topic ASA Basics: v8.6 not passing traffic in Network Security

ASA Basics: v8.6 not passing traffic

S.Srivas_2 — Tue, 12 Mar 2019 01:31:38 GMT

Access-list ALL IP any any

Access-list all ICMP any any

access-group ALL applied to all interfaces, in and out

traffic not passing through

from ASA ping external IPs work via some interfaces and not other

Need your help to get the traffic through the ASA.

Any instrctions required?

ASA Basics: v8.6 not passing traffic

Jouni Forss — Fri, 19 Apr 2013 12:26:41 GMT

Hi,

Are you sure you have configured NAT for all users?

Can you share the ASA configuraitons?

- Jouni

ASA Basics: v8.6 not passing traffic

S.Srivas_2 — Fri, 19 Apr 2013 12:59:35 GMT

Please find listed is the config below

ciscoasa# sh runn
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password /Omn2PFOBnGlk6iW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 10
ip address XXX.44.38.44 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif OUTSIDE_notyet
security-level 99
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE_SIT
security-level 0
ip address 10.112.64.1 255.255.248.0
!
<--- More --->

interface GigabitEthernet0/3
shutdown
nameif INSIDE_UAT_notyet
security-level 1
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif NetMGT
security-level 50
ip address 192.168.1.1 255.255.255.0
management-only
!
<--- More --->

boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object network obj-Switch-10.98.74.2
host 10.98.74.2
object network obj-HMC-1-10.74.132.22
host 10.74.132.22
object network obj-CSM-10.74.132.21
host 10.74.132.21
access-list ALL extended permit ip any any
access-list ALL extended permit icmp any any
access-list ALL extended permit tcp any any
access-list ALL extended permit udp any any
access-list ALL extended permit icmp any any echo
access-list ALL extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu OUTSIDE_notyet 1500
mtu INSIDE_SIT 1500
mtu INSIDE_UAT_notyet 1500
mtu NetMGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
<--- More --->

arp timeout 14400
!
object network obj-Switch-10.98.74.2
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8
object network obj-HMC-1-10.74.132.22
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.9
object network obj-CSM-10.74.132.21
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.10
access-group ALL in interface OUTSIDE
access-group ALL out interface OUTSIDE
access-group ALL in interface INSIDE_SIT
access-group ALL out interface INSIDE_SIT
access-group ALL in interface NetMGT
access-group ALL out interface NetMGT
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.44.38.41 1
route INSIDE_SIT 10.74.132.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT YYY.111.27.0 255.255.255.248 10.112.64.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 NetMGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 NetMGT
dhcpd enable NetMGT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
<--- More --->

parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
<--- More --->

Cryptochecksum:b1ec95bb23b2a7fbc3177b8774527f15
: end

ciscoasa#

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 mins 35 secs

Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

0: Int: Internal-Data0/0    : address is b0fa.eb97.fc1e, irq 11
1: Ext: GigabitEthernet0/0 : address is b0fa.eb97.fc22, irq 10
<--- More --->

2: Ext: GigabitEthernet0/1 : address is b0fa.eb97.fc1f, irq 10
3: Ext: GigabitEthernet0/2 : address is b0fa.eb97.fc23, irq 5
4: Ext: GigabitEthernet0/3 : address is b0fa.eb97.fc20, irq 5
5: Ext: GigabitEthernet0/4 : address is b0fa.eb97.fc24, irq 10
6: Ext: GigabitEthernet0/5 : address is b0fa.eb97.fc21, irq 10
7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.fc1e, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
<--- More --->

AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has a Base license.

Serial Number: FCH1705J532
Running Permanent Activation Key: 0x3705fa5d 0xa8b89a15 0xa5a1f9dc 0xede83004 0x8137d49b
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa#

Re: ASA Basics: v8.6 not passing traffic

Jouni Forss — Fri, 19 Apr 2013 13:21:05 GMT

Hi,

The are some oddities/problems with the configurations.

First I would suggest changing the "security-level" values to something more basic

interface GigabitEthernet0/0

security-level 0

interface GigabitEthernet0/2

security-level 100

Also it seems to me that you are lacking some NAT configurations.

For example the Dynamic PAT for basic Internet access for the LAN networks

object-group network DEFAULT-PAT-SOURCE

network-object 10.74.132.0 255.255.255.0

network-object 10.112.64.0 255.255.248.0

nat (INSIDE_SIT,OUTSIDE) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Also you have some "object" and "nat" configurations for a local address that I dont see in your "route" commands or interface network ranges. Specifically this one

object network obj-Switch-10.98.74.2

host 10.98.74.2

nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8

I can't see a network including the address 10.98.72.2 anywhere on the above ASA configurations? There is no route for it and there is no interface configured which has that address space.

Also even though you have opened all traffic I would suggest the following configuration

fixup protocol icmp

I would also recomend removing these ACL. Partly because they are not needed, partly because they pose a security risk.

no access-group ALL in interface OUTSIDE

no access-group ALL out interface OUTSIDE

no access-group ALL out interface INSIDE_SIT

- Jouni

ASA Basics: v8.6 not passing traffic

S.Srivas_2 — Fri, 19 Apr 2013 14:05:45 GMT

Thank you for the above.

I changed the security levels. For now I am interested in passing traffic through and will look at the static NAT later.

The problem I have at the moment, if I ping from outside PC (gatewway) via interface inside-sit local link to router 10.112.64.222, it does not work, telnet does not work too.

PC(xxx.44.38.41)-----(outside XXX.44.38.44)------>ASA------(inside_SIT 10.112.64.1)---------->router (10.112.64.222)

Strangely, I can ping from the outside pc (.41) to outside interface (.44) but ASA cannot ping the outside PC (.41)!

The new config listing is given below. Appreciate your help on this.

sh runn
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password /Omn2PFOBnGlk6iW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address XXX.44.38.44 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif OUTSIDE_notyet
security-level 5
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE_SIT
security-level 100
ip address 10.112.64.1 255.255.248.0
!
<--- More --->

interface GigabitEthernet0/3
shutdown
nameif INSIDE_UAT_notyet
security-level 95
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
security-level 90
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif NetMGT
security-level 50
ip address 192.168.1.1 255.255.255.0
management-only
!
<--- More --->

boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object network obj-Switch-10.98.74.2
host 10.98.74.2
object network obj-HMC-1-10.74.132.22
host 10.74.132.22
object network obj-CSM-10.74.132.21
host 10.74.132.21
object-group network DEFAULT-PAT-SOURCE
network-object 10.74.132.0 255.255.255.0
network-object 10.112.64.0 255.255.248.0
access-list ALL extended permit ip any any
access-list ALL extended permit icmp any any
access-list ALL extended permit tcp any any
access-list ALL extended permit udp any any
access-list ALL extended permit icmp any any echo
access-list ALL extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu OUTSIDE_notyet 1500
mtu INSIDE_SIT 1500
mtu INSIDE_UAT_notyet 1500
mtu NetMGT 1500
<--- More --->

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
object network obj-Switch-10.98.74.2
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8
object network obj-HMC-1-10.74.132.22
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.9
object network obj-CSM-10.74.132.21
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.10
!
nat (INSIDE_SIT,OUTSIDE) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ALL in interface OUTSIDE
access-group ALL out interface OUTSIDE
access-group ALL in interface INSIDE_SIT
access-group ALL out interface INSIDE_SIT
access-group ALL in interface NetMGT
access-group ALL out interface NetMGT
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.44.38.41 1
route INSIDE_SIT 10.74.132.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT 10.98.74.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT YYY.111.27.0 255.255.255.248 10.112.64.222 1
timeout xlate 3:00:00
<--- More --->

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 NetMGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 NetMGT
dhcpd enable NetMGT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
<--- More --->

username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
<--- More --->

inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e5787db25a923493187605b7393efe70
: end

ciscoasa#

ASA Basics: v8.6 not passing traffic

Jouni Forss — Fri, 19 Apr 2013 14:13:33 GMT

Hi,

Try to configure this

icmp permit xxx.44.38.44 255.255.255.248 OUTSIDE

Naturaly replace the "x" with the actual public network address. After this try the ICMP from the ASA to the outside PC.

To be able to ICMP/PING the Router behind the ASA from the Public network you would need a Static NAT for the Router.

Provided you have a public IP address to spare for this you could configure

object network STATIC-ROUTER

host 10.112.64.222

nat (INSIDE_SIT,OUTSIDE) static

- Jouni

ASA Basics: v8.6 not passing traffic

S.Srivas_2 — Fri, 19 Apr 2013 14:39:52 GMT

Hi Jouni,

We have just tried that, but still not working.

Any other suggestion?

ASA Basics: v8.6 not passing traffic

Jouni Forss — Fri, 19 Apr 2013 17:15:28 GMT

Can you specify what is not working as there was multiple things that were not working.

If the ASA outside and the PC on outside are in the same subnet they should be able to see eachother directly. Are you sure the PC itself isnt preventing the ICMP? It wouldnt be anything uncommon if the PC has firewall settings preventing this.

On the ASA you can naturally use the "show arp" command which should list all the host that the ASA sees in directly connected network. If you dont see some host directly connected you can always ping those IP addresses and then re-issue the command "show arp".

If you mean that also the connection to the router behind that ASA doesnt work then can you share the NAT configuration you made for it?

Also seems you have not added the ICMP inspection

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

ASA Basics: v8.6 not passing traffic

S.Srivas_2 — Mon, 22 Apr 2013 19:49:01 GMT

It works.

The config was OK. The end stations (Laptop and Switch/Router) routing was not accurate. It is now fied.

Thank you Jouni Foress for all the help..