ASA 5520 Flow is Denied by Configured Rule "INSIDE to OUTSIDE"

I purchased a 5520 with an SSM20. Since day one the "Default" configuration has been blocking traffic from INSIDE to OUTSIDE. After doing some research I thought that I was getting blocked by the SSM20, but that has been cleared and the module shut down with hw-module module 1 shutdown. So technically nothing should be blocking the traffic.

For now I have a Verizon router with a static route that points the INSIDE network at the outside IP address of the ASA. However, I can see that traffic is flowing and being reset, but I can't figure out what is blocking the traffic.

 

Can somebody give me a hand... I've been on this for a month now, and yet I have learned a lot with this troublesome ASA.

*** Config ***

ASAPower# sho run
: Saved
:
: Serial Number: JMX1432L1MR
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)11
!
hostname ASAPower
domain-name lsvrgs.us
enable password hFn6Jz3JWey3cK1i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description out to verizon
nameif OUTSIDE
security-level 0
ip address 192.168.101.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MGMT
security-level 100
ip address 192.168.201.1 255.255.255.0
!
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner login *** Authorized users only. Otherwise go away!! ***
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm *** Authorized users only. Otherwise go away!! ***
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
boot system disk0:/asa917-11-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name lsvrgs.us
same-security-traffic permit inter-interface
object network User_Segment_192.168.200.0
subnet 192.168.200.0 255.255.255.0
description User_Segment_192.168.200.0
object network Verizon_Network
subnet 192.168.1.0 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended permit ip 192.168.200.0 255.255.255.0 any inactive
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.101.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.100 255.255.255.255 INSIDE
http 192.168.201.100 255.255.255.255 MGMT
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.200.100 255.255.255.255 INSIDE
ssh 192.168.201.100 255.255.255.255 MGMT
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access MGMT
dhcp-client update dns server both
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username dihegov password hKOfIhD0/o1ygjAI encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2dea02eaf9833fe05f0025f7670eb80e
: end
ASAPower#

 

*** END ***

 


8 Replies

Marvin Rhoads
Hall of Fame

What is the source and destination of traffic you are testing with?

 

Have you tried running packet-tracer? e.g.:

 

packet-tracer input OUTSIDE tcp 8.8.8.8 1025 192.168.200.2 80

(addresses and source/destination ports shown are examples - adjust to suit).

 

Also, your ACL "access-list INSIDE_access_in" and the associated access-group command aren't necessary.

 

 

Yes, and it appears that the flow is accepted. I'm wondering if the static route I have in the Verizon router is not being honored.

Verizon static route: 192.168.200.0 255.255.255.0 192.168.101.101

From Pc:
C:\Users\dgo>ping 192.168.101.1 -S 192.168.200.100

Pinging 192.168.101.1 from 192.168.200.100 with 32 bytes of data:
Reply from 192.168.101.1: bytes=32 time=1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.101.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Users\dgo>ping 8.8.8.8 -S 192.168.200.100

Pinging 8.8.8.8 from 192.168.200.100 with 32 bytes of data:
Request timed out.

Ping statistics for 8.8.8.8:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

From ASA:
Packet-tracer provided does go through all Phases and being allowed.
What I don't understand is why I am able to ping from the host to the gateway but not the Internet. Again, I'm wondering if the Verizon router is not playing nice with routing the traffic back, but if ping works then it does.

The SSM20 is powered down and I don't have any service policy rules in place either...

Without wishing to state the obvious, the router is set up to NAT the source IPs, isn't it?

 

Jon

Ha - Jon you posted that while I was writing the same thing!

Hi Marvin 

 

No problem, glad we said same thing :) 

 

Jon

It could be that the Verizon router is not configured to do any NAT for your inside subnets.

 

That would explain that it replies to ping from the inside subnet natively - the ASA and the static route all working as intended.

 

If traffic from the inside subnet to the Internet is coming from a network that the Verizon router isn't NATting, it will hit the public Internet with its native RFC 1918 address and not be forwarded.

Marvin & Jon,

Thank you for your solution, but well... not with this particular Verizon router, but I have done this setup in the past and it has worked as is. I'm not an expert with NAT, but wouldn't/shouldn't that traffic be NAT'ed as well?

Are you suggesting that I should run NAT from the ASA on my OUTSIDE interface?

Yes, it appears that my old Verizon router is not properly NATting my traffic from the INSIDE network. After configuring dynamic PAT on the ASA I was able to reach the Internet.

Which is a good reason why i got the ASA... to learn it is def' a different beast than the SRX
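The fix the thread lands on, written out as an added example rather than the poster's own config: an ASA 9.1 object NAT rule that translates the existing User_Segment_192.168.200.0 object to the OUTSIDE interface address, followed by the INSIDE-to-Internet packet-tracer that confirms a NAT phase is now hit. The source host, port and destination in the trace are illustrative values.

```text
! Added example, not from the original post. Object NAT: dynamic PAT of the
! 192.168.200.0/24 user segment to the ASA's OUTSIDE address (192.168.101.101),
! so the upstream Verizon router only ever sees a source it already NATs.
object network User_Segment_192.168.200.0
 subnet 192.168.200.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Verify from INSIDE toward the Internet (the earlier trace ran in the other
! direction, OUTSIDE -> INSIDE, so it never exercised this path). The output
! should now include a "NAT" phase and end with "Action: allow".
packet-tracer input INSIDE tcp 192.168.200.100 1025 8.8.8.8 80
!
! Confirm the rule is installed and that live flows are being translated.
show nat detail
show xlate
```

If the trace still shows no NAT phase, the object name or interface pair in the nat line does not match the running config; the translation count in show nat detail stays at zero until real traffic from 192.168.200.0/24 crosses the firewall.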
