ASA 5510 Not Receiving Internally Inbound

vemlyon — Mon, 11 Mar 2019 17:24:20 GMT

ASA 5510 7.21 -- it's driving me crazy!

The device itself can ping and be pinged, so internet connectivity is good. The packet trace function says the inbound traffic *should* be permitted "RESULT - The packet is allowed." for any number of protocols I test, and the same with outbound traffic.

However, nothing gets through. Logging shows outbound connections get SYN timeouts, and inbound connections never reach the firewall itself.

It *seems* as if the firewall is not recognizing inbound requests for IP addresses it has NAT rules for.

There are multiple firewalls on the same internet routed segment, but the other firewalls all accept their inbound requests for the IPs that reside in their NAT lists without any problem.

I have enabled Proxy ARP on the external interface.

What am I missing? Thanks in advance!

names
name 64.15.112.86 VL description VLremote
name 69.220.176.251 comgmt description Monitoring Server
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 69.220.176.235 255.255.255.192
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.1.1.35 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.1.41
name-server 10.1.1.42
domain-name ilsasp.com
same-security-traffic permit intra-interface
object-group network CitrixServers
description Citrix Xen App Servers
network-object host 69.220.176.244
network-object host 69.220.176.245
network-object host 69.220.176.246
object-group network DBservers
description database servers
network-object host 10.1.1.43
network-object host 10.1.1.48
object-group network HostingLocs
description Locations involved in monitoring
network-object 66.77.28.128 255.255.255.224
network-object 69.220.176.192 255.255.255.192
network-object host 66.9.111.7
network-object host 66.9.111.8
object-group network ILSrhowell
description ILS db admin access
network-object host 206.27.25.14
network-object 210.157.151.0 255.255.255.0
network-object host 212.11.55.124
object-group network colocs
description co secure remote locations
network-object host 209.46.39.207
network-object host 209.46.39.208
object-group network WebServers
description Servers hosting web applications
network-object host 69.220.176.233
network-object host 69.220.176.243
network-object host comgmt
object-group service citrix-sr tcp
description SessionReliability
port-object range 2598 2598
object-group service citrix-xml tcp
description XML
port-object range 5321 5321
object-group service CitrixXenApp tcp
description All XenApp Services
port-object eq citrix-ica
group-object citrix-sr
group-object citrix-xml
object-group service DBmgmt tcp
description ftp and rdp for ils db server management
port-object eq ftp-data
port-object eq ftp
port-object range 3389 3389
object-group service cimweb tcp
description Insight Manager Web Access
port-object range 2301 2301
object-group service cim tcp
description Insight Manager
port-object range 280 280
group-object cimweb
object-group service coservices tcp
description Services allowed to secure co locations
group-object CitrixXenApp
port-object eq ftp-data
port-object eq ftp
port-object eq telnet
port-object range 3389 3389
port-object eq https
port-object eq echo
port-object eq www
group-object cim
object-group service coservicesudp udp
description UPD services permitted to secure co locations
port-object eq time
port-object eq echo
object-group service MonitoringTCP tcp
description TCP based monitoring services
port-object eq echo
group-object cim
object-group service MonitoringUDP udp
description Monitoring services via UDP
port-object eq snmp
port-object eq snmptrap
port-object eq echo
object-group service WebPorts tcp
description http and https
port-object eq https
port-object eq www
object-group network AllInternal
description All internal IPs permitted outbound
network-object 10.1.1.0 255.255.255.0
network-object 69.220.176.192 255.255.255.192
access-list outside_access_in remark Citrix PS aka XenApp
access-list outside_access_in extended permit tcp any object-group CitrixServers
object-group CitrixXenApp
access-list outside_access_in extended permit tcp object-group ILSrhowell object
-group DBservers object-group DBmgmt
access-list outside_access_in remark Permitted access from co secure locs via T
CP
access-list outside_access_in extended permit tcp object-group colocs any objec
t-group coservices
access-list outside_access_in remark Permitted access from co secure locs via U
DP
access-list outside_access_in extended permit udp object-group colocs any objec
t-group coservicesudp
access-list outside_access_in extended permit ip host VL any
access-list outside_access_in remark General web server access
access-list outside_access_in extended permit tcp any object-group WebServers ob
ject-group WebPorts
access-list outside_access_in remark Mail alerts from Brewer
access-list outside_access_in extended permit tcp host 69.220.176.225 host comgmt
eq smtp
access-list outside_access_in remark TCP monitoring
access-list outside_access_in extended permit tcp object-group HostingLocs host
comgmt object-group MonitoringTCP
access-list outside_access_in remark UDP monitoring
access-list outside_access_in extended permit udp object-group HostingLocs host
comgmt object-group MonitoringUDP
access-list outside_access_out extended permit ip object-group AllInternal any
access-list inside_access_in remark Permit all outbound.
access-list inside_access_in extended permit ip object-group AllInternal any
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.1.1.128 255.255.255.128
static (inside,outside) comgmt 10.1.1.51 netmask 255.255.255.255
static (inside,outside) 69.220.176.252 10.1.1.52 netmask 255.255.255.255
static (inside,outside) 69.220.176.233 10.1.1.33 netmask 255.255.255.255
static (inside,outside) 69.220.176.232 10.1.1.32 netmask 255.255.255.255
static (inside,outside) 69.220.176.234 10.1.1.34 netmask 255.255.255.255
static (inside,outside) 69.220.176.241 10.1.1.41 netmask 255.255.255.255
static (inside,outside) 69.220.176.242 10.1.1.42 netmask 255.255.255.255
static (inside,outside) 69.220.176.243 10.1.1.43 netmask 255.255.255.255
static (inside,outside) 69.220.176.244 10.1.1.44 netmask 255.255.255.255
static (inside,outside) 69.220.176.245 10.1.1.45 netmask 255.255.255.255
static (inside,outside) 69.220.176.246 10.1.1.46 netmask 255.255.255.255
static (inside,outside) 69.220.176.248 10.1.1.48 netmask 255.255.255.255
static (inside,outside) 69.220.176.236 10.1.1.36 netmask 255.255.255.255
static (inside,outside) 69.220.176.237 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 69.220.176.238 10.1.1.38 netmask 255.255.255.255
static (inside,outside) 69.220.176.250 10.1.1.50 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.220.176.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

Re: ASA 5510 Not Receiving Internally Inbound

Jennifer Halim — Mon, 22 Mar 2010 04:32:06 GMT

1) Is there any hitcount on your outside ACL for the traffic that you test? "show access-list outside_access_in"

2) Please turn on logging, and see if you have any error logs.

3) I would also try "clear xlate" just in case you have other type of xlate in the xlate table prior to the new configuration.

Re: ASA 5510 Not Receiving Internally Inbound

vemlyon — Mon, 22 Mar 2010 04:49:57 GMT

Hmm... I suspect you came close with the xlate -- after trying to figure this out all afternoon, I left it alone to do some other work while I waited to see if anybody would answer here, and when I went to look at the log... it was working! Something was cached somewhere that was causing problems. Not sure exactly what, as this is a new box (just configured today), possibly something in an ISP router.

Thank you!!

Re: ASA 5510 Not Receiving Internally Inbound

Jennifer Halim — Mon, 22 Mar 2010 04:53:40 GMT

Great to hear, thanks for your update.

topic Re: ASA 5510 Not Receiving Internally Inbound in Network Security

ASA 5510 Not Receiving Internally Inbound

Re: ASA 5510 Not Receiving Internally Inbound

Re: ASA 5510 Not Receiving Internally Inbound

Re: ASA 5510 Not Receiving Internally Inbound