cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
601
Views
4
Helpful
2
Replies

ASA 5505 having issues connecting consistently

Kevin Ryan
Level 1
Level 1

I've got an ASA that seems to be a bit jumpy.  I think there is an ACL conflict that is keeping things from working right but I can't seem to find it.  Yes we have a need for this many ACLs. 

Pinging from inside the tunnel I can hit the outside address 100%.  The inside address about 40-60%. 

I’ve been seeing the inside interface becoming unreachable, while the outside is up.  In ASDM I’m seeing the following when the inside interface becomes unreachable.   It looks like the interface is denying packets from a local host on the inside to the 10. Subnet. 

I have the 10.17.51.0/24 and the 10.17.22.0/23 local subnets that have this error.

2

Oct   29 2013

12:39:18

106001

10.17.51.205

63885

10.100.0.50

17274

Inbound   TCP connection denied from 10.17.51.205/63885 to 10.100.0.50/17274 flags ACK   on interface inside

2

Oct   29 2013

12:39:18

106001

10.17.51.173

63582

10.100.0.50

17274

Inbound   TCP connection denied from 10.17.51.173/63582 to 10.100.0.50/17274 flags ACK   on interface inside

Any thoughts?

Kevin

Here's the config.

ASA Version 8.2(5)

!

hostname xxxxxxxxxxxxxxxxxx

domain-name xxxxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.17.227.17 255.255.255.248

!

interface Vlan2

nameif outside

security-level 0

ip address 67.xx.xx.xx 255.255.255.128

!

boot system disk0:/asa825-k8.bin

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

domain-name xxxxxxxxxxxxxx

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any unreachable

access-list 101 extended deny icmp any any echo

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit ip 66.xx.xx.xx 255.255.255.0 any

access-list 101 extended permit ip 208.xx.xx.xx 255.255.255.192 any

access-list 101 extended permit ip host 71.xx.xx.xx any

access-list 101 extended permit ip host 216.xx.xx.xx any

access-list 199 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 199 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248

access-list 199 extended permit ip 10.17.226.8 255.255.255.248 10.17.225.16 255.255.255.248

access-list 102 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 102 extended permit udp 10.17.22.0 255.255.254.0 any eq domain

access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq https

access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq ftp

access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq www

access-list 102 extended permit icmp 10.17.22.0 255.255.254.0 any echo

access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 any eq ssh

access-list 102 extended permit tcp 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 102 extended permit udp 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 180 extended permit ip 10.17.226.8 255.255.255.248 10.17.225.16 255.255.255.248

access-list 179 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 179 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248

access-list 190 extended permit ip 10.17.22.0 255.255.254.0 any

access-list 190 extended permit ip 10.17.51.0 255.255.255.0 any

access-list 190 extended permit ip 10.17.227.16 255.255.255.248 any

access-list 103 extended permit ip 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list 103 extended permit udp 10.17.51.0 255.255.255.0 any eq domain

access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq https

access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq ftp

access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq www

access-list 103 extended permit icmp 10.17.51.0 255.255.255.0 any echo

access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 any eq ssh

access-list 103 extended permit tcp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list 103 extended permit udp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list 103 extended permit udp 10.17.51.0 255.255.255.0 10.0.0.0 255.0.0.0 eq dnsix

pager lines 48

logging enable

logging timestamp

logging buffered warnings

logging trap notifications

logging asdm informational

logging facility 23

mtu inside 1500

mtu outside 1492

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 199

nat (inside) 1 access-list 190

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 67.xx.xx.xx 1

route inside 10.0.0.0 255.0.0.0 10.17.227.18 1

route inside 10.17.22.0 255.255.254.0 10.17.227.18 1

route outside 10.17.225.16 255.255.255.248 67.xx.xx.xx 1

route outside 10.17.226.0 255.255.255.248 67.xx.xx.xx 1

route inside 10.17.226.8 255.255.255.248 10.17.227.18 1

timeout xlate 5:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 4:30:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.17.0.41

key *****

aaa-server RADIUS (inside) host 10.16.0.41

key *****

aaa-server RADIUS (inside) host 10.14.0.41

key *****

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

http 72.xx.xx.xx 255.255.255.248 outside

snmp-server host inside 10.14.0.2 poll community *****

snmp-server location xxxxxxxx

snmp-server contact xxxxxxxxxxxxxxxxxxxxxxxx

snmp-server community xxxxxxxxxxxxx

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map IPSEC 16 match address 180

crypto map IPSEC 16 set peer 72.xx.xx.xx

crypto map IPSEC 16 set transform-set 3DES_MD5

crypto map IPSEC 17 match address 179

crypto map IPSEC 17 set peer 69.xx.xx.xx

crypto map IPSEC 17 set transform-set 3DES_MD5

crypto map IPSEC interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 14

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 1

ssh 10.0.0.0 255.0.0.0 inside

ssh 67.xx.xx.xx 255.255.255.255 outside

ssh 67.xx.xx.xx 255.255.255.255 outside

ssh 66.xx.xx.xx 255.255.255.0 outside

ssh 208.xx.xx.xx 255.255.255.192 outside

ssh 71.xx.xx.xx 255.255.255.255 outside

ssh 67.xx.xx.xx 255.255.255.255 outside

ssh 72.xx.xx.xx 255.255.255.248 outside

ssh timeout 60

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.xx.xx.xx source outside prefer

ntp server 12.xx.xx.xx source outside

ntp server 10.16.0.41 source inside

webvpn

username xxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxx encrypted

tunnel-group 72.xx.xx.xx type ipsec-l2l

tunnel-group 72.xx.xx.xxipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxxxxxxx

tunnel-group 69.xx.xx.xx type ipsec-l2l

tunnel-group 69.xx.xx.xx ipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxxxxxxx

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 4096

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect http

  inspect h323 h225

  inspect h323 ras

  inspect ils

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect tftp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

2 Replies 2

Kevin Ryan
Level 1
Level 1

For future reference -

I found the solution it seems.  I set up hairpinning inter and intra.

That solved the problem of routing the 51.x network so I could look at the acls. 

Here's the results and the commands I used.

Once I had an odea which acl was broken I removed it and we seem to be working???

Kevin

fw1(config)# packet-tracer input inside tcp 10.17.51.205 2055 10.100.0$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.0.0.0       inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

fw1(config)# same-security-traffic permit inter-interface

fw1(config)#

fw1(config)# same-security-traffic permit intra-interface

fw1# packet-tracer input inside tcp 10.17.51.205 2055 10.100.0.230 2055

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.0.0.0       inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 access-list 190

  match ip inside 10.17.51.0 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 176, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

The first thing that catches my eyes in the configuration is the fact that you have both routed the network 10.0.0.0/8 to the "inside" and also defined it as a destination network in a L2L VPN connection. I would suggest being more specific in the related configurations.

Are you having problems related to some of the L2L VPN connections? Or what is the "packet-tracer" supposed to test? If the test is supposed to match the L2L VPN connection then there is naturally a problem as the packet is routed towards "inside" and not "outside".

I noticed this L2L VPN has a very wide and overlapping destination network in the configurations and it might cause problems

access-list 179 extended permit ip 10.17.22.0 255.255.254.0 10.0.0.0 255.0.0.0

access-list 179 extended permit ip 10.17.226.8 255.255.255.248 10.17.226.0 255.255.255.248

crypto map IPSEC 17 match address 179

crypto map IPSEC 17 set peer 69.xx.xx.xx

crypto map IPSEC 17 set transform-set 3DES_MD5

which overlaps with one of the static routes also

route inside 10.0.0.0 255.0.0.0 10.17.227.18 1

I can't be sure if this causes problems but its a very likely source atleast and something I would try to change by specifying the actual separate 10-subnets in the L2L VPN ACL (which might require changes to the L2L VPN on the remote end too naturally)

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: