Having trouble matching Old PIX and new ASA configs

KingPrawns (Level 1)

Hi, I've recently upgraded my old firewall from a PIX to an ASA 5505 and have been trying to match up the configuration settings, to no avail.

First problem I have is that I can't ping the new firewall on its inside interface, despite having "icmp permit any inside" in the running config.

Secondly, the server I have on there ("Sar") can't connect out to the internet.

I've included the ASA's running config in case anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no NAT going on.

Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

Cheers,

32 Replies

I've added in the route and still not getting anything from the outside packet capture. The router on xxx.xxx.9.129 responds to ping from the firewall, so in theory I should be able to ping it from the server too?

Here is the current config:

bt# sho run
: Saved
:
ASA Version 8.4(1)
!
hostname bt
domain-name mcserv.co.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.9.130 255.255.255.192
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mcserv.co.uk
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Sar
 host 10.20.3.151
object network Sar_Outside
 host xxx.xxx.9.151
object-group network WebServers
 network-object object Sar_Outside
object-group service WebsiteTraffic
 description Website required services
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers
access-list cap extended permit ip host 10.20.3.151 host 4.2.2.2
access-list cap extended permit ip host 4.2.2.2 host 10.20.3.151
access-list cap extended permit ip host 4.2.2.2 host xxx.xxx.9.151
access-list cap extended permit ip host xxx.xxx.9.151 host 4.2.2.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Sar
 nat (inside,outside) static Sar_Outside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.9.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.20.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns dns-map
 parameters
  message-length maximum client 512
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect dns dns-map
  inspect ftp
  inspect icmp
  inspect icmp error
  inspect http
  inspect rtsp
  inspect rsh
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f36d6cfcf9791d95e642ae7c4289ed05
: end

Hi Wez,

Now that the route is in place, can you take the captures again to see whether the packets are reaching the outside interface, unlike earlier?

Also, please provide the complete output of:

packet-tracer input inside tcp 10.20.3.151 2345 1.1.1.1 80 detailed

Thanks,

Varun

Thanks,
Varun Rao

OK, we have progress!

I can now access the internet (www.google.com) from the server; however, I can't seem to RDP to it or connect to any of the websites. I'm guessing these are access control issues?

By the way, here is the output of the packet-tracer and capture:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca88f500, priority=13, domain=capture, deny=false
        hits=1779, user_data=0xca88f400, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcabe35b8, priority=1, domain=permit, deny=false
        hits=1631, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcabe5db0, priority=0, domain=inspect-ip-options, deny=true
        hits=60, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
 match default-inspection-traffic
policy-map global-policy
 class global-class
  inspect http
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb225d98, priority=70, domain=inspect-http, deny=false
        hits=2, user_data=0xcb225b90, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Sar
 nat (inside,outside) static Sar_Outside
Additional Information:
Static translate 10.20.3.151/2345 to xxx.xxx.9.151/2345
Forward Flow based lookup yields rule:
in  id=0xcabc7510, priority=6, domain=nat, deny=false
        hits=53, user_data=0xcabc8c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.20.3.151, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcac54358, priority=0, domain=inspect-ip-options, deny=true
        hits=58, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 66, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

---------------

bt(config)# sho cap capo
8 packets captured
   1: 05:27:07.728493 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   2: 05:27:12.494252 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   3: 05:28:08.333967 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   4: 05:28:13.226382 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   5: 10:24:25.168204 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   6: 10:24:30.242358 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   7: 10:24:34.874359 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
   8: 10:24:39.506443 802.1Q vlan#2 P0 xxx.xxx.9.151 > 4.2.2.2: icmp: echo request
8 packets shown

Great! Yes, it is an access-list issue.

We need to have the following access-list:

access-list outside_access_in extended permit tcp any object Sar eq 3389

We would need to use the real IP of the server and not the public IP, in version 8.3 or above.

This should definitely resolve the issue for you.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
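Varun's point that an 8.3-or-later interface ACL must name the server's real address (the pre-NAT object), not the public one, is the root of most of the access-list trouble in this thread; the PIX and pre-8.3 ASA habit of writing ACLs against the mapped address silently never matches. The following is an added example, not code from the thread or from Cisco: a small Python check that reads the object, NAT and access-list lines of a running config, resolves each `static` NAT to its real object, and reports every ACL reference that names a mapped object, a mapped host address, or a network object-group containing one, with the corrected line. The sample config is constructed from the objects and ACLs posted in this thread, with the masked public prefix replaced by the documentation range 203.0.113.0/24.

```python
"""Flag ASA 8.3+ access-list entries that reference NAT-mapped (public) addresses.

Since ASA 8.3 interface ACLs are matched against the real (pre-NAT) address, so an
entry naming the mapped object, the mapped host address, or a group holding either
never matches inbound traffic. Sample config is constructed from the thread.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Sar
 host 10.20.3.151
object network Sar_Outside
 host 203.0.113.151
object network Dev1
 host 10.20.3.148
object network Dev1_Outside
 host 203.0.113.148
object-group network WebServers
 network-object object Sar_Outside
 network-object object Dev1_Outside
 network-object object Dev1
object-group service WebsiteTraffic
 description Website required services
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service RemoteDesktop tcp
 port-object range 3389 3389
object network obj_any
 nat (inside,outside) dynamic interface
object network Sar
 nat (inside,outside) static Sar_Outside
object network Dev1
 nat (inside,outside) static Dev1_Outside
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers
access-list outside_access_in extended permit tcp any host 203.0.113.151 object-group RemoteDesktop
access-list outside_access_in extended permit tcp any object Sar eq 3389
access-list outside_access_in extended permit tcp any object Dev1 eq www
access-list outside_access_in extended permit tcp any object Dev1_Outside eq www
"""

Finding = Tuple[str, str, str]  # (acl line, offending reference, real object name)


def parse_config(text: str):
    """Collect static NAT mappings, network object-groups and access-list lines."""
    hosts: Dict[str, str] = {}           # network object -> host address
    mapped_to_real: Dict[str, str] = {}  # mapped object or address -> real object
    groups: Dict[str, List[str]] = {}    # network object-group -> member objects
    acls: List[str] = []
    ctx = None                           # ("object"|"group", name) of the open block
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line.startswith(" "):     # a top-level command closes any open block
            ctx = None
            if parts[:2] == ["object", "network"]:
                ctx = ("object", parts[2])
            elif parts[:2] == ["object-group", "network"]:
                ctx = ("group", parts[2])
                groups.setdefault(parts[2], [])
            elif parts[0] == "access-list":
                acls.append(line.strip())
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "object" and parts[0] == "host":
            hosts[name] = parts[1]
        elif kind == "object" and parts[0] == "nat" and "static" in parts:
            # "nat (inside,outside) static <mapped>": <mapped> is an object or an address
            mapped_to_real[parts[parts.index("static") + 1]] = name
        elif kind == "group" and parts[:2] == ["network-object", "object"]:
            groups[name].append(parts[2])
    # Index mapped objects by their address too, so "host <public ip>" is caught.
    for mapped, real in list(mapped_to_real.items()):
        if mapped in hosts:
            mapped_to_real[hosts[mapped]] = real
    return mapped_to_real, groups, acls


def mapped_references(text: str) -> List[Finding]:
    """Every ACL reference to a mapped object/address or to a group holding one.
    On an ACL applied inbound on outside the inside server only appears as the
    destination, so every object/host/object-group token is checked."""
    mapped_to_real, groups, acls = parse_config(text)
    findings: List[Finding] = []
    for acl in acls:
        parts = acl.split()
        for tok, nxt in zip(parts, parts[1:]):
            if tok in ("object", "host") and nxt in mapped_to_real:
                findings.append((acl, f"{tok} {nxt}", mapped_to_real[nxt]))
            elif tok == "object-group":
                for member in groups.get(nxt, []):      # service groups are not indexed
                    if member in mapped_to_real:
                        findings.append((acl, f"object-group {nxt} member {member}",
                                         mapped_to_real[member]))
    return findings


def suggested_fix(finding: Finding) -> str:
    """Config text that swaps the mapped reference for the real object."""
    acl, ref, real = finding
    if ref.startswith("object-group "):
        _, group, _, member = ref.split()
        return (f"object-group network {group}\n"
                f" no network-object object {member}\n"
                f" network-object object {real}")
    return acl.replace(ref, f"object {real}")


if __name__ == "__main__":
    for f in mapped_references(SAMPLE_CONFIG):
        print(f"mapped reference {f[1]!r} in: {f[0]}")
        print("  fix:\n  " + suggested_fix(f).replace("\n", "\n  "))
```

Run against the sample, the first finding's fix is exactly the line Varun gave (`... permit tcp any object Sar eq 3389`); the check also catches the `host xxx.xxx.9.151` entry and the two mapped members of the WebServers group that appear later in the thread. Stale entries that reference mapped addresses are harmless but worth deleting, since they suggest a permission that is never actually granted.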

Awesome, that's got me into RDP now. I'm guessing I need to do the same thing to allow port 80 traffic in too?

Edit: got it, I just changed the port number after eq.

Thanks for everything, you've been a godsend. If you're ever in town, beers are on me!

Absolutely, happy it resolved the issue for you

-Varun

Thanks,
Varun Rao

Thanks a lot, Wez, for your ratings. All the best and take care.

-Varun

Thanks,
Varun Rao

Hey, sorry to dig up an old thread, but I'm having a similar problem when moving a new server to this VLAN/subnet.

Weirdly, I can ping anything on the internet from the server (call it 10.20.3.148 or Dev1), but when I try to access the internet, it fails. Something is stopping port 80 traffic.

The following packet trace shows that all traffic is allowed:

     packet-tracer input inside tcp 10.20.3.148 2345 1.1.1.1 80 detailed

Results:
     input-interface: inside
     input-status: up
     input-line-status: up
     output-interface: outside
     output-status: up
     output-line-status: up
     Action: allow

Here are my rules. I tried to copy the existing server (Sar), but with no success:

bt(config)# sho run access-list
access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389
access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers
access-list outside_access_in extended permit tcp any host xxx.xxx.9.151 object-group RemoteDesktop
access-list outside_access_in extended permit tcp any object Sar eq 3389
access-list outside_access_in extended permit tcp any object Sar eq www
access-list outside_access_in extended permit tcp any object Sar eq https
access-list outside_access_in extended permit tcp any object Sar eq ftp-data
access-list outside_access_in extended permit tcp any object Sar eq ftp
access-list outside_access_in extended permit tcp any object Sar eq 1433
access-list outside_access_in extended permit tcp any object Dev1 eq www
access-list outside_access_in extended permit tcp any object Dev1_Outside eq www

bt(config)# sho run object-group
object-group network WebServers
 network-object object Sar_Outside
 network-object object Dev1_Outside
 network-object object Dev1
object-group service WebsiteTraffic
 description Website required services
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
object-group service RemoteDesktop tcp
 port-object range 3389 3389

bt(config)# sho run nat
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Sar
 nat (inside,outside) static Sar_Outside
object network Dev1
 nat (inside,outside) static Dev1_Outside

bt(config)# sho run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Sar
 host 10.20.3.151
object network Sar_Outside
 host xxx.xxx.9.151
object network Dev1
 host 10.20.3.148
object network Dev1_Outside
 host xxx.xxx.9.148

Hi Wez,

Welcome back.

It seems to be a DNS issue, since you are able to ping the internet but not access websites. Can you set the DNS server IP to 4.2.2.2 on the host machine and try again?

Thanks,

Varun

Thanks,
Varun Rao

Ah, that's fixed me going out on port 80 (I can access Google at least!), but what about connections coming in?

When trying to browse to a website on the server externally, I just get a connection refused error. I'm guessing that's on the firewall side?

Could be possible!

I would request that you provide me the following details:

IP address of the server

Public IP used for this server

Is it behind the inside interface?

I'll let you know the config for it.

Thanks,

Varun

Thanks,
Varun Rao

Hi Wez,

Thanks for the information. I have gone through it and I would suggest that the configuration is fine. Can you test with packet captures, as I suggested earlier in the thread, and check where the packets are getting dropped?

Thanks,

Varun

Thanks,
Varun Rao

Make sure the port on the server is open as well.

Thanks,
Varun Rao

Ran a port scan via https://www.grc.com/ and it came up with port 80 being closed. I don't think it's an issue on the server itself, as I've just scanned an identical server on the subnet it came from and port 80 came up as open.

I get how packet captures work for pinging; does it work the same way for web traffic?

Obviously I can't browse from 4.2.2.2; do I need to get an external IP and try to connect from there?

Hi Wez,

Yes, you need to access the URL from outside for that. To apply the captures, use this:

access-list cap permit ip any host xx.xx.xx.148
access-list cap permit ip host xx.xx.xx.148 any
access-list cap permit ip any host 10.20.3.148
access-list cap permit ip host 10.20.3.148 any
capture capo access-list cap interface outside
capture capin access-list cap interface inside

After this, try accessing the URL from outside, and then collect the following outputs on the ASA:

show cap capo
show cap capin

This should tell where packets are being dropped.

Thanks,

Varun

Thanks,
Varun Rao
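Varun's capture procedure above is what separates the possible failure modes: a request seen on `capo` with no reply back points upstream (or at a host that is not answering), a SYN seen on `capo` but not on `capin` points at the ASA, and a SYN that reaches `capin` unanswered points at the server. The outside capture posted earlier in the thread (eight echo requests from the mapped address, no echo replies) is the first shape. As an added example, not code from the thread or from Cisco, here is a Python parser for `show capture` output that pairs requests with replies per flow and reports the unanswered ones, including SYNs that came back with a RST (the browser's "connection refused"). The capture text is constructed: the ICMP lines mirror the posted capture with 203.0.113.0/24 substituted for the masked prefix, and the TCP lines (a client at 198.51.100.7, a web server at .148 and .151) are invented to show a SYN with no SYN/ACK, a SYN answered by RST, and a handshake that completes.

```python
"""Pair requests with replies in ASA 'show capture' output; list the unanswered ones."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of 'show cap capo'. Packets 1-2 mirror the thread's capture
# (203.0.113.151 stands in for the masked public address); packets 3-10 are invented.
SAMPLE_CAPTURE = """\
10 packets captured
   1: 05:27:07.728493 802.1Q vlan#2 P0 203.0.113.151 > 4.2.2.2: icmp: echo request
   2: 05:27:12.494252 802.1Q vlan#2 P0 203.0.113.151 > 4.2.2.2: icmp: echo request
   3: 10:24:25.168204 802.1Q vlan#2 P0 198.51.100.7.51000 > 203.0.113.148.80: S 100:100(0) win 8192 <mss 1460>
   4: 10:24:28.168204 802.1Q vlan#2 P0 198.51.100.7.51000 > 203.0.113.148.80: S 100:100(0) win 8192 <mss 1460>
   5: 10:25:01.000000 802.1Q vlan#2 P0 198.51.100.7.51001 > 203.0.113.151.80: S 200:200(0) win 8192 <mss 1460>
   6: 10:25:01.001000 802.1Q vlan#2 P0 203.0.113.151.80 > 198.51.100.7.51001: S 900:900(0) ack 201 win 65535 <mss 1380>
   7: 10:25:01.002000 802.1Q vlan#2 P0 198.51.100.7.51001 > 203.0.113.151.80: . ack 901 win 8192
   8: 10:25:01.003000 802.1Q vlan#2 P0 198.51.100.7.51001 > 203.0.113.151.80: P 201:350(149) ack 901 win 8192
   9: 10:26:00.000000 802.1Q vlan#2 P0 198.51.100.7.51002 > 203.0.113.151.25: S 300:300(0) win 8192 <mss 1460>
  10: 10:26:00.001000 802.1Q vlan#2 P0 203.0.113.151.25 > 198.51.100.7.51002: R 0:0(0) ack 301 win 0
10 packets shown
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+"                    # packet index and timestamp
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"             # optional 802.1Q tag (ASA 5505 VLAN ports)
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def _endpoint(ep: str, proto: str) -> Tuple[str, str]:
    """'a.b.c.d.port' -> (host, port) for TCP; ICMP endpoints carry no port."""
    if proto == "icmp":
        return ep, ""
    host, port = ep.rsplit(".", 1)
    return host, port


def parse_capture(text: str) -> List[Dict[str, str]]:
    """One dict per packet line; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("icmp:"):
            proto, kind = "icmp", rest.split(":", 1)[1].strip()   # "echo request"/"echo reply"
        else:
            proto = "tcp"
            flags = rest.split()[0]                 # tcpdump-style: S, S+ack, ., P, F, R
            if "S" in flags:
                kind = "syn-ack" if " ack " in rest else "syn"
            elif "R" in flags:
                kind = "rst"
            else:
                kind = "data"
        src, sport = _endpoint(m["src"], proto)
        dst, dport = _endpoint(m["dst"], proto)
        pkts.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                     "proto": proto, "kind": kind})
    return pkts


def unanswered(pkts: List[Dict[str, str]]) -> List[str]:
    """Echo requests with no echo reply back, SYNs with no SYN/ACK back (noting a
    RST when one came back instead); one line per (src, dst, port) with the count."""
    def key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"], p["kind"])

    counts = Counter(key(p) for p in pkts)
    report = []
    for (src, sport, dst, dport, proto, kind), n in sorted(counts.items()):
        if proto == "icmp" and kind == "echo request":
            if not counts[(dst, "", src, "", "icmp", "echo reply")]:
                report.append(f"{n} echo request(s) {src} -> {dst}: no echo reply back")
        elif proto == "tcp" and kind == "syn":
            if counts[(dst, dport, src, sport, "tcp", "syn-ack")]:
                continue                            # handshake answered; nothing to report
            if counts[(dst, dport, src, sport, "tcp", "rst")]:
                report.append(f"{n} SYN(s) {src}:{sport} -> {dst}:{dport}: RST back "
                              "(something answered and refused; check the service on the host)")
            else:
                report.append(f"{n} SYN(s) {src}:{sport} -> {dst}:{dport}: no SYN/ACK back")
    return report


if __name__ == "__main__":
    for line in unanswered(parse_capture(SAMPLE_CAPTURE)):
        print(line)
```

Run the same function over `show cap capin` as well: a SYN reported as unanswered on `capo` but absent from `capin` never crossed the ASA (interface ACL or NAT), while one present and unanswered on `capin` reached the server and was dropped there, which is the case Varun's "make sure the port on the server is open" covers.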