ASA 5512 Does no Packet Capture on an Inside VLAN interface definitely mean the packet has not gone?

ian_frank1 — Tue, 12 Mar 2019 04:00:38 GMT

LAN traffic is going through the ASA5512 fine, onto a single switch and then to servers.

We are trying to NAT some internet IPs to VLANs, and the connections are timing out. The connection is built as below but the only packets captured on the vlan-100 interface are from the Packet Tracer (which states packet allowed).

Built TCP state-bypass connection 7121 from outside:x.x.x.x/56120 (x.x.x.x/56120) to vlan-100:172.16.100.10/3389 (5.x.x.166 /3389)

We are unsure if the problem is with the ASA or the Switch (a Cisco SG300-20, at L2 just mapping the VLAN to specific ports). The VLAN is up on the switch, but I have not yet figured out a way to verify if the traffic is getting there.

I can find no relevant asp drops fpr the VLAN connection on the ASA, so I was wondering whether there were any circumstances where the traffic could be going from the ASA to the switch, but not showing on a packet capture?

Can you ping the Server from

Julio Carvajal — Mon, 31 Mar 2014 01:33:58 GMT

Can you ping the Server from the ASA?

Why are u running TCP state bypass?

Can u provide show run?

Thanks for your response.No,

ian_frank1 — Mon, 31 Mar 2014 09:20:37 GMT

Thanks for your response.

No, I can't ping the server from the ASA, though I can ping the vlan-100 interface.

We are running TCP State Bypass as there will ultimately two ASAs from two separate internet feeds in a datacentre and we think response traffic could come via either ASA (Servers will be connected to both via separate switches).

show run below (complete but a bit anonymised).. I tried making the 5-Internet interface a VLAN, but I had the same problem with that (i.e could not get through, with no packet capture traffic on the VLAN interface). 5-Internet is working fine as a physical interface going through the same switch.

: Saved
:
ASA Version 9.1(1)
!
hostname xxx-xxx-00004
enable password e3TOrE7HjNBQm75. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif 5-Internet
security-level 100
ip address 5.x.x.161 255.255.255.240
!
interface GigabitEthernet0/0.100
vlan 100
nameif vlan-100
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 213.x.x.220 255.255.255.248
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 5-Subnet
subnet 5.x.x.160 255.255.255.240
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 5-subnet
object network 213-DefaultGateway
host 213.x.x.217
object service mcgsql
service tcp source eq 1167 destination eq 1167
object service drac-console
service tcp destination eq 5900
object network 172-16-100-10-host
host 172.16.100.10
object network 172-16-100-Subnet
subnet 172.16.100.0 255.255.255.0
object network 5-102-189-166-host
host 5.x.x.166
object network blocked-85-195-114-0-24
subnet 85.195.114.0 255.255.255.0
description Lot of traffic 28/03/2014
object network blocked-85-195-109-0-24
subnet 85.195.109.0 255.255.255.0
description Lot of traffic 28/03/2014
object network blocked-193-8-246-25
host 193.8.246.25
description Lot of traffic 28/03/2014
object network blocked-192-168-1-0-24
subnet 192.168.1.0 255.255.255.0
description Traffic 28/03/2014
object network blocked-77-68-44-42
host 77.68.44.42
description Traffic to 3389 on 28/03/2014
object network blocked-98-158-100-0-24
subnet 98.158.100.0 255.255.255.0
object network 213-133-135-221-host
host 213.x.x.221
object-group service rdp tcp
description Remote Desktop
port-object eq 3389
object-group network blocked
description Blocked IP Addresses
network-object object blocked-85-195-109-0-24
network-object object blocked-193-8-246-25
network-object object blocked-192-168-1-0-24
network-object object blocked-77-68-44-42
network-object object blocked-85-195-114-0-24
network-object object blocked-98-158-100-0-24
access-list ACCESS-IN extended permit ip any any
access-list ACCESS-5 extended deny ip object-group blocked any4 log disable
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq https
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq www
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq ftp
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 object-group rdp
access-list ACCESS-5 extended permit object drac-console any4 5.x.x.160 255.255.255.240
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 echo-reply
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 source-quench
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 unreachable
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 time-exceeded
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq https
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq www
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq ftp
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 object-group rdp
access-list ACCESS-5 extended permit object drac-console any4 172.16.100.0 255.255.255.0
access-list ACCESS-5 extended permit ip 5.x.x.160 255.255.255.240 any4
access-list ACCESS-5 extended permit ip 172.16.100.0 255.255.255.0 any4
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 213.x.x.222 / gds-00004 *****
mtu 5-Internet 1500
mtu vlan-100 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network 172-16-100-10-host
nat (vlan-100,outside) static 5-102-189-166-host
!
nat (outside,5-Internet) after-auto source static any any destination static 5-Subnet 5-Subnet no-proxy-arp
access-group ACCESS-5 in interface 5-Internet
access-group ACCESS-5 in interface vlan-100
access-group ACCESS-5 in interface outside
route outside 0.0.0.0 0.0.0.0 213.x.x.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
http 213.x.x.180 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp 5-Internet
sysopt noproxyarp vlan-100
sysopt noproxyarp outside
sysopt noproxyarp management
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 213.x.x.180 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29 source outside prefer
webvpn
anyconnect-essentials
username xxxxxxxxx password yQYwRFnycPq37kzA encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
match access-list ACCESS-5
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map 5-policy
class tcp_bypass
set connection timeout idle 0:15:00
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy 5-policy interface 5-Internet
service-policy 5-policy interface vlan-100
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69aa7a13a6048cccb567f65f0fc785f2
: end
asdm image disk0:/asdm-711.bin
no asdm history enable

object network 172-16-100-10

JY109 — Wed, 02 Apr 2014 09:45:51 GMT

object network 172-16-100-10-host
nat (vlan-100,outside) static 5-102-189-166-host

The nat to the outside

ian_frank1 — Thu, 03 Apr 2014 15:31:49 GMT

The nat to the outside interface is correct. We want to use some 5.x.x.x addresses directly, in which case 5-Internet is used, but when the VLAN is in use, we want to NAT the 5.x.x.x address directly to the 172.16.100.x address, which it seems to be doing, except the traffic is never getting there.

I figured this out in the end

ian_frank1 — Thu, 03 Apr 2014 16:47:04 GMT

I figured this out in the end. The ASA was OK, it was the switch that was wrong. I had not included the port that the ASA was connected to in VLAN 100.