topic Thanks Akshay! in Network Security

ASA 5510 Stopped working when we moved to a new building

erickedstrom — Tue, 12 Mar 2019 06:58:25 GMT

Our ASA 5510 stopped working when we moved to a new building, we keep the same ISP and IP adresses. I can ping our router and ASA, but I cannot ping the ISP interface and gain access to the internet. We've tried several things attempting to get it to work, but no luck. Any suggestions would be greatly appreciated, please see our running config below:

ASA Version 8.0(2)
!
hostname eleasa
domain-name asa.eleinc.com

names
dns-guard
!
interface Ethernet0/0
description Public facing
nameif outside
security-level 0
ip address 67.63.146.126 255.255.255.240
!
interface Ethernet0/1
description Private network
nameif inside
security-level 100
ip address 172.16.30.254 255.255.255.0
!
interface Ethernet0/2
description Customer access sites
speed 100
duplex full
shutdown
nameif Extranet
security-level 25
ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/3
description DMZ
speed 100
duplex full
shutdown
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd N662WcFpuBxvdiwu encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name asa.eleinc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit gre any host 67.63.146.131
access-list outside_access_in extended permit tcp any host 67.63.146.131 eq pptp

access-list outside_access_in extended permit tcp any host 67.63.146.132 eq www

access-list outside_access_in extended permit tcp host 24.214.206.254 host 67.63
.146.141 eq ssh
access-list outside_access_in extended permit tcp 69.73.20.64 255.255.255.192 ho
st 67.63.146.141 eq ssh
access-list outside_access_in extended permit tcp any host 67.63.146.132 eq http
s
access-list outside_access_in extended permit tcp any host 67.63.146.133 eq http
s
access-list outside_access_in extended permit tcp any host 67.63.146.134 eq http
s
access-list outside_access_in extended permit tcp any host 67.63.146.137 eq http
s
access-list outside_access_in extended permit tcp any host 67.63.146.138 eq http
s
access-list outside_access_in extended permit tcp any host 67.63.146.139 eq http
s
access-list outside_access_in extended permit tcp host 173.14.206.193 host 67.63
.146.141 eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Extranet 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp outside 67.63.146.125 0023.9ca8.8ff3
arp timeout 14400
global (outside) 1 interface
global (outside) 1 67.63.146.142
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 67.63.146.131 192.168.1.130 netmask 255.255.255.255
static (inside,outside) 67.63.146.132 192.168.1.132 netmask 255.255.255.255
static (inside,outside) 67.63.146.141 192.168.1.92 netmask 255.255.255.255
static (inside,outside) 67.63.146.133 192.168.1.172 netmask 255.255.255.255
static (inside,outside) 67.63.146.134 192.168.1.173 netmask 255.255.255.255
static (inside,outside) 67.63.146.137 192.168.1.197 netmask 255.255.255.255
static (inside,outside) 67.63.146.138 192.168.1.198 netmask 255.255.255.255
static (inside,outside) 67.63.146.139 192.168.1.199 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.63.146.125 1
route outside 67.63.146.128 255.255.255.240 67.63.146.129 1
route inside 192.168.1.0 255.255.255.0 172.16.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 172.16.30.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global

prompt hostname context
Cryptochecksum:885b35e9bd2d16949e923126ed3b3e09
: end
eleasa#

Hi Erick,

Akshay Rastogi — Wed, 02 Dec 2015 06:27:21 GMT

Hi Erick,

From the configuration, i could see that only 192.168.1.0 subnet is configured for Internet access :

global (outside) 1 interface
global (outside) 1 67.63.146.142
nat (inside) 1 192.168.1.0 255.255.255.0

if you have other internal subnet as you have moved to new building then add that same subnet under this nat command :

nat (inside) 1 <new subnet> <subnet-mask>

Are you able to ping 4.2.2.2 from ASA? asa)#ping 4.2.2.2

Could you please check the packet-tracer output :

"packet-tracer input inside tcp <source-ip> 12345 4.2.2.2 80 detail"

Check the output and see where it is dropping (if it is).

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Thanks Akshay!

erickedstrom — Wed, 02 Dec 2015 20:58:39 GMT

Thanks Akshay!

We don't have another internal subnet and I ran the packet tracer as suggested, please see results below:

I cannot ping the 4.2.2.2 address.

ciscoasa# packet-tracer input inside tcp 192.168.1.39 1234 4.2.2.2 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd516e090, priority=1, domain=permit, deny=false
        hits=359, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd51714e8, priority=0, domain=permit-ip-option, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.63.146.142)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.39/1234 to 67.63.146.142/1024 using netmask 255.255.
255.255
Forward Flow based lookup yields rule:
in id=0xd5217ca8, priority=1, domain=nat, deny=false
        hits=0, user_data=0xd5217c08, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.63.146.142)
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd52180a0, priority=1, domain=host, deny=false
        hits=1, user_data=0xd5217c08, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd5145240, priority=0, domain=permit-ip-option, deny=true
        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 67.63.146.125 using egress ifc outside
adjacency Active
next-hop mac address 0023.9ca8.8ff3 hits 15

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi Erick,

Akshay Rastogi — Thu, 03 Dec 2015 00:59:04 GMT

Hi Erick,

Packet-tracer looks fine and it is hitting a required nat statement. However as you have mentioned that you are not able to ping 4.2.2.2 from ASA then it looks that the reachability might be not there.

Are you able to ping next-hop ip of outside interface(67.63.146.125) ?

Check the arp entry for this ip with 'show arp'. I

Also take the arp capture with 'capture arpcap ether arp interface outside' and ping 4.2.2.2 from ASA.

See the output with 'show cap arpcap | in <outside-interface-ip>'

Regards,

Akshay Rastogi

hi,

johnlloyd_13 — Thu, 03 Dec 2015 03:10:28 GMT

hi,

did you check/report with your ISP?

i suspect it could be their issue.

Hello Akshay!

erickedstrom — Thu, 03 Dec 2015 15:44:20 GMT

Hello Akshay!

I cannot ping 67.63.146.125 from the ASA and I do have it as an arp entry. I've cleared arp also.

Please see results below:

ciscoasa(config)# show cap arpcap
19 packets captured
   1: 04:39:23.642743 arp who-has 67.63.146.136 tell 67.63.146.129
   2: 04:39:24.422616 arp who-has 67.63.146.136 tell 67.63.146.129
   3: 04:39:25.322447 arp who-has 67.63.146.136 tell 67.63.146.129
   4: 04:39:25.922315 arp who-has 67.63.146.136 tell 67.63.146.129
   5: 04:39:26.522220 arp who-has 67.63.146.136 tell 67.63.146.129
   6: 04:41:07.271989 arp who-has 67.63.146.130 tell 67.63.146.129
   7: 04:41:08.201817 arp who-has 67.63.146.130 tell 67.63.146.129
   8: 04:41:09.101664 arp who-has 67.63.146.130 tell 67.63.146.129
   9: 04:41:09.901473 arp who-has 67.63.146.130 tell 67.63.146.129
10: 04:41:10.701333 arp who-has 67.63.146.130 tell 67.63.146.129
11: 04:41:13.260896 arp who-has 67.63.146.136 tell 67.63.146.129
12: 04:41:14.200734 arp who-has 67.63.146.136 tell 67.63.146.129
13: 04:41:14.800587 arp who-has 67.63.146.136 tell 67.63.146.129
14: 04:41:15.600463 arp who-has 67.63.146.136 tell 67.63.146.129
15: 04:41:16.500294 arp who-has 67.63.146.136 tell 67.63.146.129
16: 04:41:38.446311 arp who-has 67.63.146.132 tell 67.63.146.129
17: 04:41:38.446311 arp reply 67.63.146.132 is-at 0:24:14:d3:93:3a
18: 04:41:54.733345 arp who-has 67.63.146.142 tell 67.63.146.129
19: 04:41:54.733345 arp reply 67.63.146.142 is-at 0:24:14:d3:93:3a
19 packets shown

-------------------------------------------------------------------------------------

ciscoasa(config)# show cap arpcap | in 67.63.146.126
81: 04:50:18.478735 arp who-has 67.63.146.126 tell 67.63.146.125
82: 04:50:18.478735 arp reply 67.63.146.126 is-at 0:24:14:d3:93:3a

--------------------------------------------------------------------------------------

ciscoasa(config)# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 36941 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 30840 messages logged
rdown dynamic UDP translation from inside:192.168.1.201/60097 to outside:67.63.1
46.142/4750 duration 0:02:38
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.201/59140
to outside:67.63.146.142/4763 duration 0:02:33
%ASA-6-302016: Teardown UDP connection 10344 for outside:192.54.112.30/53 to ins
ide:192.168.1.200/59774 duration 0:02:01 bytes 35
%ASA-6-302016: Teardown UDP connection 10345 for outside:64.89.100.3/53 to insid
e:192.168.1.200/60117 duration 0:02:01 bytes 35
%ASA-6-302016: Teardown UDP connection 10346 for outside:64.89.100.3/53 to insid
e:192.168.1.200/59434 duration 0:02:01 bytes 45
%ASA-6-302016: Teardown UDP connection 10351 for outside:192.26.92.30/53 to insi
de:192.168.1.201/59566 duration 0:02:01 bytes 45
%ASA-6-302016: Teardown UDP connection 10352 for outside:156.154.65.10/53 to ins
ide:192.168.1.201/60633 duration 0:02:01 bytes 34
%ASA-6-302016: Teardown UDP connection 10353 for outside:156.154.65.10/53 to ins
ide:192.168.1.201/59190 duration 0:02:01 bytes 74
%ASA-6-302015: Built outbound UDP connection 11085 for outside:64.89.100.3/53 (6
4.89.100.3/53) to inside:192.168.1.200/59945 (67.63.146.142/5086)
%ASA-6-302014: Teardown TCP connection 10891 for outside:209.235.147.200/25 to i
nside:192.168.1.71/64509 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.58/50967 to o
utside:67.63.146.142/1616
%ASA-6-302013: Built outbound TCP connection 11086 for outside:209.208.227.184/4
43 (209.208.227.184/443) to inside:192.168.1.58/50967 (67.63.146.142/1616)
%Ifc:172.16.30.254
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.39/3 gaddr 172.
16.30.254/0 laddr 172.16.30.254/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.39/3 gaddr 172.16.30
.254/0 laddr 172.16.30.254/0
%ASA-7-609002: Teardown local-host NP Identity Ifc:172.16.30.254 duration 0:00:0
0
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.201/59093
to outside:67.63.146.142/4775 duration 0:02:34
%ASA-6-302015: Built outbound UDP connection 11119 for outside:64.89.100.3/53 (6
4.89.100.3/53) to inside:192.168.1.200/60792 (67.63.146.142/5100)
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.200/61058 to
outside:67.63.146.142/5109
%ASA-6-302015: Built outbound UDP connection 11120 for outside:64.89.100.2/53 (6
4.89.100.2/53) to inside:192.168.1.200/61058 (67.63.146.142/5109)
%ASA-6-302015: Built outbound UDP connection 11121 for outside:64.89.100.3/53 (6
4.89.100.3/53) to inside:192.168.1.200/59714 (67.63.146.142/5102)
ection 10906 for outside:209.208.227.184/443 to inside:192.168.1.58/50941 durati
on 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.58/50910 t
o outside:67.63.146.142/1564 duration 0:01:00
%ASA-7-609001: Built local-host NP Identity Ifc:172.16.30.254
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.39/3 gaddr 172.
16.30.254/0 laddr 172.16.30.254/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.39/3 gaddr 172.16.30
.254/0 laddr 172.16.30.254/0
%ASA-7-609002: Teardown local-host NP Identity Ifc:172.16.30.254 duration 0:00:0
0
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.201/61025
to outside:67.63.146.142/4774 duration 0:02:33
%ASA-7-609001: Built local-host outside:111.30.132.180
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.200/60926 to
outside:67.63.146.142/5107
%ASA-6-302015: Built outbound UDP connection 11112 for outside:111.30.132.180/53
(111.30.132.180/53) to inside:192.168.1.200/60926 (67.63.146.142/5107)
%ASA-7-609001: Built local-host outside:4.2.2.2
%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 67.63.14
6.142/1 laddr 192.168.1.39/3
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.200/61042
to outside:67.63.146.142/4785 duration 0:02:30
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.22/56564 t
o outside:67.63.146.142/4780 duration 0:02:31
%ASA-6-302016: Teardown UDP connection 10374 for outside:64.89.100.2/53 to insid
ciscoasa(config)#

Hello,

erickedstrom — Thu, 03 Dec 2015 15:50:50 GMT

Hello,

Yes we have and they said everything is fine on their end. We also built a temporary Linux firewall to verify their equipment and everything works behind that firewall.

Hi Erick,

Akshay Rastogi — Thu, 03 Dec 2015 19:46:05 GMT

Hi Erick,

I could see these two routes in your configuration :

route outside 0.0.0.0 0.0.0.0 67.63.146.125 1
route outside 67.63.146.128 255.255.255.240 67.63.146.129 1

Which one is your next hop on Outside interface for ISP (129 or 125)? I could see that 129 is sending a lot of ARP request. If 129 is the next hop then change the default route to .129 and see if internet traffic works.

If 125 is the next hop for ISP then call ISP and check if ISP is able to receive the traffic.

Hope it helps.

Regards,

Akshay Rastogi