10-30-2013 03:13 PM - edited 03-11-2019 07:58 PM
I've got an ASA that seems to be a bit jumpy. I think there is an ACL conflict that is keeping things from working right but I can't seem to find it. Yes we have a need for this many ACLs.
Pinging from inside the tunnel, I can hit the outside address 100%. The inside address about 40-60%.
I've been seeing the inside interface becoming unreachable, while the outside is up. In ASDM I'm seeing the following when the inside interface becomes unreachable. It looks like the interface is denying packets from a local host on the inside to the 10. subnet.
I have the 10.17.51.0/24 and the 10.17.22.0/23 local subnets that have this error.
2 | Oct 29 2013 | 12:39:18 | 106001 | 10.17.51.205 | 63885 | 10.100.0.50 | 17274 | Inbound TCP connection denied from 10.17.51.205/63885 to 10.100.0.50/17274 flags ACK on interface inside |
2 | Oct 29 2013 | 12:39:18 | 106001 | 10.17.51.173 | 63582 | 10.100.0.50 | 17274 | Inbound TCP connection denied from 10.17.51.173/63582 to 10.100.0.50/17274 flags ACK on interface inside |
Any thoughts?
Kevin
Here's the config.
ASA Version 8.2(5)
!
hostname xxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.17.227.17 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 67.xx.xx.xx 255.255.255.128
!
boot system disk0:/asa825-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxx
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended deny icmp any any echo
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit ip 66.xx.xx.xx 255.255.255.0 any
access-list 101 extended permit ip 208.xx.xx.xx 255.255.255.192 any
access-list 101 extended permit ip host 71.xx.xx.xx any
access-list 101 extended permit ip host 216.xx.xx.xx any
access-list 199 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 199 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248
access-list 199 extended permit ip 10.17.226.8 255.255.255.248 10.17.225.16 255.255.255.248
access-list 102 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 102 extended permit udp 10.17.22.0 255.255.254.0 any eq domain
access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq https
access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq ftp
access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq www
access-list 102 extended permit icmp 10.17.22.0 255.255.254.0 any echo
access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq ssh
access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 102 extended permit udp 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 180 extended permit ip 10.17.226.8 255.255.255.248 10.17.225.16 255.255.255.248
access-list 179 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 179 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248
access-list 190 extended permit ip 10.17.22.0 255.255.254.0 any
access-list 190 extended permit ip 10.17.51.0 255.255.255.0 any
access-list 190 extended permit ip 10.17.227.16 255.255.255.248 any
access-list 103 extended permit ip 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 extended permit udp 10.17.51.0 255.255.255.0 any eq domain
access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq https
access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq ftp
access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq www
access-list 103 extended permit icmp 10.17.51.0 255.255.255.0 any echo
access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq ssh
access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 extended permit udp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 extended permit udp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0 eq dnsix
pager lines 48
logging enable
logging timestamp
logging buffered warnings
logging trap notifications
logging asdm informational
logging facility 23
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 199
nat (inside) 1 access-list 190
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 67.xx.xx.xx 1
route inside 10.0.0.0 255.0.0.0 10.17.227.18 1
route inside 10.17.22.0 255.255.254.0 10.17.227.18 1
route outside 10.17.225.16 255.255.255.248 67.xx.xx.xx 1
route outside 10.17.226.0 255.255.255.248 67.xx.xx.xx 1
route inside 10.17.226.8 255.255.255.248 10.17.227.18 1
timeout xlate 5:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 4:30:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.17.0.41
key *****
aaa-server RADIUS (inside) host 10.16.0.41
key *****
aaa-server RADIUS (inside) host 10.14.0.41
key *****
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http 72.xx.xx.xx 255.255.255.248 outside
snmp-server host inside 10.14.0.2 poll community *****
snmp-server location xxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxxx
snmp-server community xxxxxxxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSEC 16 match address 180
crypto map IPSEC 16 set peer 72.xx.xx.xx
crypto map IPSEC 16 set transform-set 3DES_MD5
crypto map IPSEC 17 match address 179
crypto map IPSEC 17 set peer 69.xx.xx.xx
crypto map IPSEC 17 set transform-set 3DES_MD5
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 14
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 1
ssh 10.0.0.0 255.0.0.0 inside
ssh 67.xx.xx.xx 255.255.255.255 outside
ssh 67.xx.xx.xx 255.255.255.255 outside
ssh 66.xx.xx.xx 255.255.255.0 outside
ssh 208.xx.xx.xx 255.255.255.192 outside
ssh 71.xx.xx.xx 255.255.255.255 outside
ssh 67.xx.xx.xx 255.255.255.255 outside
ssh 72.xx.xx.xx 255.255.255.248 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.xx.xx.xx source outside prefer
ntp server 12.xx.xx.xx source outside
ntp server 10.16.0.41 source inside
webvpn
username xxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxx encrypted
tunnel-group 72.xx.xx.xx type ipsec-l2l
tunnel-group 72.xx.xx.xx ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxxxx
tunnel-group 69.xx.xx.xx type ipsec-l2l
tunnel-group 69.xx.xx.xx ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect http
inspect h323 h225
inspect h323 ras
inspect ils
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
10-31-2013 07:44 AM
For future reference -
I found the solution it seems. I set up hairpinning inter and intra.
That solved the problem of routing the 51.x network so I could look at the ACLs.
Here's the results and the commands I used.
Once I had an idea which ACL was broken, I removed it and we seem to be working???
Kevin
fw1(config)# packet-tracer input inside tcp 10.17.51.205 2055 10.100.0$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
fw1(config)# same-security-traffic permit inter-interface
fw1(config)#
fw1(config)# same-security-traffic permit intra-interface
fw1# packet-tracer input inside tcp 10.17.51.205 2055 10.100.0.230 2055
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 access-list 190
match ip inside 10.17.51.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 176, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
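Reading a packet-tracer run by hand is fine for one trace, but when a box has several crypto maps and NAT rules it is easier to pull out the phase that dropped and the config lines the ASA matched. The following is an added example, not the poster's or Cisco's code: a small parser for the packet-tracer text format shown in the post above, run on a constructed, trimmed copy of the second trace (phases 1 and 3 omitted).

```python
# Constructed, trimmed copy of the second packet-tracer run from the post above.
TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Phase: 4
Type: NAT
Result: DROP
Config:
nat (inside) 1 access-list 190
match ip inside 10.17.51.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in trace.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the closing summary block
            cur = None
        elif cur is None:  # summary lines such as 'Action: drop'
            if ": " in line:
                summary.update([line.split(": ", 1)])
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None and ": " in line:
            key, val = line.split(": ", 1)
            cur[key.lower()] = val
        elif section:
            cur[section].append(line)
    return phases, summary

def drop_phase(trace):
    """Return (phase, type, config lines, drop reason) of the first DROP, else None."""
    phases, summary = parse_trace(trace)
    for p in phases:
        if p.get("result") == "DROP":
            return p["phase"], p["type"], p["config"], summary.get("Drop-reason")
    return None
```

On this trace the dropping phase is NAT: the inside-to-inside flow matches `nat (inside) 1 access-list 190` but the only global pool is on `outside`, so there is no translation for a hairpinned flow.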
10-31-2013 08:54 AM
Hi,
The first thing that catches my eye in the configuration is the fact that you have both routed the network 10.0.0.0/8 to the "inside" and also defined it as a destination network in a L2L VPN connection. I would suggest being more specific in the related configurations.
Are you having problems related to some of the L2L VPN connections? Or what is the "packet-tracer" supposed to test? If the test is supposed to match the L2L VPN connection then there is naturally a problem as the packet is routed towards "inside" and not "outside".
I noticed this L2L VPN has a very wide and overlapping destination network in the configurations and it might cause problems:
access-list 179 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 179 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248
crypto map IPSEC 17 match address 179
crypto map IPSEC 17 set peer 69.xx.xx.xx
crypto map IPSEC 17 set transform-set 3DES_MD5
which overlaps with one of the static routes also:
route inside 10.0.0.0 255.0.0.0 10.17.227.18 1
I can't be sure if this causes problems but it's a very likely source at least and something I would try to change by specifying the actual separate 10-subnets in the L2L VPN ACL (which might require changes to the L2L VPN on the remote end too, naturally).
- Jouni
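The overlap Jouni points at (a crypto-map ACL whose destination is the whole 10.0.0.0/8 while a static route sends 10.0.0.0/8 out "inside") can be checked mechanically before it reaches production. This is an added example, not code from either poster or from Cisco: it parses the relevant `access-list`, `crypto map ... match address` and `route` lines from a constructed excerpt of the config above and reports every crypto ACL destination that overlaps a static route pointing away from the VPN-terminating interface (assumed to be `outside`, as in the config).

```python
import ipaddress
import re

# Constructed excerpt of the config posted in this thread (next hops as posted).
CONFIG = """
access-list 179 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list 179 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248
access-list 180 extended permit ip 10.17.226.8 255.255.255.248 10.17.225.16 255.255.255.248
crypto map IPSEC 16 match address 180
crypto map IPSEC 17 match address 179
route inside 10.0.0.0 255.0.0.0 10.17.227.18 1
route inside 10.17.22.0 255.255.254.0 10.17.227.18 1
route outside 10.17.225.16 255.255.255.248 67.xx.xx.xx 1
route outside 10.17.226.0 255.255.255.248 67.xx.xx.xx 1
route inside 10.17.226.8 255.255.255.248 10.17.227.18 1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) ")

def net(addr, mask):
    # ASA writes address + dotted mask; ipaddress accepts "addr/dotted-mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def find_overlaps(config, vpn_iface="outside"):
    """Return (crypto-map seq, ACL, ACL destination, route iface, route prefix)
    for every crypto-map ACL destination that overlaps a static route pointing
    somewhere other than the VPN-terminating interface."""
    acls, maps, routes = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(net(m[4], m[5]))
        elif m := MAP_RE.match(line):
            maps[m[1]] = m[2]
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], net(m[2], m[3])))
    hits = []
    for seq, acl in sorted(maps.items()):
        for dst in acls.get(acl, []):
            for iface, prefix in routes:
                if iface != vpn_iface and dst.overlaps(prefix):
                    hits.append((seq, acl, str(dst), iface, str(prefix)))
    return hits

if __name__ == "__main__":
    for seq, acl, dst, iface, prefix in find_overlaps(CONFIG):
        print(f"crypto map seq {seq} (ACL {acl}) dst {dst} overlaps 'route {iface} {prefix}'")
```

Every hit is a destination the ASA may route out "inside" in clear text rather than encrypt, so each one should be narrowed to the real remote subnets (and the remote end's crypto ACL adjusted to match).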