ASA 5505 Issue, nat 8.31

1janwalli
Level 1

ASA 5505 problem
I have an ASA 5505 here and am trying to configure it for a small network.
I used ASDM, starting with the wizard.
I use ASA 8.31.
I can ping from inside to outside,
but I cannot get Internet access.
 

I constantly get the following error message in the ASDM log:

3    Feb 03 2011    06:58:46    106014    194.25.0.70        192.168.5.100        Deny inbound icmp src outside:194.25.0.70 dst inside:192.168.5.100 (type 3, code 3).

When I type the following command:

asa-jpdwe(config)# packet-tracer input inside icmp 192.168.5.100 3 3 194.25.0.70 detailed

I get this error message:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group Group-JPD-Wetter any
object-group network Group-JPD-Wetter
description: Alle Netzwerkobjekte in Wetter
network-object object Network-Wetter
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9c587a8, priority=13, domain=permit, deny=false
        hits=5, user_data=0xc7d9e8e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.5.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9fbb178, priority=0, domain=inspect-ip-options, deny=true
        hits=348, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca6773b8, priority=70, domain=inspect-icmp, deny=false
        hits=7, user_data=0xc6fa8088, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9acbd40, priority=70, domain=inspect-icmp-error, deny=false
        hits=7, user_data=0xc9dedfd8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
object network Network-Wetter
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca57fc70, priority=6, domain=nat, deny=false
        hits=34, user_data=0xca63eb90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.5.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I am posting my configuration here.
I am grateful for any help.

Yours sincerely

Jan


5 Replies

Can you post your NAT config? Check whether you have a default gateway configured.

Sent from Cisco Technical Support iPhone App

Hi Jan ,

The logs indicate that you are getting the ICMP replies back on the interface; just create an access list:

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

As far as the default route is concerned, I think setroute takes care of it, and your dynamic NAT looks good to me, unless 8.3 has some surprise for me too.

Manish

I just saw the config. NAT seems fine and yes the setroute should assign you the default gateway.

Packet tracer shows that the traffic is getting dropped in the NAT section.

Please try this packet tracer:

packet-tracer input inside icmp 192.168.5.100 8 0 194.25.0.70 detailed

The inspect icmp should take care of the ICMP echo replies, so the ACL allowing ICMP is not necessary.
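The two packet-tracer runs in this thread differ only in the simulated ICMP type and code: type 3 code 3 (destination unreachable, port unreachable) was dropped at the NAT phase, while type 8 code 0 (echo request) was allowed and created a flow. The ASDM log line in the original post is also a type 3 code 3, which is the error a host returns when nothing is listening on the UDP port it was sent; the later finding that the upstream DNS servers were out of service is consistent with that symptom. The script below is an added example, not code from the thread or from Cisco: it parses packet-tracer output to report the first phase that dropped the packet and the drop reason, and decodes a %ASA-106014 syslog line into ICMP type/code names. The sample traces are constructed excerpts modelled on the output above (with a documentation address in the translate line); the log line is the one from the original post.

```python
"""Read Cisco ASA packet-tracer output and 106014 ICMP-deny syslog lines.

Added example (not from the thread). Sample texts are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ICMP type/code pairs that commonly appear in firewall logs (RFC 792 names).
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 13): "destination unreachable: administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # error messages, as opposed to queries

PHASE_RE = re.compile(r"^Phase:\s*(\d+)")
FIELD_RE = re.compile(r"^(Type|Result|Action|Drop-reason):\s*(.*)$")
SYSLOG_106014_RE = re.compile(
    r"106014\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"Deny inbound icmp src (?P<src_ifc>\w+):[\d.]+ dst (?P<dst_ifc>\w+):[\d.]+ "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""

    def failing_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP; None when the packet was allowed."""
        return next((p for p in self.phases if p.result == "DROP"), None)

def parse_packet_tracer(text: str) -> Trace:
    trace, current = Trace(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:  # "Phase: N" opens a new phase block
            current = Phase(int(m.group(1)))
            trace.phases.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Type" and current is not None:
            current.type = value
        elif key == "Result" and current is not None and value:
            current.result = value  # the bare trailing "Result:" header has no value
        elif key == "Action":
            trace.action = value
        elif key == "Drop-reason":
            trace.drop_reason = value
    return trace

def explain(trace: Trace) -> str:
    """One-line verdict: where the packet died, or that it was allowed."""
    bad = trace.failing_phase()
    if bad is None:
        return f"allowed after {len(trace.phases)} phases"
    return f"dropped at phase {bad.number} ({bad.type}): {trace.drop_reason}"

def parse_106014(line: str) -> Optional[dict]:
    """Decode an ASA 106014 'Deny inbound icmp' line; None if it is not one."""
    m = SYSLOG_106014_RE.search(line)
    if not m:
        return None
    t, c = int(m.group("type")), int(m.group("code"))
    return {"src": m.group("src"), "dst": m.group("dst"),
            "src_ifc": m.group("src_ifc"), "dst_ifc": m.group("dst_ifc"),
            "type": t, "code": c, "name": ICMP_NAMES.get((t, c), "unknown"),
            "is_error": t in ICMP_ERROR_TYPES}

# Constructed excerpts modelled on the two traces posted in the thread.
DROP_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside,outside) dynamic interface

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
ALLOW_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 6
Type: NAT
Result: ALLOW
Additional Information:
Dynamic translate 192.168.5.100/0 to 203.0.113.7/52020

Phase: 8
Type: FLOW-CREATION
Result: ALLOW

Result:
Action: allow
"""
LOG_LINE = ("3    Feb 03 2011    06:58:46    106014    194.25.0.70        192.168.5.100"
            "        Deny inbound icmp src outside:194.25.0.70 dst inside:192.168.5.100 "
            "(type 3, code 3).")

if __name__ == "__main__":
    print("type 3/3 trace:", explain(parse_packet_tracer(DROP_TRACE)))
    print("type 8/0 trace:", explain(parse_packet_tracer(ALLOW_TRACE)))
    print("syslog:", parse_106014(LOG_LINE))
```

The parser keys only on the `Phase:`, `Type:`, `Result:`, `Action:` and `Drop-reason:` labels, so the `Config:` and `Additional Information:` bodies, which vary between ASA releases, pass through untouched; paste a full `detailed` trace into `parse_packet_tracer` and read `explain()` before scrolling through all the phases by hand.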

Hi Paul
Many thanks for your help
Here is the result of the packet-tracer.
The problem was the DNS server at German Telekom; all 4 servers were out of service.
After changing the DNS server, everything works.

Best regards

Jan

asa-jpdwe# packet-tracer input inside icmp 192.168.5.100 8 0 194.25.0.70 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group Group-JPD-Wetter any
object-group network Group-JPD-Wetter
description: Alle Netzwerkobjekte in Wetter
network-object object Network-Wetter
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcad1bc68, priority=13, domain=permit, deny=false
        hits=1388, user_data=0xc8ef9c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.5.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac5b780, priority=0, domain=inspect-ip-options, deny=true
        hits=1539, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb312608, priority=70, domain=inspect-icmp, deny=false
        hits=8, user_data=0xcb312400, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb3144a0, priority=70, domain=inspect-icmp-error, deny=false
        hits=8, user_data=0xcb314298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Network-Wetter
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.5.100/0 to 87.139.210.214/52020
Forward Flow based lookup yields rule:
in  id=0xcad19478, priority=6, domain=nat, deny=false
        hits=1389, user_data=0xcad19270, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.5.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcacc78f0, priority=0, domain=inspect-ip-options, deny=true
        hits=1391, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1545, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

asa-jpdwe#
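The firewall was never the problem here: the packet-tracer run above shows the echo request being translated and a flow created, and the real fault was that the configured DNS resolvers were not answering. When "ping works but nothing resolves", the check a practitioner wants is a direct UDP/53 probe of each resolver that distinguishes a host that replies with ICMP port unreachable (type 3, code 3, the same message the ASDM log was denying inbound) from one that never answers at all. The script below is an added example, not from the thread or from Cisco; it builds a minimal DNS query by hand so it needs no third-party packages, and the local "healthy", "silent" and "not listening" resolvers are constructed on loopback for the demonstration. Point `probe_resolver` at a real resolver address to run it against your own upstream servers.

```python
"""Probe a DNS resolver over UDP and classify the outcome.

Added example (not from the thread). The loopback resolvers are constructed
stand-ins so the demonstration runs offline.
"""
import socket
import struct
import threading

QUERY_ID = 0x1234
_keep_open = []  # sockets that must stay bound for the "silent resolver" case

def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Minimal DNS query: header with RD set and one A-record question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe_resolver(host: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one query and classify what came back.

    'answer'    a DNS response with our ID and the QR bit set
    'refused'   the host sent ICMP port unreachable (type 3, code 3):
                it is up, but nothing listens on that UDP port
    'timeout'   nothing at all: host down, or traffic dropped on the path
    'bad-reply' something arrived that is not a response to our query
    """
    query = build_query("example.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # A *connected* UDP socket is what makes the kernel surface an
        # incoming ICMP port-unreachable as ECONNREFUSED on send()/recv().
        sock.connect((host, port))
        try:
            sock.send(query)
            data = sock.recv(512)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
    if len(data) < 12:
        return "bad-reply"
    reply_id, flags = struct.unpack("!HH", data[:4])
    if reply_id != QUERY_ID or not flags & 0x8000:
        return "bad-reply"
    return "answer"

def start_fake_resolver() -> int:
    """Constructed healthy resolver on 127.0.0.1: answers one query by
    echoing the question back with QR=1, RD=1, RA=1, RCODE=0 (no records)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(512)
        srv.sendto(data[:2] + struct.pack("!H", 0x8180) + data[4:], peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def start_silent_resolver() -> int:
    """Constructed resolver that is bound to a port but never answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    _keep_open.append(srv)
    return srv.getsockname()[1]

def closed_udp_port() -> int:
    """Pick a loopback UDP port that nothing is bound to."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    for label, port in (("healthy", start_fake_resolver()),
                        ("silent", start_silent_resolver()),
                        ("not listening", closed_udp_port())):
        verdict = probe_resolver("127.0.0.1", port, timeout=1.0)
        print(f"{label:14s} 127.0.0.1:{port} -> {verdict}")
```

The three verdicts map onto three different next steps: `refused` means the server host is reachable and routing/NAT are fine, so the fault is on the server; `timeout` means either the host or the path (including a firewall rule or NAT) is at fault, which is when packet-tracer earns its keep; `answer` clears the resolver and points the investigation back at the client configuration.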

I am glad to hear things worked out now.

If possible please mark the question as answered, by yourself, hehe
