topic Re: Weird behavior in ASA5510 in Network Security

Weird behavior in ASA5510

aerosml866 — Mon, 11 Mar 2019 18:15:41 GMT

Hello,

My company recently switched from PIX506E to ASA5510.

ASA5510 works good except the pc wich static IP cannot browse Internet and ping outside ip. (All fixed IP pc except Windows PDC 10.0.0.6)

PC with dynamic IP assigned by Windows Server is OK.

Could you take a look at the following config of ASA5510?

: Saved
:
ASA Version 8.2(2)
!
hostname xxxxx
domain-name xxxxxxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
name 192.168.2.0 vpn-donhill description Igor place
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxxxxxxxxx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.0.100 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name aerosml.com
access-list acl_outside extended permit tcp any host xxxxxxxx eq 3389
access-list acl_outside extended permit tcp any host xxxxxxxx eq smtp
access-list acl_outside extended permit tcp any host xxxxxxxx eq pop3
access-list acl_outside extended permit tcp any host xxxxxxxx eq https
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host xxxxxxxx eq 3389
access-list acl_outside extended permit tcp any host xxxxxxxx eq www
access-list acl_outside extended permit tcp any host xxxxxxxx eq 2550
access-list acl_outside extended permit tcp any host xxxxxxxx eq 4550
access-list acl_outside extended permit tcp any host xxxxxxxx eq 5550
access-list acl_outside extended permit tcp any host xxxxxxxx eq 5552
access-list acl_outside extended permit tcp any host xxxxxxxx eq 6550
access-list acl_outside extended permit tcp any host xxxxxxxx eq 2250
access-list acl_outside extended permit ip any host xxxxxxxx
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 vpn-donhill 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 vpn-donhill 255.255.255.0
access-list split_tunnel_list standard permit 10.0.0.0 255.255.255.0
no pager
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool RemoteClient 192.168.100.1-192.168.100.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) xxxxxxxx 10.0.0.101 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 10.0.0.6 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 10.0.0.220 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 10.0.0.5 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 10.0.0.8 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 10.0.0.34 netmask 255.255.255.255
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol kerberos
aaa-server AD (inside) host 10.0.0.6
kerberos-realm xxxxxxxx
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 1 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxxxxxxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxxxxxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer xxxxxxxx
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer xxxxxxxx
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.6 source inside
webvpn
group-policy aeros internal
group-policy aeros attributes
dns-server value 10.0.0.6 4.2.2.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value aerosml.local
tunnel-group aeros type remote-access
tunnel-group aeros general-attributes
address-pool RemoteClient
default-group-policy aeros
tunnel-group aeros ipsec-attributes
pre-shared-key *****
isakmp ikev1-user-authentication none
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key *****
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key *****
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key *****
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1cb5688063c1db68a04379dae2491f55

Re: Weird behavior in ASA5510

Magnus Mortensen — Sat, 24 Jul 2010 00:59:08 GMT

Mike,

A couple of things worth checking to see what is really failing and then we can work our way up from there...

1) From that host can you resolve DNS?

- What is that host's DNS server

- Does 'nslookup google.com' work?

- Does 'nslookup google.com 4.2.2.2' work?

2) Do you see any SYSLOGS generated on the ASA related to that hosts IP address 10.0.0.6?

3) Does that host (10.0.0.6) have the right arp entry for 10.0.0.1?

- On the host issue 'arp -an' and compare the value (if any) for 10.0.0.1 to the interface MAC address seen on the ASA if you run the command 'show interface Ethernet0/1'

4) If this is a recent migration, the upstream router (your ISP) may have the wrong MAC address listed for the translated address of 10.0.0.6. You can try reloading the upstream router to clear this condition. (An enhance bug was filed to help prevent this issue in the future, it is not yet integrated into any code tho... CSCsy85614 ).

Let me know the results of the above points and if the above helps you track down the issue,please marked this question as 'resolved'.

-Magnus.

Re: Weird behavior in ASA5510

Panos Kampanakis — Sat, 24 Jul 2010 00:59:12 GMT

This could be a translation issue, you might be going out using nat exmption (nat 0).

What are the dhcp assigned ip addresses that don't work?

Re: Weird behavior in ASA5510

Nagaraja Thanthry — Sat, 24 Jul 2010 00:59:25 GMT

Hello,

The issue seems to be with your ISP router having wrong ARP entry for the public IP addresses that are mapped to the devices with static IP addresses on the inside. I would suggest you reboot the ISP router (or talk to ISP and have them flush the ARP Cache) and see if that fixes the issue.

Hope this helps.

Regards,

Re: Weird behavior in ASA5510

aerosml866 — Wed, 28 Jul 2010 00:43:45 GMT

Thank you for your reply.

After I talked with Telepacific, ISP, it looks like it's not corrupt arp.

Arp will eventully flushed out with TTL and no changes made for static ip pcs.

When I load ASDM, the Remote Desktop firewall rule to one of static IP pc shows hit count of 0.

It sounds more like translation issue.

I am not sure of my config cause I experienced there is always little different setup from version to version.

Your proposal of 1 and 3 all works fine.

Re: Weird behavior in ASA5510

aerosml866 — Wed, 28 Jul 2010 00:46:12 GMT

Yes it feels me it more like translation issue.

DHCP server is 10.0.0.6

One of the fixed IP pc is 10.0.0.34 which has public IP assigned to it with static command.

Remote RDP to it does not work and ASDM shows no hit!

Re: Weird behavior in ASA5510

Nagaraja Thanthry — Wed, 28 Jul 2010 05:41:28 GMT

Hello,

So, you are not seeing any hit counts for the access-lists corresponding to these public IP's? If that is the case, the firewall is not seeing any packets on the outside interface for those IP's. Can you try adding a generic rule for one of the IP's (access-list line 1 permit ip any host ) and try to ping that public IP from the outside world? If that works, we know for sure that the ISP is sending the packets towards your ISP. If you do not see any hit count increase even after adding the above line, that means the ISP is not forwarding anything for that host in which case, you might have to go back to the ISP and have them do some investigation.

Hope this helps.

Regards,