ASA 5510 - Routing Between Interface

suryashiva
Level 1

Hi Jouni,

I attached the complete config. In the earlier discussion I could not select Reply. It looks like an ACL is denying it, but I am not sure which one or how to permit it.

sh run

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif WAN

security-level 0

ip address 10.10.10.3 255.255.255.0

!

interface Ethernet0/1

nameif LAN1

security-level 100

ip address 172.16.23.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list WAN-IN extended permit ip any any

access-list WAN-IN extended permit tcp any any

access-list WAN-IN extended permit icmp any any

access-list ACL_LAN1 extended permit ip any any

access-list ACL_LAN1 extended permit tcp any any

access-list ACL_LAN1 extended permit icmp any any

access-list INSIDE-NAT0 remark NO NAT Configurations

access-list INSIDE-NAT0 extended permit ip any any

pager lines 24

logging asdm informational

mtu management 1500

mtu WAN 1500

mtu LAN1 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (WAN) 0 access-list INSIDE-NAT0

access-group WAN-IN in interface WAN

access-group WAN-IN out interface WAN

access-group ACL_LAN1 in interface LAN1

access-group ACL_LAN1 out interface LAN1

route WAN 0.0.0.0 0.0.0.0 10.10.10.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8e8781e0aba27339b4594c9e792d1659

: end

ciscoasa(config)#

ciscoasa(config)# packet-tracer input LAN1 tcp 172.168.23.8 12345 10.10.10.3 80 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.10.3      255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa75dc160, priority=0, domain=permit, deny=true

hits=470, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: LAN1

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

ciscoasa(config)# packet-tracer input WAN tcp 172.16.23.8 12345 10.10.10.3 80 detailed                     

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.10.3      255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa706cdf8, priority=0, domain=permit, deny=true

hits=1, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: WAN

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

7 Replies

Julio Carvajal
VIP Alumni

Hello,

You are trying to reach the outside interface IP address of the ASA from another interface.

By design you will not be able to accomplish that, no matter what. You cannot reach a far-end or distant interface.

What is a far-end/distant interface?

Let's say you are on the Internet... You will be able to reach the outside interface of the ASA because that is the closest interface to you but you will not be able to reach the Inside interface IP address of the ASA because it is a far-end interface.

Same thing happens here. If you try the packet tracer with another host 4.2.2.2 or any other internet host you should not get this Identity drop

Hope that I was clear

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
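
Julio's point above, that a trace whose destination is one of the ASA's own interface addresses ends in an identity drop rather than a meaningful policy decision, is easy to miss when skimming packet-tracer output. The following Python script is an added example, not part of the original thread and not a Cisco tool: it parses the phase table from packet-tracer output, detects the `identity` route lookup and the `NP Identity Ifc` output interface, and separates that case from a genuine `(acl-drop)`. The two sample traces are constructed, trimmed copies of output posted in this thread; `Trace`, `parse_packet_tracer` and `classify` are names chosen here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the first packet-tracer run in the
# question (LAN1 host to the ASA's own WAN interface IP, 10.10.10.3).
SAMPLE_IDENTITY_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   10.10.10.3      255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
<--- More --->
in  id=0xa75dc160, priority=0, domain=permit, deny=true

Result:
input-interface: LAN1
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: tail of the later, working run to the remote server.
SAMPLE_ALLOW = """\
Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
found next-hop 10.10.10.4 using egress ifc WAN

Result:
input-interface: LAN1
output-interface: WAN
Action: allow
"""


@dataclass
class Trace:
    phases: list = field(default_factory=list)   # (phase number, type, result)
    action: str = ""
    drop_reason: str = ""
    output_interface: str = ""
    identity_route: bool = False                  # ROUTE-LOOKUP resolved to the ASA itself


def parse_packet_tracer(text):
    """Pull the per-phase results and the final verdict out of packet-tracer output."""
    t = Trace()
    num = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<--- More"):      # skip pager residue
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Phase":
            num, kind = int(val), None
        elif key == "Type":
            kind = val
        elif key == "Result" and num is not None:          # the trailing bare "Result:" has num None
            t.phases.append((num, kind, val))
            num = kind = None
        elif key == "Action":
            t.action = val
        elif key == "Drop-reason":
            t.drop_reason = val
        elif key == "output-interface":
            t.output_interface = val
        elif re.fullmatch(r"in\s+\S+\s+\S+\s+identity", line):
            t.identity_route = True
    return t


def classify(t):
    """Tell a to-the-box test apart from a real policy deny before touching any ACL."""
    if t.action == "allow":
        return "allow"
    if t.output_interface == "NP Identity Ifc" or t.identity_route:
        return "identity-drop"     # destination is an ASA interface IP: retest with a real remote host
    if t.drop_reason.startswith("(acl-drop)"):
        return "acl-drop"          # an interface ACL actually denied the flow
    return "other-drop"


if __name__ == "__main__":
    for name, text in (("asa interface", SAMPLE_IDENTITY_DROP), ("remote host", SAMPLE_ALLOW)):
        print(name, "->", classify(parse_packet_tracer(text)))
```

The check is deliberately conservative: only `allow`, the identity markers and the literal `(acl-drop)` prefix are recognised, so any other drop reason is reported as `other-drop` for a human to read rather than guessed at.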

Hi,

In that case, how will my PC in the LAN1 network communicate with another server outside the WAN network without me doing NAT? Is that possible? I attached the network diagram.

The left side is my network. The IP has changed to 172.16.23.0.

Hello,

It is possible, but you will need to have nat-control disabled.

Then from in to out you will be able to access it, as you are going from a higher to a lower security-level interface.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Surya,

I guess you made a new thread about the same issue.

It seems to me that you issued the NAT0 configurations on the wrong interface. They should be on the local LAN interface, not the WAN.

Also, you have changed the INSIDE-NAT0 ACL to something totally different. I suggest keeping it the way it was, though your change to the LAN network means that changes are needed to this ACL also.

access-list INSIDE-NAT0 permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0

no access-list INSIDE-NAT0 extended permit ip any any

no nat (WAN) 0 access-list INSIDE-NAT0

nat (LAN1) 0 access-list INSIDE-NAT0

I would also avoid using ACLs on each interface for both in/out direction. Usually attaching the ACLs to "in" direction is enough and keeps the setup clear.

no access-group WAN-IN out interface WAN

no access-group ACL_LAN1 out interface LAN1

Why has your local LAN network changed? Has the other end made the needed changes to routing and possibly access rules and NAT so that this can even work?

Your "packet-tracer" commands are targeting your ASA WAN interface IP address. Use the remote network server IP address as the destination instead, since that is the host that your server needs to connect to, and for this traffic you need to make sure that the ASA's rules are correct.

Using the ASA interface IP as the destination will result in the output you see.

In your case the correct configuration to test your ASA's rules would be, for example:

packet-tracer input LAN1 tcp 172.16.23.8 12345 172.16.106.8 80

- Jouni
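
To make Jouni's point about where `nat (ifc) 0 access-list` belongs concrete, here is an added Python example, not ASA code and not from this thread, that models in simplified form how a pre-8.3 ASA keys a NAT exemption on the interface the traffic enters, and lints nat 0 entries whose ACL source is not the network directly behind that interface. Interface addresses, ACL entries and nat statements are copied from the config posted above and from the fix; `parse_acls`, `parse_nat0`, `parse_ifaces`, `nat0_exempts` and `lint_nat0` are names chosen here. Xlate state, policy NAT, nat-control and subnets reachable only through a router behind the interface are deliberately left out of the model.

```python
from ipaddress import ip_address, ip_network

# Illustrative model (added example, not ASA source) of pre-8.3 ASA
# "nat (IFC) 0 access-list NAME": the ACL is consulted only for traffic
# entering IFC, with the ACL source being the hosts behind IFC. Return-traffic
# matching, xlates, policy NAT and nat-control are out of scope.

ANY = ip_network("0.0.0.0/0")


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """{acl_name: [(src_net, dst_net), ...]} from 'access-list NAME [extended] permit ip SRC DST'."""
    acls = {}
    for line in config:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        body = t[3:] if t[2] == "extended" else t[2:]
        if body[:2] != ["permit", "ip"]:
            continue            # deny entries and non-IP protocols are outside this model
        src, i = _addr(body, 2)
        dst, _ = _addr(body, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_nat0(config):
    """{ingress_interface: acl_name} from 'nat (IFC) 0 access-list NAME' lines."""
    out = {}
    for line in config:
        t = line.split()
        if len(t) == 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            out[t[1].strip("()")] = t[4]
    return out


def parse_ifaces(config):
    """{nameif: directly connected network} from 'nameif X' / 'ip address A M' pairs."""
    nets, name = {}, None
    for line in config:
        t = line.split()
        if t[:1] == ["nameif"]:
            name = t[1]
        elif t[:2] == ["ip", "address"] and name:
            nets[name] = ip_network(f"{t[2]}/{t[3]}", strict=False)
    return nets


def nat0_exempts(config, ingress, src, dst):
    """True if a flow entering `ingress` from src to dst hits a nat 0 entry on that interface."""
    name = parse_nat0(config).get(ingress)
    if name is None:
        return False            # no 'nat (ingress) 0': a nat (WAN) 0 entry does nothing for LAN1 hosts
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in parse_acls(config).get(name, []))


def lint_nat0(config):
    """Flag nat 0 entries whose ACL source is not the network directly behind the nat interface."""
    nets, acls, problems = parse_ifaces(config), parse_acls(config), []
    for ifc, name in parse_nat0(config).items():
        for src, _ in acls.get(name, []):
            if ifc not in nets or not src.subnet_of(nets[ifc]):
                problems.append(f"nat ({ifc}) 0: source {src} is not behind {ifc}")
    return problems


# Interface lines copied from the posted config.
IFACES = [
    "interface Ethernet0/0", "nameif WAN", "ip address 10.10.10.3 255.255.255.0",
    "interface Ethernet0/1", "nameif LAN1", "ip address 172.16.23.254 255.255.255.0",
]
# Exemption as originally posted: hung on WAN, with a permit-any ACL.
POSTED = IFACES + [
    "access-list INSIDE-NAT0 extended permit ip any any",
    "nat (WAN) 0 access-list INSIDE-NAT0",
]
# Exemption after the fix: on LAN1, scoped to the local subnet.
FIXED = IFACES + [
    "access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0",
    "access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0",
    "nat (LAN1) 0 access-list INSIDE-NAT0",
]

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "LAN1 172.16.23.8 -> 172.16.106.8 exempt:",
              nat0_exempts(cfg, "LAN1", "172.16.23.8", "172.16.106.8"), lint_nat0(cfg))
```

With the posted config the LAN1-to-server flow never consults INSIDE-NAT0 at all, and the lint reports that `any` is not a network behind WAN; with the fix the same flow matches on LAN1, which is what the NAT-EXEMPT phase later in the thread shows as `translate_hits`.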

Hi,

I added it as advised. Packet tracer looks OK, but I still cannot ping my gateway 10.10.10.4 or 172.16.106.8.

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif WAN

security-level 0

ip address 10.10.10.3 255.255.255.0

!

interface Ethernet0/1

nameif LAN1

security-level 100

ip address 172.16.23.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list WAN-IN extended permit ip any any

access-list WAN-IN extended permit tcp any any

access-list WAN-IN extended permit icmp any any

access-list ACL_LAN1 extended permit ip any any

access-list ACL_LAN1 extended permit tcp any any

access-list ACL_LAN1 extended permit icmp any any

access-list INSIDE-NAT0 remark NO NAT Configurations

access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0

pager lines 24

mtu WAN 1500

mtu LAN1 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any WAN

icmp permit any LAN1

no asdm history enable

arp timeout 14400

nat (LAN1) 0 access-list INSIDE-NAT0

access-group WAN-IN in interface WAN

access-group ACL_LAN1 in interface LAN1

route WAN 0.0.0.0 0.0.0.0 10.10.10.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a12bf488cbab1958ed52078adea3da2f

: end

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 10.10.10.4 to network 0.0.0.0

C    172.16.23.0 255.255.255.0 is directly connected, LAN1

C    10.10.10.0 255.255.255.0 is directly connected, WAN

S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.10.4, WAN

ciscoasa# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list WAN-IN; 3 elements

access-list WAN-IN line 1 extended permit ip any any (hitcnt=0) 0x66737b8e

access-list WAN-IN line 2 extended permit tcp any any (hitcnt=0) 0x6f485738

access-list WAN-IN line 3 extended permit icmp any any (hitcnt=0) 0x735af4a6

access-list ACL_LAN1; 3 elements

access-list ACL_LAN1 line 1 extended permit ip any any (hitcnt=1) 0xf6a83f42

access-list ACL_LAN1 line 2 extended permit tcp any any (hitcnt=0) 0x60ba9316

access-list ACL_LAN1 line 3 extended permit icmp any any (hitcnt=0) 0x77c6cc01

access-list INSIDE-NAT0; 2 elements

access-list INSIDE-NAT0 line 1 remark NO NAT Configurations

access-list INSIDE-NAT0 line 2 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0xfe9fb45e

access-list INSIDE-NAT0 line 3 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0 (hitcnt=0) 0xcc3bf40e

ciscoasa# packet-tracer input LAN1 tcp 172.16.23.8 12345 172.16.106.8 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         WAN

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group ACL_LAN1 in interface LAN1

access-list ACL_LAN1 extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip LAN1 172.16.23.0 255.255.255.0 WAN 172.16.106.0 255.255.255.0

    NAT exempt

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 129, packet dispatched to next module

Phase: 8

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.10.4 using egress ifc WAN

adjacency Active

next-hop mac address 0009.0f44.4f4d hits 72

Result:

input-interface: LAN1

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

I used a new thread; the old one cannot be updated.

Also, our people need the 172.16.22.0 segment back, so I created another one for testing, 172.16.23.0.

Hi Jouni,

Good news finally. It works. The configuration change that you gave works.

I had a problem pinging because my notebook needed a route added.

Now it works great.

Thanks a lot for your help.
