ASA 5512x - interface routing

Sean Haynes — Tue, 12 Mar 2019 08:03:21 GMT

Evening people - looking for some help with an ASA that no longer wants to pass traffic over interfaces, or more specifically to the outside interface.

Background.

I work in a school, not ASA savvy - our ISP was the local authority, the ASA was setup some times ago and we used dynamic PAT to forward traffic onto the County WAN. All has worked lovely until recently.

We have changed our ISP using a 100Mb connection over a 1Gb bearer. We are now behind their firewall which provides NATing. Bear with me....when we migrated to the new ISP some 4 weeks ago I did not remove the Dynamic PAT on our end with a view to doing it later as I want to reconfigure the internal IP schemes.

2 days ago as some of you may know BT was hit with a Data Centre outage which had ramifications for many ISPs, ours included so we lost connectivity.

By the end of the day the ISP claimed our link was up as they could remote into their router and ping the outside interface of our firewall - however, even after a reboot we were no longer able to access the internet. No changes have been made to the ASA so I am completely lost.

Where as before I was able from a LAN PC to ping the firewall interfaces and the ISPs router I am no longer able to. If I run packet traces from within the ASDM software it shows no errors or blocks.

Data seems not to be able to travers the firewall between the interfaces anymore and I can't figure out what it is.

To ensure the ISP router was working I plugged my laptop directly into the interface and was able to access the net without issues so it's definitely not their end.

I would really appreciate one of you guru's help - please remember I'm not ASA savvy!! Many thanks

Running Config:

ASA5512-X# sho run
: Saved
:
ASA Version 8.6(1)2
!
hostname ASA5512-X

names
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.19.53.54 255.255.255.252
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif Inside
security-level 90
ip address 10.5.107.134 255.255.255.248
!
interface GigabitEthernet0/2
speed 1000
duplex full
nameif Apple_Network
security-level 40
ip address 192.168.201.254 255.255.255.0
!
interface GigabitEthernet0/3
speed 1000
duplex full
nameif Wireless
security-level 40
ip address 172.20.255.254 255.255.0.0
!
interface GigabitEthernet0/4
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.105 255.255.255.0
management-only
!
!
time-range Presto_Wireless_Access_Times
periodic daily 6:00 to 20:00
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup Apple_Network
dns domain-lookup Wireless
dns server-group DefaultDNS
domain-name Sch4455.somerset.gov.uk
dns server-group Preston_School_DNS_Servers
name-server 10.5.107.253
name-server 10.5.107.250
dns-group Preston_School_DNS_Servers
same-security-traffic permit intra-interface
object network 10.80.11.110
host 10.80.11.110
object network 10.80.11.111
host 10.80.11.111
object network 10.80.11.112
host 10.80.11.112
object network 10.80.11.113
host 10.80.11.113
object network 10.80.11.114
host 10.80.11.114
object network 10.80.11.115
host 10.80.11.115
object network Capita_VPN
host 213.129.90.233
object network VLE_Server
host 10.5.107.248
description Moodle Server
object network SQL4455
host 10.5.107.252
description SIMS Server
object network Terminal_Server
host 10.5.107.245
description Terminal server for remote services
object network Print_Server
host 10.5.107.244
description Print Server
object network NAP_Server_SDC
host 10.5.107.250
description Microsoft Network Access Protection Server
object network Dynamic_PAT_Pool
host 10.5.107.129
description Port Address Translation IP
object network Inside_Wired_Network
subnet 10.5.107.128 255.255.255.248
description ASA Inside Interface Network
object network Wireless_NAT
subnet 172.20.0.0 255.255.0.0
description Wireless NAT to Outside Interface
object network Apple_NAT
subnet 192.168.201.0 255.255.255.0
description Apple NAT to Outside Interface
object network RDC4455
host 10.5.107.253
description Primary DNS
object network SDC4455
host 10.5.107.250
description Secondary DNS
object network NETWORK_OBJ_10.5.107.136_29
subnet 10.5.107.136 255.255.255.248
object network WLC_1
host 172.20.255.201
description Primary Wireless LAN Controller
object network WLC_2
host 172.20.255.202
description Secondary Wireless LAN Controller
object network WLC_to_RADIUS
host 172.20.255.201
object network RDC_NAP_Server
host 10.5.107.253
description RDC
object network SDC_NAP_Server
host 10.5.107.250
description SDC
object service GC
service tcp destination eq 3268
description Global Catalogue
object service Kpassword
service tcp destination eq 464
object network Server_VLAN
range 10.5.107.195 10.5.107.240
object network Tech_PC_01
fqdn v4 Tech01.sch4455.somerset.gov.uk
object network Tech_PC_02
fqdn v4 Tech02.sch4455.somerset.gov.uk
object network Apple_Server
host 192.168.201.253
object network Imaging_Network
subnet 192.168.160.0 255.255.255.0
object network Imaging_VLAN_Internet
subnet 192.168.160.0 255.255.255.0
description Internet Access
object service Apple_Keberos_Port
service udp destination eq 88
description Apple Keberos Port
object service Apple_Keberos_Port_TCP
service tcp destination eq 88
description Apple Keberos Port TCP
object service kPassword_UDP
service udp destination eq 464
description kPassowrd UDP
object-group network County_SLG_Access
description Allow SLG update requests from the local SIMS server
network-object object 10.80.11.110
network-object object 10.80.11.111
network-object object 10.80.11.112
network-object object 10.80.11.113
network-object object 10.80.11.114
network-object object 10.80.11.115
object-group service Capita udp
description Capita VPN Circuit
port-object eq 1194
object-group service Remote_Desktop tcp
port-object eq 3389
object-group service Somerset_Learning_Gateway tcp
description SLG Update Service
port-object eq 120
port-object eq 121
port-object eq 1435
port-object eq 3829
port-object eq 90
object-group service NAP_Access udp
port-object eq 1812
port-object eq 1813
port-object eq radius
port-object eq radius-acct
port-object eq 32768
object-group network Apple_Network_Group
network-object 192.168.201.0 255.255.255.0
object-group network DNS_Servers
network-object object RDC4455
network-object object SDC4455
object-group service Exchange tcp
description Exchange Listening Port
port-object eq 993
object-group service Apple_Push_Notification_service tcp
description Apple Push notification service
port-object eq 5223
object-group service SSL_SMTP tcp
description SSL SMTP
port-object eq 465
object-group service Apple_Facetime udp
description Apple Facetime Port Group
port-object eq 16384
port-object eq 16385
port-object eq 16386
object-group service Proxy_Settings tcp
description Proxy Port
port-object eq 8080
port-object eq 9443
object-group service Android_Market tcp
description Android Market Place
port-object eq 5228
object-group service Print_Server_Ports tcp
description Print Server Ports
port-object eq www
port-object eq 48111
port-object eq https
object-group network RADIUS_Servers
network-object object RDC4455
network-object object SDC4455
object-group network WLAN_Controllers
description Wireless LAN Controllers
network-object object WLC_1
network-object object WLC_2
object-group network NAP_Servers1
description Allow RADIUS authentication traffic from wireless clients
network-object object RDC_NAP_Server
network-object object SDC_NAP_Server
object-group service MirrorOpTCP tcp
port-object eq 3268
port-object eq ldap
object-group network Domain_Controllers
description SCH4455 Controllers
network-object object RDC4455
network-object object SDC4455
object-group service Kebros
description authentication Ports
service-object tcp destination eq kerberos
service-object udp destination eq kerberos
service-object object GC
service-object object Kpassword
service-object tcp destination eq ldap
object-group network Server_and_Tech_VLAN
network-object object Server_VLAN
network-object object Tech_PC_01
network-object object Tech_PC_02
object-group service VNC_Viewer tcp
port-object eq 6900
port-object eq 6901
port-object eq 6902
port-object eq 6903
port-object eq 6904
port-object eq 6905
port-object eq 6906
port-object eq 6907
port-object eq 6908
port-object eq 6909
object-group service Apple_Bind
description Ports to allow
service-object object GC
service-object object Kpassword
service-object tcp-udp destination eq kerberos
service-object tcp destination eq kerberos
service-object tcp destination eq ldap
service-object object Apple_Keberos_Port
service-object object Apple_Keberos_Port_TCP
service-object object kPassword_UDP
access-list Wireless_access_in remark Deny traffic to the Moodle Server via HTTPS only.
access-list Wireless_access_in extended deny tcp 172.20.0.0 255.255.0.0 object VLE_Server eq https inactive
access-list Wireless_access_in extended permit tcp any object Inside_Wired_Network object-group MirrorOpTCP inactive
access-list Wireless_access_in extended permit tcp any any object-group Proxy_Settings
access-list Wireless_access_in remark Permit the sending of data to be printed.
access-list Wireless_access_in extended permit tcp any object Print_Server object-group Print_Server_Ports
access-list Wireless_access_in remark Allow RADIUS authentication traffic from wirless clients to the NAP RADIUS Server
access-list Wireless_access_in extended permit udp any object-group NAP_Servers1 object-group NAP_Access
access-list Wireless_access_in extended permit udp any object NAP_Server_SDC object-group NAP_Access inactive
access-list Wireless_access_in extended permit tcp any any eq www
access-list Wireless_access_in extended permit udp any any eq domain
access-list Wireless_access_in extended permit tcp any any eq https
access-list Wireless_access_in extended permit tcp any any object-group Exchange
access-list Wireless_access_in extended permit tcp any any object-group Apple_Push_Notification_service
access-list Wireless_access_in extended permit udp any any object-group Apple_Facetime
access-list Wireless_access_in extended permit tcp any any object-group SSL_SMTP
access-list Wireless_access_in extended permit tcp any any object-group Android_Market
access-list Wireless_access_in remark NetBIOS Naming Serivce
access-list Wireless_access_in extended permit udp any any eq netbios-ns
access-list Wireless_access_in remark Network time Protocol Port
access-list Wireless_access_in extended permit udp any any eq ntp
access-list Wireless_access_in extended permit udp any any eq bootps
access-list Wireless_access_in extended deny icmp any any
access-list Wireless_access_in extended deny ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Outside_access_in remark Permit Internet access to the Moodle Server via HTTPS only.
access-list Outside_access_in extended permit tcp any object VLE_Server eq https
access-list Outside_access_in extended permit tcp any object Terminal_Server eq 3389
access-list Outside_access_in remark County Access to the SQL Server for SLG synch and updates
access-list Outside_access_in extended permit tcp object-group County_SLG_Access object SQL4455 object-group Somerset_Learning_Gateway
access-list Outside_access_in extended permit udp object Capita_VPN object SQL4455 object-group Capita
access-list Outside_access_in extended permit icmp any any
access-list Apple_Network_access_in remark Kebbros Authentication - Apple to AD
access-list Apple_Network_access_in extended permit object-group Apple_Bind 192.168.201.0 255.255.255.0 object-group Domain_Controllers inactive
access-list Apple_Network_access_in extended permit tcp any any eq telnet inactive
access-list Apple_Network_access_in remark Permit traffic to the Moodle Server via HTTPS only.
access-list Apple_Network_access_in extended permit tcp 192.168.201.0 255.255.255.0 object VLE_Server eq https
access-list Apple_Network_access_in extended permit udp any any eq domain
access-list Apple_Network_access_in extended permit tcp any any eq domain inactive
access-list Apple_Network_access_in extended permit tcp any any object-group Proxy_Settings
access-list Apple_Network_access_in extended permit tcp any any eq https
access-list Apple_Network_access_in extended permit udp any any eq ntp
access-list Apple_Network_access_in extended permit tcp any any eq www
access-list Apple_Network_access_in extended permit tcp object-group Server_and_Tech_VLAN object Apple_Server object-group VNC_Viewer
access-list Apple_Network_access_in extended deny icmp any any
access-list Apple_Network_access_in extended deny ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit tcp any any
access-list global_access extended permit ip any any
access-list global_access extended permit tcp any any
access-list global_access extended permit icmp any any
access-list Inside_mpc remark Allow HTTPs traffice to the VLE.
access-list Inside_mpc extended permit tcp 172.20.0.0 255.255.0.0 object VLE_Server eq https
access-list Inside_mpc extended permit tcp 172.20.0.0 255.255.0.0 object Print_Server object-group Print_Server_Ports
access-list Inside_mpc extended permit udp object-group WLAN_Controllers object-group RADIUS_Servers object-group NAP_Access inactive
access-list Apple_Network_access_out extended permit icmp any any
access-list Apple_Network_access_out extended permit tcp object-group Server_and_Tech_VLAN object-group VNC_Viewer object Apple_Server object-group VNC_Viewer
access-list Apple_Network_access_out extended permit ip object-group Server_and_Tech_VLAN object Apple_Server
access-list Apple_Network_access_out extended deny ip any any
access-list Test_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
logging host management 192.168.1.200
mtu Outside 1500
mtu Inside 1500
mtu Apple_Network 1500
mtu Wireless 1500
mtu management 1500
ip local pool Staff_VPN_DHCP_Pool 10.5.107.137-10.5.107.141 mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static Inside_Wired_Network Inside_Wired_Network destination static NETWORK_OBJ_10.5.107.136_29 NETWORK_OBJ_10.5.107.136_29 no-proxy-arp route-lookup
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Apple_Network_access_in in interface Apple_Network
access-group Apple_Network_access_out out interface Apple_Network
access-group Wireless_access_in in interface Wireless
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1
route Inside 10.5.104.0 255.255.252.0 10.5.107.131 1
route Inside 192.168.160.0 255.255.255.0 10.5.107.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (Inside) host 10.5.107.250
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server location Server Room
no snmp-server contact
snmp-server community *****

lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd dns 10.80.11.235
!
dhcprelay server 10.5.107.253 Inside
dhcprelay enable Wireless
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.5.107.253 source Inside prefer
tftp-server management 192.168.1.200 /
ssl encryption aes128-sha1 3des-sha1
webvpn
group-policy StaffVPN internal
group-policy StaffVPN attributes
dns-server value 10.5.107.253 10.5.107.250
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value Sch4455.somerset.gov.uk
username sysadmin password S6VzqkQ7Jv+nx3sv5VbFXg== nt-encrypted privilege 15
tunnel-group StaffVPN type remote-access
tunnel-group StaffVPN general-attributes
address-pool Staff_VPN_DHCP_Pool
authentication-server-group NPS
default-group-policy StaffVPN
tunnel-group StaffVPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map Inside-class
match access-list Inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map Inside-policy
description Allow Access through the firewall to the RADIUS Servers
class Inside-class
set connection advanced-options tcp-state-bypass
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
policy-map type inspect http Wireless_to_Printserver
description HTTP inspection
parameters
protocol-violation action drop-connection
!
service-policy global_policy global
service-policy Inside-policy interface Inside
prompt hostname context
no call-home reporting anonymous
hpm topN enable

Is your outside interface

Philip D'Ath — Fri, 22 Jul 2016 19:54:09 GMT

Is your outside interface plugged into your new ISP? Are you meant to be using the IP address 172.19.53.54 (or are you meant to be using DHCP)?

Also your default route is pointing to your own IP address. This needs to be removed and pointed to whatever IP address your ISP has on their router.

route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1

I can't see anything to NAT

Philip D'Ath — Fri, 22 Jul 2016 19:59:24 GMT

I can't see anything to NAT traffic to your Outside IP address. You'll need something like:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (any,Outside) dynamic interface

How is it that your default

jaysoo — Sat, 23 Jul 2016 00:23:53 GMT

How is it that your default route points to your outside interface IP?

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.19.53.54 255.255.255.252

route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1

Normally the ASA wouldn't allow you to do that. Maybe you sanitized the config and made a typo? The default route should be the next hop, the ISPs router probably.

OK I'll check that when I'm

Sean Haynes — Sat, 23 Jul 2016 05:37:24 GMT

OK I'll check that when I'm back in work - but from memory I'm sure that is actually where it's pointing.

Thank you, yes the outside

Sean Haynes — Sat, 23 Jul 2016 05:39:24 GMT