Internet Access from LAN flapping on ASA 5506

jrnetipsec (Level 1)

Hi Community,
We have been in a situation that feels crazy, as everything configured on the ASA is OK. Still, the Internet is not working on the LAN side, or sometimes it flaps. Here I am giving all the required configuration and the testing done by me.
WAN: x.x.x.x

LAN: 10.184.2.1
From the ASA I can ping both the LAN side devices and the WAN side (8.8.8.8 and the gateway).
Running Config:

ciscoasa# sh run
: Saved

:
: Serial Number: ABCDZEE
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$7M8VSNtue5ABc2G1tmiuDQ==$3jzB+QaYW6Puc8mqWAfEWw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 10.184.2.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
no nameif
security-level 100
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:653c319420afd6503f38236cecd2c6e0
: end
I even tested using packet-tracer and it is positive; so where is the fault?

ciscoasa# packet-tracer input inside icmp 10.184.2.25 8 0 8.8.8.8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop (x.x.x.x gateway)using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.184.2.25/0 to x.x.x.x/14506
Forward Flow based lookup yields rule:
in id=0x7fb4f9b6cec0, priority=6, domain=nat, deny=false
hits=1251, user_data=0x7fb4f90af9d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb4f8c60c40, priority=0, domain=nat-per-session, deny=true
hits=1086, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb4f986c390, priority=0, domain=inspect-ip-options, deny=true
hits=1392, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb4f99cd0c0, priority=70, domain=inspect-icmp, deny=false
hits=8, user_data=0x7fb4fa0fe1b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb4f986bba0, priority=66, domain=inspect-icmp-error, deny=false
hits=263, user_data=0x7fb4f986b110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb4f8c60c40, priority=0, domain=nat-per-session, deny=true
hits=1088, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb4f98fffc0, priority=0, domain=inspect-ip-options, deny=true
hits=1150, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1428, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
PLEASE SUGGEST! THANKS IN ADVANCE. 

19 Replies

Hi,
So the output of the packet-tracer confirms it should be permitted, but what source IP address are you using when it does not work?
Is it also from the 10.184.2.x network?
You have multiple interfaces defined; are you accessing from these networks? Your current NAT entry only allows from the source "inside".

@Rob Ingram I was thinking he is missing the subnet, as in the current config the subnet is 0.0.0.0 0.0.0.0, which is why the LAN cannot use the NAT to do the PAT.

please do not forget to rate.

Yes, the devices on the LAN are on subnet 10.184.2.x /24. As per the above configuration, is the NAT allowed correct or not?

I think you need to give this command and test it.

object network obj_any
 subnet 10.184.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

please do not forget to rate.

Can you try this and tell us if it is working?

object network obj_any
 subnet 10.184.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

please do not forget to rate.

Done. Still the problem persists. I even changed the firewall.

Give us the output of this command:

show conn

Not all of it; a few lines of the output would be OK. Do you have any switch between the users and the firewall? As per your packet-tracer output, the 10.x.x.x network is OK to go out to the Internet. If there is a switch in between, then check that; it might be flapping on that side.

please do not forget to rate.

Hi, please refer to this link for the output. https://pastebin.com/0PtkVBMN

Thanks for the output. Taking one example:

outside 8.8.8.8:53 inside 10.184.2.71:49580

It seems your NAT is working fine. But could you explain how the users are connected to the firewall?

please do not forget to rate.

The firewall LAN side port is connected to a Cisco SG 220 switch and then to the users. I am currently checking the switch for the issue, if any.

Looking into your firewall config, you have one interface connected as inside and the other one connected to the Internet.

USER----->SW----->FW------INTERNET

In regards to your firewall config, it is OK according to your network. I suspect there is an issue somewhere in the switch, as I see in the conn output that traffic flow is happening.

please do not forget to rate.

If the switch is the issue, then can I connect those four servers directly to the firewall interfaces so they act as one subnet (using the BVI)?

Your BVI has no IP address, no name and no NAT rule. Once you define these, then yes, you can connect your servers directly to the firewall.

please do not forget to rate.
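A small config check, added here as an example and not taken from the thread or from Cisco, that reads an ASA running config and flags the two things the replies above ask the poster to look at: a NAT object whose source subnet is the catch-all 0.0.0.0/0, and bridge-group member interfaces whose BVI still has no nameif or IP address. It assumes the plain "show run" layout seen in the thread; the config excerpt is constructed from the thread's own running config.

```python
import ipaddress

# Constructed excerpt of the thread's running config (not a live device dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
!
interface BVI1
no nameif
no ip address
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
"""

def parse_blocks(config):
    """Group config lines under their 'interface' / 'object network' header.
    ASA prints an object's subnet and its nat line as two separate blocks with
    the same header, so lines under a repeated header are merged together."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "object network ")):
            current = line
            blocks.setdefault(current, [])
        elif line and line != "!" and current is not None:
            blocks[current].append(line)
    return blocks

def lint_asa(config):
    """Return human-readable findings for the two checks the replies raised."""
    findings, blocks = [], parse_blocks(config)
    for header, lines in blocks.items():
        if header.startswith("object network "):
            has_nat = any(l.startswith("nat ") for l in lines)
            for l in (l for l in lines if l.startswith("subnet ")):
                net, mask = l.split()[1:3]
                if has_nat and ipaddress.ip_network(f"{net}/{mask}", strict=False).prefixlen == 0:
                    findings.append(f"{header}: NAT source is any (0.0.0.0/0); confirm it should cover the whole LAN")
        elif header.startswith("interface "):
            for l in (l for l in lines if l.startswith("bridge-group ")):
                group = l.split()[1]
                bvi = blocks.get(f"interface BVI{group}", [])
                # A missing BVI block counts as missing both settings.
                missing = [c for c in ("nameif", "ip address") if not bvi or f"no {c}" in bvi]
                if missing:
                    findings.append(f"{header}: in bridge-group {group} but BVI{group} lacks {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```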

In the past, when I entered the nameif command on the BVI, the firewall crashed. So what is the issue with that? What if it happens again?