topic This is as you say even more in Network Security

ASA 5505 with Security+ not passing traffic through ASA

Chris Heighway — Tue, 12 Mar 2019 09:24:24 GMT

I am having a very strange issue. Initially I thought this was a simple fix...5 hours later i am still in the same predicament. I am simply trying to use an ASA 5505 as a router. Why not use a router you ask, unfortunately I do not have that option. The ASA is running 9.2(4) code. We have another ASA on the remote end (5512 running the same code) and it works as expected routing traffic from the outside interface to the inside and vice versa. I have created ACL's allowing any any still to no avail. Attached is a drawing of the connectivity and the config file from the ASA in question. Any assistance would be greatly appreciated.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.0 House-1
name 10.2.1.0 House-2
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif private
security-level 100
ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
nameif engineering
security-level 100
ip address 10.3.200.31 255.255.255.0
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network House-1
subnet 10.1.1.0 255.255.255.0
description Created during name migration
object network House-2
subnet 10.2.1.0 255.255.255.0
description Created during name migration
object-group network DM_INLINE_NETWORK_1
network-object object House-1
network-object object House-2
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2626
port-object eq 2627
object-group service DM_INLINE_TCP_2 tcp
port-object eq 2626
port-object eq 2627
object-group network DM_INLINE_NETWORK_2
network-object host 10.3.201.165
network-object host 10.3.201.37
network-object host 10.3.201.38
object-group network DM_INLINE_NETWORK_3
network-object host 10.3.201.164
network-object host 10.3.201.37
network-object host 10.3.201.38
access-list cap extended permit icmp 10.0.0.0 255.0.0.0 any
access-list private_access_in remark Automation Timecode
access-list private_access_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list private_access_in extended permit ip any any
access-list in_engineering extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered warnings
logging asdm informational
mtu private 1500
mtu engineering 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
icmp permit any engineering
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group private_access_in in interface private
access-group in_engineering in interface engineering
route engineering 0.0.0.0 0.0.0.0 10.3.200.1 1
route engineering 192.168.9.0 255.255.255.0 10.3.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.1.17 source engineering prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect esmtp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c16a8714e9850302ee5a66536bac6edc
: end

ASA# sh activation-key

Running Permanent Activation Key: 0xc318c05a 0x58dc1d04 0x445265dc 0x83c83870 0x0b0822b4

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

Configuration looks good to

Ashish Jhaldiyal — Tue, 23 May 2017 15:53:48 GMT

Configuration looks good to me,

you are trying to ping 192.168.1.250 which is private interface IP, Did you try connecting a PC to any of the physical ports in VLAN 1 and then ping that IP? You will not be able to ping inside interface from WAN side, ASA architecture doesn't allow it.

Hi Ashish,

Chris Heighway — Tue, 23 May 2017 16:08:57 GMT

Hi Ashish,

Thank you for your response!! From the ASA and from another PC in the same subnet you can ping other IP's in the 192.168.1.x range yes. I think you may be mistaken "You will not be able to ping inside interface from WAN side, ASA architecture doesn't allow it." unless that is a caveat specific to the 5505. I have an ASA on the other side (5512) and is is allowing icmp from outside to inside. This command allows for traffic between interfaces if they are the same security level - same-security-traffic permit inter-interface. Also I have an ACL permitting all IP traffic. and the following:

icmp permit any private (inside)
icmp permit any engineering (outside)

ACLs and same security level

Ashish Jhaldiyal — Tue, 23 May 2017 16:47:27 GMT

ACLs and same security level - same-security-traffic permit inter-interface commands allow through the box traffic.

icmp permit any private (inside)

icmp permit any engineering (outside)

commands allow ping on the interface but ping request has to come from same interface, So if you want to ping LAN IP of ASA you have to ping it from LAN subnets or networks behind LAN interface. you can't ping WAN IP from LAN subnet.

Ah I see the confusion. I do

Chris Heighway — Tue, 23 May 2017 19:10:32 GMT

Ah I see the confusion. I do not need to ping the ASA LAN/inside interface, my apologies if my initial question eluded to that. I only need to connect to the devices behind the LAN interface. Like a router basically.

It may just be a typo but on

Jon Marshall — Tue, 23 May 2017 19:24:32 GMT

It may just be a typo but on the 4431 on the right hand side the next hop for the 192.168.1.0/24 subnet is the firewall but there is a L3 core device in between.

Shouldn't the next hop be 10.1.1.x ?

Jon

Nice catch Jon however that

Chris Heighway — Tue, 23 May 2017 19:40:48 GMT

Nice catch Jon however that did not do it. I can't even ping devices on the inside network from the L3 switch (Core on right in purple) that has the SVI for the ASA's default route.

Worth a try :)

Jon Marshall — Tue, 23 May 2017 19:46:31 GMT

Worth a try 🙂

Out of interest can you ping 10.3.200.31 from the core switch ?

Jon

Chris

Jon Marshall — Tue, 23 May 2017 19:49:22 GMT

Chris

Apologies, just looked at your schematic again and can see you can ping that IP from the other side.

Jon

Yes, the outside address is

Chris Heighway — Tue, 23 May 2017 19:55:34 GMT

Yes, the outside address is reachable all the way from the other ASA (5512).

5512(config)# ping 10.3.200.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.200.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

5512(config)# traceroute 10.3.200.31

Type escape sequence to abort.
Tracing the route to 10.3.200.31

1 10.1.4.11 10 msec 0 msec 0 msec
2 192.168.101.1 10 msec 10 msec 20 msec
3 10.1.1.1 20 msec 20 msec 20 msec
4 * * *
5 * * *
6 * * *

Yeah everything points to

Chris Heighway — Tue, 23 May 2017 19:58:16 GMT

Yeah everything points to something in the ASA it seems. I just have no clue what that is...I have upgraded the code and see no bugs related. The config is just about replicated from the other ASA that is passing traffic...no clue at this point. Thank you for taking a stab at it.

Okay, don't want to insult

Jon Marshall — Tue, 23 May 2017 20:08:09 GMT

Okay, don't want to insult your intelligence but the obvious things ie. you say you can ping a 192.168.1.x client from the ASA. Are you trying to ping the same client through the firewall ie. just trying to make sure the clients are not blocking the pings.

Have you tried the packet tracer command to see if it should be allowed ie.

"packet-tracer input outside icmp 10.200.31.1 8 0 192.168.1.x"

and also you could try applying an acl outbound to the inside interface to see if traffic is actually going out to the 192.168.1.x client.

Apologies if you have done all this 🙂

Jon

Hey Jon,

Chris Heighway — Tue, 23 May 2017 20:29:15 GMT

Hey Jon,

No worries, I am here because I am out of ideas, no harm in double checking.

Yes same client with no firewall blocking ICMP. I have done the packet tracer and the ASA comes back saying all should pass:

5505(config)# packet-tracer input engineering icmp 192.168.9.12 0 0 192.168.1.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 private

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_engineering in interface engineering
access-list in_engineering extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcccedcf0, priority=13, domain=permit, deny=false
hits=4339, user_data=0xca2ce520, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbcaa5c8, priority=0, domain=nat-per-session, deny=true
hits=4398, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc3bbab0, priority=0, domain=inspect-ip-options, deny=true
hits=13221, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccc74e70, priority=70, domain=inspect-icmp, deny=false
hits=32, user_data=0xccc73798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccc77ee8, priority=70, domain=inspect-icmp-error, deny=false
hits=32, user_data=0xccc76780, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13014, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: engineering
input-status: up
input-line-status: up
output-interface: private
output-status: up
output-line-status: up
Action: allow

I have not ran a capture. Good call I will try that now.

If the capture shows traffic

Jon Marshall — Tue, 23 May 2017 20:32:39 GMT

If the capture shows traffic passing the only other thing I can think of would be the IP settings on the clients ie. subnet mask and default gateway.

Jon

Yeah I have asked them 3

Chris Heighway — Tue, 23 May 2017 20:52:42 GMT

Yeah I have asked them 3 times to verify that..they ensure me that is all correct. Guess I will need to validate myself. The capture shows inbound but no outbound.

access-list cap line 1 extended permit ip any4 any4 (hitcnt=23914)

capture capin type raw-data access-list cap interface engineering

5505# sh cap capin | inc 10.1.4.41
3: 15:46:33.275040 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
73: 15:46:35.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
145: 15:46:37.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
208: 15:46:39.274949 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
258: 15:46:41.275010 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request

It is a bit of a puzzle this

Jon Marshall — Tue, 23 May 2017 21:04:17 GMT

It is a bit of a puzzle this one 🙂

Can't think of anything else at the moment. If the ASA can ping 192.168.1.x clients then it looks like the internal switch connectivity is fine.

If anything else comes to mind I'll post back.

Jon

I have another piece to the

Chris Heighway — Tue, 23 May 2017 21:07:58 GMT

I have another piece to the puzzle that only makes things even more confusing...

There is a subnet (who's SVI is on the same core switch) that can reach the 192.168.1.x network both ways. 10.3.201.x. I attached a couple screenshots they took.

This is as you say even more

Jon Marshall — Tue, 23 May 2017 21:29:50 GMT

This is as you say even more confusing now.

So the ASA can route traffic assuming it is simply not showing in the traceoute which it won't do by default as I understand it.

And looking at the screenshot the default gateway for that 192.168.1.x client is set correctly.

You said in an earlier post you could not ping the inside devices from the 10.3.200.1 IP on the core switch so can you try that ping to this specific client ie. 192.168.1.116 and see what happens ?

Jon

hi,

johnlloyd_13 — Wed, 24 May 2017 00:07:20 GMT

hi,

did you check if VLAN assignment (or allowed VLAN on trunk) is correct on the port on IDF-2 (puple side) which connects to 5505 eth0/0? it should be the same VLAN as the SVI for Core 10.3.200.1.

if theVLAN is correct, the 5505 should ping 10.3.200.1 (and vice-versa on Core-purple side)

Ok, so it looks like, of the

Chris Heighway — Wed, 24 May 2017 15:25:44 GMT

Ok, so it looks like, of the IP'd devices on the "inside" of the 5505 (192.168.1.x) may in fact have a mis-configuration though I was assured that all was well...

That address (1.116) is reachable through the whole path..it is the only one of mess..seen by the ASA..

Thanks for all the tips!!