topic Re: ASA5510 setup issues in Network Security

ASA5510 setup issues

heather.burke — Mon, 11 Mar 2019 18:50:00 GMT

We are configuring an ASA5510 for the first time. However, we seem to have hit a wall. There seems to be no communication between the interfaces at all. We have played with the static routes and access rules to no avail, it just seems like nothing can get in or out. At the moment, we have it opened up to pretty much anything, to try to get anything to work, but still nothing. (read: Any interface, any source any destination) Does anyone have any idea of what crucial step we might be missing? We are mostly using the ASDM, but have had to do a little with the CLI since that seems to be what everyone knows in any help docs.

Re: ASA5510 setup issues

Scott Nishimura — Mon, 04 Oct 2010 22:20:18 GMT

HI Heather,

I will assume the interfaces are set for different security levels. If that is true, then you will most likely need to have a static or nat statements.

Please see here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

It sounds like you have the acls and the routing in place. Let me know what you have set up for the natting/static side.

regards,

scott

Re: ASA5510 setup issues

heather.burke — Tue, 05 Oct 2010 14:40:54 GMT

Hi Scott,

Well we've tried several different options. Right now just to try to get ANYTHING to work, we've created really open rules that would essentially allow anything in either direction. We've tried with and without NAT rules in place, but it doesn't seem to make a difference one way or another. I'm not sure if the "any interface, any source, any destination" type of NAT would do anything anyway. NAT control is no longer available in 8.3, so it seems that NAT is less likly to be holding us up, but we're so new to this that we couldn't be sure of that.

We've done the global ACL allows to open it up, and with our staic routes we've tried a myriad of ideas on how to communicate it's direction. It seems that the interfaces are just not passing information to one another. We have routes from 0.0.0.0 to the external interface, we've tried from the internal to external interfaces, and pretty much any combination you can think of, and to no effect.

Any ideas what to look at?

Re: ASA5510 setup issues

mirober2 — Tue, 05 Oct 2010 14:44:57 GMT

Hi Heather,

Can you post a running config for us to review? That will help determine the areas of the config that need to be focused on.

-Mike

Re: ASA5510 setup issues

Panos Kampanakis — Tue, 05 Oct 2010 15:08:31 GMT

Heather,

Is there a route back for internal ip addresses when they are hitting the outside since you are not natting?

Does your inside interface have higher security level than your outside?

If you are testing with pings, make sure you have icmp inspection enabled.

Let me know if they helped. And like mirober2 suggested, if not please provide your config.

Re: ASA5510 setup issues

heather.burke — Tue, 05 Oct 2010 15:37:44 GMT

here is our config file. It's a bit of a mess now because we've been trying so many different things (

none of which have worked)

:
ASA Version 8.3(2)
!

!
interface Ethernet0/0
description EXTERNAL
nameif OUTSIDE
security-level 0
ip address 10.0.204.65 255.255.255.0
!
interface Ethernet0/1
description INTERNAL INTERFACE
nameif INSIDE
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
description DMZ INTERFACE
shutdown
nameif DMZ
security-level 50
ip address STORAGECONTROLLERA 255.255.255.192
!
interface Ethernet0/3
description LAN/STATE Failover Interface
management-only
!
interface Management0/0
nameif management
security-level 99
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa823-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8

access-list INSIDE_access_in extended permit tcp any any eq www
access-list OUTSIDE_access_in remark ALLOW SLO TESTERS TO COMMUNICATE WITH XWD.
access-list OUTSIDE_access_in extended permit object-group HTTPHTTPS 10.0.204.64 255.255.255.192 host 10.2.204.55
access-list INSIDE_nat0_outbound extended permit ip any 192.168.204.240 255.255.255.240
access-list global_access extended permit tcp any any eq www log errors
pager lines 24
logging enable
logging console emergencies
logging asdm informational
logging class auth console errors
logging class sys console errors
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPBNIPPOOL 192.168.204.240-192.168.204.250 mask 255.255.255.0

asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static X_LAN X_LAN destination static mapped_public_pool mapped_public_pool
access-group INSIDE_access_in in interface INSIDE
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.204.65 1
route INSIDE 192.168.2.137 255.255.255.255 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-

SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface INSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh 192.168.1.2 255.255.255.255 INSIDE
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bab91fe79432cd34bd138842c26c47c4
: end

Re: ASA5510 setup issues

heather.burke — Tue, 05 Oct 2010 16:13:57 GMT

Whoops I hadn't noticed that my co-worker deletedmost of the NAT and Route rules that were in place yesterday.

There would hve been a few "any, any, any" commands for the NAT and allow all services in the ACL

Re: ASA5510 setup issues

mirober2 — Tue, 05 Oct 2010 16:21:34 GMT

Hi Heather,

I would suggest taking on one issue at a time to make it easier to troubleshoot. Try removing your NAT rules and then configuring this:

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) dynamic interface

You may also need this if your DNS server is not in the 192.168.2.0 subnet:

access-list INSIDE_access_in extended permit udp any any eq 53

access-list global_access extended permit udp any any eq 53

Once those commands are configured, try to access the Internet from a host in the 192.168.2.0 subnet. If that works, let us know what other traffic is failing.

Hope that helps.

-Mike

Re: ASA5510 setup issues

heather.burke — Tue, 05 Oct 2010 17:38:34 GMT

Mike,

Thanks!! Your dynamic NAT statement is the key that we were looking for! As I understand it, it is the statement that allows the internal and external interfaces to communicate with one another, and that is the piece we were missing.

Now we need to start redoing our actual ACLs and see if they work.

Thanks again!

Re: ASA5510 setup issues

mirober2 — Tue, 05 Oct 2010 17:42:48 GMT

Hi Heather,

Glad that worked for you. Keep in mind that in 8.3 you need to use the real IP (i.e. before NAT takes place) when you setup your access-lists. This is a significant change from the way it was done in pre-8.3 configurations.

-Mike