topic Re: Allow traffic through ASA in Network Security

Allow traffic through ASA

pa_slepko — Wed, 25 Apr 2018 17:08:10 GMT

Hello,

Our core switch routes all traffic to our Cisco ASA 5520. We have point of sale stations that are being set up for credit card transactions. In order to complete that setup, our workstations need to be able to communicate with two addresses: 63.111.40.6 and 209.235.25.1. When I do a trace route from the point of sale, it recognizes the first hop which is a VLAN Interface on our core, but then times out.

Can someone confirm that means the traffic is being dropped at the ASA and not the core?

What permit statements would I need to configure on the ASA? Below are commands that I've tried to no avail:

access-list inside_access_in remark permit for Hort POS to access TPOSN

access-list inside_access_in extended permit ip any object-group TPOSN_ALLOW

access-list inside_access_in extended permit tcp any object-group TPOSN_ALLOW

access-list outside_access_in remark allow TPOSN to talk to Hort POS

access-list outside_access_in extended permit ip object-group TPOSN_ALLOW object-group HORT_POS

access-list outside_access_in extended permit tcp object-group TPOSN_ALLOW object-group HORT_POS

TPOSN_ALLOW is an object group that represents 63.111.40.6 and 209.235.25.1

HORT_POS is an object group that represents the Point of Sale stations

Any assistance is appreciated. I am pretty green when it comes to configuring Cisco security appliances.

Thanks,

Tony

Re: Allow traffic through ASA

raufm — Wed, 25 Apr 2018 18:00:15 GMT

capture asp type asp-drop

then check capture with command

show capture asp

to check and see if your traffic is getting dropped to host 63.111.40.6 or 209.235.25.1

can also run

packet-tracer input <insert interface inside nameif> tcp 10.10.10.10 22 63.111.40.6 22 detail

to check and see if traffic is allowed or dropped by ACL / NAT

PS: Please replace 10.10.10.10 with your inside IP host address,

You are looking for something like this at the end:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Re: Allow traffic through ASA

pa_slepko — Wed, 25 Apr 2018 19:49:19 GMT

Hello,

These are the results from the first commands:

accasa# capture asp type asp-drop

accasa# show capture asp

0 packet captured

0 packet shown

accasa#

These are the results from the packet-tracer commands:

packet-tracer input inside tcp 10.30.144.6 22 63.111.40.6 22 detail

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

packet-tracer input outside tcp 10.30.144.6 22 63.111.40.6 22 detail

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (rpf-violated) Reverse-path verify failed

Re: Allow traffic through ASA

soumbis12 — Thu, 26 Apr 2018 03:12:04 GMT

Try the private IP as destination instead of the public IP in the second packet tracer.

Re: Allow traffic through ASA

raufm — Thu, 26 Apr 2018 12:09:59 GMT

packet-tracer input outside tcp 10.30.144.6 22 63.111.40.6 22 detail

This will fail as Source-address 10.30.144.6 is associated with inside address and traffic per command is originating from outside. You can try it by reversing the IP addresses.

packet-trace input outside tcp 63.111.40.6 22 10.30.144.6 22 detail.

Another thing you can try is capture command on Inside interface and also on outside interface.

capture CapInside interface inside match ip any host 63.111.40.6

capture CapOutside interface outside match ip host 63.111.40.6 any

Then initiate traffic from client and check the capture

Show capture CapInside

Show capture CapOutside

Do you see traffic headed out on CapInside, if yes then the issue is not the core, if no traffic then its the core or the client. If traffic is coming back from remote IP then issue is not within the ASA.

Do you see traffic going out on CapOutside to remote IP ?, do you see response coming back from the Remote IP ? If traffic is going out but not coming back then the issue is remote site, if traffic is coming back but not making it to the CapInside then issue is on the ASA.

You may have to repeat the capture for your other public IP.