05-23-2017 06:29 AM - edited 03-12-2019 02:24 AM
I am having a very strange issue. Initially I thought this was a simple fix... 5 hours later I am still in the same predicament. I am simply trying to use an ASA 5505 as a router. Why not use a router, you ask? Unfortunately I do not have that option. The ASA is running 9.2(4) code. We have another ASA on the remote end (a 5512 running the same code) and it works as expected, routing traffic from the outside interface to the inside and vice versa. I have created ACLs allowing any any, still to no avail. Attached is a drawing of the connectivity and the config file from the ASA in question. Any assistance would be greatly appreciated.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.0 House-1
name 10.2.1.0 House-2
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif private
security-level 100
ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
nameif engineering
security-level 100
ip address 10.3.200.31 255.255.255.0
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network House-1
subnet 10.1.1.0 255.255.255.0
description Created during name migration
object network House-2
subnet 10.2.1.0 255.255.255.0
description Created during name migration
object-group network DM_INLINE_NETWORK_1
network-object object House-1
network-object object House-2
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2626
port-object eq 2627
object-group service DM_INLINE_TCP_2 tcp
port-object eq 2626
port-object eq 2627
object-group network DM_INLINE_NETWORK_2
network-object host 10.3.201.165
network-object host 10.3.201.37
network-object host 10.3.201.38
object-group network DM_INLINE_NETWORK_3
network-object host 10.3.201.164
network-object host 10.3.201.37
network-object host 10.3.201.38
access-list cap extended permit icmp 10.0.0.0 255.0.0.0 any
access-list private_access_in remark Automation Timecode
access-list private_access_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list private_access_in extended permit ip any any
access-list in_engineering extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered warnings
logging asdm informational
mtu private 1500
mtu engineering 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
icmp permit any engineering
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group private_access_in in interface private
access-group in_engineering in interface engineering
route engineering 0.0.0.0 0.0.0.0 10.3.200.1 1
route engineering 192.168.9.0 255.255.255.0 10.3.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.1.17 source engineering prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect esmtp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c16a8714e9850302ee5a66536bac6edc
: end
ASA# sh activation-key
Running Permanent Activation Key: 0xc318c05a 0x58dc1d04 0x445265dc 0x83c83870 0x0b0822b4
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
The flash permanent activation key is the SAME as the running permanent key.
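Added example (not part of the thread, and not Cisco tooling): a small static checker for the kind of ASA config posted above. It parses the interface blocks, access-lists, access-group bindings, static routes and the same-security-traffic setting, then reports the misconfigurations that most often make an ASA "not route": an access-group bound to an undefined ACL or unknown nameif, a route whose next hop is not on-link for its interface, two interfaces at the same security level without inter-interface permission, and an applied ACL with no permit entries. PAGE_CONFIG is abridged from the running-config in the post; BROKEN_CONFIG is a constructed variant with two faults injected so the checker has something to report. The indentation-insensitive parsing is an assumption made because the forum extraction flattened the interface blocks.

```python
"""Sanity-check an ASA running-config for routing blockers (added example)."""
import ipaddress
from typing import Dict, List


def parse_asa_config(text: str) -> Dict:
    """Collect interfaces (by nameif), ACLs, access-groups, routes and same-security state."""
    cfg = {"interfaces": {}, "acls": {}, "access_groups": [], "routes": [], "same_sec_inter": False}
    cur_if = None  # interface block currently being read; terminated by a lone "!"
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "interface" and len(parts) > 1:
            cur_if = {"name": parts[1], "nameif": None, "security": None, "ip": None}
            continue
        if parts == ["!"]:
            cur_if = None
            continue
        if cur_if is not None:  # sub-commands of the open interface block (indentation ignored)
            if parts[0] == "nameif" and len(parts) > 1:
                cur_if["nameif"] = parts[1]
                cfg["interfaces"][parts[1]] = cur_if
            elif parts[0] == "security-level" and len(parts) > 1:
                cur_if["security"] = int(parts[1])
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                cur_if["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            continue
        if parts[0] == "access-list" and len(parts) > 2 and parts[2] != "remark":
            cfg["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif parts[0] == "access-group" and len(parts) >= 5:
            cfg["access_groups"].append({"acl": parts[1], "dir": parts[2], "ifc": parts[4]})
        elif parts[0] == "route" and len(parts) >= 5:
            cfg["routes"].append({"ifc": parts[1],
                                  "net": ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False),
                                  "nh": ipaddress.ip_address(parts[4])})
        elif " ".join(parts) == "same-security-traffic permit inter-interface":
            cfg["same_sec_inter"] = True
    return cfg


def check_config(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings: List[str] = []
    ifcs = cfg["interfaces"]
    for ag in cfg["access_groups"]:
        if ag["acl"] not in cfg["acls"]:
            findings.append(f"access-group {ag['acl']} references an undefined access-list")
        if ag["ifc"] not in ifcs:
            findings.append(f"access-group {ag['acl']} bound to unknown interface {ag['ifc']}")
        entries = cfg["acls"].get(ag["acl"], [])
        if entries and not any(e.split()[0] == "permit" or e.split()[:2] == ["extended", "permit"] for e in entries):
            findings.append(f"access-list {ag['acl']} on {ag['ifc']} contains no permit entries")
    for r in cfg["routes"]:
        ifc = ifcs.get(r["ifc"])
        if ifc is None:
            findings.append(f"route {r['net']} uses unknown interface {r['ifc']}")
        elif ifc["ip"] is None or r["nh"] not in ifc["ip"].network:
            findings.append(f"route {r['net']}: next hop {r['nh']} is not on-link for {r['ifc']}")
    by_level: Dict[int, List[str]] = {}
    for name, ifc in ifcs.items():
        by_level.setdefault(ifc["security"], []).append(name)
    for lvl, names in by_level.items():
        if len(names) > 1 and not cfg["same_sec_inter"]:
            findings.append(f"interfaces {', '.join(names)} share security-level {lvl} "
                            "but same-security-traffic permit inter-interface is absent")
    return findings


# Abridged from the running-config posted in the thread.
PAGE_CONFIG = """\
interface Vlan1
nameif private
security-level 100
ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
nameif engineering
security-level 100
ip address 10.3.200.31 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list private_access_in remark Automation Timecode
access-list private_access_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list private_access_in extended permit ip any any
access-list in_engineering extended permit ip any any
access-group private_access_in in interface private
access-group in_engineering in interface engineering
route engineering 0.0.0.0 0.0.0.0 10.3.200.1 1
route engineering 192.168.9.0 255.255.255.0 10.3.200.1 1
"""

# Constructed variant: inter-interface permission removed and an off-link next hop.
BROKEN_CONFIG = (PAGE_CONFIG
                 .replace("same-security-traffic permit inter-interface\n", "")
                 .replace("10.3.200.1 1", "10.3.201.1 1"))

if __name__ == "__main__":
    for label, text in (("thread config", PAGE_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(label, check_config(parse_asa_config(text)) or ["no findings"])
```

On the thread's own config the checker comes back clean, which matches what the responders concluded by eye: ACLs, bindings, routes and the same-security permission are all consistent, so the problem has to be somewhere other than the ASA policy.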
05-23-2017 01:32 PM
If the capture shows traffic passing the only other thing I can think of would be the IP settings on the clients ie. subnet mask and default gateway.
Jon
05-23-2017 02:29 PM
This is as you say even more confusing now.
So the ASA can route traffic, assuming it is simply not showing in the traceroute, which it won't do by default as I understand it.
And looking at the screenshot the default gateway for that 192.168.1.x client is set correctly.
You said in an earlier post you could not ping the inside devices from the 10.3.200.1 IP on the core switch, so can you try that ping to this specific client, i.e. 192.168.1.116, and see what happens?
Jon
05-23-2017 08:53 AM
Configuration looks good to me.
You are trying to ping 192.168.1.250, which is the private interface IP. Did you try connecting a PC to any of the physical ports in VLAN 1 and then pinging that IP? You will not be able to ping the inside interface from the WAN side; the ASA architecture doesn't allow it.
05-23-2017 09:08 AM
Hi Ashish,
Thank you for your response!! From the ASA and from another PC in the same subnet you can ping other IPs in the 192.168.1.x range, yes. I think you may be mistaken about "You will not be able to ping inside interface from WAN side, ASA architecture doesn't allow it." unless that is a caveat specific to the 5505. I have an ASA on the other side (5512) and it is allowing ICMP from outside to inside. This command allows for traffic between interfaces if they are the same security level: same-security-traffic permit inter-interface. Also I have an ACL permitting all IP traffic, and the following:
icmp permit any private (inside)
icmp permit any engineering (outside)
05-23-2017 09:47 AM
ACLs and the same-security-level command (same-security-traffic permit inter-interface) allow through-the-box traffic.
icmp permit any private (inside)
icmp permit any engineering (outside)
These commands allow ping on the interface, but the ping request has to come from the same interface. So if you want to ping the LAN IP of the ASA you have to ping it from the LAN subnets or networks behind the LAN interface. You can't ping the WAN IP from the LAN subnet.
05-23-2017 12:10 PM
Ah, I see the confusion. I do not need to ping the ASA LAN/inside interface; my apologies if my initial question alluded to that. I only need to connect to the devices behind the LAN interface. Like a router, basically.
05-23-2017 12:24 PM
It may just be a typo, but on the 4431 on the right hand side the next hop for the 192.168.1.0/24 subnet is the firewall, yet there is a L3 core device in between.
Shouldn't the next hop be 10.1.1.x ?
Jon
05-23-2017 12:40 PM
Nice catch Jon, however that did not do it. I can't even ping devices on the inside network from the L3 switch (Core on right in purple) that has the SVI for the ASA's default route.
05-23-2017 12:46 PM
Worth a try :)
Out of interest, can you ping 10.3.200.31 from the core switch?
Jon
05-23-2017 12:55 PM
Yes, the outside address is reachable all the way from the other ASA (5512).
5512(config)# ping 10.3.200.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.200.31, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
5512(config)# traceroute 10.3.200.31
Type escape sequence to abort.
Tracing the route to 10.3.200.31
1 10.1.4.11 10 msec 0 msec 0 msec
2 192.168.101.1 10 msec 10 msec 20 msec
3 10.1.1.1 20 msec 20 msec 20 msec
4 * * *
5 * * *
6 * * *
05-23-2017 05:07 PM
Hi,
Did you check if the VLAN assignment (or allowed VLAN on trunk) is correct on the port on IDF-2 (purple side) which connects to 5505 eth0/0? It should be the same VLAN as the SVI for Core 10.3.200.1.
If the VLAN is correct, the 5505 should ping 10.3.200.1 (and vice versa on the Core-purple side).
05-23-2017 12:49 PM
Chris
Apologies, just looked at your schematic again and can see you can ping that IP from the other side.
Jon
05-23-2017 12:58 PM
Yeah, everything points to something in the ASA, it seems. I just have no clue what that is... I have upgraded the code and see no bugs related. The config is just about replicated from the other ASA that is passing traffic... no clue at this point. Thank you for taking a stab at it.
05-23-2017 01:08 PM
Okay, don't want to insult your intelligence, but the obvious things, i.e. you say you can ping a 192.168.1.x client from the ASA. Are you trying to ping the same client through the firewall, i.e. just trying to make sure the clients are not blocking the pings?
Have you tried the packet-tracer command to see if it should be allowed, i.e.
"packet-tracer input outside icmp 10.200.31.1 8 0 192.168.1.x"
and also you could try applying an ACL outbound on the inside interface to see if traffic is actually going out to the 192.168.1.x client.
Apologies if you have done all this :)
Jon
05-23-2017 01:29 PM
Hey Jon,
No worries, I am here because I am out of ideas, no harm in double checking.
Yes, same client, with no firewall blocking ICMP. I have run the packet tracer and the ASA comes back saying all should pass:
5505(config)# packet-tracer input engineering icmp 192.168.9.12 0 0 192.168.1.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 private
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_engineering in interface engineering
access-list in_engineering extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcccedcf0, priority=13, domain=permit, deny=false
hits=4339, user_data=0xca2ce520, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbcaa5c8, priority=0, domain=nat-per-session, deny=true
hits=4398, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc3bbab0, priority=0, domain=inspect-ip-options, deny=true
hits=13221, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccc74e70, priority=70, domain=inspect-icmp, deny=false
hits=32, user_data=0xccc73798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccc77ee8, priority=70, domain=inspect-icmp-error, deny=false
hits=32, user_data=0xccc76780, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=engineering, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13014, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: engineering
input-status: up
input-line-status: up
output-interface: private
output-status: up
output-line-status: up
Action: allow
I have not run a capture. Good call, I will try that now.
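Added example (not part of the thread, and not Cisco tooling): when you are pasting packet-tracer output into a ticket, it helps to reduce the phase dump above to one line saying which phase decided the flow. This parser reads each "Phase: N" block (Type, Subtype, Result, the Config lines and the Additional Information lines), then the trailing summary that starts at the bare "Result:" line, and reports either the allow verdict with ingress/egress interfaces or the first non-ALLOW phase with the config line that caused it. ALLOW_TRACE is abridged from the output posted above; DROP_TRACE is a constructed sample (an ACL drop with the "Drop-reason:" line the ASA prints in that case) so the failure path is exercised too.

```python
"""Summarise Cisco ASA packet-tracer output (added example)."""
import re
from typing import Dict, List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict:
    """Return {"phases": [...], "summary": {...}}; lines before the first phase (prompt, echoed command) are skipped."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict] = None
    section: Optional[str] = None  # None (header keys), "config", "info" or "summary"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                       "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if section == "summary":  # trailing block: "input-interface: x", "Action: allow", "Drop-reason: ..."
            kv = KV_RE.match(line)
            if kv:
                summary[kv.group(1)] = kv.group(2)
            continue
        if current is None:
            continue
        if line == "Result:":  # bare "Result:" opens the final summary, unlike "Result: ALLOW" inside a phase
            section = "summary"
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        kv = KV_RE.match(line)
        if section is None and kv and kv.group(1) in ("Type", "Subtype", "Result"):
            current[kv.group(1).lower()] = kv.group(2)
        elif section == "config":
            current["config"].append(line)
        elif section == "info":
            current["info"].append(line)
    return {"phases": phases, "summary": summary}


def first_drop(trace: Dict) -> Optional[Dict]:
    """First phase whose Result is not ALLOW, or None when every phase allowed the packet."""
    for p in trace["phases"]:
        if p["result"].upper() != "ALLOW":
            return p
    return None


def verdict(trace: Dict) -> str:
    """One-line summary suitable for a ticket or chat message."""
    drop = first_drop(trace)
    if drop:
        return f"DROP at phase {drop['phase']} ({drop['type']}); config: {' | '.join(drop['config']) or '-'}"
    s = trace["summary"]
    return f"{s.get('Action', '?')} {s.get('input-interface', '?')} -> {s.get('output-interface', '?')}"


# Abridged from the packet-tracer output posted in the thread (phases 3-6 omitted).
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 private
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_engineering in interface engineering
access-list in_engineering extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13014, packet dispatched to next module
Result:
input-interface: engineering
input-status: up
input-line-status: up
output-interface: private
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample of the same tool rejecting a packet at the ACL phase.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 private
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: engineering
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(verdict(parse_packet_tracer(ALLOW_TRACE)))
    print(verdict(parse_packet_tracer(DROP_TRACE)))
```

The point a practitioner should take from the thread's own output is the one the parser makes explicit: every phase is ALLOW and the egress interface resolves to private, so the ASA's policy is not what is eating the packets, and the next step really is a capture on the inside interface rather than more ACL changes.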