Traffic not passing between inside and outside interface

Jonathancert_2
Level 1

Traffic is being blocked from "interface GigabitEthernet1/3.420" to nameif outside. When I do a ping from the inside network, I can see traffic hitting the ASA, but it appears to be getting blocked by the access group. Tried to modify the ACL but nothing helps. Config below.

 

4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:124.40.254.242 dst CHTN-A10-EXTERNAL:40.32.218.29 (type 11, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:12|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:13|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:14|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]

 

CHTN-INET-ASA/sec/act#   sho running-config
: Saved
:
ASA Version 9.1(1)
!
hostname CHTN-INET-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.120.0.0 A-10.120.0.0 description WDO Internal
name 10.120.16.13 Orion description Orion
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LAN/STATE Failover Interface
!
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 ip address 80.10.149.246 255.255.255.240 standby 80.10.149.247
!
interface GigabitEthernet1/1
 nameif dmz
 security-level 50
 ip address 80.10.149.3 255.255.255.192 standby 80.10.149.4
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.121.0.1 255.255.255.248 standby 10.121.0.2
!
interface GigabitEthernet1/3
 nameif DMZ-TRUNK
 security-level 50
 no ip address
!
interface GigabitEthernet1/3.420
 description Charleston A10 direct-connect
 vlan 420
 nameif CHTN-A10-EXTERNAL
 security-level 70
 ip address 40.32.218.1 255.255.255.224
!
boot system disk0:/asa911-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.120.100.50
 host 10.120.100.50
object network Orion
 host 10.120.16.13
 description Created during name migration
object-group network Outside-Management
 description Outside-Management IP Space
 network-object host 10.121.10.2
 network-object host 10.121.10.3
 network-object host 10.121.10.4
 network-object host 10.121.10.5
object-group network WDO-Internal
 description WDO-Internal IP Space
 network-object A-10.120.0.0 255.252.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object udp destination eq ntp
 service-object udp destination eq snmp
 service-object udp destination eq snmptrap
 service-object udp destination eq syslog
 service-object tcp destination eq tacacs
 service-object udp destination eq 2055
object-group network DM_INLINE_NETWORK_1
 network-object A-10.120.0.0 255.252.0.0
 network-object 80.10.149.240 255.255.255.240
object-group network CHTN-A10-EXTERNAL
 network-object 40.32.218.0 255.255.255.224
access-list inside extended permit ip object-group WDO-Internal object-group Outside-Management
access-list CHTN-A10-EXTERNAL_access_in extended permit ip object-group CHTN-A10-EXTERNAL any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 object-group Outside-Management object-group WDO-Internal
access-list outside extended permit icmp object-group DM_INLINE_NETWORK_1 object Orion
access-list outside remark Migration, ACE (line 3) expanded: permit tcp object-group Outside-Management host 80.10.149.244 eq
access-list outside extended permit tcp host 10.121.10.2 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.3 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.4 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.5 host 10.120.100.50 eq tacacs
access-list outside remark Migration: End of expansion
access-list outside remark Migration, ACE (line 3) expanded: permit tcp object-group Outside-Management host 80.10.149.244 eq
access-list outside remark Migration: End of expansion
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging trap warnings
logging asdm informational
logging from-address asa@ntelospcs.net
logging facility 22
logging host inside Orion
logging host inside 10.121.16.231
logging host inside 10.120.16.231
logging permit-hostdown
logging message 106001 level informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu DMZ-TRUNK 1500
mtu CHTN-A10-EXTERNAL 1500
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.121.0.45 255.255.255.252 standby 10.121.0.46
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface description PAT for Internet Access
!
object network obj-10.120.100.50
 nat (inside,outside) static 80.10.149.244 service tcp tacacs tacacs
access-group outside in interface outside
access-group inside in interface inside
access-group CHTN-A10-EXTERNAL_access_in in interface CHTN-A10-EXTERNAL
!
router ospf 100
 router-id 10.121.0.1
 network 10.124.252.24 255.255.255.248 area 0
 log-adj-changes
 redistribute connected subnets
 redistribute static subnets
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 80.10.149.241 1
route inside A-10.120.0.0 255.252.0.0 10.121.0.5 1
route outside 10.121.10.2 255.255.255.255 80.10.149.241 1
route outside 10.121.10.3 255.255.255.255 80.10.149.241 1
route outside 10.121.10.4 255.255.255.255 80.10.149.241 1
route outside 10.121.10.5 255.255.255.255 80.10.149.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tac protocol tacacs+
aaa-server tac (inside) host 10.121.16.32
 key *****
aaa-server tac (inside) host 10.120.16.32
 key *****
user-identity default-domain LOCAL
aaa authentication enable console tac LOCAL
aaa authentication http console tac LOCAL
aaa authentication ssh console tac LOCAL
aaa accounting enable console tac
aaa accounting serial console tac
aaa accounting ssh console tac
aaa accounting telnet console tac
aaa accounting command tac
http server enable
http A-10.120.0.0 255.255.0.0 inside
http 10.120.9.0 255.255.255.0 inside
http 10.120.16.22 255.255.255.255 inside
snmp-server host inside 10.120.16.10 poll community ***** version 2c
snmp-server host inside Orion community ***** version 2c
snmp-server host inside 10.120.16.231 community ***** version 2c
snmp-server host inside 10.120.9.120 poll community ***** version 2c
snmp-server host inside 10.121.16.231 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh A-10.120.0.0 255.252.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.121.10.0 source inside prefer
ntp server 10.121.10.1 source inside
ssl encryption 3des-sha1 des-sha1
username admin password suAq/dPwstP7b0/A encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname priority state
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b9c9506a6efa5d3a332c90dc7f2a6496
: end
CHTN-INET-ASA/sec/act#

5 Replies

Collin Clark
VIP Alumni

You need to allow ICMP echo-reply from the destination.

access-list outside extended permit icmp host 4.2.2.2 any echo-reply

OK, thanks. I'll give it a try tonight in a maintenance window and see what happens.

 

Jonathan,

Or you can add ICMP inspection to your Global Policy map
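The denies in the question's syslog are all ICMP types that only arrive as answers to traffic the ASA itself let out (echo-reply, and the time-exceeded from a traceroute), which is exactly what either fix above addresses. As an added example that is not part of this thread, the following Python script parses %ASA-4-106023 lines in the format shown in the question and separates that return traffic from unsolicited inbound ICMP, which the outside ACL should keep denying. The sample lines are the ones from the question plus one constructed type-8 (echo-request) line from a constructed address.

```python
import re
from collections import Counter

# Constructed sample: three 106023 lines from the question plus one constructed
# inbound echo-request (type 8) from a documentation address (203.0.113.9).
SAMPLE_LOG = """\
4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:124.40.254.242 dst CHTN-A10-EXTERNAL:40.32.218.29 (type 11, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:12|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:13|106023: Deny icmp src outside:203.0.113.9 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 8, code 0) by access-group "outside" [0x0, 0x0]
"""

# Field layout of message 106023 as it appears in the question's log.
LINE_RE = re.compile(
    r"106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# ICMP types that are only ever replies/errors to a flow the inside originated.
RETURN_TYPES = {0: "echo-reply", 3: "destination-unreachable", 11: "time-exceeded"}


def parse_106023(line):
    """Return the fields of one 106023 deny, or None if the line is something else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["type"], ev["code"] = int(ev["type"]), int(ev["code"])
    return ev


def classify_denies(log_text):
    """Count ICMP denies per (src_if, dst_if, type), split into return vs. unsolicited."""
    return_traffic, unsolicited = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_106023(line)
        if ev is None or ev["proto"] != "icmp":
            continue
        key = (ev["src_if"], ev["dst_if"], ev["type"])
        (return_traffic if ev["type"] in RETURN_TYPES else unsolicited)[key] += 1
    return return_traffic, unsolicited


def report(log_text):
    """One human-readable finding per (interface pair, ICMP type)."""
    ret, uns = classify_denies(log_text)
    out = [f"{n}x {RETURN_TYPES[t]} (type {t}) {s}->{d} denied: return traffic, "
           f"add 'inspect icmp' or permit the type in the {s} ACL"
           for (s, d, t), n in sorted(ret.items())]
    out += [f"{n}x icmp type {t} {s}->{d} denied: unsolicited, expected deny"
            for (s, d, t), n in sorted(uns.items())]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```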

Andre,

I liked your options. Gave it a try and it solved the problem, thanks.

It's a pleasure to be of assistance.
