ASA 5506-X: Unable to trigger ACL

FischerPrice
Level 1

So I have a few issues I've been slamming my head against, and it might have to do with my topology, but I don't think so.

I am sitting behind R1, R2 and R3, and then there is the ASA at 10.10.129.4. I can reach anything on 10.10.129.0 that isn't using the ASA as its DG, so routing is intact. The ASA has internet access and can resolve by name, but that is not necessary as this is all in my core.


One is that I cannot ping or traceroute my ASA, from behind R1 or even on the same subnet. I have read through forum after forum and referenced all of my other ASAs in the wild and can't figure out why this one is acting differently. I have ICMP inspect on, I've tried adding extended ACLs, changing TTL settings, etc., but cannot get it to respond.

Second is that I cannot access anything behind the ASA. Again, we have several ASAs out there and this should not be an issue. Log viewer shows my session hitting the firewall but Deny TCP (no connection) on each attempt. It also shows my ICMP build inbound and teardown, but I am not getting a response. Below is my relevant config:


ASA Version 9.15(1)1
!
hostname fw001-den1


interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 204.11.41.213 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.129.4 255.255.255.0
!
boot system disk0:/asdm-openjre-7161-150.bin
boot system disk0:/asa9-15-1-1-1fbff-k8.SPA
boot system disk0:/asa9-15-1-1-lfbff-k8.SPA
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 204.11.40.4 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-10.10.129.0
subnet 10.10.129.0 255.255.255.0
object network OBJ-NAT-ALL-Mgmt
subnet 0.0.0.0 0.0.0.0
object network BearCorp
host 204.11.43.114
object service vmware
service tcp source eq 5480 destination eq 5480
access-list global_access_1 extended permit ip object BearCorp any
access-list Mgmt_Internet_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any echo-reply
access-list outside_access_in_1 extended permit icmp any any echo
access-list outside_access_in_1 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Mgmt_Internet 1500
icmp unreachable rate-limit 50 burst-size 6
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-openjre-7161-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (inside,outside) after-auto source dynamic LAN-10.10.129.0 interface
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group global_access_1 global
route outside 0.0.0.0 0.0.0.0 204.11.41.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
!
class-map inspect_default
match default-inspection-traffic
!
policy-map global_policy
class inspect_default
inspect snmp
inspect icmp
class class-default
set connection decrement-ttl
!
service-policy global_policy global

4 Replies

Marvin Rhoads
Hall of Fame

It's not clear why you have the global access-list applied.

It's also not clear what the topology is including all of the routers you mention.

If you try a packet-tracer on the icmp traffic in question what does the ASA tell you?

Would be good to see a network diagram.

So when you say that you are able to reach everything on the 10.10.129.0/24 network that is not using the ASA as the default gateway, I am assuming you are sitting on a network that is not part of the 10.10.129.0/24 subnet. Is this correct? If yes, then you have a routing problem on the ASA, as you only have a default route, which looks to be pointing to the internet:

route outside 0.0.0.0 0.0.0.0 204.11.41.209 1

Meaning that the ASA doesn't know about any other networks in your local LAN.

If my assumption is not correct we would need more information about your setup, where you are testing from, and how R1, R2, and R3 are connected in relation to your ASA and test PC.

--
Please remember to select a correct answer and rate helpful posts

FischerPrice
Level 1

I removed the global ACL; I was just trying to get traffic from my subnet 192.168.75.0 to hit 10.10.129.0.


The route outside is getting the ASA to the core R3. Below are the packet-tracer output and topology. I am on 192.168.75.0 and can ping anything on the 10.10.129.0 subnet using the 172.16.41.2 route except the ASA or hosts behind the ASA. Packet-tracer shows the packet was allowed. Thank you so much for the help and input.

(attached network diagram: topo.jpeg)


fw001-den1# packet-tracer input inside icmp 192.168.75.106 8 0 10.10.129.25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.129.25 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspect_default
 match default-inspection-traffic
policy-map global_policy
 class inspect_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13044, packet dispatched to next module

Phase: 11
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.129.25 using egress ifc  inside

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.10.129.25 on interface  inside
Adjacency :Active
MAC address 000c.29f2.d617 hits 0 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


Are you hair-pinning the traffic on the ASA? Assuming that all routing is correct on the routers and/or switches, you are running into asynchronous routing, which will be dropped by default.


packet-tracer input inside icmp 192.168.75.106 8 0 10.10.129.25

Result:
input-interface: inside <---
input-status: up
input-line-status: up
output-interface: inside  <---
output-status: up
output-line-status: up
Action: allow


--
Please remember to select a correct answer and rate helpful posts
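Two points raised in the replies above can be checked mechanically rather than by eye: the earlier reply's observation that the posted config carries only a default route (so the ASA has no path back to 192.168.75.0/24, which is where its own ICMP replies and any hairpinned return traffic would have to go), and the last reply's question about whether the inside-to-inside flow is a hairpin. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It embeds a constructed excerpt of the posted running config, resolves the egress interface with a longest-prefix match the way the ASA's routing table does, and reports the reply path for the test host alongside the hairpin check. The next hop 10.10.129.1 in the corrected `route inside` line is an assumption: the thread never states which inside hop reaches 192.168.75.0/24, so substitute the real one.

```python
"""Why the ASA cannot answer 192.168.75.106: a modelled route lookup.

Added example for this thread, not code from the original posts or from Cisco.
Only the routing-relevant lines of the posted config are embedded.  The
next hop 10.10.129.1 in FIXED_CONFIG is an assumption, not from the thread.
"""
import ipaddress
import re

# Constructed excerpt of the running config posted in the question.
POSTED_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 204.11.41.213 255.255.255.240
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.129.4 255.255.255.0
!
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 204.11.41.209 1
"""

# Same config plus a static route back to the test subnet (next hop assumed).
FIXED_CONFIG = POSTED_CONFIG + "route inside 192.168.75.0 255.255.255.0 10.10.129.1 1\n"


def parse_routes(config):
    """Return (routes, intra_ok); each route is (network, nameif, next_hop)."""
    routes, nameif = [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # Connected route for the interface subnet, e.g. 10.10.129.0/24 -> inside
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, nameif, "connected"))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            # Static route: route <nameif> <network> <mask> <next-hop> [metric]
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((net, m.group(1), m.group(4)))
    intra_ok = "same-security-traffic permit intra-interface" in config
    return routes, intra_ok


def egress(routes, dst):
    """Longest-prefix match; 0.0.0.0/0 wins only when nothing more specific matches."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def analyse(config, ingress, src, dst):
    """Resolve the forward flow and, separately, where a reply to src would leave."""
    routes, intra_ok = parse_routes(config)
    fwd, rev = egress(routes, dst), egress(routes, src)
    findings = []
    if fwd == ingress and not intra_ok:
        findings.append(f"{ingress}->{ingress} hairpin needs "
                        "'same-security-traffic permit intra-interface'")
    if rev != ingress:
        findings.append(f"reply to {src} would leave via {rev}, not {ingress}: "
                        "no route back to the test subnet")
    return {"forward_egress": fwd, "reply_egress": rev, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("with route inside", FIXED_CONFIG)):
        print(label, analyse(cfg, "inside", "192.168.75.106", "10.10.129.25"))
```

With the posted config the forward packet resolves to `inside` (matching the packet-tracer output above), but the reply to 192.168.75.106 matches only the default route and would leave via `outside`, which is consistent with the ASA never answering pings and with the "Deny TCP (no connection)" entries for hosts that use the ASA as their gateway. Adding the `route inside` line moves the reply path back to `inside`. The same check on a config without `same-security-traffic permit intra-interface` flags the inside-to-inside hairpin, which the posted config already permits.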