topic Re: ASA GNS3 project working in Network Security

ASA GNS3 project working

Antonio Simoes — Tue, 12 Mar 2019 02:33:17 GMT

Hi,

Does anyone have a ASA GNS3 working project?

I configured one, but i´m not having very sucess in making things work. I´m following Cisco matterials, but very strangly, simple things dont work.

So I need to know what the problem is, my instalation of asa, my installation of gns3 or my skills.

Kind Regards,

António

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 17:25:07 GMT

Hi,

I don't really know much about GNS3 as I have not really used it.

However I am not sure if your problem is something related to installing the actual software and the devices in that software OR is the problem more with the actual device configuration?

I can't really help with the GNS3 software related problems but could have a look at actual ASA configurations if those are the actual problem.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 17:30:24 GMT

Hi,

My first post whas this one.

https://supportforums.cisco.com/thread/2237390

-AS

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 17:36:15 GMT

Hi,

So is there some problem with traffic passing through the ASA?

If there is some problem with traffic passing through the ASA then provide the current configuration of the ASA and description on what is not working.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 17:42:27 GMT

Hi,

The configuration is on this post:

https://supportforums.cisco.com/thread/2237390

And a simple ping from the inside to outside interface doesn´t work.

I configured :

The interfaces
The NAT. Dynamic nat in the outside interface
And the policy map to inspect icmp and the default traffic

So, after this configs the ping form inside [SecLevel 100] to Outside [SecLevel 0] sould pass?

-AS

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 18:13:30 GMT

Hi,

The ICMP working depends on the what the destination IP addres is. I dont what you are using in the tests

It also has a strange configuration related to the network 10.0.0.0/24

The mentioned network is both directly configured on an ASA "management" interface and there is also a static route for the network pointing towards the "outside" interface. If the "management" interface is up then it means that traffic destined for network 10.0.0.0/24 is forwarded through the "management" interface and the static route configured for the network is useless as connected router always overrides a static route.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 18:20:16 GMT

Hi,

To test ping, I try to ping from R1(192.168.200.1) to IPS_R1(62.28.190.65).

About that route. I allready removed it and doesnt work the ping traffic.

Tell me:

Interfaces are ok?

NAT is ok?

Policy map is ok?

It must be something else man...

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 18:24:32 GMT

Hi,

How are you using the source address 192.168.200.1?

If you simply type "ping x.x.x.x" then the ASA will use the "outside" interface IP address as the source. If you specify the "inside" interface as the source in the extended ping then the traffic will go through WIHTOUT NAT.

NAT will not be applied from the ASA itself to my understanding.

So you should use some host/device behind the "inside" interface to test ICMP / PING.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 18:29:16 GMT

Hi,

When I ping from the ASA I ping every device. No problems with that.

But when I try to ping from the router. that is in the inside interface lan I just can make it pass through.

So no problem with routing.

More: From R1 I even cant ping asa public IP 62.28.190.66.

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 18:34:14 GMT

Hi,

You can only ping the interface IP address of ASA behind which the host is.

So hosts/networks behind "inside" can ping "inside" interface. Hosts/networks behind "outside" can ping the "outside" interface IP address. Hosts behind "inside" CANT ping the "outside" interface IP address.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 18:41:02 GMT

Hi,

So I can´t ping google(ouside) from the inside network of my company. Is that what you are saying?

I´m sorry this just have to be a miss understude.

Imagine ISP_R1 is Vodafone router, my ISP. And ASA is between that router and R1(my company 2911). You are saying that I cant ping google through my ISP? Huumm.

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 18:48:52 GMT

Hi,

You mentioned that you were trying to ping the ASA "outside" interface IP address from R1 192.168.200.1 which is behind "inside" interface. This is not possible and is expected behaviour.

The only place where you can ping "outside" interface is from networks/hosts that are behind "outside" interface according to the ASAs routing table.

So you should be able to ping the ISP-R1 from the R1 but not the ASA "outside" interface.

If this was an actual ASA in live environment then you would naturally need a default route pointing towards the ISP-R1 on the ASA. Otherwise the ASA wouldnt know where to forward traffic destined to remote network.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 18:53:50 GMT

Hi,

But in the case of the ISP_R1, the ASA is directly conected to that route. It needs a route any way?

-AS

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 18:59:03 GMT

Hi,

No, I mean in a live network it would require a default route to actually route traffic to remote network that are not directly connected to it.

I am not sure what the problem at the moment is. So far if I understood correctly, the problem was that you couldnt ping the ASA "outside" interface from the R1. And as stated this is something that can be expected as the ASA doesnt allow that in any situation.

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 19:01:35 GMT

Hi,

I meant to say:

From R1 I want to ping ISP_R1. This let me know if the traffic icmp reaches the ISP and the inspect is working.

But its not working with that config.

-AS

Re: ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 19:05:35 GMT

Ok,

Lets try "packet-tracer" command to simulate a ICMP Echo arriving from R1 to ISP-R1

Insert the following command on the ASA CLI and copy/paste the output here

packet-tracer input inside icmp 192.168.200.1 8 0 62.28.190.65

- Jouni

Re: ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 19:08:26 GMT

Also just to confirm,

Seems to me that the R1 is mentioned to having IP 192.168.200.1 though it also seems that the ASA is configured with the same IP address of 192.168.200.1?

Are these the actual configurations as this naturally wouldnt work.

What are the interface IP address of R1 and ASA "inside" interface at the moment?

Does the R1 have a default route poiting towards the ASA "inside" interface IP address so R1 knows where to send traffic destined to other networks?

- Jouni

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 19:13:33 GMT

Hi,

If you see in the config R1 is 192.168.200.1 and ASA is .254.

Yes the R1 have the route to the 62.28.190.64 network through interface f0/0.

Does have to be through the next hope?

In a minute ill have the output. Initiating the VM

Re: ASA GNS3 project working

Antonio Simoes — Mon, 02 Sep 2013 19:24:03 GMT

Hi.

Here are the screen shots:

HI,

The firewall lets pass it. So its very strange man. The routing in r1 and ISP_R1 and fine. Correct?

-AS

ASA GNS3 project working

Jouni Forss — Mon, 02 Sep 2013 19:38:32 GMT

Hi,

Both Router routing tables list the 62.28.190.64/30 network as directly connected? Also the network 192.168.200.0/24 is mentioned on both routers? Those dont really make sense.

The R1 should have a Static Route

ip route 62.28.190.64 255.255.255.252 192.168.200.254

Or typically it would probably have a default route if the router doesnt have any other way out of the network.

ip route 0.0.0.0 0.0.0.0 192.168.200.254

Also the other discussion you linked says that the ASA "inside" is configured with IP address 192.168.200.1

interface GigabitEthernet4

nameif inside

security-level 100

ip address 192.168.200.1 255.255.255.0

- Jouni