topic Traffic for inside network not going through firewall in Network Security

Traffic for inside network not going through firewall

jomar050485 — Mon, 11 Mar 2019 20:59:30 GMT

I don't know what's going on. I can't ping or access any internal host with the IP 10.1.1.X. If I ping from the inside interface, it works. If i ping from the outside interface, it doesn't work. What's the deal? That network works anywhere internally but not past the asa.

10.15.81.1 10.15.81.10 10.10.81.9 10.10.81.1 10.10.81.254

EXternal router--------------------ASA-----------------------Internal Router----Remote Router---10.1.1.1

ciscoasa# ping inside 10.1.1.1

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping outside 10.1.1.1

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa#

ciscoasa# show run

: Saved

ASA Version 7.0(8)

hostname ciscoasa

domain-name default.domain.invalid

names

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.15.81.10 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.81.9 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.13.81.198 255.255.255.0

management-only

ftp mode passive

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 10.10.81.127 eq https

access-list outside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any

access-list outside_access_in extended permit tcp 10.10.1.0 255.255.255.0 host 10.10.81.1

access-list outside_access_in extended permit ip host 10.10.1.29 host 10.10.106.2

access-list outside_access_in extended permit ip host 10.10.1.29 any

access-list outside_access_in extended permit ip host 10.10.1.27 host 10.10.81.115

access-list outside_access_in extended permit tcp any host 10.10.81.15 eq 3389

access-list outside_access_in extended permit ip any host 10.10.81.141

access-list outside_access_in extended permit ip 10.10.1.0 255.255.255.0 host 10.10.81.118

access-list outside_access_in extended permit ip 10.81.15.0 255.255.255.0 any

access-list gesupport extended permit ip 192.168.190.8 255.255.255.252 193.37.92.240 255.255.255.252

access-list natge1 extended permit ip host 10.10.81.99 193.37.92.240 255.255.255.252

access-list natge2 extended permit ip host 10.10.81.109 193.37.92.240 255.255.255.252

access-list inside_nat0_outbound extended permit ip 10.10.81.0 255.255.255.0 10.10.106.0 255.255.255.0

access-list outside_cryptomap_120 extended permit ip 10.10.81.0 255.255.255.0 10.10.106.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 0.0.0.0 0.0.0.0

static (inside,outside) 10.10.81.127 10.10.81.127 netmask 255.255.255.255

static (inside,outside) 10.10.81.144 10.10.81.144 netmask 255.255.255.255

static (inside,outside) 10.10.81.118 10.10.81.118 netmask 255.255.255.255

static (inside,outside) 10.10.81.1 10.10.81.1 netmask 255.255.255.255

static (inside,outside) 10.10.81.149 10.10.81.149 netmask 255.255.255.255

static (inside,outside) 10.10.81.152 10.10.81.152 netmask 255.255.255.255

static (inside,outside) 10.10.81.195 10.10.81.195 netmask 255.255.255.255

static (inside,outside) 192.168.190.9 access-list natge1

static (inside,outside) 192.168.190.10 access-list natge2

static (inside,outside) 10.10.106.2 10.10.106.2 netmask 255.255.255.255

static (inside,outside) 10.10.106.103 10.10.106.103 netmask 255.255.255.255

static (inside,outside) 10.10.81.15 10.10.81.15 netmask 255.255.255.255

static (inside,outside) 10.10.81.99 10.10.81.99 netmask 255.255.255.255

static (inside,outside) 10.10.81.115 10.10.81.115 netmask 255.255.255.255

static (inside,outside) 10.10.81.141 10.10.81.141 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.15.81.1 1

route inside 10.81.0.0 255.255.0.0 10.10.81.1 1

route inside 10.10.107.0 255.255.255.0 10.10.81.1 1

route inside 10.10.106.0 255.255.255.0 10.10.81.1 1

route inside 10.10.79.0 255.255.255.0 10.10.81.1 1

route inside 10.10.78.0 255.255.255.0 10.10.81.1 1

route inside 10.1.1.0 255.255.255.0 10.10.81.1 1

route management 0.0.0.0 0.0.0.0 10.13.81.1 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.10.81.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

Cryptochecksum:0f976dddf4ec25a6ad927e9a0cbc0b48

: end

ciscoasa#

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 13:09:51 GMT

EXTERNALROUTER#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 * * *

2 * * *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

13 * * *

EXTERNALROUTER#show ip route 10.1.1.1

Routing entry for 10.1.1.0/24

Known via "static", distance 1, metric 0

Redistributing via bgp 65001

Advertised by bgp 65001

Routing Descriptor Blocks:

* 10.15.81.10

Route metric is 0, traffic share count is 1

EXTERNALROUTER#

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 13:21:13 GMT

Hi Jomar,

That is teh default behavior of firewall, it will not ping from remote interface, only from the interface to which the client machine is connected to. If the 10.1.1.1 machine is statically mapped to then from outside interafce you can ping the public ip For eg:

ping outside 1.1.1.1

so don't worry everything is fine.

Thanks,

Varun

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 13:25:55 GMT

I have a ICMP permit any any. The network isn't accessible from anywhere past the asa. Pings to all other networks work.

I've even added an" access-list outside_access_in extended permit ip permit any 10.1.1.0 255.255.255.0" and it doesn't work

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 13:33:04 GMT

Hi jomar,

If you are doing " ping outside 10.1.1.1" it would not work.

But if you are pinging from the router, then make sure you have a nat translation for the traffic on the firewall if nat-control is enabled.

The access-list is good.

Thanks,

Varun

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 13:42:47 GMT

Thanks Varun.

I can't ping it from routers past the asa. Tracert dies when it passes through the ASA. There is not NAT being used..I tried opening the network to everyone..

One thing we notcied is that the ASA had:

route inside 10.1.1.0 255.255.255.0 10.10.81.1 1

We changed it to:

route inside 10.1.1.0 255.255.255.0 10.10.81.254 1

but still not not working. Also, I can't ping past the ASA from 10.1.1.1, ASA is being mean to me.

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 13:49:13 GMT

Could you chcek if you have nat control enabled, do "show run nat-control"

Varun

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 13:51:34 GMT

ciscoasa# show run nat-control

no nat-control

ciscoasa#

any other ideas?

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 14:03:00 GMT

Take captures on the ASA and identify why the packets are getting dropped:

https://supportforums.cisco.com/docs/DOC-17345

Varun

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 14:17:25 GMT

Thank you.

I just tried something. I added:

static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

and it started to ping and I can telnet now.

How can I do this for all the IPs without doing a statement for every host?

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 14:22:32 GMT

Hi Jomar,

For the whole network, you can add :

static (inside,outside) 10.1.1.0 10.1.1.0 255.255.255.0

it shoudl work after this.

Thanks,

Varun

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 14:36:39 GMT

sorry there is a netmask keyword as well.

static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

Traffic for inside network not going through firewall

jomar050485 — Fri, 15 Jul 2011 14:52:22 GMT

Thanks. I think that might have fixed it. I'm trying to get confirmation. Using the capture you provided, I noticed they are using nat. That's why some statements didn't work as well. I'm trying to get them to work on it.

Traffic for inside network not going through firewall

varrao — Fri, 15 Jul 2011 17:01:45 GMT

Hey thats good...let me know if you face any issues...

Thanks,

Varun