03-27-2013 08:04 PM - edited 03-11-2019 06:20 PM
Hi Jouni,
I attached the complete config. In the earlier discussion, I cannot select reply. Looks like an ACL is denying it, but I am not sure which one or how to permit it.
sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 10.10.10.3 255.255.255.0
!
interface Ethernet0/1
nameif LAN1
security-level 100
ip address 172.16.23.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN-IN extended permit ip any any
access-list WAN-IN extended permit tcp any any
access-list WAN-IN extended permit icmp any any
access-list ACL_LAN1 extended permit ip any any
access-list ACL_LAN1 extended permit tcp any any
access-list ACL_LAN1 extended permit icmp any any
access-list INSIDE-NAT0 remark NO NAT Configurations
access-list INSIDE-NAT0 extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu WAN 1500
mtu LAN1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (WAN) 0 access-list INSIDE-NAT0
access-group WAN-IN in interface WAN
access-group WAN-IN out interface WAN
access-group ACL_LAN1 in interface LAN1
access-group ACL_LAN1 out interface LAN1
route WAN 0.0.0.0 0.0.0.0 10.10.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8e8781e0aba27339b4594c9e792d1659
: end
ciscoasa(config)#
ciscoasa(config)# packet-tracer input LAN1 tcp 172.168.23.8 12345 10.10.10.3 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.3 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa75dc160, priority=0, domain=permit, deny=true
hits=470, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: LAN1
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
ciscoasa(config)# packet-tracer input WAN tcp 172.16.23.8 12345 10.10.10.3 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.3 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa706cdf8, priority=0, domain=permit, deny=true
hits=1, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
03-28-2013 12:14 AM
Hi Surya,
I guess you made a new thread about the same issue.
It seems to me that you issued the NAT0 configuration on the wrong interface. It should be on the local LAN interface, not the WAN.
Also, you have changed the INSIDE-NAT0 ACL to something totally different. I suggest keeping it the way it was, though your change to the LAN network means that changes are needed for this ACL as well.
access-list INSIDE-NAT0 permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0
no access-list INSIDE-NAT0 extended permit ip any any
no nat (WAN) 0 access-list INSIDE-NAT0
nat (LAN1) 0 access-list INSIDE-NAT0
I would also avoid using ACLs on each interface for both in/out direction. Usually attaching the ACLs to "in" direction is enough and keeps the setup clear.
no access-group WAN-IN out interface WAN
no access-group ACL_LAN1 out interface LAN1
Why has your local LAN network changed? Has the other end done the needed changes to routing and possible access rules and NAT so that this can even work?
Your "packet-tracer" commands are targeting your ASA WAN interface IP address. Use the remote network server IP address as the destination instead, since that will be the host that your server needs to connect to, and for this traffic you need to make sure that the ASA's rules are correct.
Using the ASA interface IP as the destination will result in the output you see.
In your case, the correct command to test your ASA's rules would be, for example:
packet-tracer input LAN1 tcp 172.16.23.8 12345 172.16.106.8 80
- Jouni
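The mistake Jouni describes above (a NAT-exempt ACL with "permit ip any any" bound to the WAN interface instead of LAN1) is easy to make and easy to catch mechanically. The following is an added example, not code from the thread or from Cisco: a small lint for the pre-8.3 `nat (ifc) 0 access-list NAME` syntax used in this configuration. It reads an ASA running-config, maps each `nameif` to its connected subnet, and checks that every source in the exemption ACL lies inside the subnet of the interface the `nat 0` statement names, flagging `any` separately. The BEFORE and AFTER samples are trimmed from the two configurations posted in this thread; MISBOUND is a constructed intermediate state (ACL fixed, `nat 0` still on WAN) that is not on the page.

```python
import ipaddress
import re

# Constructed samples, trimmed from the two ASA 8.0(4) configs posted in this
# thread: BEFORE is the broken state (NAT0 on WAN with a permit ip any any
# exemption ACL), AFTER is the state Jouni's commands produce.
BEFORE = """\
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 10.10.10.3 255.255.255.0
!
interface Ethernet0/1
 nameif LAN1
 security-level 100
 ip address 172.16.23.254 255.255.255.0
!
access-list INSIDE-NAT0 remark NO NAT Configurations
access-list INSIDE-NAT0 extended permit ip any any
nat (WAN) 0 access-list INSIDE-NAT0
"""

AFTER = BEFORE.replace(
    "access-list INSIDE-NAT0 extended permit ip any any\n"
    "nat (WAN) 0 access-list INSIDE-NAT0\n",
    "access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0\n"
    "access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0\n"
    "nat (LAN1) 0 access-list INSIDE-NAT0\n",
)

# Constructed intermediate state (not from the thread): the ACL is fixed but
# the nat 0 line still names WAN, so the exempted sources are not behind it.
MISBOUND = AFTER.replace("nat (LAN1) 0 access-list", "nat (WAN) 0 access-list")


def parse_interfaces(config):
    """Map each nameif to the directly connected subnet of its ip address line."""
    subnets = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # start of a new interface block
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()[:4]
            subnets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return subnets


def parse_acl_sources(config, acl_name):
    """Return the source networks of the permit entries of one extended ACL."""
    pat = re.compile(
        rf"^access-list {re.escape(acl_name)} (?:extended )?permit \S+ (.+)$")
    sources = []
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m:
            continue
        tok = m.group(1).split()
        if tok[0] == "any":
            sources.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok[0] == "host":
            sources.append(ipaddress.ip_network(f"{tok[1]}/32"))
        else:
            sources.append(ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False))
    return sources


def check_nat0(config):
    """Lint every pre-8.3 'nat (ifc) 0 access-list NAME' line.

    In this syntax the sources of the exemption ACL are the real addresses
    behind the interface named in the nat statement, so each source should
    sit inside that interface's connected subnet and should never be 'any'.
    Returns a list of findings; an empty list means the binding looks sane.
    """
    subnets = parse_interfaces(config)
    findings = []
    for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M):
        ifc, acl = m.groups()
        if ifc not in subnets:
            findings.append(f"{acl}: nat 0 bound to {ifc}, which has no ip address")
            continue
        local = subnets[ifc]
        for src in parse_acl_sources(config, acl):
            if src.prefixlen == 0:
                findings.append(
                    f"{acl} on {ifc}: source 'any' exempts every flow from NAT, not just {local}")
            elif not src.subnet_of(local):
                findings.append(
                    f"{acl} on {ifc}: source {src} is not in {local}; nat 0 is probably on the wrong interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("MISBOUND", MISBOUND), ("AFTER", AFTER)):
        print(label, check_nat0(cfg) or "clean")
```

Run against a saved `show running-config`, the check reports one finding for the original config (the `any` source), two for the intermediate state (both 172.16.23.0/24 entries are outside WAN's 10.10.10.0/24), and nothing for the corrected config. It only covers the `nat 0 access-list` form and single-interface `ip address` lines; 8.3+ object NAT would need a different parser.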
03-27-2013 10:52 PM
Hello,
You are trying to go to the outside interface IP address of the ASA from another interface.
By design you will not be able to accomplish that, no matter what. You cannot reach a far-end or distant interface.
What is a far-end/distant interface?
Let's say you are on the Internet... You will be able to reach the outside interface of the ASA because that is the closest interface to you but you will not be able to reach the Inside interface IP address of the ASA because it is a far-end interface.
Same thing happens here. If you try the packet tracer with another host 4.2.2.2 or any other internet host you should not get this Identity drop
Hope that I was clear
03-27-2013 11:23 PM
Hi,
In that case, how will my PC in the LAN1 network communicate with another server outside the WAN network without me doing NAT? Is that possible? I attached the network diagram.
The left side is my network. The IP has changed to 172.16.23.0 .
03-28-2013 12:02 AM
Hello,
It is possible, but you will need to have nat-control disabled.
Then from in to out you will be able to access it, as you are going from a higher to a lower security level interface.
Regards
03-28-2013 01:47 AM
Hi,
I added it as advised. Packet tracer looks OK, but I still cannot ping my gateway 10.10.10.4 or 172.16.106.8.
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 10.10.10.3 255.255.255.0
!
interface Ethernet0/1
nameif LAN1
security-level 100
ip address 172.16.23.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN-IN extended permit ip any any
access-list WAN-IN extended permit tcp any any
access-list WAN-IN extended permit icmp any any
access-list ACL_LAN1 extended permit ip any any
access-list ACL_LAN1 extended permit tcp any any
access-list ACL_LAN1 extended permit icmp any any
access-list INSIDE-NAT0 remark NO NAT Configurations
access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0
pager lines 24
mtu WAN 1500
mtu LAN1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN1
no asdm history enable
arp timeout 14400
nat (LAN1) 0 access-list INSIDE-NAT0
access-group WAN-IN in interface WAN
access-group ACL_LAN1 in interface LAN1
route WAN 0.0.0.0 0.0.0.0 10.10.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a12bf488cbab1958ed52078adea3da2f
: end
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.10.10.4 to network 0.0.0.0
C 172.16.23.0 255.255.255.0 is directly connected, LAN1
C 10.10.10.0 255.255.255.0 is directly connected, WAN
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.10.4, WAN
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list WAN-IN; 3 elements
access-list WAN-IN line 1 extended permit ip any any (hitcnt=0) 0x66737b8e
access-list WAN-IN line 2 extended permit tcp any any (hitcnt=0) 0x6f485738
access-list WAN-IN line 3 extended permit icmp any any (hitcnt=0) 0x735af4a6
access-list ACL_LAN1; 3 elements
access-list ACL_LAN1 line 1 extended permit ip any any (hitcnt=1) 0xf6a83f42
access-list ACL_LAN1 line 2 extended permit tcp any any (hitcnt=0) 0x60ba9316
access-list ACL_LAN1 line 3 extended permit icmp any any (hitcnt=0) 0x77c6cc01
access-list INSIDE-NAT0; 2 elements
access-list INSIDE-NAT0 line 1 remark NO NAT Configurations
access-list INSIDE-NAT0 line 2 extended permit ip 172.16.23.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0xfe9fb45e
access-list INSIDE-NAT0 line 3 extended permit ip 172.16.23.0 255.255.255.0 172.16.106.0 255.255.255.0 (hitcnt=0) 0xcc3bf40e
ciscoasa# packet-tracer input LAN1 tcp 172.16.23.8 12345 172.16.106.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL_LAN1 in interface LAN1
access-list ACL_LAN1 extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip LAN1 172.16.23.0 255.255.255.0 WAN 172.16.106.0 255.255.255.0
NAT exempt
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 129, packet dispatched to next module
Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.4 using egress ifc WAN
adjacency Active
next-hop mac address 0009.0f44.4f4d hits 72
Result:
input-interface: LAN1
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
03-28-2013 01:49 AM
I used a new thread. The old one cannot be updated.
Also, our people need the 172.16.22.0 segment back, so I created another one for testing, 172.16.23.0.
03-28-2013 03:00 AM
Hi Jouni,
Good news finally. It works. The configuration change that you gave works.
I had a problem pinging because my notebook needed a route added.
Now it works great.
Thanks a lot for your help.