topic ASA 5505 To Internet in Network Security

ASA 5505 To Internet

Joffroi85 — Mon, 11 Mar 2019 23:03:57 GMT

I first want to apologize for coming here with what I feel is a simple question. I'm a little embarrased on how rusty my Cisco knowledge has gotten. I'm trying to get a laptop connect to an ASA 5505 to be able to browse the web. I've tried following basic instructions on doing this through the console because I didn't get much luck with the ASDM.

My internet port that the firewall is connected to does have a static IP of 99.66.167.69 assigned to it with a gateway of 99.66.167.70. The port also has two DNS servers I'll call A.A.A.A and B.B.B.B if I need that information.

Below is what I currently have as my config. Any help on resolving this would be greatly appreciated.

====================================================

ASA Version 8.2(5)

hostname ciscoasas

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 99.66.167.69 255.255.255.248

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 99.66.167.70 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:225af90f110a58bbc8d98e50c545608d

: end

ASA 5505 To Internet

varrao — Tue, 08 May 2012 19:16:18 GMT

HI Joffroi,

Are you able to ping 4.2.2.2 from the ASA and the default gateway?? are you able to ping it from a host on the inside? Add icmp isnpection before pinging.

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA 5505 To Internet

craig bache — Tue, 08 May 2012 19:44:44 GMT

Hi Joffroi

Can you insure you have enabled all 4 interfaces (physical, virtual) and that you can ping the default gateway.

E.g

conf t

int eth 0/0

no shut

ping 99.x.x.x

Could you also make sure a host can ping 192.168.1.1

Regards Craig

ASA 5505 To Internet

Joffroi85 — Tue, 08 May 2012 20:10:09 GMT

From the ASA, I am able to ping 99.66.167.69 and 4.2.2.2.

From the computer I had plugged to the ASA, I was not able to ping 192.168.1.1. Unfortunately, I had to step away from the lap to check that laptop for now.

All the interfaces have had "no shutdown" applied.

Thanks

ASA 5505 To Internet

varrao — Tue, 08 May 2012 20:22:56 GMT

Hi,

Can you please apply these captures and ping again, just wanna check if ASA is forwarding the packets at all or not?

access-list cap permit ip any host 4.2.2.2

access-list cap permit ip host 4.2.2.2 any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

also apply:

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

after that, try pinging 4.2.2.2 again, and collect the output of :

show cap capin

show cap capo

This would be very helpful in troubleshooting.

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA 5505 To Internet

Joffroi85 — Wed, 09 May 2012 22:06:53 GMT

Sorry for the delay.

Varun, I followed the commands you suggested. After apply the following settings....

access-list cap permit ip any host 4.2.2.2

access-list cap permit ip host 4.2.2.2 any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

these are my results:

Ping 99.66.167.69 from computer hooked to console port.

ping 99.66.167.69

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 99.66.167.69, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Ping 192.168.1.1 from computer hooked to console port

100% success rate

Ping 4.2.2.2 from computer connected to console port.

ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Results of show cap capin

15 packets captured

1: 16:44:28.681468 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

2: 16:44:30.677973 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

3: 16:44:32.677928 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

4: 16:44:34.678004 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5: 16:44:36.677943 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

6: 16:45:15.972087 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

7: 16:45:17.967937 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

8: 16:45:19.967952 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

9: 16:45:21.967906 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

10: 16:45:23.967921 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

11: 16:48:15.667873 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

12: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

13: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

14: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

15: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

15 packets shown

Results show cap capo

5 packets captured

1: 16:48:15.667888 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

2: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

3: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

4: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5 packets shown

Ping 99.66.167.69 from computer connected to ASA

Request Timed out 100% of time

Ping 4.2.2.2 from computer connected to ASA

100% success

Ping 192.168.1.1 from comptuer connected to ASA

Request Timed out

Unfortunately, I noticed I was still connected to a wireless network upon pinging. I turned that off and now get a response "192.168.43.75:Destination Unreachanble" when I ping any address.

Thanks

ASA 5505 To Internet

varrao — Wed, 09 May 2012 22:40:12 GMT

Hi Joffroi,

I am not sure about how you are connecting, because all you just need to test with is, connect the laptop directly to the inside interface of the ASA using an ethernet cable and then assign the laptop an ip 192.168.1.2, and then ping 4.2.2.2, is this how you exactly tested?

Thanks,
Varun Rao
Security Team,
Cisco TAC

Re: ASA 5505 To Internet

Joffroi85 — Wed, 09 May 2012 22:48:31 GMT

I did assign 192.168.1.2 to my laptop.

When I ping 4.2.2.2 or 99.66.167.69 I get the Reply from 192.168.43.75: Destination unreachable error.

I can ping 192.168.1.1 though

Where is the 192.168.43.75 coming from?

Here is my latest config file just for the record

: Saved

ASA Version 8.2(5)

hostname UUFkcASA

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 99.66.167.69 255.255.255.248

ftp mode passive

access-list cap extended permit ip any host 4.2.2.2

access-list cap extended permit ip host 4.2.2.2 any

access-list outside_access_in extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 99.66.167.70 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e6d997e51654139d99b017e8f62f4cc7

: end

ASA 5505 To Internet

varrao — Wed, 09 May 2012 22:59:26 GMT

You would need to find it out on the laptop, check the ipconfig on the command promp, what all network adapters are activated.

Thanks,
Varun

Re: ASA 5505 To Internet

Joffroi85 — Thu, 10 May 2012 14:27:16 GMT

I went ahead and changed to a unix laptop. My other laptop may have corporte settings interfering.

Using DHCP, my laptop assignes itself a 169.254.83.145 IP address.

I went ahead and changed that to 192.168.1.2 as stated above. For 99.66.167.69 and 4.2.2.2 I still get a Host is down message. I am able to ping 192.168.1.1 from the laptop though.

Do DNS address play a role into any of this?

Thanks

Re: ASA 5505 To Internet

Julio Carvajal — Thu, 10 May 2012 17:42:04 GMT

Hello Joffroi,

DNS does not take a play role on this as you are not performing any Domain name resolution, you are just trying to access a host on the outside by its public ip address (4.2.2.2)

Here is what I want you to add:

policy-map global_policy

class inspection_default

inspect icmp

Then try to ping one more time if this does not work please do the following:

I want the Ifconfig or Ipconfig from the machine?

I want a packet-tracer.. On the ASA do packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2 and provide me the output

FYI using an ASA you will not be able to ping a distant interface, what is that?

As an example from that PC 168.1.2 you can ping the inside interface but the outside or dmz or any other interface besides the inside will be a distant interface. This is a security meassure that the ASA uses!!!.

Regards,

Julio

DO Rate all the helpful posts

Re: ASA 5505 To Internet

Joffroi85 — Thu, 10 May 2012 18:21:16 GMT

99.66.167.69 is the static IP address assigned by the ISP for the port the ASA is connected to.

I followed your suggestions above but was unable to execute the inspect icmp command. I added the first two.

Below are the results for the packet-tracer. I'll track down a thumbdrive to transfer the output of the ifconfig if you still need it.

At this point, is it maybe easier for me to start over and try another set of instructions like this?http://www.youtube.com/watch?v=RYr3Vpm5uWA

Results

packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (99.66.167.69 [Interface PAT])

translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.1.2/0 to 99.66.167.69/59409 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 42, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Thanks for all the help thus far guys. It really is appreciated

Re: ASA 5505 To Internet

Julio Carvajal — Thu, 10 May 2012 18:37:26 GMT

Hello Joff,

Please add the following command:

-Fixup protocol ICMP

Give it a try,

The packet tracer shows that everything is fine.

Re: ASA 5505 To Internet

Joffroi85 — Thu, 10 May 2012 19:56:43 GMT

I entered that command and got this response:

(config)# fixup protocol ICMP

INFO: converting 'fixup protocol icmp ' to MPF commands

From my laptop where I assigned the 192.168.1.3 IP address, I am still unable to ping 4.2.2.2 or browse the web. Below is the ifconfig

ifconfig

lo0: flags=8049 mtu 16384

options=3

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1

inet 127.0.0.1 netmask 0xff000000

inet6 ::1 prefixlen 128

gif0: flags=8010 mtu 1280

stf0: flags=0<> mtu 1280

en0: flags=8863 mtu 1500

options=2b

ether 00:1f:f3:53:da:5f

inet6 fe80::21f:f3ff:fe53:da5f%en0 prefixlen 64 scopeid 0x4

inet 192.168.1.3 netmask 0xffff0000 broadcast 192.168.255.255

media: autoselect (100baseTX )

status: active

en1: flags=8823 mtu 1500

ether 00:1f:5b:c4:02:6a

media: autoselect ()

status: inactive

fw0: flags=8863 mtu 4078

lladdr 00:1f:f3:ff:fe:60:16:f2

media: autoselect

status: inactive

vboxnet0: flags=8842 mtu 1500

ether 00:76:62:00:00:00

Its pretty frustrating reading that everything looks fine. I was really hoping I missed 2-3 cruicial lines for a quick fix. Is it possible that it could be something with how my IT department set up the port?

I can get internet working on my laptop if I connect directly to the port and manually set the static IP, gateway, DNS1, DNS2 and subnet address so probably not.

Thanks

Re: ASA 5505 To Internet

Julio Carvajal — Thu, 10 May 2012 20:02:28 GMT

Hello Jofrroi,

What is connected between the ASA and the PC, and also from the ASA and the Internet (ISP router)

Also create the following capture:

capture asp type-asp all circular-buffer

Then do a clear :

clear cap capo

clear cap capin

clear cap asp

Please try to ping and provide the following:

cap asp | inc 4.2.2.2

cap capin

cap capo

Regards,

Re: ASA 5505 To Internet

Joffroi85 — Thu, 10 May 2012 20:14:26 GMT

I just have ethernet going from my laptop to the ASA and then the ASA connect via ethernet to the port on the wall which has the assigned 99.66.167.69 IP address.

Below are my results:

ASA5505(config)# capture asp type asp-drop all circular-buffer

ASA5505(config)# cap capin

ASA5505(config)# cap capo

ASA5505(config)# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA5505(config)# show capture asp

0 packet captured

0 packet shown

ASA5505(config)# show cap capin

5 packets captured

1: 15:07:49.326978 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

2: 15:07:51.326170 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

3: 15:07:53.326124 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

4: 15:07:55.326185 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5: 15:07:57.326155 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5 packets shown

ASA5505(config)# show cap capo

5 packets captured

1: 15:07:49.326978 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

2: 15:07:51.326170 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

3: 15:07:53.326124 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

4: 15:07:55.326185 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5: 15:07:57.326155 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5 packets shown

EDIT: I fixed my capture asp command, did a reping, and got the information below:

ASA5505(config)# show capture asp

1 packet captured

1: 15:12:37.516925 802.1Q vlan#2 P0 99.66.167.67.138 > 99.66.167.71.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule

1 packet shown

Re: ASA 5505 To Internet

Joffroi85 — Mon, 14 May 2012 16:02:04 GMT

I redid everything this morning with no luck. I compiled a new post to have all my new information a little more outlined and organized here:

https://supportforums.cisco.com/thread/2148826

Thanks for all the time you put in to trying to help me.