topic Hi, One problem is that you in Network Security

how to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

martlee2 — Tue, 26 Mar 2019 00:54:29 GMT

after tried to setup access list, it return drop in packet tracer and can not ping outside router too

is there an configuration example to show allow a subnet of class C IP address to surf internet in Cisco ASA ?

assume all works in GNS3, expect initial network setup too

inside outside
router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3

ASA version: 8.42

when i try the following command,

ASA

conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
no shut
end

conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
no shut
end

conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end

conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end

Router A

conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end

Router B

conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut
end

ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
<--- More --->

Hi, The first problem with

Jouni Forss — Mon, 12 Jan 2015 09:18:38 GMT

Hi,

The first problem with the above pasted configurations is that you are using the same subnet on 2 interfaces. This is probably some configuration that is not applied as a networking device should not even accept those commands. So start by configuring different subnets on the interfaces.

The "packet-tracer" fails because you are using an ASA interface IP address as the source. (Destination also seems to be an ASA interface IP address). This will never go through. If you are trying to simulate a user connection going through the ASA then you should use some other source IP address from the subnet 192.168.1.0/24 and also use some different destination IP address than the ASA interface IP address.

I would also like to note that the ASA has a built in limitation that prevents connections from behind an interface to the IP address of another interface. So for example user behind INSIDE can not connect to the interface IP address of OUTSIDE.

I would also suggest that you change your "security-level" value on the INSIDE interface to 100 and to 0 on the interface OUTSIDE. While this value does not matter when using interface ACLs its still more logical to use the mentioned values as INSIDE is more secure than OUTSIDE.

- Jouni

still can not ping between

martlee2 — Mon, 12 Jan 2015 14:00:56 GMT

still can not ping between router A and router B

and packet tracer failed

Router A#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/221/1024 ms

Router A#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Router B#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Router B#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.01.12 21:51:27 =~=~=~=~=~=~=~=~=~=~=~=
packet-tracer input inside tcp 192.168.1.2 1 192.168.1.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
<--- More --->

Drop-reason: (acl-drop) Flow is denied by configured rule
<--- More --->

ASA-1#

inside outside
192.168.1.2 router ---switch--- 192.168.1.1 ASA 192.168.1.4 ---switch---- 192.168.1.3 router

ASA

conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
end

conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 0
ip address 192.168.1.4 255.255.255.0
no shut
end

Router A

conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end

Router B

conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut
end

conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end

conf t
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
end

ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.1.3 1

Hi, You CAN NOT have the same

Jouni Forss — Mon, 12 Jan 2015 14:09:00 GMT

Hi,

You CAN NOT have the same subnet 192.168.1.0/24 on 2 different interfaces. The traffic simply can not go through in this situation.

You will have to use different subnet on "inside" and "outside" to make this work. For example leave the subnet 192.168.1.0/24 on the "inside" and configure subnet 192.168.2.0/24 on the "outside".

As you can see from the output of the "packet-tracer" the ASA attempts to forward the traffic from "inside" to "inside". This is because you have configured the subnet 192.168.1.0/24. The mask /24 means that all addresses from 192.168.1.1 to 192.168.1.255 are found behind "inside" and therefore they can not be located behind "outside". I am not sure how the same subnet could even be configured on the ASA interfaces.

- Jouni

packet tracer allow allbut

martlee2 — Mon, 12 Jan 2015 15:30:07 GMT

packet tracer allow all

but real ping in Router A and Router B failed

what are missing?

inside outside
192.168.1.2 router ---switch--- 192.168.1.1 ASA 192.168.3.4 ---switch---- 192.168.3.3 router

ASA

conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
end

conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 0
ip address 192.168.3.4 255.255.255.0
no shut
end

Router A

conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end

Router B

conf t
int fastEthernet 0/0
ip address 192.168.3.3 255.255.255.0
no shut
end

conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end

packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

ESW1#ping 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ESW2#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

inside outside
192.168.1.2 router ---switch--- 192.168.1.1 ASA 192.168.3.4 ---switch---- 192.168.3.3 router

ASA-1# ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/234/1110 ms

ASA-1# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/20 ms

ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group USERSLIST in interface inside
access-list USERSLIST extended permit ip 192.168.1.0 255.255.255.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

<--- More --->

Phase: 4
<--- More --->

Type: NAT
<--- More --->

Subtype:
<--- More --->

Result: ALLOW
<--- More --->

Config:
<--- More --->

object network DYNAMIC-PAT
<--- More --->

nat (inside,outside) dynamic interface
<--- More --->

Additional Information:
<--- More --->

Dynamic translate 192.168.1.2/1 to 192.168.3.4/255
<--- More --->

<--- More --->

Phase: 5
<--- More --->

Type: IP-OPTIONS
<--- More --->

Subtype:
<--- More --->

Result: ALLOW
<--- More --->

Config:
<--- More --->

Additional Information:
<--- More --->

<--- More --->

Phase: 6
<--- More --->

Type: FLOW-CREATION
<--- More --->

Subtype:
<--- More --->

Result: ALLOW
<--- More --->

Config:
<--- More --->

Additional Information:
<--- More --->

New flow created with id 6, packet dispatched to next module
<--- More --->

<--- More --->

Result:
<--- More --->

input-interface: inside
<--- More --->

input-status: up
<--- More --->

input-line-status: up
<--- More --->

output-interface: outside
<--- More --->

output-status: up
<--- More --->

output-line-status: up
<--- More --->

Action: allow
<--- More --->

ASA-1#

current config can not ping,

martlee2 — Mon, 12 Jan 2015 17:45:46 GMT

current config can not ping, one of packet tracer allow all, another packet tracer drop

can not ping between Router A and Router B

ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DYNAMIC-PAT
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
<--- More --->

<--- More --->

Phase: 4
<--- More --->

Type: IP-OPTIONS
<--- More --->

Subtype:
<--- More --->

Result: ALLOW
<--- More --->

Config:
<--- More --->

Additional Information:
<--- More --->

<--- More --->

Phase: 5
<--- More --->

Type: FLOW-CREATION
<--- More --->

Subtype:
<--- More --->

Result: ALLOW
<--- More --->

Config:
<--- More --->

Additional Information:
<--- More --->

New flow created with id 14, packet dispatched to next module
<--- More --->

ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
<--- More --->

Drop-reason: (acl-drop) Flow is denied by configured rule
<--- More --->

ASA-1#

ASA-1# sh run |
: Saved
:
ASA Version 8.4(2)
!
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.3.4 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
<--- More --->

no ip address
<--- More --->

!
<--- More --->

ftp mode passive
<--- More --->

object network DYNAMIC-PAT
<--- More --->

subnet 192.168.1.0 255.255.255.0
<--- More --->

access-list 101 extended permit icmp any any echo-reply
<--- More --->

access-list 101 extended permit icmp any any source-quench
<--- More --->

access-list 101 extended permit icmp any any unreachable
<--- More --->

access-list 101 extended permit icmp any any time-exceeded
<--- More --->

access-list ACL-OUTSIDE extended permit icmp any any
<--- More --->

pager lines 24
<--- More --->

mtu inside 1500
<--- More --->

mtu outside 1500
<--- More --->

icmp unreachable rate-limit 1 burst-size 1
<--- More --->

no asdm history enable
<--- More --->

arp timeout 14400
<--- More --->

!
<--- More --->

object network DYNAMIC-PAT
<--- More --->

nat (inside,outside) dynamic interface
<--- More --->

access-group ACL-OUTSIDE in interface outside
<--- More --->

timeout xlate 3:00:00
<--- More --->

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- More --->

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
<--- More --->

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
<--- More --->

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->

timeout tcp-proxy-reassembly 0:01:00
<--- More --->

timeout floating-conn 0:00:00
<--- More --->

dynamic-access-policy-record DfltAccessPolicy
<--- More --->

user-identity default-domain LOCAL
<--- More --->

no snmp-server location
<--- More --->

no snmp-server contact
<--- More --->

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
<--- More --->

telnet timeout 5
<--- More --->

ssh timeout 5
<--- More --->

console timeout 0
<--- More --->

threat-detection basic-threat
<--- More --->

threat-detection statistics access-list
<--- More --->

no threat-detection statistics tcp-intercept
<--- More --->

!
<--- More --->

!
<--- More --->

prompt hostname context
<--- More --->

no call-home reporting anonymous
<--- More --->

call-home
<--- More --->

profile CiscoTAC-1
<--- More --->

no active
<--- More --->

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
<--- More --->

destination address email callhome@cisco.com
<--- More --->

destination transport-method http
<--- More --->

subscribe-to-alert-group diagnostic
<--- More --->

subscribe-to-alert-group environment
<--- More --->

subscribe-to-alert-group inventory periodic monthly
<--- More --->

subscribe-to-alert-group configuration periodic monthly
<--- More --->

subscribe-to-alert-group telemetry periodic daily
<--- More --->

crashinfo save disable
<--- More --->

Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
<--- More --->

: end

ASA-1#

Hi, One problem is that you

Jouni Forss — Tue, 13 Jan 2015 11:12:03 GMT

Hi,

One problem is that you have only allowed "icmp" in the ACL attached to "outside" interface. This is causes the "packet-tracer" to fail as you are simulating a TCP packet with source port of 1 and destination port of 1.

If you wanted that traffic to pass then you would need an ACL line (if you want to be really specific)

access-list ACL-OUTSIDE permit tcp 192.168.3.0 255.255.255.0eq 1 192.168.1.0 255.255.255.0 eq 1

Though I assume that you want to allow something else perhaps so allow the traffic you need on the ACL and test with those ports when using "packet-tracer" command.

Another problem is that you have Dynamic PAT configured from "inside" to "outside". This means that connections can only be initiated from "inside" to "outside". The connection attempt from "outside" to "inside" will initially not match any NAT but the reverse check that the ASA does will match the Dynamic PAT and will drop the connection.

If you want to avoid doing NAT between these subnets you can either remove all NAT configurations from the device. If you need the Dynamic PAT for something then you would need the following configurations

object network SUBNET-192.168.1.0-24
subnet 192.168.1.0 255.255.255.0

object network SUBNET-192.168.3.0-24
subnet 192.168.3.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static SUBNET-192.168.1.0-24 SUBNET-192.168.1.0-24 destination static SUBNET-192.168.3.0-24 SUBNET-192.168.3.0-24

This should prevent NAT from being done for traffic directly between these subnets.

If you are going to copy/paste some outputs from the device, can you please clean it up a little as its really hard to make sense of a text that is ridled with "<--- More --->" and unnecesary spaces in between.

- Jouni