topic Re: ASA 5505 Static hosts cannot access outside in Network Security

ASA 5505 Static hosts cannot access outside

Matthew Ralston — Tue, 12 Mar 2019 00:58:39 GMT

I'm replacing an old PIX with a second hand ASA firewall.

I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet.

I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere.

Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet. If I've obscured something pertinent let me know.

Any advice would be greatly appreciated! Thanks.

: Saved

ASA Version 7.2(3)

hostname fw-1

domain-name XXXX

enable password XXXX encrypted

names

name 92.X.X.61 bb-office

name 92.X.X.128 gl-office

name 10.0.0.117 daviker-dialler_in

name 77.X.X.117 daviker-dialler_out

name 10.0.0.112 data-2_in

name 77.X.X.112 data-2_out

name 10.0.0.81 corp-1_in

name 77.X.X.81 corp-1_out

name 10.0.0.111 data-1_in

name 77.X.X.210 user_75

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 77.X.X.66 255.255.255.192

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd XXXX encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name XXXX

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 5900

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 4040

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 9876

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq sip

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq www

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq https

access-list inbound extended permit udp host bb-office host daviker-dialler_out eq sip

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 1433

access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-ns

access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-dgm

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq netbios-ssn

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 445

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 4040

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 9876

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq sip

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq www

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq https

access-list inbound extended permit udp host gl-office host daviker-dialler_out eq sip

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 1433

access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-ns

access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-dgm

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq netbios-ssn

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 445

access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 5900

access-list inbound extended permit tcp any host data-2_out eq ssh

access-list inbound extended permit tcp any host corp-1_out eq ssh

access-list inbound extended permit tcp any host corp-1_out eq www

access-list inbound extended permit tcp any host corp-1_out eq pop3

access-list inbound extended permit tcp any host corp-1_out eq imap4

access-list inbound extended permit tcp any host corp-1_out eq smtp

access-list inbound extended permit tcp any host corp-1_out eq 995

access-list inbound extended permit tcp any host corp-1_out eq 465

access-list inbound extended permit tcp any host corp-1_out eq 993

access-list inbound extended permit tcp any host corp-1_out eq 8008

access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ns

access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-dgm

access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ssn

access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq 445

access-list inbound extended permit udp any host 77.X.X.113 eq netbios-ns

access-list inbound extended permit udp any host 77.X.X.113 eq netbios-dgm

access-list inbound extended permit tcp any host 77.X.X.113 eq netbios-ssn

access-list inbound extended permit tcp any host 77.X.X.113 eq 445

access-list inbound extended permit tcp host bb-office host data-2_out eq 5901

access-list inbound extended permit tcp host bb-office host data-2_out eq 3690

access-list inbound extended permit tcp host bb-office host data-2_out eq www

access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 3389

access-list inbound extended permit tcp host 2.X.X.18 host data-2_out eq 3306

access-list inbound extended permit tcp any host data-2_out eq 3306

access-list inbound extended permit tcp host 212.X.X.7 host daviker-dialler_out eq 5900

access-list inbound extended permit tcp host bb-office host data-2_out eq 3306

access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 1433

access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 5900

access-list inbound extended permit tcp host user_75 host data-2_out eq 3690

access-list inbound extended permit tcp host user_75 host data-2_out eq www

access-list inbound extended permit tcp host user_75 host data-2_out eq 3306

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255

static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255

static (inside,outside) data-2_out data-2_in netmask 255.255.255.255

static (inside,outside) 77.X.X.113 data-1_in netmask 255.255.255.255

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 77.X.X.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcpd dns 77.X.X.91 8.8.8.8

dhcpd domain cagltd.net

dhcpd auto_config outside

dhcpd address 10.0.0.20-10.0.0.40 inside

dhcpd enable inside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

username matt password XXXX encrypted

prompt hostname context

Cryptochecksum:00af76f23831b8c828fc6677c9069072

: end

Re: ASA 5505 Static hosts cannot access outside

Jouni Forss — Sun, 10 Feb 2013 22:01:25 GMT

Hi,

On a fast look through the configuration I cant see anything that would clearly block the Static NAT hosts from accessing the Internet

Some questions

What are you using to test Internet connectivity on the Static NATed hosts? ICMP? Web Site?
- If ICMP please add the "inspect icmp" configuration (Configuration below) (Will allow ICMP echo reply automatically through the firewall if Echo has been already allowed through)
- If Web site please double check the network settings on the servers
Do you have your own Internet router in front of the firewall or is the next L3 hop the ISP core or an ISP managed router?

Enabling ICMP inspection

policy-map global_policy

class inspection_default

inspect icmp

I would start with simulating the test connection with the ASAs own "packet-tracer" command

The format could be

packet-tracer input inside

And copy/paste the output here

I would also look what the ASA logs say when attempting connection from the LAN host/server

- Jouni

Re: ASA 5505 Static hosts cannot access outside

Matthew Ralston — Tue, 12 Feb 2013 21:57:59 GMT

Hi Jouni,

Thanks for the info.

I didn't have icmp traffic allowed, so I knew ping wouldn't be working. I was testing using http.

I have enabled icmp and dhcp clients can ping outside. Static nat clients can't ping outside. Static clients also cannot use outbound http.

As suggested, I have run some packet traces.

From a static nat client on the ASA:

fw-1# packet-tracer input inside tcp 10.0.0.81 80 173.203.209.67 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255

match ip inside host corp-1_in outside any

static translation to corp-1_out

translate_hits = 668, untranslate_hits = 2

Additional Information:

Static translate corp-1_in/0 to corp-1_out/0 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255

match ip inside host corp-1_in outside any

static translation to corp-1_out

translate_hits = 668, untranslate_hits = 2

Additional Information:

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1759, packet dispatched to next module

Phase: 10

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 77.X.X.65 using egress ifc outside

adjacency Active

next-hop mac address 0017.0f13.5000 hits 1

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

This looks fine to me, but as I say, an outbound tcp port 80 connection from the actual machine on 10.0.0.81 fails.

Here is a similar trace from a dhcp client to the same destination:

fw-1# packet-tracer input inside tcp 10.0.0.20 80 173.203.209.67 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (77.74.111.66 [Interface PAT])

translate_hits = 990, untranslate_hits = 226

Additional Information:

Dynamic translate 10.0.0.20/80 to 77.74.111.66/1 using netmask 255.255.255.255

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1771, packet dispatched to next module

Phase: 9

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 77.X.X.65 using egress ifc outside

adjacency Active

next-hop mac address 0017.0f13.5000 hits 5

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

I can see the difference in the NAT translation section. A real outbound tcp port 80 connection from the actual machine on 10.0.0.20 works fine.

Finally, for the sake of comparison, I ran a similar packet trace using a static nat IP on the old PIX firewall:

old-fw-1# packet-tracer input inside tcp 10.0.0.117 80 173.203.209.67 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect http

service-policy global_policy global

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255

nat-control

match ip inside host daviker-dialler_in outside any

static translation to daviker-dialler_out

translate_hits = 17132, untranslate_hits = 1277850

Additional Information:

Static translate daviker-dialler_in/0 to daviker-dialler_out/0 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255

nat-control

match ip inside host daviker-dialler_in outside any

static translation to daviker-dialler_out

translate_hits = 17132, untranslate_hits = 1277850

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1006075, packet dispatched to next module

Phase: 10

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 78.X.X.69 using egress ifc outside

adjacency Active

next-hop mac address 0017.0f13.5000 hits 572133

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Outbound traffic from static nat hosts on the old PIX firewall works fine. One glaring difference is that the PIX is inspecting http traffic, but surely this is a red herring. Another difference is that the old and new firewalls have different gateways / default routes & different outside IP addresses. As the new ASA firewall (and its dhcp hosts) can talk to the outside world quite happily I don't think this is relevant.

I wondered whether it might be down to the difference in the inside (255.255.255.0) and outside (255.255.255.192) subnets. The set up is the same on the PIX, but I wondered whether some other line of config might be required on the ASA to handle it. I adjusted the subnet of the inside interface on the ASA to match the outside one (both 255.255.255.192) but it didn't make any difference.

So I'm puzzled!