07-15-2011 04:59 AM - edited 03-11-2019 01:59 PM
Hi, I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail.
First problem I have is that I can't ping the new firewall on its inside interface, despite having "icmp permit any inside" in the running config.
Secondly, the server I have on there ("Sar") can't connect out to the internet.
I've included the ASA's running config in case anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no NAT going on.
Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Cheers,
07-17-2011 05:41 AM
I've added in the route and still not getting anything from the outside packet capture. The router on xxx.xxx.9.129 responds to ping from the firewall, so in theory I should be able to ping it from the server too?
Here is the current config:
bt# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname bt
domain-name mcserv.co.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.9.130 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name mcserv.co.uk
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Sar
host 10.20.3.151
object network Sar_Outside
host xxx.xxx.9.151
object-group network WebServers
network-object object Sar_Outside
object-group service WebsiteTraffic
description Website required services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers
access-list cap extended permit ip host 10.20.3.151 host 4.2.2.2
access-list cap extended permit ip host 4.2.2.2 host 10.20.3.151
access-list cap extended permit ip host 4.2.2.2 host xxx.xxx.9.151
access-list cap extended permit ip host xxx.xxx.9.151 host 4.2.2.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Sar
nat (inside,outside) static Sar_Outside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.9.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.20.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns dns-map
parameters
message-length maximum client 512
message-length maximum 512
policy-map global-policy
class global-class
inspect dns dns-map
inspect ftp
inspect icmp
inspect icmp error
inspect http
inspect rtsp
inspect rsh
inspect sip
inspect skinny
inspect sqlnet
inspect tftp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f36d6cfcf9791d95e642ae7c4289ed05
: end
07-17-2011 06:27 AM
Hi Wez,
Now that we have the route in place, can you take the captures again, to see if the packets are getting to the outside interface, unlike earlier?
And also please provide the complete output of:
packet-tracer input inside tcp 10.20.3.151 2345 1.1.1.1 80 detailed.
Thanks,
Varun
07-17-2011 10:42 AM
Ok, we have progress!
I can now access the internet (www.google.com) from the server, however I can't seem to RDP to it or connect to any of the websites. I'm guessing these are access control issues?
Btw, here is the output of the packet-tracer and capture:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca88f500, priority=13, domain=capture, deny=false
hits=1779, user_data=0xca88f400, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcabe35b8, priority=1, domain=permit, deny=false
hits=1631, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcabe5db0, priority=0, domain=inspect-ip-options, deny=true
hits=60, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect http
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb225d98, priority=70, domain=inspect-http, deny=false
hits=2, user_data=0xcb225b90, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Sar
nat (inside,outside) static Sar_Outside
Additional Information:
Static translate 10.20.3.151/2345 to xxx.xxx.9.151/2345
Forward Flow based lookup yields rule:
in id=0xcabc7510, priority=6, domain=nat, deny=false
hits=53, user_data=0xcabc8c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.20.3.151, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcac54358, priority=0, domain=inspect-ip-options, deny=true
hits=58, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 66, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
---------------
bt(config)# sho cap capo
8 packets captured
1: 05:27:07.728493 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
2: 05:27:12.494252 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
3: 05:28:08.333967 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
4: 05:28:13.226382 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
5: 10:24:25.168204 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
6: 10:24:30.242358 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
7: 10:24:34.874359 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
8: 10:24:39.506443 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
8 packets shown
07-17-2011 10:51 AM
Great! Yes, it is an access-list issue.
we need to have the following access-list:
access-list outside_access_in extended permit tcp any object Sar eq 3389
We would need to use the real IP of the server and not the public IP, in version 8.3 or above.
This should definitely resolve the issue for you.
Hope this helps,
Thanks,
Varun
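The point Varun makes above (on ASA 8.3 and later an inbound ACL must name the real, pre-NAT address, not the mapped public one) is exactly the kind of mistake that survives a PIX-to-ASA migration silently. The following added audit script, which is not from this thread or from Cisco, parses a constructed config excerpt modelled on the one posted here (with the documentation range 203.0.113.x standing in for the redacted xxx.xxx.9.x addresses) and flags ACEs whose destination is a static-NAT mapped object or mapped host address; it assumes host objects only, not subnets or object-groups.

```python
import re

# Constructed excerpt modelled on the thread's 8.4(1) config; 203.0.113.x
# stands in for the redacted public addresses (xxx.xxx.9.x).
SAMPLE_CONFIG = """
object network Sar
 host 10.20.3.151
object network Sar_Outside
 host 203.0.113.151
object network Sar
 nat (inside,outside) static Sar_Outside
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.151 eq www
access-list outside_access_in extended permit tcp any object Sar eq 3389
"""

def parse_objects(cfg):
    """Map object name -> host address, and real object -> mapped object."""
    hosts, static_nat, current = {}, {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)      # object blocks may appear twice (host, then nat)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            hosts[current] = m.group(1)
        m = re.match(r"\s+nat \(\S+\) static (\S+)", line)
        if m and current:
            static_nat[current] = m.group(1)
    return hosts, static_nat

def find_mapped_address_aces(cfg):
    """Return (ace, real_object) for ACEs whose destination is a mapped address.

    On ASA 8.3+ such ACEs never match inbound traffic, because the ACL is
    evaluated against the real (untranslated) destination address.
    """
    hosts, static_nat = parse_objects(cfg)
    mapped_to_real = {mapped: real for real, mapped in static_nat.items()}
    mapped_ip_to_real = {hosts[m]: r for m, r in mapped_to_real.items() if m in hosts}
    findings = []
    for line in cfg.splitlines():
        if not line.startswith("access-list "):
            continue
        m = re.search(r" any (?:object (\S+)|host (\S+)) eq ", line)
        if not m:
            continue
        obj, ip = m.groups()
        real = mapped_to_real.get(obj) or mapped_ip_to_real.get(ip)
        if real:
            findings.append((line.strip(), real))
    return findings
```

Each finding names the real object the ACE should reference instead, which is the fix Varun gives above.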
07-17-2011 10:54 AM
Awesome, that's got me into RDP now. I'm guessing I need to do the same thing to allow port 80 traffic in too?
Edit, got it, just changed the port number after eq.
Thanks for everything, you've been a godsend. If you're ever in town, beers are on me!
07-17-2011 10:58 AM
Absolutely, happy it resolved the issue for you
-Varun
07-17-2011 11:08 AM
Thanks a lot Wez for your ratings.....all the best and take care
-Varun
09-22-2011 04:41 AM
Hey, sorry to dig up an old thread but I'm having a similar problem when moving a new server to this vlan/subnet.
Weirdly I can ping anything on the internet from the server (call it 10.20.3.148 or Dev1), but when I try to access the internet, it fails. Something is stopping port 80 traffic.
The following packet trace shows that all traffic is allowed:
packet-tracer input inside tcp 10.20.3.148 2345 1.1.1.1 80 detailed
Results:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Here are my rules. I tried to copy the existing server (Sar) but with no success:
bt(config)# sho run access-list
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers
access-list outside_access_in extended permit tcp any host xxx.xxx.9.151 object-group RemoteDesktop
access-list outside_access_in extended permit tcp any object Sar eq 3389
access-list outside_access_in extended permit tcp any object Sar eq www
access-list outside_access_in extended permit tcp any object Sar eq https
access-list outside_access_in extended permit tcp any object Sar eq ftp-data
access-list outside_access_in extended permit tcp any object Sar eq ftp
access-list outside_access_in extended permit tcp any object Sar eq 1433
access-list outside_access_in extended permit tcp any object Dev1 eq www
access-list outside_access_in extended permit tcp any object Dev1_Outside eq www
bt(config)# sho run object-group
object-group network WebServers
network-object object Sar_Outside
network-object object Dev1_Outside
network-object object Dev1
object-group service WebsiteTraffic
description Website required services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service RemoteDesktop tcp
port-object range 3389 3389
bt(config)# sho run nat
!
object network obj_any
nat (inside,outside) dynamic interface
object network Sar
nat (inside,outside) static Sar_Outside
object network Dev1
nat (inside,outside) static Dev1_Outside
bt(config)# sho run object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Sar
host 10.20.3.151
object network Sar_Outside
host xxx.xxx.9.151
object network Dev1
host 10.20.3.148
object network Dev1_Outside
host xxx.xxx.9.148
09-22-2011 04:45 AM
Hi Wez,
welcome back
It seems to be a DNS issue, since you are able to ping the internet but not access websites. Can you set the DNS server IP to 4.2.2.2 on the host machine and try again?
Thanks,
Varun
09-22-2011 05:03 AM
Ah, that's fixed me going out on port 80 (I can access Google at least!) but what about connections coming in?
When trying to browse to a website on the server externally I just get a connection refused error. Guessing that's the firewall side?
09-22-2011 05:07 AM
Could be possible!
I would request you provide me the following details:
Ip address of the server
Public ip used for this server
Is it behind the inside interface?
I'll let you know the config for it.
Thanks,
Varun
09-22-2011 05:58 AM
Hi Wez,
Thanks for the information. I have gone through it and I would suggest that the configuration is fine. Can you test with packet captures, as I had suggested earlier in the thread, and check where the packets are getting dropped?
Thanks,
Varun
09-22-2011 05:58 AM
Make sure the port on the server is open as well.
09-22-2011 06:34 AM
Ran a port scan via (https://www.grc.com/) and it's come up with port 80 being closed. I don't think it's an issue on the server itself as I've just scanned an identical server from the subnet it came from and port 80 came up as open.
I get how packet caps work for pinging, does it function the same way for web traffic?
Obviously I can't browse from 4.2.2.2, do I need to get an external IP and try to connect from there?
09-22-2011 06:43 AM
Hi Wez,
Yes, you need to access the url from outside for it, for applying captures use this:
access-list cap permit ip any host xx.xx.xx.148
access-list cap permit ip host xx.xx.xx.148 any
access-list cap permit ip any host 10.150.3.148
access-list cap permit ip host 10.150.3.148 any
cap capo access-list cap interface outside
cap capin access-list cap interface inside
After this, try accessing the URL from outside, and then collect the following outputs on the ASA:
show cap capo
show cap capin
This should tell where packets are being dropped.
Thanks,
Varun