topic Re: ASA 5520 translation problem in Network Security

ASA 5520 translation problem

hisham.khreisat — Mon, 11 Mar 2019 20:16:54 GMT

I have the following in my deployment:

Server --- ACE 4710 --- ASA 5520 -- Router

from the server I can ping the inside ASA.but can't ping outside ASA or inside Router.

from the ASA I can ping Outside Router, Server, and The Virual IP Address of ACE.

the following configuration for ASA 5520:

hostname MOI-Elec

domain-name default.domain.invalid

enable password qagxmUWZehLHpnt3 encrypted

passwd qagxmUWZehLHpnt3 encrypted

names

dns-guard

interface GigabitEthernet0/0

description --- To GW_1 ---

nameif outside1

security-level 0

ip address 172.20.1.240 255.255.255.0

interface GigabitEthernet0/1

description --- To GW_2 ---

nameif outside2

security-level 0

no ip address

interface GigabitEthernet0/2

description --- SERVER DMZ ---

nameif SERVER-DMZ

security-level 100

ip address 192.168.20.10 255.255.255.0

interface GigabitEthernet0/3

shutdown

nameif asd

security-level 100

no ip address

interface Management0/0

nameif mngmt-asdm

security-level 100

ip address 10.10.10.10 255.255.255.0

ftp mode passive

access-list temp extended permit icmp any any

access-list temp extended permit ip any any

access-list cap1 extended permit ip any host 172.20.1.240

access-list cap1 extended permit ip host 172.20.1.240 any

pager lines 24

logging enable

logging buffered errors

mtu outside1 1500

mtu outside2 1500

mtu SERVER-DMZ 1500

mtu asd 1500

mtu mngmt-asdm 1500

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

static (SERVER-DMZ,outside1) 192.168.20.20 192.168.20.20 netmask 255.255.255.255

access-group temp in interface outside1

access-group temp in interface outside2

access-group temp in interface SERVER-DMZ

route outside1 0.0.0.0 0.0.0.0 172.20.1.251 1

route SERVER-DMZ 172.20.0.0 255.255.0.0 192.168.20.30 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username admin password LLO/MKcU/To/3BlR encrypted

http server enable

http 0.0.0.0 0.0.0.0 SERVER-DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 15

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

Cryptochecksum:ac69173ace9b8f69bfff97c28a9f35d5

: end

----------------------------------------------------------------

The following Configuration on ACE 4710:

Generating configuration....

resource-class rc1

limit-resource all minimum 10.00 maximum unlimited

limit-resource sticky minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_0.bin

peer hostname moi-lb

hostname moi-lb2

interface gigabitEthernet 1/1

description ace-outside to ASA G0/0

switchport access vlan 3

no shutdown

interface gigabitEthernet 1/2

description ace-inside to DMZ-SW G1/1

switchport access vlan 2

no shutdown

interface gigabitEthernet 1/3

switchport access vlan 1000

no shutdown

interface gigabitEthernet 1/4

ft-port vlan 10

no shutdown

clock timezone Jor 0 0

context Admin

member rc1

access-list all line 8 extended permit ip any any

access-list all line 16 extended permit icmp any any

probe tcp tcp-7777

port 7777

interval 15

passdetect interval 60

open 1

rserver host app-205

ip address 172.20.100.205

inservice

serverfarm host app-servers

predictor leastconns

probe tcp-7777

fail-on-all

rserver app-205

inservice

sticky ip-netmask 255.255.255.255 address source group1

timeout 15

replicate sticky

serverfarm app-servers

class-map type management match-any REMOTE_ACCESS

description Remote access traffic match 2

2 match protocol telnet any

3 match protocol ssh any

4 match protocol icmp any

5 match protocol https any

class-map match-all vip-app

2 match virtual-address 192.168.20.20 tcp eq 7777

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

class REMOTE_ACCESS

permit

policy-map type loadbalance first-match vip-lb

class class-default

sticky-serverfarm group1

policy-map multi-match lb-vip-policy

class vip-app

loadbalance vip inservice

loadbalance policy vip-lb

loadbalance vip icmp-reply

interface vlan 2

description ace-inside to DMZ-SW G1/1

ip address 172.20.0.251 255.255.0.0

no icmp-guard

access-group input all

service-policy input REMOTE_MGMT_ALLOW_POLICY

no shutdown

interface vlan 3

description ace-outside to ASA G0/0

ip address 192.168.20.30 255.255.0.0

no icmp-guard

access-group input all

service-policy input lb-vip-policy

service-policy input REMOTE_MGMT_ALLOW_POLICY

no shutdown

interface vlan 1000

description ---management vlan---

ip address 172.26.255.2 255.255.255.0

peer ip address 172.26.255.1 255.255.255.0

service-policy input REMOTE_MGMT_ALLOW_POLICY

no shutdown

ft interface vlan 10

ip address 10.0.0.11 255.255.255.0

peer ip address 10.0.0.10 255.255.255.0

no shutdown

ft peer 1

heartbeat interval 100

heartbeat count 20

ft-interface vlan 10

ft group 1

peer 1

associate-context Admin

inservice

ft track interface track-vlan2

track-interface vlan 2

peer track-interface vlan 2

priority 25

peer priority 25

ft track interface track-vlan3

track-interface vlan 3

peer track-interface vlan 3

priority 30

peer priority 30

ip route 0.0.0.0 0.0.0.0 192.168.20.10

---------------------------------------------------------------------

anyone have any Idea about why the ASA 5520 doen't permit to go out side of my inside server network to outside.

please help

Re: ASA 5520 translation problem

Shrikant Sundaresh — Tue, 05 Apr 2011 11:38:51 GMT

Hi Hisham,

You cannot ping the ASA interfaces which are not directly facing your device.

So if you are on the inside, you can only ping the inside interface.

Now coming to the router, I see that there is no nat configured on the ASA. So unless you have a route configured on the router, with a route back to the server subnet, the router will not be able to reply to the icmp packet.

Run "debug icmp trace 1" command on the ASA, and check if you see icmp request going from the server to the router, but no replies coming back.

This would indicate an issue with the routing on the router.

Also, please check if nat-control is enabled (show run all | in nat-control)

IF it is enabled, then you need to disable it (no nat-control) or configure a nat rule for traffic going from inside to outside.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

Re: ASA 5520 translation problem

hisham.khreisat — Tue, 05 Apr 2011 11:45:51 GMT

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.05 13:21:12 =~=~=~=~=~=~=~=~=~=~=~=

internal#sh run

Building configuration...

Current configuration : 1276 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname internal

boot-start-marker

boot-end-marker

!card type command needed for slot 1

card type e1 2

!card type command needed for slot 3

!card type command needed for slot 4

enable secret 5 $1$mV65$5mOlGHjWThTljxYFF2OUb/

no aaa new-model

resource policy

no network-clock-participate slot 2

ip cef

voice-card 0

no dspfarm

controller E1 2/0

framing NO-CRC4

channel-group 0 timeslots 1-31

controller E1 2/1

interface GigabitEthernet0/0

ip address 172.20.1.251 255.255.255.0

duplex auto

speed auto

media-type rj45

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

media-type rj45

interface Serial2/0:0

description E1 LINK TO MUHAFDA

ip address 172.19.8.249 255.255.255.252

ip route 0.0.0.0 0.0.0.0 Serial2/0:0

ip route 172.0.0.0 255.0.0.0 GigabitEthernet0/0

ip http server

no ip http secure-server

control-plane

line con 0

password cisco

line aux 0

line vty 0 4

password cisco

scheduler allocate 20000 1000

end

This is the router configuration

Re: ASA 5520 translation problem

Shrikant Sundaresh — Tue, 05 Apr 2011 11:54:30 GMT

Hi Hisham,

Could you also please attach the output of the following command on the ASA

packet-tracer input icmp 8 0 detail

This shows the packet flow of the icmp request through the ASA.

-Shrikant

Re: ASA 5520 translation problem

hisham.khreisat — Tue, 05 Apr 2011 18:41:54 GMT

Hello There,

I'll do what asked from me tomorrow morning, but I would like to mention that I have already did a capture, as the following

Server (172.20.100.205/16) ---- (Inside: 172.20.0.251/16) ACE (outside: 192.168.20.30/24) --- (inside:192.168.20.30/24)ASA(outside:172.20.1.240/24) ---- (172.20.1.251/24)Router.

I did the ping from the server to inside router (172.20.1.251)

access-list cap extended permit ip host 172.20.100.205 host 172.20.1.251

access-list cap extended permit ip host 172.20.1.251 host 172.20.100.205

capture test access-list cap interface inside-ASA

sh capture gave me

0 packets !!!! no results appear. !!!!

If you please any one can review the configuration carefully and tell me, If there is any wrong configuration ACE,ASA,Router.

I hope you can find any way to get out of this problem !!!!!

Thank you all,

Hisham Khreisat

Re: ASA 5520 translation problem

Shrikant Sundaresh — Tue, 05 Apr 2011 23:03:52 GMT

Hi Hisham,

I have never really worked with an ACE before, so I am not sure about its configs. Though trying to judge the config based on what i know about routers and ASA, it seems ok except for if you can apply "service policy" multiple policy's on an interface or not. You would need to verify that, but most probably it must be correct.

Secondly, an anomaly i see, is in the subnet mask of the outside interface of the ACE. You have given a /16 subnet mask, while a /24 subnet mask on the corresponding ASA interface. I am not sure if that would impact packet flow, but you could correct it and check again.

Lastly, and most importantly, if the capture showed no packets on the ASA, means it is a fault on the ACE because no packets reached the ASA.

Thus output of the packet-tracer command would be no use at all, since it shows the packet trace after the packet reaches the ASA.

So we need to concentrate on the link between ACE and ASA, and figure out why the ACE is not sending traffic to the ASA.

-Shrikant

P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks.