07-30-2013 09:23 PM - edited 03-11-2019 07:19 PM
Hello
Looking for suggestions on what might be wrong in my situation. I have an ASA 5505 configured with the Security Plus license. It has the following zones:
PCI - 100
Inside - 50
Outside - 0
I am trying to pass AFP (Apple file protocol) from the PCI zone to a machine on the inside zone. I cannot get to it at all. For that matter, I cannot even ping across from PCI to Inside. I have another machine in my lab with the same setup and it works. I have combed the settings but am missing something. Even stranger, when I run packet-tracer (see below at the bottom) there is no indication that anything is wrong. I run packet-tracer with both echo and echo reply and they come back fine. I checked for firewalls on the OS X machine that is the client and it is not enabled. Relevant parts of the configs are below. Any suggestions?
Thanks
Jerry
object network retail_inside
nat (inside,outside) dynamic interface
object network retail_pci_inside
nat (pci,outside) dynamic interface
object network retail_vpn
nat (outside,outside) dynamic interface
object network retail_pci_vpn
nat (outside,outside) dynamic interface
asa2(config)# sh run obj net
object network retail_inside
subnet 192.168.18.0 255.255.255.0
object network riverroad_inside
subnet 192.168.16.0 255.255.255.0
description Inside network at RR
object network retail_pci_inside
subnet 192.168.17.0 255.255.255.248
description PCI hosts on inside at Retail
object network riverroad_pci_inside
subnet 192.168.20.0 255.255.255.248
description PCI hosts on insde at RR
object network retail_vpn
subnet 10.10.120.0 255.255.255.224
description External VPN to Retail
object network retail_pci_vpn
subnet 10.10.130.0 255.255.255.248
description External PCI VPN to Retail
object network rr_vpn
subnet 10.10.140.0 255.255.255.224
description External VPN to Riverroad
object network rr_pci_vpn
subnet 10.10.150.0 255.255.255.248
description External PCI VPN to Riverroad
object network pos
host 192.168.17.2
description Lightspeed POS
object network pos_client
host 192.168.17.3
description Lightspeed POS client
object network freenas
host 192.168.18.5
description FreeNAS Storage Appliance
access-list inside_access_in extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list vpn_inside extended permit ip object retail_inside object riverroad_inside
access-list vpn_inside extended permit ip object retail_vpn object riverroad_inside
access-list vpn_inside extended permit ip object retail_inside object rr_vpn
access-list vpn_pci extended permit ip object retail_pci_inside object riverroad_pci_inside
access-list vpn_pci extended permit ip object retail_pci_vpn object riverroad_pci_inside
access-list vpn_pci extended permit ip object retail_pci_inside object rr_pci_vpn
access-list retail_inside_nat0_retail_vpn extended permit ip object retail_vpn object retail_inside
access-list retail_inside_nat0_retail_vpn extended permit ip object retail_inside object retail_vpn
access-list retail_inside_nat0_retail_vpn extended permit ip object riverroad_inside object retail_vpn
access-list retail_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0
access-list retail_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0
access-list retail_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248
access-list retail_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248
access-list retail_pci_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0
access-list retail_pci_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0
access-list retail_pci_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248
access-list retail_pci_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_inside object retail_pci_vpn
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object riverroad_pci_inside object retail_pci_vpn
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_vpn object retail_pci_inside
nat (inside,outside) source static retail_inside retail_inside destination static riverroad_inside riverroad_inside
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static riverroad_pci_inside riverroad_pci_inside
nat (inside,outside) source static retail_inside retail_inside destination static retail_vpn retail_vpn
nat (outside,outside) source static retail_vpn retail_vpn destination static riverroad_inside riverroad_inside
nat (outside,outside) source static retail_pci_vpn retail_pci_vpn destination static riverroad_pci_inside riverroad_pci_inside
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static retail_pci_vpn retail_pci_vpn
nat (inside,outside) source static retail_inside retail_inside destination static rr_vpn rr_vpn
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static rr_pci_vpn rr_pci_vpn
!
object network retail_inside
nat (inside,outside) dynamic interface
object network retail_pci_inside
nat (pci,outside) dynamic interface
object network retail_vpn
nat (outside,outside) dynamic interface
object network retail_pci_vpn
nat (outside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any pci
asa2(config)# packet-tracer input inside icmp 192.168.17.2 0 0 192.168.18.5
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.18.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14784, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
07-30-2013 11:08 PM
Share the following output:
packet-tracer input icmp PCI 192.168.18.5 8 0 192.168.17.2
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-30-2013 11:44 PM
Here it is
asa2(config)# packet-tracer input pci icmp 192.168.18.5 8 0 192.168.17.5
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.17.0 255.255.255.248 pci
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49022, packet dispatched to next module
Result:
input-interface: pci
input-status: up
input-line-status: up
output-interface: pci
output-status: up
output-line-status: up
Action: allow
07-31-2013 09:49 AM
Hello Jerry,
Check this out:
input-interface: pci
output-interface: pci
Is 192.168.17.5 behind the PCI interface? If not, I will need the entire configuration to fix this.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-31-2013 10:40 PM
Hello Julio
17.x is behind the PCI interface. The 18.x is behind inside
Thanks
Jerry
08-01-2013 09:24 AM
Hello,
The ASA thinks they are behind the same interface.
I will need to see the entire setup to find out why.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-01-2013 09:17 PM
Hello
Here it is
Thanks
Jerry
ASA Version 9.1(2)
!
terminal width 140
hostname asa2
names
ip local pool remote_vpn_pool 10.10.120.1-10.10.120.25 mask 255.255.255.224
ip local pool remote_pci_vpn_pool 10.10.130.1-10.10.130.6 mask 255.255.255.248
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description Outside Network
nameif outside
security-level 0
ip address 70.167.204.216 255.255.255.240
!
interface Vlan2
description Inside Vlan
nameif inside
security-level 50
ip address 192.168.18.1 255.255.255.0
!
interface Vlan3
nameif pci
security-level 100
ip address 192.168.17.1 255.255.255.248
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone ARIZONA -7
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup pci
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network retail_inside
subnet 192.168.18.0 255.255.255.0
object network riverroad_inside
subnet 192.168.16.0 255.255.255.0
description Inside network at RR
object network retail_pci_inside
subnet 192.168.17.0 255.255.255.248
description PCI hosts on inside at Retail
object network riverroad_pci_inside
subnet 192.168.20.0 255.255.255.248
description PCI hosts on insde at RR
object network retail_vpn
subnet 10.10.120.0 255.255.255.224
description External VPN to Retail
object network retail_pci_vpn
subnet 10.10.130.0 255.255.255.248
description External PCI VPN to Retail
object network rr_vpn
subnet 10.10.140.0 255.255.255.224
description External VPN to Riverroad
object network rr_pci_vpn
subnet 10.10.150.0 255.255.255.248
description External PCI VPN to Riverroad
object network pos
host 192.168.17.2
description Lightspeed POS
object network pos_client
host 192.168.17.3
description Lightspeed POS client
object network freenas
host 192.168.18.5
description FreeNAS Storage Appliance
object network freenas-ext-ip
host 70.167.204.216
object network db1
range 192.168.16.32 192.168.16.33
description DB1 server at Riverroad
access-list inside_access_in extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp object db1 object pos eq 9630
access-list vpn_inside extended permit ip object retail_inside object riverroad_inside
access-list vpn_inside extended permit ip object retail_vpn object riverroad_inside
access-list vpn_inside extended permit ip object retail_inside object rr_vpn
access-list vpn_pci extended permit ip object retail_pci_inside object riverroad_pci_inside
access-list vpn_pci extended permit ip object retail_pci_vpn object riverroad_pci_inside
access-list vpn_pci extended permit ip object retail_pci_inside object rr_pci_vpn
access-list retail_inside_nat0_retail_vpn extended permit ip object retail_vpn object retail_inside
access-list retail_inside_nat0_retail_vpn extended permit ip object retail_inside object retail_vpn
access-list retail_inside_nat0_retail_vpn extended permit ip object riverroad_inside object retail_vpn
access-list retail_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0
access-list retail_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0
access-list retail_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248
access-list retail_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248
access-list retail_pci_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0
access-list retail_pci_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0
access-list retail_pci_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248
access-list retail_pci_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_inside object retail_pci_vpn
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object riverroad_pci_inside object retail_pci_vpn
access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_vpn object retail_pci_inside
access-list pci_access_out extended permit ip any any inactive
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu pci 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any pci
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static retail_inside retail_inside destination static riverroad_inside riverroad_inside
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static riverroad_pci_inside riverroad_pci_inside
nat (inside,outside) source static retail_inside retail_inside destination static retail_vpn retail_vpn
nat (outside,outside) source static retail_vpn retail_vpn destination static riverroad_inside riverroad_inside
nat (outside,outside) source static retail_pci_vpn retail_pci_vpn destination static riverroad_pci_inside riverroad_pci_inside
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static retail_pci_vpn retail_pci_vpn
nat (inside,outside) source static retail_inside retail_inside destination static rr_vpn rr_vpn
nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static rr_pci_vpn rr_pci_vpn
nat (pci,outside) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive
nat (pci,pci) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive
nat (outside,outside) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive
nat (pci,outside) source static pos pos destination static db1 db1
!
object network retail_inside
nat (inside,outside) dynamic interface
object network retail_pci_inside
nat (pci,outside) dynamic interface
object network retail_vpn
nat (outside,outside) dynamic interface
object network retail_pci_vpn
nat (outside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 70.167.204.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 70.176.238.137 255.255.255.255 outside
http 70.167.204.216 255.255.255.255 outside
http 192.168.18.0 255.255.255.0 inside
http 192.168.17.0 255.255.255.248 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set esp-3des-sha_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set esp-3des-sha_trans mode transport
crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set esp-3des-sha_trans esp-3des-sha
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map inside_cryptomap 1 match address vpn_inside
crypto map inside_cryptomap 1 set peer 66.208.204.49
crypto map inside_cryptomap 1 set ikev2 ipsec-proposal secure
crypto map inside_cryptomap 5 match address vpn_pci
crypto map inside_cryptomap 5 set peer 66.208.204.49
crypto map inside_cryptomap 5 set ikev2 ipsec-proposal secure
crypto map inside_cryptomap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_cryptomap interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 120
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 70.176.238.137 255.255.255.255 outside
ssh 70.167.204.216 255.255.255.255 outside
ssh 192.168.16.0 255.255.255.0 outside
ssh 192.168.100.0 255.255.255.0 outside
ssh 10.10.120.0 255.255.255.224 outside
ssh 66.208.204.49 255.255.255.255 outside
ssh 192.168.18.0 255.255.255.0 inside
ssh 192.168.17.0 255.255.255.248 pci
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.18.50-192.168.18.99 inside
dhcpd dns 208.67.222.222 8.8.8.8 interface inside
dhcpd domain nss.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 65.105.28.13 source outside
ntp server 64.147.116.229 source outside prefer
group-policy retail_vpn internal
group-policy retail_vpn attributes
dns-server value 208.67.222.222 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value retail_vpn_splittunnel
default-domain value nss.local
group-policy retail_pci_vpn internal
group-policy retail_pci_vpn attributes
dns-server value 208.67.222.222 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value retail_pci_vpn_splittunnel
default-domain value nss.local
tunnel-group 192.168.100.168 type ipsec-l2l
tunnel-group 192.168.100.168 ipsec-attributes
isakmp keepalive threshold 120 retry 5
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group retail_tunnel type remote-access
tunnel-group retail_tunnel general-attributes
address-pool remote_vpn_pool
default-group-policy retail_vpn
tunnel-group retail_tunnel ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 40 retry 5
tunnel-group retail_tunnel ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group retail_pci_tunnel type remote-access
tunnel-group retail_pci_tunnel general-attributes
address-pool remote_pci_vpn_pool
default-group-policy retail_pci_vpn
tunnel-group retail_pci_tunnel ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 40 retry 5
tunnel-group retail_pci_tunnel ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 66.208.204.49 type ipsec-l2l
tunnel-group 66.208.204.49 ipsec-attributes
isakmp keepalive threshold 40 retry 5
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect icmp
inspect netbios
inspect pptp
inspect http
inspect icmp error
!
08-02-2013 07:40 AM
Try clearing the xlate table. Be aware that this will cause a short disruption in traffic flow.
08-02-2013 03:17 PM
Hi
Thanks. Tried it. Afraid that did not help.
Jerry
08-02-2013 03:21 PM
Hello Jerry,
The packet-tracer is wrong.
Try:
packet-tracer input inside icmp 192.168.18.5 8 0 192.168.17.5
Provide the output.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
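The two traces Jerry posted both show the packet leaving on the interface it entered (inside to inside, pci to pci). That is what the ASA does when the source address handed to packet-tracer does not belong to the ingress interface you named: the route lookup for the destination decides the egress regardless of where the packet was injected, so a 192.168.17.x source injected on inside with a 192.168.18.5 destination can only exit inside. The following script is an added example for this thread, not code from any post or a Cisco tool. It takes the interface table from the configuration Jerry posted (inside 192.168.18.0/24, pci 192.168.17.0/29, outside 70.167.204.208/28 with the default route), checks that the source address of a packet-tracer command is owned by the ingress interface, predicts the egress interface by longest-prefix match, compares that with the `output-interface:` line of a pasted trace, and suggests the command with the ingress interface corrected. The VPN pool check (10.10.120.0/27 arriving on outside) is an assumption about how remote-access clients enter the box.

```python
"""Sanity-check Cisco ASA packet-tracer invocations against the interface table.

Added example for this thread; not part of any post and not a Cisco utility.
Interface subnets and the default route come from the posted running config.
"""
import ipaddress
import re
from typing import Dict, Optional

# Interface table reconstructed from the posted configuration.
INTERFACES = {
    "outside": ipaddress.ip_network("70.167.204.208/28"),  # Vlan1, .216/28
    "inside": ipaddress.ip_network("192.168.18.0/24"),     # Vlan2
    "pci": ipaddress.ip_network("192.168.17.0/29"),        # Vlan3
}
DEFAULT_ROUTE_IFC = "outside"  # route outside 0.0.0.0 0.0.0.0 70.167.204.209 1

# packet-tracer input <ifc> <proto> <src> <a> <b> <dst>; for icmp a/b are type/code,
# for tcp/udp they are the source and destination ports.
CMD_RE = re.compile(
    r"packet-tracer\s+input\s+(?P<ifc>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<a>\S+)\s+(?P<b>\S+)\s+(?P<dst>\d+(?:\.\d+){3})"
)
OUT_IFC_RE = re.compile(r"^\s*output-interface:\s*(\S+)", re.MULTILINE)


def route_lookup(ip: str) -> str:
    """Return the interface a destination would be routed out of (longest match,
    falling back to the interface that holds the default route)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[str] = None
    for name, net in INTERFACES.items():
        if addr in net and (best is None or net.prefixlen > INTERFACES[best].prefixlen):
            best = name
    return best or DEFAULT_ROUTE_IFC


def check_trace(command: str, output: Optional[str] = None) -> Dict[str, object]:
    """Validate a packet-tracer command and, optionally, the trace it produced."""
    m = CMD_RE.search(command)
    if not m:
        raise ValueError(f"unrecognised packet-tracer command: {command!r}")
    f = m.groupdict()
    src_ifc = route_lookup(f["src"])   # where a packet from this source really enters
    dst_ifc = route_lookup(f["dst"])   # where the ASA will send it
    result: Dict[str, object] = {
        "ingress": f["ifc"],
        "source_owner": src_ifc,
        "expected_egress": dst_ifc,
        "ingress_ok": f["ifc"] == src_ifc,
        "suggested": (f"packet-tracer input {src_ifc} {f['proto']} "
                      f"{f['src']} {f['a']} {f['b']} {f['dst']}"),
        "actual_egress": None,
        "egress_matches": None,
    }
    if output is not None:
        mo = OUT_IFC_RE.search(output)
        if mo:
            result["actual_egress"] = mo.group(1)
            result["egress_matches"] = mo.group(1) == dst_ifc
    return result


# The two traces from the thread (command lines and the relevant result lines).
THREAD_TRACES = [
    ("packet-tracer input inside icmp 192.168.17.2 0 0 192.168.18.5",
     "input-interface: inside\noutput-interface: inside\nAction: allow\n"),
    ("packet-tracer input pci icmp 192.168.18.5 8 0 192.168.17.5",
     "input-interface: pci\noutput-interface: pci\nAction: allow\n"),
]

if __name__ == "__main__":
    for cmd, out in THREAD_TRACES:
        r = check_trace(cmd, out)
        print(cmd)
        print(f"  ingress {r['ingress']} owns source? {r['ingress_ok']} "
              f"(source belongs to {r['source_owner']})")
        print(f"  expected egress {r['expected_egress']}, trace shows {r['actual_egress']}")
        if not r["ingress_ok"]:
            print(f"  rerun as: {r['suggested']}")
```

Run against the thread's own traces, both commands are flagged: the first injects a pci-owned source on inside, the second an inside-owned source on pci, and in each case the predicted egress equals the ingress, which matches the `output-interface` lines Jerry posted. The corrected command for the failing direction is `packet-tracer input pci icmp 192.168.17.2 8 0 192.168.18.5`; that trace, not the two above, would show whether the pci to inside flow is being dropped by an access list, NAT or routing. The script says nothing about why AFP fails, only whether a trace was built so that it can tell you.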