ASA 5505 with Security+ not passing traffic through ASA

Chris Heighway
Level 1

I am having a very strange issue.  Initially I thought this was a simple fix...5 hours later I am still in the same predicament.  I am simply trying to use an ASA 5505 as a router.  Why not use a router, you ask? Unfortunately I do not have that option.  The ASA is running 9.2(4) code.  We have another ASA on the remote end (5512 running the same code) and it works as expected, routing traffic from the outside interface to the inside and vice versa.  I have created ACLs allowing any any, still to no avail.  Attached is a drawing of the connectivity and the config file from the ASA in question.  Any assistance would be greatly appreciated.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.1.0 House-1
name 10.2.1.0 House-2
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif private
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
 nameif engineering
 security-level 100
 ip address 10.3.200.31 255.255.255.0
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network House-1
 subnet 10.1.1.0 255.255.255.0
 description Created during name migration
object network House-2
 subnet 10.2.1.0 255.255.255.0
 description Created during name migration
object-group network DM_INLINE_NETWORK_1
 network-object object House-1
 network-object object House-2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2626
 port-object eq 2627
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 2626
 port-object eq 2627
object-group network DM_INLINE_NETWORK_2
 network-object host 10.3.201.165
 network-object host 10.3.201.37
 network-object host 10.3.201.38
object-group network DM_INLINE_NETWORK_3
 network-object host 10.3.201.164
 network-object host 10.3.201.37
 network-object host 10.3.201.38
access-list cap extended permit icmp 10.0.0.0 255.0.0.0 any
access-list private_access_in remark Automation Timecode
access-list private_access_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list private_access_in extended permit ip any any
access-list in_engineering extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered warnings
logging asdm informational
mtu private 1500
mtu engineering 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
icmp permit any engineering
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group private_access_in in interface private
access-group in_engineering in interface engineering
route engineering 0.0.0.0 0.0.0.0 10.3.200.1 1
route engineering 192.168.9.0 255.255.255.0 10.3.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL


no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.1.17 source engineering prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect esmtp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c16a8714e9850302ee5a66536bac6edc
: end


ASA# sh activation-key

Running Permanent Activation Key: 0xc318c05a 0x58dc1d04 0x445265dc 0x83c83870 0x0b0822b4

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.
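
The posted config has both VLAN interfaces at security-level 100, so forwarding between them depends on `same-security-traffic permit inter-interface`, the inbound ACLs and the static routes all lining up. The script below is an added example (not from the thread, not a Cisco tool) that parses a trimmed copy of the config above and checks those three things, and also answers "which interface and next hop would the ASA use to reach a given address", which is the question the later capture raises for the 10.1.4.x source. The checks are deliberately limited to what is visible in the config; `show asp drop` and `packet-tracer` on the box itself are the authoritative answer.

```python
"""Offline sanity checks for an ASA used as a router between two
same-security interfaces. Added example; the config text is a trimmed
copy of the 5505 config posted in the thread."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif private
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
 nameif engineering
 security-level 100
 ip address 10.3.200.31 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list private_access_in extended permit ip any any
access-list in_engineering extended permit ip any any
access-group private_access_in in interface private
access-group in_engineering in interface engineering
route engineering 0.0.0.0 0.0.0.0 10.3.200.1 1
route engineering 192.168.9.0 255.255.255.0 10.3.200.1 1
"""


def parse_interfaces(cfg):
    """Map nameif -> (security-level, IPv4Interface) from interface blocks."""
    ifaces, name, level, addr = {}, None, None, None
    for line in cfg.splitlines() + ["!"]:
        if line.startswith(("interface ", "!")):      # block boundary: flush
            if name and level is not None and addr:
                ifaces[name] = (level, addr)
            name = level = addr = None
            continue
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+security-level (\d+)", line)
        if m:
            level = int(m.group(1))
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m:
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_routes(cfg):
    """Static routes as (nameif, network, next-hop), longest prefix first."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")
        routes.append((m.group(1), net, m.group(4)))
    return sorted(routes, key=lambda r: r[1].prefixlen, reverse=True)


def egress_for(cfg, ip):
    """(nameif, next-hop) the ASA would use for ip: connected nets win,
    then the longest matching static route. Mirrors normal RIB lookup."""
    ip = ipaddress.IPv4Address(ip)
    for name, (_, addr) in parse_interfaces(cfg).items():
        if ip in addr.network:
            return name, "connected"
    for name, net, nh in parse_routes(cfg):
        if ip in net:
            return name, nh
    return None, None


def findings(cfg):
    """List the config-level reasons same-security forwarding could fail."""
    problems = []
    levels = [lvl for lvl, _ in parse_interfaces(cfg).values()]
    if len(set(levels)) < len(levels) and \
            "same-security-traffic permit inter-interface" not in cfg:
        problems.append("equal security levels but inter-interface traffic not permitted")
    # access-group <acl> in interface <nameif>: every applied ACL needs an ip any any
    for acl, iface in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        if not re.search(rf"^access-list {acl} extended permit ip any4? any4?$", cfg, re.M):
            problems.append(f"{iface}: {acl} has no 'permit ip any any'")
    if not any(net.prefixlen == 0 for _, net, _ in parse_routes(cfg)):
        problems.append("no default route")
    return problems


if __name__ == "__main__":
    print(findings(SAMPLE_CONFIG))                    # [] for the posted config
    print(egress_for(SAMPLE_CONFIG, "10.1.4.41"))     # via default route
```

For the posted config the checks come back clean and 10.1.4.41 resolves to the default route out `engineering` via 10.3.200.1, which is consistent with the ASA not being the thing that swallows the replies.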

20 Replies

Yeah I have asked them 3 times to verify that...they assure me that is all correct.  Guess I will need to validate myself.  The capture shows inbound but no outbound.

access-list cap line 1 extended permit ip any4 any4 (hitcnt=23914)

capture capin type raw-data access-list cap interface engineering

5505# sh cap capin | inc 10.1.4.41
3: 15:46:33.275040 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
73: 15:46:35.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
145: 15:46:37.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
208: 15:46:39.274949 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
258: 15:46:41.275010 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
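
The capture above shows echo requests arriving on `engineering` with no replies going back. The following is an added example (not part of the thread) that turns that eyeball check into a script: it parses `show capture` ICMP lines, pairs requests with replies per (pinger, target) and reports targets that never answered. The input is constructed: the five request lines posted above plus two made-up lines for a host (192.168.1.116) that does reply, so the script has both a silent and a healthy flow to separate.

```python
"""Find one-way ICMP flows in ASA 'show capture' output.
Added example; the capture text is constructed from the thread's
lines plus two invented reply lines for 192.168.1.116."""
import re
from collections import defaultdict

CAPTURE = """\
3: 15:46:33.275040 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
4: 15:46:33.275201 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.116: icmp: echo request
5: 15:46:33.275640 802.1Q vlan#2 P0 192.168.1.116 > 10.1.4.41: icmp: echo reply
73: 15:46:35.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
145: 15:46:37.274994 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
208: 15:46:39.274949 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
258: 15:46:41.275010 802.1Q vlan#2 P0 10.1.4.41 > 192.168.1.101: icmp: echo request
"""

# ASA capture line: "<n>: <time> [802.1Q vlan#N Px] <src> > <dst>: icmp: echo <request|reply>"
LINE = re.compile(
    r"^(?P<n>\d+): (?P<ts>\S+) (?:802\.1Q vlan#\d+ P\d+ )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: echo (?P<kind>request|reply)$"
)


def parse_icmp(text):
    """Yield (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"]


def flow_summary(text):
    """(pinger, target) -> [requests, replies]. A reply is credited to the
    flow whose target is the reply's source, so both directions land on one key."""
    flows = defaultdict(lambda: [0, 0])
    for src, dst, kind in parse_icmp(text):
        if kind == "request":
            flows[(src, dst)][0] += 1
        else:
            flows[(dst, src)][1] += 1
    return dict(flows)


def one_way(text):
    """Flows that saw requests but zero replies: (pinger, target) -> request count."""
    return {k: v[0] for k, v in flow_summary(text).items() if v[0] and not v[1]}


if __name__ == "__main__":
    for (pinger, target), n in one_way(CAPTURE).items():
        print(f"{target} never answered {n} echo requests from {pinger}")
```

A silent flow on the ingress capture only proves the request reached the ASA. To tell "ASA dropped it" from "host never answered or sent the reply elsewhere", run the same script over a second capture taken on the `private` interface (requests present there means the ASA forwarded them) or run `packet-tracer input engineering icmp 10.1.4.41 8 0 192.168.1.101` on the box; the latter is an assumed command line for this topology, not something from the thread.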

It is a bit of a puzzle this one :)

Can't think of anything else at the moment. If the ASA can ping 192.168.1.x clients then it looks like the internal switch connectivity is fine.

If anything else comes to mind I'll post back.

Jon

I have another piece to the puzzle that only makes things even more confusing...

There is a subnet (whose SVI is on the same core switch) that can reach the 192.168.1.x network both ways: 10.3.201.x.  I attached a couple of screenshots they took.

This is as you say even more confusing now.

So the ASA can route traffic, assuming it is simply not showing in the traceroute, which it won't do by default as I understand it.

And looking at the screenshot the default gateway for that 192.168.1.x client is set correctly.

You said in an earlier post you could not ping the inside devices from the 10.3.200.1 IP on the core switch so can you try that ping to this specific client ie. 192.168.1.116 and see what happens ?

Jon

Ok, so it looks like some of the IP'd devices on the "inside" of the 5505 (192.168.1.x) may in fact have a misconfiguration, though I was assured that all was well...

That address (1.116) is reachable through the whole path. It is the only one of the mess seen by the ASA.

Thanks for all the tips!!

No problem, thanks for letting me know.

Jon
