------------------------------------------------------

access-list PING extended permit ip any any
access-list PING extended permit icmp any any
access-list PING extended permit tcp any any
access-group PING in interface outside

access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp any any
access-group dmz in interface DMZ

ena
conf t
int f1/0
ip add 2.0.0.2 255.0.0.0
no shut

int f0/1
ip dhcp
no shut

int s3/0
ip add 5.0.0.2 255.0.0.0
no shut

int f0/0
ip add 3.0.0.2 255.0.0.0
no shut

int f4/0
ip add 4.0.0.2 255.0.0.0
no shut

username thien password 123
ip domain-name thien.vn
enable password 123
line vty 0 4
login local
transport input ssh
exit
ip ssh version 2
crypto key generate rsa
1024

router ospf 1
router-id 2.2.2.2
net 2.0.0.0 0.255.255.255 area 0
net 5.0.0.0 0.255.255.255 area 0
net 3.0.0.0 0.255.255.255 area 0
net 4.0.0.0 0.255.255.255 area 0
default-information originate
exit

interface Loopback0
ip add 10.10.2.1 255.255.255.0
exit

---------------------------------

ip name-server 192.168.27.2
ip name-server 8.8.8.8
ip domain lookup

DMZ

ena
conf t
int f0/1
ip add 4.0.0.1 255.0.0.0
no shut
ip route 0.0.0.0 0.0.0.0 3.0.0.254

username thien password 123
ip domain-name thien.vn
enable password 123
line vty 0 4
login local
transport input ssh
exit
ip ssh version 2
crypto key generate rsa
1024

ip name-server 192.168.27.2
ip name-server 8.8.8.8
ip domain lookup

SERVER:

ena
conf t
int f0/0
ip add 8.0.0.1 255.0.0.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 8.0.0.254

username thien password 123
enable password 123
ip domain name thien.vn
line vty 0 4
login local
transport input ssh
exit
ip ssh version 2
crypto key generate rsa
1024

ip name-server 192.168.27.2
ip domain lookup
ip name-server 8.8.8.8

Re: Pinging through ASA from Outside

MHM Cisco World — Sun, 12 May 2024 14:30:18 GMT

Make new post it better

MHM