cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3848
Views
0
Helpful
9
Replies

ASA 5505 - Packet Tracer Works - Client does not

jerry.henzel
Level 1
Level 1

Hello

Looking for suggestions what might be wrong in my situation.  I have an ASA 5505 configured - Sec Plus license.  It has the following zones:

PCI - 100

Inside - 50

Outside 0

I am trying to pass AFP (Apple file protocol) from the PCI zone to a machine on the inside zone.  I cannot get to it at all.  For that matter,  I cannot even ping across from PCI to Inside.  I have another machine in my lab with the same setup and it works.  I have combed the settings but am missing something.  Even stranger, when I run packet-tracer (see below at bottom)  there is no indication that anything is wrong.  I run packet tracer with both echo and echo reply and the come back fine.  I checked for firewalls on the OSX machine that is the client and it is not enabled.  Relevant parts of configs below.  Any suggestions

Thanks

Jerry

object network retail_inside

nat (inside,outside) dynamic interface

object network retail_pci_inside

nat (pci,outside) dynamic interface

object network retail_vpn

nat (outside,outside) dynamic interface

object network retail_pci_vpn

nat (outside,outside) dynamic interface

asa2(config)# sh run obj net

object network retail_inside

subnet 192.168.18.0 255.255.255.0

object network riverroad_inside

subnet 192.168.16.0 255.255.255.0

description Inside network at RR

object network retail_pci_inside

subnet 192.168.17.0 255.255.255.248

description PCI hosts on inside at Retail

object network riverroad_pci_inside

subnet 192.168.20.0 255.255.255.248

description PCI hosts on insde at RR

object network retail_vpn

subnet 10.10.120.0 255.255.255.224

description External VPN to Retail

object network retail_pci_vpn

subnet 10.10.130.0 255.255.255.248

description External PCI VPN to Retail

object network rr_vpn

subnet 10.10.140.0 255.255.255.224

description External VPN to Riverroad

object network rr_pci_vpn

subnet 10.10.150.0 255.255.255.248

description External PCI VPN to Riverroad

object network pos

host 192.168.17.2

description Lightspeed POS

object network pos_client

host 192.168.17.3

description Lightspeed POS client

object network freenas

host 192.168.18.5

description FreeNAS Storage Appliance

access-list inside_access_in extended permit ip any any

access-list OUTSIDE_IN extended permit icmp any any

access-list vpn_inside extended permit ip object retail_inside object riverroad_inside

access-list vpn_inside extended permit ip object retail_vpn object riverroad_inside

access-list vpn_inside extended permit ip object retail_inside object rr_vpn

access-list vpn_pci extended permit ip object retail_pci_inside object riverroad_pci_inside

access-list vpn_pci extended permit ip object retail_pci_vpn object riverroad_pci_inside

access-list vpn_pci extended permit ip object retail_pci_inside object rr_pci_vpn

access-list retail_inside_nat0_retail_vpn extended permit ip object retail_vpn object retail_inside

access-list retail_inside_nat0_retail_vpn extended permit ip object retail_inside object retail_vpn

access-list retail_inside_nat0_retail_vpn extended permit ip object riverroad_inside object retail_vpn

access-list retail_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0

access-list retail_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0

access-list retail_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248

access-list retail_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248

access-list retail_pci_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0

access-list retail_pci_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0

access-list retail_pci_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248

access-list retail_pci_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_inside object retail_pci_vpn

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object riverroad_pci_inside object retail_pci_vpn

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_vpn object retail_pci_inside

nat (inside,outside) source static retail_inside retail_inside destination static riverroad_inside riverroad_inside

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static riverroad_pci_inside riverroad_pci_inside

nat (inside,outside) source static retail_inside retail_inside destination static retail_vpn retail_vpn

nat (outside,outside) source static retail_vpn retail_vpn destination static riverroad_inside riverroad_inside

nat (outside,outside) source static retail_pci_vpn retail_pci_vpn destination static riverroad_pci_inside riverroad_pci_inside

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static retail_pci_vpn retail_pci_vpn

nat (inside,outside) source static retail_inside retail_inside destination static rr_vpn rr_vpn

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static rr_pci_vpn rr_pci_vpn

!

object network retail_inside

nat (inside,outside) dynamic interface

object network retail_pci_inside

nat (pci,outside) dynamic interface

object network retail_vpn

nat (outside,outside) dynamic interface

object network retail_pci_vpn

nat (outside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

icmp permit any pci

asa2(config)# packet-tracer input inside icmp 192.168.17.2 0 0 192.168.18.5

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.18.0    255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:     

Result: ALLOW

Config:

Additional Information:

New flow created with id 14784, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

9 Replies 9

Julio Carvajal
VIP Alumni
VIP Alumni

Share the following output

packet-tracer input icmp PCI 192.168.18.5 8 0 192.168.17.2

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here it is

asa2(config)# packet-tracer input pci icmp 192.168.18.5 8 0 192.168.17.5

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.17.0    255.255.255.248 pci

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 49022, packet dispatched to next module

Result:

input-interface: pci

input-status: up

input-line-status: up

output-interface: pci

output-status: up

output-line-status: up

Action: allow

Hello Jerry,

Check this out:

input-interface: pci

output-interface: pci

Is 192.168.17.5 behind the PCI interface? If no I will need the entire configuration to fix this

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio

17.x is behind the PCI interface.  The 18.x is behind inside

Thanks

Jerry

Hello,

The ASA thinks they are behind the same interface,

I will need to see the entire setup to find out why,

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello

Here it is

Thanks

Jerry

ASA Version 9.1(2)

!

terminal width 140

hostname asa2

names

ip local pool remote_vpn_pool 10.10.120.1-10.10.120.25 mask 255.255.255.224

ip local pool remote_pci_vpn_pool 10.10.130.1-10.10.130.6 mask 255.255.255.248

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 3

!

interface Ethernet0/4

shutdown

!            

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

description Outside Network

nameif outside

security-level 0

ip address 70.167.204.216 255.255.255.240

!

interface Vlan2

description Inside Vlan

nameif inside

security-level 50

ip address 192.168.18.1 255.255.255.0

!

interface Vlan3

nameif pci

security-level 100

ip address 192.168.17.1 255.255.255.248

!

boot system disk0:/asa912-k8.bin

ftp mode passive

clock timezone ARIZONA -7

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup pci

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network retail_inside

subnet 192.168.18.0 255.255.255.0

object network riverroad_inside

subnet 192.168.16.0 255.255.255.0

description Inside network at RR

object network retail_pci_inside

subnet 192.168.17.0 255.255.255.248

description PCI hosts on inside at Retail

object network riverroad_pci_inside

subnet 192.168.20.0 255.255.255.248

description PCI hosts on insde at RR

object network retail_vpn

subnet 10.10.120.0 255.255.255.224

description External VPN to Retail

object network retail_pci_vpn

subnet 10.10.130.0 255.255.255.248

description External PCI VPN to Retail

object network rr_vpn

subnet 10.10.140.0 255.255.255.224

description External VPN to Riverroad

object network rr_pci_vpn

subnet 10.10.150.0 255.255.255.248

description External PCI VPN to Riverroad

object network pos

host 192.168.17.2

description Lightspeed POS

object network pos_client

host 192.168.17.3

description Lightspeed POS client

object network freenas

host 192.168.18.5

description FreeNAS Storage Appliance

object network freenas-ext-ip

host 70.167.204.216

object network db1

range 192.168.16.32 192.168.16.33

description DB1 server at Riverroad

access-list inside_access_in extended permit ip any any

access-list OUTSIDE_IN extended permit icmp any any

access-list OUTSIDE_IN extended permit tcp object db1 object pos eq 9630

access-list vpn_inside extended permit ip object retail_inside object riverroad_inside

access-list vpn_inside extended permit ip object retail_vpn object riverroad_inside

access-list vpn_inside extended permit ip object retail_inside object rr_vpn

access-list vpn_pci extended permit ip object retail_pci_inside object riverroad_pci_inside

access-list vpn_pci extended permit ip object retail_pci_vpn object riverroad_pci_inside

access-list vpn_pci extended permit ip object retail_pci_inside object rr_pci_vpn

access-list retail_inside_nat0_retail_vpn extended permit ip object retail_vpn object retail_inside

access-list retail_inside_nat0_retail_vpn extended permit ip object retail_inside object retail_vpn

access-list retail_inside_nat0_retail_vpn extended permit ip object riverroad_inside object retail_vpn

access-list retail_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0

access-list retail_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0

access-list retail_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248

access-list retail_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248

access-list retail_pci_vpn_splittunnel standard permit 192.168.16.0 255.255.255.0

access-list retail_pci_vpn_splittunnel standard permit 192.168.18.0 255.255.255.0

access-list retail_pci_vpn_splittunnel standard permit 192.168.17.0 255.255.255.248

access-list retail_pci_vpn_splittunnel standard permit 192.168.20.0 255.255.255.248

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_inside object retail_pci_vpn

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object riverroad_pci_inside object retail_pci_vpn

access-list pci_retail_inside_nat0_retail_vpn extended permit ip object retail_pci_vpn object retail_pci_inside

access-list pci_access_out extended permit ip any any inactive

pager lines 24

logging monitor debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu pci 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

icmp permit any pci

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static retail_inside retail_inside destination static riverroad_inside riverroad_inside

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static riverroad_pci_inside riverroad_pci_inside

nat (inside,outside) source static retail_inside retail_inside destination static retail_vpn retail_vpn

nat (outside,outside) source static retail_vpn retail_vpn destination static riverroad_inside riverroad_inside

nat (outside,outside) source static retail_pci_vpn retail_pci_vpn destination static riverroad_pci_inside riverroad_pci_inside

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static retail_pci_vpn retail_pci_vpn

nat (inside,outside) source static retail_inside retail_inside destination static rr_vpn rr_vpn

nat (pci,outside) source static retail_pci_inside retail_pci_inside destination static rr_pci_vpn rr_pci_vpn

nat (pci,outside) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive

nat (pci,pci) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive

nat (outside,outside) source static db1 db1 destination static retail_pci_inside retail_pci_inside inactive

nat (pci,outside) source static pos pos destination static db1 db1

!

object network retail_inside

nat (inside,outside) dynamic interface

object network retail_pci_inside

nat (pci,outside) dynamic interface

object network retail_vpn

nat (outside,outside) dynamic interface

object network retail_pci_vpn

nat (outside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 70.167.204.209 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 70.176.238.137 255.255.255.255 outside

http 70.167.204.216 255.255.255.255 outside

http 192.168.18.0 255.255.255.0 inside

http 192.168.17.0 255.255.255.248 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set esp-3des-sha_trans esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set esp-3des-sha_trans mode transport

crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal secure

protocol esp encryption aes 3des des

protocol esp integrity sha-1

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map dyn_map 20 set reverse-route

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set esp-3des-sha_trans esp-3des-sha

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map inside_cryptomap 1 match address vpn_inside

crypto map inside_cryptomap 1 set peer 66.208.204.49

crypto map inside_cryptomap 1 set ikev2 ipsec-proposal secure

crypto map inside_cryptomap 5 match address vpn_pci

crypto map inside_cryptomap 5 set peer 66.208.204.49

crypto map inside_cryptomap 5 set ikev2 ipsec-proposal secure

crypto map inside_cryptomap 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map inside_cryptomap interface outside

crypto ca trustpool policy

crypto isakmp nat-traversal 120

crypto ikev2 policy 1

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 43200

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 70.176.238.137 255.255.255.255 outside

ssh 70.167.204.216 255.255.255.255 outside

ssh 192.168.16.0 255.255.255.0 outside

ssh 192.168.100.0 255.255.255.0 outside

ssh 10.10.120.0 255.255.255.224 outside

ssh 66.208.204.49 255.255.255.255 outside

ssh 192.168.18.0 255.255.255.0 inside

ssh 192.168.17.0 255.255.255.248 pci

ssh timeout 30

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd address 192.168.18.50-192.168.18.99 inside

dhcpd dns 208.67.222.222 8.8.8.8 interface inside

dhcpd domain nss.local interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 65.105.28.13 source outside

ntp server 64.147.116.229 source outside prefer

group-policy retail_vpn internal

group-policy retail_vpn attributes

dns-server value 208.67.222.222 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value retail_vpn_splittunnel

default-domain value nss.local

group-policy retail_pci_vpn internal

group-policy retail_pci_vpn attributes

dns-server value 208.67.222.222 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value retail_pci_vpn_splittunnel

default-domain value nss.local

tunnel-group 192.168.100.168 type ipsec-l2l

tunnel-group 192.168.100.168 ipsec-attributes

isakmp keepalive threshold 120 retry 5

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group retail_tunnel type remote-access

tunnel-group retail_tunnel general-attributes

address-pool remote_vpn_pool

default-group-policy retail_vpn

tunnel-group retail_tunnel ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive threshold 40 retry 5

tunnel-group retail_tunnel ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group retail_pci_tunnel type remote-access

tunnel-group retail_pci_tunnel general-attributes

address-pool remote_pci_vpn_pool

default-group-policy retail_pci_vpn

tunnel-group retail_pci_tunnel ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive threshold 40 retry 5

tunnel-group retail_pci_tunnel ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group 66.208.204.49 type ipsec-l2l

tunnel-group 66.208.204.49 ipsec-attributes

isakmp keepalive threshold 40 retry 5

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map global-class

match default-inspection-traffic

!

!

policy-map global-policy

class global-class

  inspect icmp

  inspect netbios

  inspect pptp

  inspect http

  inspect icmp error

!

try clearing the xlate table.  be aware that this will cause a short disruption in traffic flow.

--
Please remember to select a correct answer and rate helpful posts

Hi

Thanks.  Tried it.  Afraid that did not help

Jerry

Hello Jerry,

The packet-tracer is wrong

try

packet-tracer input inside icmp 192.168.18.5 8 0 192.168.17.5

Provide the output

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card