
ASA 5510 8.2 Not able to hit the internet

I am a newbie to the firewall config arena. I have an ASA 5510 that I have created a basic config for to access the internet. I am connecting to the firewall through the LAN, and I am able to ping it and access the config via the ASDM. If I console in, I am able to ping hosts on the internet. I assume that I have a NAT/ACL issue. Also, I am getting a bunch of TCP Deny errors in the log. Running config below.

 

Any help is much appreciated


ASA Version 8.2(2)
!
hostname
domain-name
enable password 1IxzQZxJCD4u7.Ts encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.166.5.185 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.2
 vlan 20
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2.7
 vlan 65
 nameif WLAN
 security-level 32
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif corp_lan
 security-level 30
 ip address 172.22.7.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa917-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name fbsintdom.com
object-group network obj_any
access-list corp_lan_access_in extended permit ip any any
access-list corp_lan_access_in extended permit icmp any any
access-list outside_acl extended permit ip any any inactive
access-list outside_acl extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu WLAN 1500
mtu corp_lan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.166.5.186 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:00:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username vvvvvvv password 9pL7lKE2sX30.27k encrypted
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect http
  inspect ip-options
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:884bdc4332706e16b7d8f00292b27899
: end

7 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

 

Everything looks good; however, I did not find an ACL applied to the interface.


access-group outside_acl in interface outside

 

There is one more option: allow ICMP traffic by including it in the default global policy you have in your firewall. This will also allow ICMP to the other zones you have in your FW when ICMP is initiated from high-security-level interfaces to low-security-level zones.

!
policy-map global-policy
 class global-class
  inspect icmp

An ACL assigned to the interface is not necessary, as the security-level configuration will take care of that. How are you testing? If with ping, then you would need inspect icmp configured in the policy-map, as mentioned by Muhammad.

Are you able to ping the default route IP 173.166.5.186 from the ASA? Can you ping the internet (ex. 8.8.8.8) from the ASA?

If yes, to the questions above:

1. Check Logs in ASDM for any drops for the relevant traffic.

2. Configure packet capture on the outside interface with a source of any and destination of the IP you are trying to reach.

cap capout interface outside match ip any host 8.8.8.8

show cap capout

Check to see if you have outgoing traffic; if you see nothing coming back, there is a routing issue towards your public assigned IP addresses.

--
Please remember to select a correct answer and rate helpful posts

I am able to ping the 186 address as well as the 8.8.8.8 address from the ASA; however, the capture returns 0 packets.

Log is showing TCP access denied by acl from local machine to inside.

[Image: 2020-01-26_11-45-27.png]

Current config after recent changes. Still no success...


ASA Version 8.2(2)
!
hostname
domain-name
enable password 1IxzQZxJCD4u7.Ts encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 173.166.5.185 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 20
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2.7
vlan 65
nameif WLAN
security-level 32
ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
nameif corp_lan
security-level 30
ip address 172.22.7.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
boot system disk0:/asa917-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list corp_lan_access_in extended permit ip any any
access-list corp_lan_access_in extended permit icmp any any
access-list outside_acl extended permit ip any any inactive
access-list outside_acl extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 173.166.5.184 255.255.255.252
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu WLAN 1500
mtu corp_lan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
icmp permit any corp_lan
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 173.166.5.184 255.255.255.252
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 173.166.5.186 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:00:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username fbsadmin password 9pL7lKE2sX30.27k encrypted
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect http
inspect ip-options
inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:07caa59f096c3f25b4ee1e6384e88bf8
: end

Some additional info. I can't see a way to remove the implicit deny rule shown in the image below, but the trace route seems to indicate that is one of the issues.

 

[Images: packettrace.png, access deny rulle.png]

What are you trying to achieve with this ACL?

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 173.166.5.184 255.255.255.252

You are only permitting access to the ASA's outside interface subnet, so all other traffic will be dropped. For internet access, it should look like the following:

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

Also, your packet-tracer is not correct. Packet tracer is for testing traffic that will travel through the ASA, not to the ASA. The only time you would use the ASA interface IP is when testing traffic heading to a server (most likely from the outside interface). In the destination IP section you should be using an IP on the internet, 8.8.8.8 for example.

--
Please remember to select a correct answer and rate helpful posts
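As an added illustration of the point in the last reply (this is example code, not from the thread or from Cisco), the snippet below evaluates an ASA 8.2 extended ACL the way the access-group check on the inside interface does, first match wins and an unmatched packet hits the implicit deny that ASDM shows but cannot remove. It also explains the empty outside capture earlier in the thread: a flow from the inside host to 8.8.8.8 is dropped by the original inside_access_in before it is NATed or leaves the outside interface, while the corrected any-destination entry permits it. The inside host 192.168.1.10 is a constructed sample address.

```python
import ipaddress

# Constructed from the ACLs quoted in the thread: the original inside_access_in
# and the corrected version suggested in the last reply.
ORIGINAL_INSIDE_ACL = [
    "access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 173.166.5.184 255.255.255.252",
]
FIXED_INSIDE_ACL = [
    "access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any",
]


def _parse_addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a dotted subnet mask (not a wildcard) after the network address
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [inactive]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst,
            "inactive": "inactive" in t[i:]}


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First-match ACL evaluation as the interface access-group check performs it.

    Inactive entries are skipped, an 'ip' entry matches every protocol, and a
    packet that matches nothing hits the implicit deny at the end of every ACL.
    Returns 'permit' or 'deny'.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["inactive"] or ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    # 192.168.1.10 is a constructed inside host; 8.8.8.8 is the test target used in the thread.
    for name, acl in (("original", ORIGINAL_INSIDE_ACL), ("fixed", FIXED_INSIDE_ACL)):
        for target in ("173.166.5.186", "8.8.8.8"):
            print(f"{name}: 192.168.1.10 -> {target}: {evaluate(acl, 'tcp', '192.168.1.10', target)}")
```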