topic Re: Allowing traffic from inside to outside ASA5505 7.2(3) in Network Security

Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Mon, 11 Mar 2019 23:08:05 GMT

Hello,

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:

access-list 101 extended permit ip host xxx.xxx.xxx.124 any log

access-list 101 extended permit ip any any

access-group 101 out interface outside

When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.

Any help would be greatly appreciated. Thank you.

Allowing traffic from inside to outside ASA5505 7.2(3)

Kevin P Sheahan — Wed, 16 May 2012 19:12:30 GMT

Hi Scott,

Have you set up NAT for this outbound traffic? A quick setup that should resolve your issue is below.

If your code is PRE 8.3....

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

If your code is 8.3 or later....

object network ANY
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Please reply back on whether this resolves your issue.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Thu, 17 May 2012 20:27:27 GMT

Hi Kevin,

Thanks for the reply, I just heard from our staff person, and he has informed me it still doesn't work. I have looked at the requirements once more and I may have missed one thing. They are using DNS to resolve IP's. Currently we only have internal DNS servers listed. How can I add an external DNS without interfering with our internal? This is what I currently have for DNS:

dns domain-lookup inside

dns server-group DefaultDNS

name-server xxx.xxx.xxx.34

name-server xxx.xxx.xxx.5

domain-name .org

Thanks,

Scott

Allowing traffic from inside to outside ASA5505 7.2(3)

Kevin P Sheahan — Thu, 17 May 2012 23:21:05 GMT

Hi Scott,

That DNS configuration is for DNS lookups that originate from the ASA itself. The configuration on the ASA does not force hosts to use those DNS addresses.

Can you ping the outside world with the NAT statements executed? Ping 8.8.8.8?

If so, you can use 8.8.8.8 for public DNS just configure it manually on the host. If you cannot ping the outside world at all please post back the entire sanitized (potentially sensitive information masked) configuration and I will be able to further assist.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Fri, 18 May 2012 14:14:58 GMT

Hi Kevin,

I can ping the outside world from the ASA itself. Unfortunately, I cannot assign DNS manually, it only accepts DHCP. I have set up a PC there with the same access list for testing purposes. I assigned public DNS to the test PC and that is unable to get out. When i do a show conn, this is what i get:

UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -

UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -

UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -

Here is my scrubbed config.

ASA Version 7.2(3)

hostname

domain-name .org

names

dns-guard

interface Vlan1

nameif inside

security-level 100

ip address x.x.x.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address y.y.y.y

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

***Banner Removed***

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server x.x.x.34

name-server x.x.x.5

domain-name .org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type ALLOWED_ICMP

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

icmp-object traceroute

icmp-object echo

icmp-object timestamp-reply

object-group icmp-type ALLOWED_ICMP_RESTRICTED

icmp-object echo-reply

access-list tempacl extended permit ip any any

access-list inside_out extended permit icmp any any object-group ALLOWED_ICMP

access-list inside_out extended permit ip any any

access-list outside_in extended permit icmp any any object-group ALLOWED_ICMP_RESTRICTED

access-list outside_in extended permit tcp any any eq ssh

access-list 101 extended permit ip host x.x.x.124 any log

access-list 101 extended permit ip host x.x.x.113 any log

access-list 101 extended permit ip any any

pager lines 40

logging enable

logging timestamp

logging buffer-size 256000

logging asdm-buffer-size 512

logging buffered notifications

logging trap errors

logging history informational

logging asdm errors

no logging message 400014

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ip audit name attack action alarm

ip audit name info action alarm

ip audit interface inside

ip audit interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-522.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_out in interface inside

access-group outside_in in interface outside

access-group 101 out interface outside

route outside 0.0.0.0 0.0.0.0 y.y.y.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

***http, SNMP, SSH info removed***

management-access inside

dhcpd dns x.x.x.5 x.x.x.34

dhcpd ping_timeout 750

dhcpd domain .org

dhcpd auto_config outside

dhcpd update dns

dhcpd address x.x.x.100-x.x.x.227 inside

dhcpd enable inside

vpnclient server xy.xy.xy.xy xy.xy.xy.xy

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup password

vpnclient username password

vpnclient management clear

vpnclient enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Thanks for all your help!

Re: Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Fri, 18 May 2012 19:13:14 GMT

I thought if i add the requirements from the manufacterer it would help. This is from CapTel's customer service.

Thanks,

Setting up the CapTel 800i in an Office Environment

Office Internet connections can be more complex than home connections. The essential setup is still the same, but more detailed information may be needed in order to connect to an office network successfully.

The following information is a list of requirements that can be shared when IT personnel request extra detail to ensure that the CapTel 800i is able to access the network successfully:

The CapTel 800i obtains its IP address via DHCP only.
If you require a static IP for the CapTel 800i, we suggest you configure your DHCP server to map the phone’s MAC address to a specific IP. To obtain the MAC address of the phone and other information, with the handset hung up press 0474636 (0IPINFO).
The CapTel 800i uses DNS to resolve the IP Address for the Captioning Service Center. The domains resolved through DNS are hybridcaptel.com and hybridcaptel-otw.com.
hybridcaptel.com is used for captions and currently resolves to the following IP ranges:
- 69.8.140.208 - 69.8.140.223
- 69.11.243.160 - 69.11.243.191
- 71.87.12.177 - 71.87.12.190
- The phone will use outbound TCP ports 5007-7000 to connect to captions on these IP addresses.
hybridcaptel-otw.com is used to perform software updates and currently resolves to:
- 68.117.127.134
- The phone will use outbound TCP ports 5004, 5100-5130 to this IP.
These IP address ranges and ports are subject to change without notice.
If the phone is being used in a locked down environment, the network’s security settings may require adjustments to permit the necessary communication from the CapTel 800i to the Captioning Service.
The CapTel 800i uses only outbound connections over the public Internet. No incoming ports are required.
Our caption service is a proprietary protocol that runs over TCP.
Proxy servers are not supported.

Re: Allowing traffic from inside to outside ASA5505 7.2(3)

hobbe — Fri, 18 May 2012 19:45:43 GMT

The problem seems to be a special unit, the CapTel 800i am I right ?

are all the other units working ?

Have you tried to capture the traffic with fx wireshark ?

that will tell you alot.

What does the packet-tracer tell you ?

Is it NAT aware ? Is it even possible to use the unit behind a nat device ? does it need its own external ip address ?

And as usual when it comes down to live production environment I would like to recomend that you go and talk to a cisco rep about a good tech who can help you out.

good luck

HTH

Re: Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Mon, 21 May 2012 18:40:11 GMT

It's supposed to work with NAT from what I have been told, I have not been able to run wireshark, as this is across the country from me.

Re: Allowing traffic from inside to outside ASA5505 7.2(3)

scott.maron — Tue, 22 May 2012 20:03:05 GMT

Seeing that my ACL's hit counter increases and I can see the traffic when doing a 'sh conn' but by looking at the flags in the output I'm seeing that it's waiting for responses. Is it possible that there is an issue with NAT yet? Also I'm assuming possibly DNS? I cannot assign anything to the phone as it gets everything from DHCP, not able to statically set any of it.

Thanks,