topic "access-group 101 out in Network Security

Cannot Ping from inside to outside - Config Attached

Scott — Tue, 12 Mar 2019 08:53:36 GMT

I have attempted to create ACL's that would allow me to simply ping from any inside interfaces to desktops outside.... but nothing is working. Any help would be greatly appreciated by looking at the below config and telling me if you see anything wrong.

: : Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
: Written by enable_15 at 11:56:04.710 GMT Mon Feb 6 2017
!
ASA Version 9.2(2)4
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.2.100 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif test
security-level 100
ip address 192.168.3.100 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list permit_ping extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Deltav 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
access-group 101 in interface outside
access-group 101 out interface outside
access-group permit_ping in interface Deltav
access-group 101 out interface Deltav
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 test
http 192.168.2.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:418d5164334ce212560896d947090533
: end

"access-group 101 out

Rahul Govindan — Mon, 06 Feb 2017 18:05:00 GMT

"access-group 101 out interface outside"

This allows traffic defined in ACL 101 in the outbound direction on the outside interface. The ACL does not seem to have an entry for echo-request, only reply. Try adding echo-request also to allow that to flow outbound from the ASA.

Also, are you sourcing the ping from behind the inside or test interface? The inside interface seems to be shutdown.

Rahul,

Scott — Mon, 06 Feb 2017 18:32:53 GMT

Rahul,

I added the "access-group 101 out interface outside" without success. I am pinging from a desktop on the test interface. I can ping the 192.168.3.100 interface fine.... tracert also... however, when I choose the 192.168.2.100 (outside interface or 192.168.2.50 (desktop on the outside interface) I get "Request timed out" and when I tracert to 192.168.3.X I get no hops . not even the 192.168.2.100... that I ping. Maybe a route issue?

Please see example diagram

Thanks for ur reply.. I have been working on this for days....

Ok, much more clearer. Thanks

Rahul Govindan — Mon, 06 Feb 2017 19:16:16 GMT

Ok, much more clearer. Thanks for the diagram. remove the "access-group 101 out interface outside" statement. If you need to filter outbound requests from the ASA, then add icmp echo-request to list of allowed icmp types. As of now, you have only the following:

access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded

You wont be able to ping the outside interface of the ASA when sourced from test interface (by design). But you should try pinging the desktop on the outside interface. Run an ASA packet-tracer command to see how the ASA processed your ping request:

packet-tracer input test icmp 192.168.3.50 8 0 192.168.2.50 detailed

Also, apply a packet capture on the ASA test and outside interfaces so that you can see where the packet gets dropped in the flow.

Not related to your problem .

Karsten Iwen — Mon, 06 Feb 2017 19:30:04 GMT

Not related to your problem ...

access-list 101 extended permit icmp any any source-quench

Don't allow source-quench. It's usage is deprecated since nearly five years.

Rahul,

Scott — Mon, 06 Feb 2017 19:44:57 GMT

Rahul,

Below is the output of the packet-tracer... I also added the latest config ....FYI.. I changed the interface name from test to deltav.

again.. THANK YOU for ur continued help!!!

ciscoasa# packet-tracer input deltav icmp 192.168.3.50 8 0 192.168.2.50 detail$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

in 192.168.2.0 255.255.255.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff33096db0, priority=11, domain=permit, deny=true

hits=74, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=Deltav, output_ifc=any

Result:

input-interface: Deltav

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# sho run

: Saved

: : Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)

ASA Version 9.2(2)4

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.2.100 255.255.255.0

interface GigabitEthernet0/1

shutdown

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/2

nameif Deltav

security-level 100

ip address 192.168.3.100 255.255.255.0

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

interface Management0/0

management-only

no nameif

no security-level

no ip address

ftp mode passive

clock timezone GMT 0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit icmp any any traceroute

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu Deltav 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj_any

nat (any,outside) dynamic interface

access-group 101 in interface outside

access-group 101 in interface Deltav

access-group 101 out interface Deltav

router rip

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.3.0 255.255.255.0 Deltav

http 192.168.2.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet 192.168.3.0 255.255.255.0 Deltav

telnet timeout 5

no ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e1a4b1505fa28ddcc94ebf345033982e

: end

Looks like your inbound ACL

Rahul Govindan — Mon, 06 Feb 2017 20:01:10 GMT

Looks like your inbound ACL on Deltav interface is blocking it:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

access-group 101 in interface outside

access-group 101 in interface Deltav

access-group 101 out interface Deltav

Since your first packet is going to be an echo-request, it should be added into the ACL 101 if you want to allow that traffic inbound on Deltav

That worked! Thank You!

Scott — Mon, 06 Feb 2017 20:17:58 GMT

That worked! Thank You!