topic Please help ASA 8.6 version in Network Security

Please help ASA 8.6 version

Rohit Mangotra — Tue, 12 Mar 2019 02:42:28 GMT

Hi,

I am using ASA 5525 with 8.6 version, and I am trying to ping through different interfaces, However I am not able to do that. My test results are

- can PING between the outside interface and the next hop (same subnet)

- cannot PING between the inside interface and the next hop (same subnet)

- cannot PING between the DMZ interface and the next hop (same subnet)

Please see below configuration for firewall for reference.

--------------------------------------------------------------------------------

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 16.x.x.x 255.255.255.248

interface GigabitEthernet0/1

no nameif

security-level 0

no ip address

interface GigabitEthernet0/1.16

vlan 16

nameif inside

security-level 100

ip address 17.x.x.x 255.255.255.0

interface GigabitEthernet0/3

no nameif

security-level 0

no ip address

interface GigabitEthernet0/3.69

vlan 69

nameif dmz

security-level 50

ip address 18.x.x.x 255.255.255.0

2. access-list o_inside extended permit icmp any any

access-list o_inside extended permit icmp any any echo

access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0

access-list o_dmz extended permit icmp any any

access-list outside extended permit icmp any any

access-list outside extended permit icmp any any echo-reply

icmp permit any outside

icmp permit any dmz

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

3. route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1

route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Nework) 1

route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1

If possible could anyone please tell me what is wrong with the configuration, and what I need to add to achive the above desired result.

Thank You,

Kind Regards

Rohit Mangotra.

Please help ASA 8.6 version

Jouni Forss — Tue, 24 Sep 2013 07:34:27 GMT

Hi,

ASA should by default without any configurations accept ICMP on its interface to my understanding

Check the output of "show arp" and see if you can see the IP address (and the MAC address) of the host/router you are trying to ping.

- Jouni

Please help ASA 8.6 version

Rohit Mangotra — Tue, 24 Sep 2013 08:29:43 GMT

Hi Jouni,

I can not see any entry in ARP table on firewall. From ASA I can only ping outside interface and only that enrtry is there in firewall. Any ideas what I am doing wrong?

Thank You,

Kind Regards

Rohit Mangotra.

Please help ASA 8.6 version

Jouni Forss — Tue, 24 Sep 2013 13:03:54 GMT

Hi,

If you are saying that after you ping the internal gateway/nexthop IP address and there is no ARP for it with the "show arp" command on the ASA then it would seem you have a problem with the connection between the ASA and the nexthop device/router.

Even if nothing else worked you should see the nexthop IP address/MAC address in the ARP table of the ASA

- Jouni

Please help ASA 8.6 version

Rohit Mangotra — Tue, 01 Oct 2013 08:51:46 GMT

Hi Jouni,

Thanks a lot for all your help! I am a bit confused about the static nating for ASA 8.6. I will really appreciate, if you could please see how I can convert it into new ASA 5525 x version 8.6.

static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Thank You,

Kind Regards

Rohit Mangotra.

Please help ASA 8.6 version

Jouni Forss — Tue, 01 Oct 2013 09:03:47 GMT

Hi,

Were you able to solve the original problems that you posted about? Since it seemed there was some problems with the ASAs connectivity to the rest of the network?

The 4 "static" configurations you have above are pretty basic but 2 of them are Static Identity NAT configurations that you probably wont need in the new software

The below 2 configurations probably wont need any corresponding configuration in the new ASA/software since the traffic should go through wihtout NAT configurations.

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

The below Static NAT configurations you can easily convert using Auto NAT / Network Object NAT. Use "object" names that describe the setup better, I will use generic "object" names.

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255

static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

object network STATIC-1

host 192.168.1.56

nat (dmz,outside) static 200.190.70.87

object network STATIC-2

host 192.168.1.85

nat (dmz,outside) static 200.190.70.85

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Wed, 02 Oct 2013 03:40:44 GMT

Hi Jouni,

Thanks a lot for all your help. Yes, previous connection issue was resolved. Currently, we have an issue of accessing via web (http port 80) from inside network to dmz server, however I am able to do sucessful pings to dmz server.

If possible could you please have a look at my firewall code (NAT) which I changed according to your recomendation. Once again I am really thankful for all your help.

Re: Please help ASA 8.6 version

Rohit Mangotra — Wed, 02 Oct 2013 03:45:58 GMT

Hi Jouni,

One more question if its ok

How can we test outside network can access DMZ server in order to test NAT actually works?

Thank you,

Kind Regards

Rohit Mangotra.

Please help ASA 8.6 version

Jouni Forss — Wed, 02 Oct 2013 09:23:09 GMT

Hi,

On a quick glance it would seem to me that the converted configurations would be correct.

Its harder to say without really looking into the original configurations compared to for example situations where I know the environment beforehand

I guess your best bet to find possible problems with the ASA configurations is to use the "packet-tracer" command

This would tell you if some traffic is getting blocked by ACL or if the traffic is failing because of NAT

For a connection coming from behind "outside" you can use this format of the command

packet-tracer input outside tcp 12345

To test anything else you naturally just switch the "input " to the one where the traffic is sourced from. You will naturally also have to check whether you need to use "tcp" or "udp" and also select a source/destination IP/port.

Taking the output of the following commands should help you troubleshoot possible problems

You could take "packet-tracer" command output of both of the above mentioned cases. For example testing connectivity from "outside" to the "dmz" server. And the previous problem with testing connection from "inside" to "dmz" server.

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Thu, 03 Oct 2013 01:51:18 GMT

Hi Jouni,

If possible could you please confirm that the following configuration is not needed to add into new ASA 8.6? Sorry for asking too much.

static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255

static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255

static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255

static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255

static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255

static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0

static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240

static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240

--------------------------------------------------------------------------------------

nat (management) 0 0.0.0.0 0.0.0.0

Any suggestion with this one ???

Thank You,

Kind Regards

Rohit.

Please help ASA 8.6 version

Jouni Forss — Thu, 03 Oct 2013 07:33:51 GMT

Hi,

Well your original NAT configuration is not quite how I would configure the NAT to begin with so it might be that you would need some of the above configurations.

Mainly because you were doing Dynamic PAT from "inside" to "dmz"?

If this was true and you removed the above "static" commands that refer to "(inside,dmz)" then you wouldnt be able to connect from "dmz" to those "inside" IP addresses (of those static commands). This is the main reason why I never configure Dynamic PAT between local interfaces. It causes complexity for the NAT configurations when you have to add extra NAT configurations to override the possible problems caused by the Dynamic PAT

For the "management" interface you probably need any new NAT configuration.

To be honest its a bit hard to say the exact configuration that are needed and which are not but I think the Dynamic PAT from "inside" to "dmz" means that you would need some Static Identity NAT configuration mentioned above also in the new software otherwise the ASA would drop the connection attempts.

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Thu, 03 Oct 2013 09:07:13 GMT

Hi Jouni,

Thanks for the reply. If we change the current static NAT (Version 7.1) to the new NAT(Version 8.6) will it work? Is there any potential problem in this new configuration. Could you please check the code for VPN at the end.

------ static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255

object network obj-192.168.1.73-dmz-inside

host 192.168.1.73

nat (dmz,inside) static 192.168.1.73

----- static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255

object network obj-192.168.1.84-dmz-inside

host 192.168.1.84

nat (dmz,inside) static 192.168.1.84

---- static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

object network obj-192.168.1.85-dmz-inside

host 192.168.1.85

nat (dmz,inside) static 192.168.1.85

---- static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255

object network obj-192.168.1.86-dmz-inside

host 192.168.1.86

nat (dmz,inside) static 192.168.1.86

static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255

object network obj-192.168.1.89-dmz-inside

host 192.168.1.89

nat (dmz,inside) static 192.168.1.89

---- static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255

object network obj-192.168.1.91-dmz-inside

host 192.168.1.91

nat (dmz,inside) static 192.168.1.91

--- static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255

object network obj-192.168.1.140-dmz-inside

host 192.168.1.140

nat (dmz,inside) static 192.168.1.140

--- static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

object network obj-172.16.0.0-inside-dmz

subnet 172.16.0.0 255.255.0.0

nat (inside,dmz) static 172.16.0.0

--- static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255

object network obj-172.16.5.131-inside-dmz

host 172.16.5.131

nat (inside,dmz) static 172.16.5.131

--- static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

object network obj-192.168.1.0-dmz-vpn-pri

subnet 192.168.1.0 255.255.255.0

nat (dmz,vpn_private) static 192.168.1.0

--- static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

object network obj-192.168.1.0-dmz-vpn-pub

subnet 192.168.1.0 255.255.255.0

nat (dmz,vpn_public) static 192.168.1.0

--- static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0

object network obj-172.31.0.0-vpn-pri-inside

subnet 172.31.0.0 255.255.0.0

nat (inside,vpn_private) static 172.31.0.0

--- static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

object network obj-172.16.0.0-inside-vpn-pri

subnet 172.16.0.0 255.255.0.0

nat (inside,vpn_private) static 172.16.0.0

--- static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240

object network obj-200.161.67.176-vpn-pub-outside

subnet 200.161.67.176 255.255.255.240

nat (vpn_public,outside) static 200.161.67.176

--- static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

object network obj-172.16.0.0-inside-vpn-pub

subnet 172.16.0.0 255.255.0.0

nat (inside,vpn_public) static 172.16.0.0

--- static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240

object network obj-200.161.67.176-vpn-pub-inside

subnet 203.161.67.176 255.255.255.240

nat (vpn_public,inside) static 200.161.67.176

Notes: VPN private subnet = 172.31.0.0/24

VPN public subnet = 200.161.67.176/28

inside subnet = 172.16.0.0/16

dmz subnet = 192.168.1.0/24

Thanks a lot for all your help

Kind Regards

Rohit.

Please help ASA 8.6 version

Jouni Forss — Thu, 03 Oct 2013 10:51:32 GMT

Hi,

I think you might be fine with any of those Static Identity NAT configurations if you wouldnt use this Dynamic PAT configuration between "inside" and "dmz" interfaces

nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global

Is there a particular reason that you want all traffic from "inside" to the "dmz" to be visible with an IP address beloging to "dmz"?

In general when I migrate 8.2 (or lower) firewall configurations to a newer platform and software I only have to migrate the Dynamic PAT, Static NAT, NAT0 and possible Policy NAT configurations while leaving all Static Identity NAT configurations off the new configurations.

As I have said before in this discussion. I think if you were to remove the Dynamic PAT from "inside" to "dmz" then you should be safe to remove all the Static Identity NAT configurations from the new configuration.

Even if you left the Dynamic PAT between "inside" and "dmz" then I think you could still leave out the Static Identity NAT configuration regarding other interfaces (Static Indentity NAT configurations that have interfaces OTHER THAN "inside" and "dmz" interfaces mentioned)

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Mon, 07 Oct 2013 06:16:35 GMT

Thanks a lot Jouni. Really appraciate your help. The code is working fine now.

Please help ASA 8.6 version

Jouni Forss — Mon, 07 Oct 2013 06:45:00 GMT

Hi,

Glad to hear its working

Did you end up using all the converted configurations or did you leave out any of the old configurations?

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Fri, 25 Oct 2013 05:38:00 GMT

Hi Jouni,

Sorry for late reply, actually was busy with the ongoing project.We converted the configuration as you recomended, and it is working except for 1 issue that we are facing. Please see attached file for more information.

•- Can PING from internal network to VPN concentrator Private interface
•- Can PING from DMZ network to VPN concentrator Private interface
•- Can PING from external network to VPN concentrator Public interface
•- Can PING from VPN concentrator to Internal network
•- Can PING from VPN concentrator to DMZ network
•- Can PING from VPN concentrator to Outside network

•- Cannot PING from internal network to VPN concentrator Public interface

(can see PING traffics hit the FW’s ACL when PINGING from internal network)

•- Cannot PING from DMZ network to VPN concentrator Public interface

(can see PING traffics hit the FW’s ACL when PINGING from DMZ network)

Thanks a lot in advance

Regards

Rohit.

Please help ASA 8.6 version

Jouni Forss — Fri, 25 Oct 2013 06:20:22 GMT

Hi,

Please provide "packet-tracer" output for the PING from INTERNAL to VPN CONCENTRATOR PUBLIC and from DMZ to VPN CONCENTRATOR PUBLIC

packet-tracer input inside icmp 8 0

packet-tracer input dmz icmp 8 0

This should tell us if the ASA configurations are fine

- Jouni

Re: Please help ASA 8.6 version

Rohit Mangotra — Fri, 25 Oct 2013 06:42:20 GMT

Hi Jouni,

Please see the attached file for Packet-Tracker as you asked.

Thank You,

Kind Regards

Rohit.

Please help ASA 8.6 version

Jouni Forss — Fri, 25 Oct 2013 07:01:01 GMT

Hi,

Seems to go through just fine.

Has this worked before change?

I was just thinking how you have setup routing on the VPN Concentrator. The default route on the concentrator should forward the ICMP Echo reply through its public interface UNLESS you have routed the INSIDE and DMZ network through the concentrators private interface.

- Jouni

Please help ASA 8.6 version

Rohit Mangotra — Fri, 25 Oct 2013 08:52:19 GMT

Hi Jouni,

Thanks a lot for all your help. I will have a look at the vpn concentrator and see what's going on.

Thanks

Kind Regards

Rohit.