topic Re: ASA 5506-X, Under default settings, how to set outside Gateway in Network Security

ASA 5506-X, Under default settings, how to set outside Gateway

JamesNewton — Fri, 21 Feb 2020 16:23:59 GMT

ASA 5506-X, Under default settings, how to set outside Gateway

THE GOAL:
Trying to get this to work in the most basic possible setup. Reset to defaults, then set fixed PUBLIC OUTSIDE IP address on "outside" Interface to ...50 (not showing the first three octets since you don't need to know them) as directed by my ISP which is our correct public IP address. KEY POINT: My ISP has the gateway at ...49. NOT ...48. With the netmask set to 255.255.255.240, as directed by ISP, a network object called "outside-network" appears with an ip address of ...48. I started wondering: Maybe that's the gateway address that the router will use for traffic going to the outside interface, which connects to the modem, but that can't be right.. Anyway, I tried to add a direct static, see below.

If I try to edit that to ...49, I get and error "The IP Address ...49 does not match with the Network 255.255.255.240. - To specify a network use ...48/255.255.255.240. - To specify a host use ...49/255.255.255.255." I did try the latter, but it didn't /appear/ to work. 50 other things could have gotten in the way.

I'm assuming you have to setup the gateway by adding a route. So I add a direct route from "inside" network 192.168.1.0/24 to the gateway ip address, (...49).

THE SYMPTOMS:
In all cases, using the Tool / Ping menu, I get responses from the .50 and .49 when it is set to come from "outside" but not when it's coming from the "inside"

Also, the route from outside to the server for HTTP, SMTP, etc... isn't working. Logs say it being blocked by the ACL. But I have access-list entries for the server for those services.

Any idea what I'm doing wrong?

THE (anonymized) SETUP:

!
hostname ciscoasa
enable password $sha512$...
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address ...50 255.255.255.240
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.10 inside
name-server 208.67.220.220 outside
name-server 68.105.28.16 outside
name-server 8.8.8.8 outside
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network server
host 192.168.1.10
description Server
object network me
host 123.123.123.51
object network myself
host 221.412.333.221
object network I
host 111.222.333.230
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
description Remote Desktop Protocal
port-object eq 3389
object-group network us
network-object object me
network-object object nyself
network-object object I
access-list outside_access_in remark HTTP Server
access-list outside_access_in extended permit tcp interface any object server object-group DM_INLINE_TCP_1
access-list outside_access_in remark SMTP Server
access-list outside_access_in extended permit tcp interface any object server eq smtp
access-list outside_access_in remark VPN Server
access-list outside_access_in extended permit tcp object-group us object server eq pptp
access-list outside_access_in remark RDP Server
access-list outside_access_in extended permit object-group TCPUDP object-group us object server object-group rdp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username myself password $sha512$5000$... pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command eigrp
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum: ...
: end

Re: ASA 5506-X, Under default settings, how to set outside Gateway

Alex Pfeil — Fri, 26 Oct 2018 03:46:41 GMT

It seems that .49 would be part of the 255.255.255.240 network.
Example:
Route outside 0.0.0.0 0.0.0.0 x.x.x.49

Please mark helpful posts.

Re: ASA 5506-X, Under default settings, how to set outside Gateway

JamesNewton — Fri, 26 Oct 2018 20:55:18 GMT

Yep, thanks Alex, that's /exactly/ what I did try. Still doesn't work, (no ping to .49 from inside) but at least now I feel like I wasn't totally stupid. Any idea how to troubleshoot that not working?

I'm realizing I may not have been clear: OUR PUBLIC OUTSIDE IP address on "outside" Interface is ...50 (not showing the first three octets since you don't need to know them). KEY POINT: My ISP has the gateway at ...49. NOT ...48.

So why doesn't the ASA send traffic from inside to the outside gateway at ...49?

Re: ASA 5506-X, Under default settings, how to set outside Gateway

JamesNewton — Mon, 29 Oct 2018 03:11:47 GMT

Please? Anyone? I really need some help here understanding how to troubleshoot this.

Re: ASA 5506-X, Under default settings, how to set outside Gateway

Marvin Rhoads — Mon, 29 Oct 2018 05:13:03 GMT

Please confirm that you currently have the command:

route outside 0.0.0.0 0.0.0.0 x.x.x.50

...as there wasn't any route command in your initial posted configuration.

You can't ping an outside address from the ASA inside interface address.

Instead source the traffic from an IP address on the inside subnet. You also need to add "inspect icmp" for the ASA to track icmp requests and allow the echo replies.

class inspection_default
inspect icmp

Also, your incoming traffic won't work properly with the ACL you have since you are only using dynamic NAT. You will need some static NAT entries to tell the ASA which address to translate the incoming traffic to when it is destined for the defined services (HTTP, SMTP, VPN, RDP)

Re: ASA 5506-X, Under default settings, how to set outside Gateway

JamesNewton — Mon, 29 Oct 2018 22:27:11 GMT

THANK YOU MARVIN! I had no idea that icmp command was needed. It turns out the routing WAS working inside to outside (with the route command, which I had added) but I didn't realize it because I was looking for pings. As soon as I tried hitting a web page, it worked just fine.

I'm debating adding the icmp commands since I shouldn't need them once this is setup.

You are right, however, the incoming traffic does NOT work. When I try to add a static route, I get this:

[OK]  object network server-www
      object network server-www
[OK] host 192.168.1.10
[ERROR] nat (inside,outside) static /0 service tcp 80 80
	
nat (inside,outside) static /0 service tcp 80 80
           ^
ERROR: % Invalid input detected at '^' marker.

I'm trying to read the manual to figure out what is wrong with that comma... The examples in
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-basics.html#ID-2090-0000083f

all show that same syntax ("nat (inside,outside) ... "), so I'm really confused. Any help appreciated.

The current show run is: (anonymized of course)

ASA Version 9.8(2) 
!
hostname ciscoasa
enable password asdfsadf
names

!
interface GigabitEthernet1/1
 mac-address 1234.ffff.4321
 nameif outside
 security-level 0
 ip address ...50 255.255.255.240 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0 
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10 inside
 name-server 208.67.220.220 outside
 name-server 8.8.8.8 outside
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network server
 host 192.168.1.10
 description Server
object network server-www
 host 192.168.1.10
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rdp tcp-udp
 description Remote Desktop Protocal
 port-object eq 3389
access-list outside_access_in remark HTTP Server
access-list outside_access_in extended permit tcp any object server object-group DM_INLINE_TCP_1 
access-list outside_access_in remark SMTP Server
access-list outside_access_in extended permit tcp any object server eq smtp 
access-list outside_access_in remark VPN Server
access-list outside_access_in extended permit tcp any object server eq pptp 
access-list outside_access_in remark RDP Server
access-list outside_access_in extended permit object-group TCPUDP any object server object-group rdp 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ...49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authorization command LOCAL 
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username my_user password $asdfasdfsadf privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command eigrp
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:a16e705418fb86508ee03963c6944ad1
: end

Re: ASA 5506-X, Under default settings, how to set outside Gateway

Marvin Rhoads — Tue, 30 Oct 2018 07:53:14 GMT

You're welcome.

Your new NAT statement needs to reference one of the nameifs assigned to the specific physical interfaces (inside_1, 2, etc) vs. the generic "inside" nameif used by the BVI.