ASA 5510 ccna security lab setup problem

sany98 (Level 1)

Hi

I'm having a problem with my lab/ASA setup. I can access (ping/HTTPS) the ASA/ASDM from my home PC 192.168.1.15, but I can't ping or telnet to subnets 192.168.2, 192.168.3 and 192.168.4. I want to be able to access and configure my routers from my home PC. I know that it has something to do with outside to inside and the other way around, but I don't know how to fix it.

 

PC1, 2 and 3 have internet access through the ASA. The PCs can ping each other and ping the inside interface. RIP is enabled on all routers and on the ASA, and all routers have a default route to the ASA. The problem is that I can't access ASDM on the outside interface 192.168.1.133, and ping doesn't work either. Can anyone please help me?

My lab is located in the basement, so that's why I want to be able to access everything from my home PC.

 


Accepted Solution

Check out this link...seems to be the same issue you are experiencing

https://superuser.com/questions/1087392/windows-firewall-blocking-ssh-to-secondary-subnet

--
Please remember to select a correct answer and rate helpful posts


28 Replies

johnd2310 (Level 8)

Hi,

  1. You need an access-list on the outside interface to allow ssh from home-pc to required subnets
  2. To allow asdm access from home-pc you need command: http 192.168.1.15 255.255.255.255 OUTSIDE
  3. To allow ping from you home-pc add command: icmp permit host 192.168.1.15 OUTSIDE

 

 

Thanks

John

**Please rate posts you find helpful**

Hi John,

Thank you for the help!

1. I created the access list on outside like you said, but I still can't access the subnets on the inside:

access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 object internal-lan eq ssh

2. I can already access ASDM from my home PC. The problem is that I can't access ASDM from PC1, 2 and 3 on the subnets (192.168.2, 3 and 4) on the inside network.

3. Ping from the home PC to the ASA works now, but from the home PC to the subnets on the inside it doesn't work.

Hi,

  1. Have you applied the access list to an interface: access-group outside_access_in in interface OUTSIDE. You can use packet-tracer to troubleshoot the access list. Please run packet-tracer in ASDM and post the result. You will find packet-tracer in the Tools menu.
  2. if you need to access ASDM from the inside network, you need to add the commands: http 192.168.2.0 255.255.255.0 INSIDE,  http  192.168.3.0 255.255.255.0 INSIDE and http 192.168.4.0 255.255.255.0 INSIDE
  3. You need to add icmp in the access list outside_access_in

Thanks

John

**Please rate posts you find helpful**

1. The access list is applied to the outside interface:

access-group outside_access_in in interface outside

2. I had this command with 192.168.0.0 255.255.0.0 and have changed it to your suggestion, but it still doesn't work. No access to ASDM from the inside network.

3. Tried that also, but it didn't work either:

access-list outside_access_in extended permit icmp 192.168.1.0 255.255.255.0 object-group internal-lan-group 

 

Hi,

 

What is the output when you run packet-tracer? Can you post a sanitised running config of your ASA?

 

Thanks

John

**Please rate posts you find helpful**

There was an error in packet-tracer with a NAT rule; I added one more NAT rule from outside to inside and got "packet is allowed". But still, when I try to telnet, SSH or ping from the home PC to the inside subnets, it doesn't work. From the home PC it only works to outside/ASDM 192.168.1.133. I've tried disabling the Windows firewall but nothing helps. Thanks for your help, I really appreciate it.

 

 

 


hostname firewall
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.2.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.253 255.255.255.0
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 192.168.1.133 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object network internal-lan
 subnet 192.168.0.0 255.255.0.0
object network asa-outside-ip
 host 192.168.1.133
object network inside-netw
 subnet 192.168.0.0 255.255.0.0
object network 10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network 2
 subnet 192.168.2.0 255.255.255.0
object network 3
 subnet 192.168.3.0 255.255.255.0
object network 4
 subnet 192.168.4.0 255.255.255.0
object-group network internal-lan-group
 network-object object 2
 network-object object 3
 network-object object 4
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip object-group internal-lan-group object asa-outside-ip
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 object internal-lan eq ssh
access-list outside_access_in extended permit icmp 192.168.1.0 255.255.255.0 object-group internal-lan-group
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 192.168.2.0 255.255.255.0 outside
icmp permit 192.168.3.0 255.255.255.0 outside
icmp permit 192.168.4.0 255.255.255.0 outside
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static internal-lan-group internal-lan-group
!
object network internal-lan
 nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
 network 10.0.0.0
 network 192.168.0.0
 network 192.168.1.0
 version 2
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.2 source outside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 anyconnect-essentials
 cache
  disable
username ccna password 0UmvUgEJ6PEb01Te encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5201ca74e2b54b1ac46e55d70a844b83
: end

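The posted config mixes up two separate gates that John's replies keep apart: the `http`, `ssh`, `telnet` and `icmp permit` statements only decide whether a session terminated on the ASA itself (ASDM, SSH/telnet to the box, pinging an interface) is accepted, while traffic passing through to the lab subnets is decided by the ACL bound with `access-group` plus NAT. The `icmp permit 192.168.2.0 ... outside` lines, for instance, only govern pings addressed to the outside interface from those subnets; they do nothing for pings through to them. The script below is an added example (Python, not from the original post or from Cisco) that parses an excerpt of the running-config above and evaluates both gates for the home PC 192.168.1.15 and for an assumed lab host 192.168.2.10. It supports only the syntax used in the excerpt, and it does not model NAT or security levels, so it cannot reproduce the packet-tracer NAT error mentioned earlier. Run on the posted lines it shows the ASA permitting the home PC at both gates, consistent with the later finding that the fault was outside the ASA. It also makes one caveat visible: the final `permit ip any any` ACE makes the SSH and ICMP entries before it redundant and lets everything arriving on the outside interface through into the lab, which is worth tightening once access works.

```python
"""Models the two ASA gates discussed in this thread: to-the-box access (ASDM,
SSH, telnet and ping terminated on the ASA) and through-the-box access (traffic
to the lab subnets, filtered by the ACL bound inbound on an interface). Added
example, not code from the original post or from Cisco; NAT is not modelled."""
import ipaddress

# Excerpt of the running-config posted in this thread (many lines omitted).
# The hosts used in the checks are constructed: 192.168.1.15 is the home PC from
# the question; 192.168.2.10 is an assumed PC on the 192.168.2.0/24 lab subnet.
SAMPLE_CONFIG = """\
object network internal-lan
 subnet 192.168.0.0 255.255.0.0
object network 2
 subnet 192.168.2.0 255.255.255.0
object-group network internal-lan-group
 network-object object 2
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 object internal-lan eq ssh
access-list outside_access_in extended permit icmp 192.168.1.0 255.255.255.0 object-group internal-lan-group
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
icmp permit any inside
icmp permit 192.168.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 outside
"""
PORTS = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}   # named ports in ACEs


def _addr(t, i, objs, groups):
    """Consume one ACE address spec starting at t[i]; return (networks, next index)."""
    w = t[i]
    if w in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if w == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if w in ("object", "object-group"):
        return (objs if w == "object" else groups)[t[i + 1]], i + 2
    return [ipaddress.ip_network(f"{w}/{t[i + 1]}")], i + 2      # "A.B.C.D MASK"


def parse(config):
    objs, groups, acls, bound, mgmt = {}, {}, {}, {}, []
    current = None                      # object / object-group being filled in
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" "):        # child line of an object or object-group
            if t[0] in ("subnet", "host"):
                objs[current] = [ipaddress.ip_network("/".join(t[1:]))]
            elif t[:2] == ["network-object", "object"]:
                groups.setdefault(current, []).extend(objs[t[2]])
        elif t[:2] == ["object", "network"] or t[0] == "object-group":
            current = t[2]
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5, objs, groups)
            dst, i = _addr(t, i, objs, groups)
            port = None
            if len(t) > i + 1 and t[i] == "eq":
                port = PORTS[t[i + 1]] if t[i + 1] in PORTS else int(t[i + 1])
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
        elif t[0] in ("http", "ssh", "telnet") and len(t) == 4 and t[1][0].isdigit():
            mgmt.append((t[0], ipaddress.ip_network(f"{t[1]}/{t[2]}"), t[3]))
        elif t[:2] == ["icmp", "permit"]:
            mgmt.append(("icmp", _addr(t, 2, objs, groups)[0][0], t[-1]))
    return {"acls": acls, "bound": bound, "mgmt": mgmt}


def mgmt_access(cfg, src, iface):
    """Which to-the-box services on `iface` accept `src` (ASDM is 'http')."""
    src, out = ipaddress.ip_address(src), {}
    for svc in ("http", "ssh", "telnet", "icmp"):
        nets = [n for s, n, ifc in cfg["mgmt"] if s == svc and ifc == iface]
        # Ping to an interface stays open until the first 'icmp permit/deny' names it.
        out[svc] = any(src in n for n in nets) or (svc == "icmp" and not nets)
    return out


def through_access(cfg, in_iface, proto, src, dst, port=None):
    """First-match walk of the ACL bound inbound on `in_iface`, implicit deny last.
    Returns (action, 1-based ACE number), or None if no ACL is bound there."""
    name = cfg["bound"].get(in_iface)
    if name is None:
        return None
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, aproto, snets, dnets, aport) in enumerate(cfg["acls"][name], 1):
        if aproto in ("ip", proto) and any(src in s for s in snets) \
                and any(dst in d for d in dnets) and aport in (None, port):
            return action, n
    return "deny", None


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("home PC -> ASA on outside:", mgmt_access(cfg, "192.168.1.15", "outside"))
    print("home PC -> lab ssh:", through_access(cfg, "outside", "tcp", "192.168.1.15", "192.168.2.10", 22))
    print("PC1 -> ASDM on inside:", mgmt_access(cfg, "192.168.2.10", "inside"))
```

`through_access` returns which ACE matched, so a `("permit", 3)` for telnet tells you the catch-all `permit ip any any` is doing the work rather than a deliberate rule. When the ASA really is the suspect, `packet-tracer input outside tcp 192.168.1.15 1025 192.168.2.10 22` on the CLI gives the authoritative answer, including the NAT phase this model leaves out.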

What type of device is 192.168.1.254? I am leaning towards an issue with the forwarding of traffic to other IPs on the LAN through this device. If it is an off-the-shelf device like Belkin, D-Link, etc., check the firewall and/or security settings.

--
Please remember to select a correct answer and rate helpful posts

192.168.1.254 is an optical fibre router from my ISP. Very simple settings are available there, but no static routes.

So are both the PC and the ASA connected directly to the router, or is this connected via a switch? If they are, I am still leaning towards a forwarding issue on the router. Are you able to ping the ASA from the router? Or, if you connect your PC to the ASA outside interface, are you able to ping the outside interface and get access to the devices behind it?

--
Please remember to select a correct answer and rate helpful posts


Yes, both the PC and the ASA are directly connected to the router. I can ping the ASA outside interface 192.168.1.133 from my PC, but no further than that. I will try with the PC connected directly to outside.

I have tried with the PC directly connected to the ASA's outside interface and everything works fine, so the issue is with my "home" router. Is there any way to fix it? Like I said, only basic settings are available.

 

 

 

What do you see under LAN and Wireless tabs?

--
Please remember to select a correct answer and rate helpful posts