topic Re: CISCO ASA 5520, ASA version7, No internet to host in Network Security

CISCO ASA 5520, ASA version7, No internet to host

Rahul Kapadia — Thu, 21 Jan 2021 05:23:11 GMT

I have an issue that my connected clients behind the firewall are not getting Internet

interface GigabitEthernet0/0
nameif Inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.20
vlan 20
nameif VLAN20
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0.100
vlan 100
nameif VLAN100
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.100.50 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network WAN
network-object host 192.168.100.1
object-group network LAN
network-object 192.168.1.0 255.255.255.0
object-group service SERVICES tcp
port-object eq www
port-object eq https
object-group network inside-server
object-group network INSIDE_VLAN100
network-object 192.168.1.0 255.255.255.0
access-list VLAN100_IN extended permit tcp any any eq www
access-list VLAN100_IN extended permit tcp any any eq https
access-list VLAN100_IN extended permit udp any any eq www
access-list VLAN20_IN extended permit tcp any any eq www
access-list VLAN20_IN extended permit tcp any any eq https
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq https
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging facility 23
mtu Inside 1500
mtu outside 1500
mtu VLAN100 1500
mtu VLAN20 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (VLAN100) 100 192.168.1.0 255.255.255.0
nat (VLAN20) 100 192.168.20.0 255.255.255.0
access-group OUT_IN in interface outside
access-group VLAN100_IN in interface VLAN100
access-group VLAN20_IN in interface VLAN20
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username Admin password YBPmIylkw2GMywL/ encrypted
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.100.0 255.255.255.0 outside
http 192.168.100.50 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 VLAN100
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.250 VLAN100
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config outside
dhcpd enable VLAN100
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect NetBIOS
inspect tftp
!
service-policy global_policy global

Re: CISCO ASA 5520, ASA version7, No internet to host

Marvin Rhoads — Thu, 21 Jan 2021 07:18:31 GMT

This access-list, as applied to your outside interface with the access-group command is unnecessary and incorrect:

access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq https

The return traffic from sessions initiated by hosts on VLANs 20 and 100 will be permitted because it is part of an allowed connection.

By putting in that incorrect ACL, you are adding an implicit deny at the end, thus blocking traffic. Also, it is an incorrectly formed ACL - the destination port for return traffic that's part of http and https sessions will be ephemeral ports on the initiating hosts.

Re: CISCO ASA 5520, ASA version7, No internet to host

Rahul Kapadia — Thu, 21 Jan 2021 12:01:29 GMT

Hello Mr,Marvin

I've removed access-group OUT_IN and got internet access on my LAN but websites are not opening.

I've checked logs on ASA and found following logs

Jan 21 2021 15:56:30: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/58346 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:30: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/64495 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:30: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/49393 dst outside:8.8.8.8/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:30: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/49393 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:30: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/49559 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:31: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/64495 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:31: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/63410 dst outside:8.8.8.8/53 by access-group "VLAN100_IN"
Jan 21 2021 15:56:31: %ASA-4-106023: Deny udp src VLAN100:192.168.1.50/63410 dst outside:8.8.4.4/53 by access-group "VLAN100_IN"

Will you please guide with this logs?

Re: CISCO ASA 5520, ASA version7, No internet to host

Rob Ingram — Thu, 21 Jan 2021 12:19:14 GMT

@Rahul Kapadia

That's DNS that is being dropped, you need to modify your ACL VLAN100_IN to permit DNS. E.g.

access-list VLAN100_IN extended permit udp any any eq 53

Re: CISCO ASA 5520, ASA version7, No internet to host

Rahul Kapadia — Sun, 24 Jan 2021 07:09:29 GMT

ROB,

Thank you its working now.

My topology is--

ISP modem--->ASA(outside)--->ASA(inside 'VLAN100,VLAN20')--->Cisco Switch

My LAN network getting internet access but wifi clients are not getting internet.

I'm using Cisco WLC and Cisco Access Points connected with Cisco switch.

While checking logs for WIFI clients I found bellow logs

Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/29908 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/9567 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/19870 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/14337 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/14472 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/26685 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/18035 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/9165 to VLAN20:192.168.2.1/53
Jan 24 2021 10:47:53: %ASA-7-710005: UDP request discarded from 192.168.2.3/24719 to VLAN20:192.168.2.1/53

192.168.2.3 is WIFI client connected using mobile device, Do I need to permit particular range of ports according to logs?

Re: CISCO ASA 5520, ASA version7, No internet to host

Rahul Kapadia — Sun, 24 Jan 2021 09:16:53 GMT

Hello ROB,

It was a bad configuration on cisco WLC, problem solved now

Thank You @Marvin Rhoads and @Rob Ingram for help, I appreciate it 🙂