topic ASA 5520 Update & Configuration in Network Security

ASA 5520 Update & Configuration

hfth — Mon, 11 Mar 2019 19:32:23 GMT

I have an ASA 5520 at a remote location. It was set up and configured by a contractor. Up until a few days ago it was working fine. The AnyConnect quit working. I thought I would just reload the .svc file Then I couldn't use ASDM, so I went to the remote location and did a console connection and realized I was on incompatable versions of ASA, ASDM & anyconnect (thank you contractor). The ASA has an outside interface configured and an inside interface that the clients connect to. I updated the ASA from 7.0(6) to 8.2(2). The ASDM from 5 ? to 6.3(1) and the anyconnect to 2.3.01. I didn't export my config or firewall rules and now my clients can't get out my inside interface to the internet or ping anything. The ASA says the packets are being blocked from getting to the outside by a implict rule on the inside interface to block all outgoing ip traffic. Right above that rule on the same interface I have a rule to allow all outgoing ip traffic. I din't understand why it's being blocked when I have set up a rule as an execption.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 19:29:12 GMT

Hi,

Wow.... besides all the trouble, let's see why traffic is not getting out.

Do you have access to the CLI, to copy/paste the output of the following:

show run access-list NAME --> change NAME for the name of the ACL applied to the inside interface

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 19:44:13 GMT

Here's what I get when I show run access-list:

access-list outside_access_in extended permit tcp any eq 3389 any
access-list outside_access_in_1 extended deny ip 81.129.179.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq https
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq www
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq 3389
access-list Block extended deny ip 81.129.179.0 255.255.255.0 any
access-list Block extended deny tcp host 81.129.179.245 any eq ssh
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list Split_tunnel remark Local Lan COLO
access-list Split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip any any

192.168.200.1 is the ip of my internal interface.

The ASA can ping ip's from the outside interface

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 19:53:37 GMT

Now,

For traffic to go to the internet through the ASA besides being permitted on the inside interface, it should have a NAT rule.

For example.

I want to allow network 10.0.0.0/24 to get out to the Internet through the ASA, this is what I need:

1. An ACL permitting this traffic applied to the inside interface in the inbound direction:

access-list inside permit ip 10.0.0.0 255.255.255.0 any

2. The ACL must be applied correctly:

access-group inside in interface inside

3. There should be a NAT rule:

nat (inside) 1 10.0.0.0 255.255.255.0

global (outside) 1 interface

You can use the packet tracer utility to emulate the connection and see what is reported by the ASA:

packet-tracer input tcp 10.0.0.1 1024 4.2.2.2 80 det

The above command, will allow the ASA to report if a connection from 10.0.0.1 to 4.2.2.2 (Internet) on TCP port 80 would be permitted to flow through it or not.

Hope it helps.

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 20:23:33 GMT

OK, now the test shows the packets go through to the outside, but before these last few config changes I could do the AnyConnect and remote on to one of the clients, even though they couldn't get on the internet. Now I'm going in through the AnyConnect to do an RDP and it's telling me it can't connect to the remote computer. Is there something else I need to to in the acces rule or NAT to make the remote desktop work?

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 20:34:12 GMT

You mean there's internet access now working from inside the ASA?

To be able to connect via AnyConnect to an external client you are required to allow TCP 443 on the same ACL.

Include:

access-list inside permit tcp 10.0.0.0 255.255.255.0 any eq 443

The above line should allow any computer on the local LAN (10.0.0.0/24) to connect to any remote AnyConnect server.

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 20:45:58 GMT

Maybe I didn't make it completely clear. Before I made the changes you suggested to get the internet working on the client computers, I hade updated the ASA, ASDM & anyconnect. I can connect via ASDM, any the anyconnect has been working. Prior to the changes I just made, I could connect via the anyconnect and remote onto a client machine via name or ip. Now after these changes, I can still connect via the anyconnect, but when I try the remote desktop connection, it tells me I can't connect. I was going to remote onto one to check the internet via the browser.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 20:57:38 GMT

Scott,

I don't see how trying to give the internal users internet access will break the AnyConnect access in.

Obviously it was something we did while trying to fix this with the commands I gave you, so... why don't you share the running-config and we'll take a look at it.

I imagine that if you revert the changes I gave you, then you're able to access via RD the machine using AnyConnect, correct?

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 21:05:51 GMT

here is my running config attached. I'm going revert and test the remote onto one of the desktops.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 21:14:14 GMT

While doing this let me know the IP address of the internal machine you're trying to RD to and if you can PING it while connected via AnyConnect.

If not, add this line:

access-list inside permit ip any any

And try again.

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 21:23:59 GMT

With the attached running config I can anyconnect and rd onto a client but the client cannot access the internet. I can ping the client when I'm connected via anyconnect as well.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 21:27:41 GMT

To give Internet access to the 192.168.200.0/24 network you need to add this line:

nat (inside) 1 192.168.200.0 255.255.255.0

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 21:32:19 GMT

that looks like it got it!!

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 21:34:04 GMT

I'm glad that it worked 🙂

Please rate helpful posts!

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 21:36:49 GMT

Ok I spoke too soon. Yes, I was already RD on to a client and when I added the NAT rule it let me on the internet. But, when I closed out of everything and tried to anyconnect and then the rd, the rd didn't work.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 21:44:21 GMT

So, the LAN has internet access now correct?

Also, you can connect via AnyConnect but not RD into the machine... so...

What's the IP of this computer and can you PING it from the AnyConnect client?

Federico.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 21:49:08 GMT

Ok got it.

From the last config you post, this are the changes you need:

nat (inside) 1 192.168.200.0 255.255.255.0

access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside) 0 access-list nonat

Those three commands should take care of the internet access and still allowing connectivity to the internal machines via AnyConnect.

However, the VPN pool is recommended to have it as a separate non-overlapping range.

Federico.

Re: ASA 5520 Update & Configuration

hfth — Sat, 08 Jan 2011 22:04:00 GMT

The exempt NAT rule allowed the RD, I'll have to seperate the ip ranges in the rules for the internal & VPN later. Thanks.

Re: ASA 5520 Update & Configuration

Federico Coto Fajardo — Sat, 08 Jan 2011 22:10:13 GMT

Glad I could help and thanks for the ratings 🙂

Federico.