ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

msingh2007
Level 1

I have an ASA 5510 running version 8.2(1). I have enabled SSH and ICMP, and they work from the inside network but not from the outside network.

Further to this, I exposed one host from the inside interface of the ASA (192.168.1.100) to the outside (1.1.1.7) using NAT, and it is neither pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA, and that is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):

ASA Version 8.2(1)
!
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 description Primary Outside (Internet)
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.5 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description WLAN
 nameif WLAN
 security-level 100
 ip address 192.168.108.240 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 description Secondary Outside (Internet)
 speed 100
 duplex full
 nameif WAN2
 security-level 0
 ip address 2.2.2.133 255.255.255.192
!
interface Management0/0
 description LAN/STATE Failover Interface
!
!
time-range after_hours
 periodic weekdays 7:00 to 23:00
!
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
 retries 3
 timeout 5
 name-server 8.8.8.8
 name-server 206.191.0.210
 name-server 4.2.2.1
 name-server 4.2.2.2
 domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 timeout 1000
 frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
 wins-server none
 dns-server value 206.191.0.210 206.191.0.140
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
 address-pool DHCP
 default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable


Jouni Forss
VIP Alumni

Hi,

I can't see any problems right away in the configuration.

I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall:

packet-tracer input outside tcp 1.1.1.1 12345 22

packet-tracer input outside icmp 1.1.1.1 8 0

Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the 1.1.1.0/28 in the configuration is not actually configured on the ASA.)

Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.

Also, have you made sure that there are no old translations active on the ASA?

You can use this command to view those:

show xlate local 192.168.1.100

You can clear the xlates with:

clear xlate local 192.168.1.100

- Jouni
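Two of the things packet-tracer would exercise on the box can be checked offline against the configuration in the question: whether the static for 192.168.1.100 and the inbound ACL on outside agree (on 8.2 the ACL must name the mapped address 1.1.1.7, not the real one), and whether SSH to the firewall's own outside address is permitted by the "ssh" lines, which govern to-the-box management traffic independently of the interface ACL. The following Python checker is an added example, not code from either poster; the config excerpt is a constructed subset of the posted lines and the function names are my own.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted ASA 8.2(1) configuration: only the lines these checks read.
CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

def parse(config):
    """Collect static NATs, ACL bindings, ACL entries and 'ssh <net> <mask> <if>' rules."""
    statics, bindings, acls, ssh_hosts = {}, {}, {}, []
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "static":                      # static (real_if,mapped_if) mapped real
            real_if, mapped_if = t[1].strip("()").split(",")
            statics[t[2]] = (t[3], real_if, mapped_if)
        elif t[0] == "access-group":              # access-group NAME in interface IF
            bindings[t[4]] = t[1]
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "ssh" and len(t) == 4:       # management SSH to the ASA itself
            ssh_hosts.append((ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
    return statics, bindings, acls, ssh_hosts

def published_ssh_findings(config, real_ip):
    """Return (mapped_ip, problems) for the static publishing real_ip on 'outside'.
    Pre-8.3 rule: the inbound ACL on outside must permit to the MAPPED address."""
    statics, bindings, acls, _ = parse(config)
    mapped = next((m for m, (r, _, mi) in statics.items() if r == real_ip and mi == "outside"), None)
    if mapped is None:
        return None, [f"no static (inside,outside) publishes {real_ip}"]
    acl = bindings.get("outside")
    if acl is None:
        return mapped, ["no access-group bound inbound on outside"]
    permits = any(
        e[1] == "permit" and e[2] in ("tcp", "ip") and ("host", mapped) in zip(e, e[1:])
        and (e[2] == "ip" or e[-2:] in (["eq", "ssh"], ["eq", "22"]))
        for e in acls.get(acl, []))
    return mapped, [] if permits else [f"{acl} has no permit tcp ... host {mapped} eq ssh"]

def ssh_to_asa_allowed(config, src_ip, iface):
    """SSH to the firewall's own interface IP is gated by the 'ssh' lines, not the interface ACL."""
    return any(ip_address(src_ip) in net and i == iface for net, i in parse(config)[3])
```

Both checks pass on the posted lines, which is consistent with the reply finding nothing wrong in the configuration itself and moving on to runtime state (packet-tracer, show xlate).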
