ASA 5516-X blocking all inward access

AirspanIT
Level 1

Hi experts. I recently got a 5516-X as an upgrade over our existing ASA 5510. I have configured everything on the 5516-X as per the 5510, i.e. NATs, static routes, an access list implemented on the outside interface for allowing access to servers on specific ports, and everything else I can think of. The issue is that the 5516-X still does not permit any inward access, i.e. I cannot access our Exchange server from outside using a browser. On the ASA 5510 it works perfectly with the same configuration. Is there any new hardened security on the 5516-X, or do I need to add any additional configuration to make it work? Just banging my head really, as I am out of ideas as to why it won't allow inward access. Outward access, e.g. users browsing the Internet, and all our VPN access both ways is working fine.

 

Many thanks for your input. 

Accepted Solution

Have the upstream ISP devices cleared their ARP cache at all? Was this put in next to the other one and then the old ASA just switched off? I have seen issues with static NATs when swapping out ASAs like for like, due to ARP entries needing to be cleared on ISP kit. I ended up rebooting their local device, but only because it was late at night.

15 Replies

GRANT3779
Spotlight

Off the top of my head, and just something to check: is the firewall sending traffic to a Firepower module with default config?

What is the output from:

sh run policy-map

 

Thanks GRANT3779. How would I know if the firewall is sending traffic to the Firepower module? It has the same outside static route for the default and inside routes for our inside servers.

 

Here is the output from sh run policy-map:

 

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
 class CM-HTTPS-TIMEOUT
  set connection timeout half-closed 0:30:00
!

It is not there, so not that.

We'd really need to see the config, NATs etc. On the previous firewall, what version of software was running? There was a big change in NAT format from 8.3 onwards. Also, the interface numbering may be different from the 5510 to the 5516, so I assume a copy and paste wasn't done and rather a detailed analysis of the config before applying it to the new firewall.

I'm sure we can point you in right direction if we can see more info.

GRANT3779: It is running ASA version 9.8 and I was using 9.2 before, so the NAT commands are the same. Interfaces, yes, I have changed accordingly, and it wasn't a copy-and-paste job.

 

I am copying some relevant information (changed some values) so hope that can give some insight. If you need any other particular configuration then please let me know. 

 

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.0.0.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.240
!

 

object network obj_any
 nat (inside,outside) dynamic interface

object network EXG-SER
 nat (inside,outside) static 100.1.1.15

 

access-list access_in extended permit tcp any4 object EXG-SER eq https
access-list access_in extended permit tcp any4 object EXG-SER eq 995
access-list access_in extended permit tcp any4 object EXG-SER eq 587
access-list access_in extended permit tcp any4 object EXG-SER eq pop3
access-list access_in extended permit tcp any4 object EXG-SER eq www

 

access-group access_in in interface outside

Have the upstream ISP devices cleared their ARP cache at all? Was this put in next to the other one and then the old ASA just switched off? I have seen issues with static NATs when swapping out ASAs like for like, due to ARP entries needing to be cleared on ISP kit. I ended up rebooting their local device, but only because it was late at night.

Yes, it was a matter of switching the old ASA off, plugging the inside and outside cables into the new one and switching it on. And boom, no inward access works. We have an ISP router at our premises to which the outside cable goes, but I do not have any admin access to it. So do you think restarting it would clear the ARP cache and just make things work?

As promised, updating on this issue. Yes, it was indeed the ARP cache that needed clearing. I ended up power-cycling the connecting switches and the upstream ISP router, and inward access and NAT started working. 👍😁😜

 

Thanks a lot GRANT3779 and bhargavdesai for your assistance. 

bhargavdesai
Spotlight

With the lack of configuration details for NAT and access-lists, I would say run "packet-tracer" to find out where the traffic is being blocked.

 

 

HTH

Thanks bhargavdesai. I have run packet-tracer with source interface outside, a random public IP, and the destination IP as the public IP of our NATted server. That all turns out to be allowed.

If packet-tracer is showing allowed, then:

  • As mentioned earlier, the ARP cache may be an issue, hence clear the ARP cache on adjacent devices.
  • You should also check the NAT sequence by running the "sh nat" command.
  • Run logging on the ASA to see whether you are receiving requests on the ASA for the particular server, and if that is successful,
  • You can also check at the server whether it is receiving the request or not.

 

HTH

 

Thanks. So the sequence of NATting is:

At the top I have the no-NAT configurations for VPN tunnels.

Then there is the PAT for all Internet traffic.

Then there is the server-specific NAT.

 

This is how I had it configured previously as well. 

 

E.g.

nat (inside,outside) source static subnet1 subnet1 destination static subnet2 subnet2 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network EXG-SVR
 nat (inside,outside) static 100.1.1.20

 

I need to schedule downtime for restarting the ISP router to clear the ARP cache, but I just want to know if there is anything else that could be causing this.

 

Thanks a lot

 

 

You can also check whether "sh nat" and "sh access-list" show any hit counts.

Furthermore, have you checked that the traffic is reaching the ASA by looking at the logs?

And whether your server is receiving it and responding to it.

 

I would go like this:

 

Am I getting request for my server on the ASA?

Does it hit the right access list?

Does it hit the right NAT rule?

Does it forward it to the server?

Does my server receive the request?

Does my server respond to the request?

 

HTH
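The checklist above (right access list, right NAT rule, forwarded to the server) can be pre-checked against the configuration before the downtime window. The Python script below is an added example for this thread, not code from the original posts or from Cisco: it parses the post-8.3 style object network / nat static / access-list lines shown earlier, reports static NATs that have no inbound permit on the ACL bound to the outside interface (and ACL permits that reference objects with no static NAT), and prints the packet-tracer commands to run on the ASA for each permitted port. The embedded sample configuration is constructed for the example; EXG-SER mirrors the posted lines, while WEB-SER, OLD-SER, the obj_any subnet line and the 203.0.113.10 test source are assumptions.

```python
"""Offline cross-check of ASA static NATs against the outside ACL (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the post-8.3 style shown in the thread. WEB-SER, OLD-SER and the
# subnet line are assumptions made for this example; EXG-SER mirrors the posted lines.
SAMPLE_CONFIG = """
object network EXG-SER
 nat (inside,outside) static 100.1.1.15
object network WEB-SER
 nat (inside,outside) static 100.1.1.16
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
access-list access_in extended permit tcp any4 object EXG-SER eq https
access-list access_in extended permit tcp any4 object EXG-SER eq 995
access-list access_in extended permit tcp any4 object EXG-SER eq 587
access-list access_in extended permit tcp any4 object EXG-SER eq pop3
access-list access_in extended permit tcp any4 object EXG-SER eq www
access-list access_in extended permit tcp any4 object OLD-SER eq www
access-group access_in in interface outside
"""

# ASA service keywords used in the thread's ACL, plus a few common ones.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "pop3": 110, "imap4": 143,
              "smtp": 25, "ftp": 21, "ssh": 22}

OBJ_RE = re.compile(r"^object network (\S+)$")
STATIC_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ object (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass
class Config:
    static_nats: Dict[str, str] = field(default_factory=dict)              # object name -> mapped IP
    acl_entries: List[Tuple[str, str, int]] = field(default_factory=list)  # (acl, object, port)
    outside_acl: Optional[str] = None


def port_number(token: str) -> int:
    """Translate an ASA 'eq' operand (number or service keyword) to a TCP port."""
    if token.isdigit():
        return int(token)
    if token not in PORT_NAMES:
        raise ValueError(f"unknown service keyword {token!r}")
    return PORT_NAMES[token]


def parse_config(text: str) -> Config:
    """Extract object/static-NAT, ACL and access-group lines. Leading whitespace is ignored,
    so a paste with the indentation stripped (as in the thread) parses identically."""
    cfg = Config()
    current: Optional[str] = None  # name of the object network block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif m := STATIC_RE.match(line):
            if current:
                cfg.static_nats[current] = m.group(3)
        elif m := ACL_RE.match(line):
            current = None
            cfg.acl_entries.append((m.group(1), m.group(2), port_number(m.group(3))))
        elif m := GROUP_RE.match(line):
            current = None
            if m.group(2) == "outside":
                cfg.outside_acl = m.group(1)
    return cfg


def inbound_ports(cfg: Config) -> Dict[str, Set[int]]:
    """Object name -> TCP ports that the ACL bound inbound on 'outside' permits towards it."""
    ports: Dict[str, Set[int]] = {}
    for acl, obj, port in cfg.acl_entries:
        if acl == cfg.outside_acl:
            ports.setdefault(obj, set()).add(port)
    return ports


def audit(cfg: Config) -> List[str]:
    """Mismatches between static NATs and the outside ACL, one finding per line."""
    findings = []
    if cfg.outside_acl is None:
        findings.append("no access-group is bound inbound on the outside interface")
    permitted = inbound_ports(cfg)
    for obj in permitted:
        if obj not in cfg.static_nats:
            findings.append(f"{cfg.outside_acl} permits object {obj}, which has no static NAT")
    for obj, mapped in cfg.static_nats.items():
        if obj not in permitted:
            findings.append(f"static NAT {obj} -> {mapped} has no inbound permit on {cfg.outside_acl}")
    return findings


def packet_tracer_commands(cfg: Config, src_ip: str = "203.0.113.10", src_port: int = 12345) -> List[str]:
    """One packet-tracer per permitted port, aimed at the mapped (public) address an outside
    client connects to. src_ip/src_port are constructed test values."""
    permitted = inbound_ports(cfg)
    return [f"packet-tracer input outside tcp {src_ip} {src_port} {mapped} {port}"
            for obj, mapped in cfg.static_nats.items()
            for port in sorted(permitted.get(obj, ()))]


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for finding in audit(config):
        print("FINDING:", finding)
    for cmd in packet_tracer_commands(config):
        print(cmd)
```

Two details match the thread: post-8.3 the ACL references the real (inside) object, while packet-tracer is aimed at the mapped public address, exactly as the original poster ran it. A packet-tracer pass only confirms the ASA's own ACL and NAT lookups; it says nothing about whether the upstream router still has a current ARP entry for the mapped address, which is the gap this thread ended up in.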

Thanks. I will try these in the next scheduled downtime and update. 

I'm wondering if you can amend the 5516's outside interface to the NAT'd address temporarily, e.g. 100.1.1.15 (or whatever the actual static NAT address is), so it will then send a gratuitous ARP for its outside interface. Then amend it back to the normal outside address 100.1.1.1, and the upstream devices should have ARP entries for the static NAT IP.

You would need to do this while the 5510 is unplugged from the network so there is no conflict.

The issue you have is that the ASA won't send a gratuitous ARP for addresses used for static NAT.

Just a thought, and it depends on how much disruption you are allowed to cause.
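The point in the post above is that the ASA announces only its interface address, so a mapped static-NAT address stays pinned to the old ASA's MAC in the ISP router's table until the entry ages out or is cleared. The Python below is an added example, not code from the thread or from Cisco: it builds the Ethernet/ARP frame that such an announcement consists of (sender and target protocol address both set to the address being announced), decodes it, tells it apart from an ordinary request, and models how a neighbour holding a stale entry picks up the new MAC. The MAC addresses and the ISP-router cache in it are constructed values; send_frame is for a Linux lab host with CAP_NET_RAW and is not needed to run the example.

```python
"""Gratuitous ARP: build, decode, and model the refresh of a stale neighbour entry (added example)."""
import socket
import struct
from typing import Dict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(sender_mac: str, sender_ip: str, target_ip: str, reply: bool = False) -> bytes:
    """Ethernet + ARP frame (42 bytes). When target_ip == sender_ip this is a gratuitous ARP:
    the sender announces its own address so neighbours overwrite the MAC they have cached."""
    sha, spa, tpa = mac_bytes(sender_mac), socket.inet_aton(sender_ip), socket.inet_aton(target_ip)
    oper = 2 if reply else 1
    # A gratuitous reply carries the broadcast MAC as target hardware address; a request carries zeros.
    tha = mac_bytes(BROADCAST_MAC if reply else ZERO_MAC)
    eth = mac_bytes(BROADCAST_MAC) + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet/IPv4 ARP frame into its operation and the four address fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42]),
    }


def is_gratuitous(arp: Dict[str, object]) -> bool:
    """Gratuitous ARP is recognised by sender and target protocol address being equal."""
    return arp["spa"] == arp["tpa"]


def learn(cache: Dict[str, str], arp: Dict[str, object]) -> Dict[str, str]:
    """Model a neighbour's ARP table: an existing entry for the sender IP is refreshed with the
    new sender MAC; unsolicited ARP does not create entries for addresses never seen before."""
    if arp["spa"] in cache:
        cache[arp["spa"]] = arp["sha"]
    return cache


def send_frame(ifname: str, frame: bytes) -> int:
    """Put the frame on the wire from a Linux host (AF_PACKET needs CAP_NET_RAW). Not used in tests."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed values: the new ASA's outside MAC, the old 5510's MAC, and the thread's NAT address.
    new_asa_mac, old_asa_mac, nat_ip = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "100.1.1.15"
    isp_router_cache = {nat_ip: old_asa_mac}  # stale entry left behind when the 5510 was unplugged
    announcement = parse_arp(build_arp(new_asa_mac, nat_ip, nat_ip))
    print("gratuitous:", is_gratuitous(announcement))
    print("cache after announcement:", learn(isp_router_cache, announcement))
```

In a lab, the same announcement can be sent from a Linux host with iputils arping -U -I eth0 -s 100.1.1.15 100.1.1.15. On a live ISP segment, announcing an address you do not own is ARP spoofing, which is why the workable fixes in this thread were the interface-address shuffle on the ASA itself or having the ISP router restarted.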