ASA 5510 - Cisco 2811 Router

Hi all, I really could use some assistance in regard to an ASA 5510 and a 2811 Router. I have working internet, but access lists are killing me; I am just not quite able to wrap my head around them. First off, let me say what I want to do. I want the ASA to act as a firewall. No routing done on it, well, no routing past the one route to get traffic to the router.

I want the 2811 to do the routing for the internal network, that is until I wrap my head around everything, then I might do some routing with the ASA to add a DMZ or et cetera.

So, with that said, what changes do I have to make to the ASA to set a static route for all incoming traffic to the router, and secondly, how do ACLs work between the ASA and the router?

For example, if the ASA was setup correctly with a static route, how would I pass SSH through the ASA to be able to SSH to the router?

How would I allow traffic to hit an internal Webserver on a 192.168.1.5 address?

Here are my configs.

ASA:

ASA5510# sh running-config
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted>
names
dns-guard
!
interface Ethernet0/0
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 199.199.199.123 255.255.255.240
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 199.195.168.4
 name-server 205.171.2.65
 name-server 205.171.3.65
 domain-name maladomini.int
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
object-group network DM_INLINE_NETWORK_1
 network-object host <redacted>
 network-object host <redacted>
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface Outside eq ssh
access-list 100 extended permit icmp interface Inside any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
!
router rip
 network 10.0.0.0
 network 199.195.168.0
 version 2
 no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.121.18 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
: end

2811:

CISCO-2811#sh running-config brief
Building configuration...

Current configuration : 3449 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO-2811
!
boot-start-marker
boot system flash
boot-end-marker
!
!
enable secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
!
ip dhcp pool Mitchs_Network
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
 default-router 192.168.1.1
!
ip dhcp pool VLAN10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
!
ip dhcp pool VLAN20
 network 172.16.20.0 255.255.255.0
 dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
 default-router 172.16.20.1
!
!
!
ip domain name maladomini.int
ip name-server 192.168.1.2
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
no vlan accounting input
!
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1290569776
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1290569776
 revocation-check none
 rsakeypair TP-self-signed-1290569776
!
!
crypto pki certificate chain TP-self-signed-1290569776
 certificate self-signed 01
!
!
license udi pid CISCO2811 sn FTX1041A07T
username
username
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
 description CONNECTION TO INSIDE INT. OF ASA
 ip address 10.10.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.2
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.3
 description Trunk Interface VLAN 1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 no ip address
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 network 199.195.168.0
 no auto-summary
!
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ospf name-lookup
!
access-list 1 permit any
access-list 100 permit tcp host 10.10.1.1 host 192.168.1.5 eq www
access-list 100 permit icmp host 10.10.1.1 any echo-reply
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 password <redacted>
line aux 0
line vty 0 4
 exec-timeout 0 0
 password <redacted>
 transport input ssh
!
scheduler allocate 20000 1000
end

Thank you for the help!

22 Replies

Hi,

Seems that the problem is that the traffic is not allowed.

The following commands would show your ACL configurations:

show run access-list

show run access-group

If the only aim was to allow this traffic to your internal network, then the commands would be:

access-list OUTSIDE-IN permit tcp host object ROUTER-2811 eq ssh

access-group OUTSIDE-IN in interface Outside

I think you had some other configuration required too, so better to make sure you have the above rule (with correct source IP) and that it's attached to the interface with the "access-group" command like above (with the current ACL name).

- Jouni

OK, I will add those. That will not prevent other internet traffic from coming in, correct? I don't want to cut my internet access at home while I am here at work; I'd have some upset family members.

Here is my current sh run access-list:

ASA5510# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 99.22.121.180 object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 99.22.121.190 object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 99.22.121.180 object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 99.22.121.190 object ROUTER-2811 eq ssh

Current sh run access-group:

ASA5510# sh run access-group
ASA5510#

I don't seem to have any access-groups.

Hi,

You would need to enter the command:

access-group Outside_access_in in interface Outside

This won't affect any connections established from behind the ASA (from the LAN network). This is because the ASA has already allowed the traffic from LAN to WAN, so it won't check the return traffic for your basic Internet traffic. Certain protocols are naturally checked differently, but nothing you should worry about for basic Internet use.

Notice also that your source IP in the "packet-tracer" is different from the ones shown on the ACL, so check those too.

I mean the above ACL IPs start with 99.22.

In the "packet-tracer" you used 98.22.

Hope this helps

- Jouni

Yes, I just changed those up so it didn't show the real IPs.

That worked for the SSH. I can now access the router via SSH on the specified port!

Though I cannot access the WEBCAM-01 and it is in the same group. Is there an additional command for that? It looks like the packet is allowed past the ASA, according to the packet-tracer feature:

ASA5510(config)# packet-tracer input Outside tcp 99.22.121.180 80 199.195.168.1$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface Inside
Untranslate 100.100.100.123/80 to 192.168.1.5/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp host 99.22.121.180 object WEBCAM-01 eq www
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www www
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 85078, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Hi,

I would start by monitoring the logs through the ASDM while connecting to the Webcam.

Are you sure that the port TCP/80 is everything that is needed? If it's not and the connection is actually formed to some other port (too), then the ASDM will probably show this when you attempt the connection.

The above would seem to suggest that this particular port connection would pass the ASA with no problems.

- Jouni

It is a FOSCAM IP Camera. It just uses a built-in web interface. It has an ActiveX mode for IE and a push mode for Firefox, but it just works on web port 80. You can change the port to whatever you like, but 80 is the default.

That was why I was thinking it might be something on the router, but I don't believe I have any restrictions on my inside router currently because I haven't set up rules for any traffic other than allow all.

Hi JouniForss,

I got ASDM setup so I can log into it from work. When I try and hit it on the www interface for the WEBCAM-01 (I enter my external IP in my browser for www) I see this on the ASDM:

Severity | Date | Time | Source | Src port | Destination | Dst port | Message
6 | Jan 13 2014 | 11:50:02 | 98.22.xxx.xxx | 59439 | 192.168.1.5 | 80 | Built inbound TCP connection 90795 for Outside:98.22.xxx.xxx/59439 (98.22.xxx.xxx/59439) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)
6 | Jan 13 2014 | 11:50:01 | 98.22.xxx.xxx | 59437 | 192.168.1.5 | 80 | Built inbound TCP connection 90794 for Outside:98.22.xxx.xxx/59437 (98.22.xxx.xxx/59437) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)

Another try:

Severity | Date | Time | Source | Src port | Destination | Dst port | Message
6 | Jan 13 2014 | 11:56:51 | 98.22.xxx.xxx | 59750 | 192.168.1.5 | 80 | Built inbound TCP connection 90974 for Outside:98.22.xxx.xxx/59750 (98.22.xxx.xxx/59750) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)
6 | Jan 13 2014 | 11:56:51 | 98.22.xxx.xxx | 59750 | 192.168.1.5 | 80 | Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/59750 to Inside:192.168.1.5/80
6 | Jan 13 2014 | 11:56:51 | 98.22.xxx.xxx | 59752 | 192.168.1.5 | 80 | Built inbound TCP connection 90975 for Outside:98.22.xxx.xxx/59752 (98.22.xxx.xxx/59752) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)
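The ASDM entries above are ordinary ASA syslog messages (302013 "Built inbound TCP connection" and 110001 "Routing failed to locate next hop"). As an added example, not from this thread, the Python below parses such lines and lists the flows the access-list already admitted but the ASA then could not route, which is the check that separates an ACL problem from a route/NAT problem; the sample lines are constructed in the standard syslog form with placeholder addresses.

```python
import re

# Constructed sample lines modelled on the ASDM output above, written in the
# standard %ASA syslog form. The public source is a TEST-NET-2 placeholder
# (198.51.100.7) and the mapped outside address is a placeholder as well.
SAMPLE_LOG = """\
Jan 13 2014 11:50:02: %ASA-6-302013: Built inbound TCP connection 90795 for Outside:198.51.100.7/59439 (198.51.100.7/59439) to Inside:192.168.1.5/80 (199.195.0.1/80)
Jan 13 2014 11:56:51: %ASA-6-302013: Built inbound TCP connection 90974 for Outside:198.51.100.7/59750 (198.51.100.7/59750) to Inside:192.168.1.5/80 (199.195.0.1/80)
Jan 13 2014 11:56:51: %ASA-6-110001: Routing failed to locate next hop for TCP from Outside:198.51.100.7/59750 to Inside:192.168.1.5/80
Jan 13 2014 11:56:51: %ASA-6-302013: Built inbound TCP connection 90975 for Outside:198.51.100.7/59752 (198.51.100.7/59752) to Inside:192.168.1.5/80 (199.195.0.1/80)
"""

# 302013: the ACL and NAT phases accepted the packet and a connection was built.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")
# 110001: the ASA found no usable route for the flow after the connection was built.
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"\w+:(?P<sip>[\d.]+)/(?P<sport>\d+) to \w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")


def parse_flows(log_text):
    """Return (built, failed): {5-tuple: conn id} and the set of unroutable 5-tuples."""
    built, failed = {}, set()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[("TCP", m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))] = int(m["conn"])
            continue
        m = ROUTE_FAIL_RE.search(line)
        if m:
            failed.add((m["proto"].upper(), m["sip"], int(m["sport"]), m["dip"], int(m["dport"])))
    return built, failed


def flows_built_but_unroutable(log_text):
    """Flows that passed the ACL (a 302013 was logged) but then hit 110001.
    Anything listed here is not an access-list problem: look at the route or
    NAT toward the inside next hop instead."""
    built, failed = parse_flows(log_text)
    return sorted((key, built[key]) for key in failed if key in built)


def acl_reached_target(log_text, dst_ip, dst_port):
    """True if at least one inbound connection to dst_ip:dst_port was built."""
    built, _ = parse_flows(log_text)
    return any(k[3] == dst_ip and k[4] == dst_port for k in built)
```

Feed it the real syslog export (logging to a syslog host rather than only ASDM) and a non-empty result from flows_built_but_unroutable points at routing or NAT, not at the ACL.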

On a router, how do I create and apply access lists?

I have a couple, but it seems to me that when I apply one to an interface, I block all other traffic to that subnet.

CISCO-2811#sh access-lists
Standard IP access list 1
    10 permit any (3887 matches)
Extended IP access list 100
    10 permit tcp host 10.10.1.1 host 192.168.1.5 eq www
    20 permit icmp host 10.10.1.1 any echo-reply
CISCO-2811#sh access-expression
CISCO-2811#
CISCO-2811#sh route-map
CISCO-2811#

So for example, if I enabled access-list 100, I believe it would block all the traffic to that network.

I am unable to ping the router from the ASA. I remember I used to be able to; not sure what changed.
