topic ASA 5515 internet NAT problem in Network Security

ASA 5515 internet NAT problem

Wayne Sitton — Fri, 21 Feb 2020 16:00:03 GMT

Been a while since I configured an ASA. it's a

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)

I got the outside configured ok. I can ping out. I can ping switches internal. I have anyconnect working and can get to internal switches. but I can not get to the internet from inside, it doesn't even ping outside from the internal interface. I'm sure I must have something wrong in the NAT rules, but I guess I'm missing it. below is what I think is relevant. attached is the full config. Any help would be appreciated.

access-list split-acl remark split tunnel for anyconnect
access-list split-acl standard permit 10.69.138.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any

!
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.69.10.0_25 NETWORK_OBJ_10.69.10.0_25 no-proxy-arp route-lookup
nat (any,any) source static any any inactive description default nat
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_dmz
nat (dmz,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
router ospf 1
network 10.69.138.0 255.255.255.0 area 0
area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

Re: ASA 5515 internet NAT problem

Bogdan Nita — Tue, 24 Jul 2018 10:30:16 GMT

Config looks ok as far as I can tell.
Can you post the output from the following command ?
packet-tracer input inside icmp 10.69.138.10 8 0 8.8.8.8

HTH

Bogdan

Re: ASA 5515 internet NAT problem

Wayne Sitton — Tue, 24 Jul 2018 13:43:27 GMT

packet-tracer input inside icmp 10.69.138.10 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 205.251.151.225 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.69.138.10/0 to 205.251.151.226/33560

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 17291, packet dispatched to next module

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.69.138.10/0 to 205.251.151.226/33560

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 205.251.151.225 using egress ifc outside

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 8875.563c.e8c0 hits 2 reference 2

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Re: ASA 5515 internet NAT problem

aaron.hackney — Tue, 24 Jul 2018 14:55:12 GMT

Can you turn on your buffered logging and then show log after attempting an outbound ping from an inside server?

show asp drop

might also reveal some answers for you.

Re: ASA 5515 internet NAT problem

Bogdan Nita — Tue, 24 Jul 2018 15:13:21 GMT

Based on the packet-tracer output ping it should work.
Are you testing from a host connected to inside ?

To confirm that the asa is actually sending out the packets you could also do a capture:
capture CAP interface outside match icmp host 205.251.151.226 host 8.8.8.8
ping 8.8.8.8 from inside host
sh capture CAP ! to view the packets
no capture CAP ! to disable the capture

Re: ASA 5515 internet NAT problem

Wayne Sitton — Wed, 25 Jul 2018 15:45:00 GMT

tcts-FW-01# sho asp drop

Frame drop:
NAT-T keepalive message (natt-keepalive) 50
Invalid TCP Length (invalid-tcp-hdr-length) 1
No route to host (no-route) 13483
Flow is denied by configured rule (acl-drop) 16427
No same-security-traffic configured (no-same-security-traffic) 108
First TCP packet not SYN (tcp-not-syn) 25269
TCP failed 3 way handshake (tcp-3whs-failed) 69
TCP RST/FIN out of order (tcp-rstfin-ooo) 122
TCP RST/SYN in window (tcp-rst-syn-in-win) 85
CTM returned error (ctm-error) 4
FP L2 rule drop (l2_acl) 5
Interface is down (interface-down) 3
Dropped pending packets in a closed socket (np-socket-closed) 8

Last clearing: Never

Flow drop:
NAT reverse path failed (nat-rpf-failed) 50
Inspection failure (inspect-fail) 98
SSL bad record detected (ssl-bad-record-detect) 53
SSL handshake failed (ssl-handshake-failed) 37

Last clearing: Never
tcts-FW-01#

Re: ASA 5515 internet NAT problem

Wayne Sitton — Tue, 31 Jul 2018 00:26:32 GMT

Okay, I was able to get to a host on the inside for testing.

I am able to get to the internet from the host, so I guess Nat is working.

So, I'm guessing my ping from the ASA inside is being blocked, although the rule to allow is there.

Re: ASA 5515 internet NAT problem

aaron.hackney — Wed, 01 Aug 2018 12:32:55 GMT

Glad to hear it Wayne,

I see the rules you posted are:

access-list outside_access_in extended permit icmp any any 
access-list dmz_access_in extended permit icmp any any

These rules affect ICMP packets going through the device but not to the device.

If you want to allow ICMP pings that terminate at the ASA interface, you would need to use the global command ICMP.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html

Hope that helps!

-A