11-18-2013 11:20 AM - edited 03-11-2019 08:06 PM
Just upgraded to ver 8.4.3 from 8.1 and I know the NAT has changed, and I am wondering if it converted everything correctly or if there is something else I need to do. All traffic seems to flow just fine, but small things like this seem to bother me. See the attached SS and config.
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 216.*.*.* 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.** 255.255.254.0
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
!
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.*.*
 name-server 192.168.*.*
 name-server 192.168.*.*
 domain-name ******
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.180.0
 subnet 192.168.180.0 255.255.254.0
object network obj-192.168.188.0
 subnet 192.168.188.0 255.255.255.0
object network obj-216.86.7.128
 subnet 216.86.7.128 255.255.255.240
object network obj-192.168.193.0
 subnet 192.168.193.0 255.255.255.0
object network obj-172.27.0.0
 subnet 172.27.0.0 255.255.255.128
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
object network obj-172.25.11.0
 subnet 172.25.11.0 255.255.255.0
object network obj-172.35.0.0
 subnet 172.35.0.0 255.255.254.0
object network SpamBox_1
 host 192.168.180.244
object network SpamBox_2
 host 192.168.180.248
object network Exchange
 host 192.168.180.235
object network PMG
 subnet 192.168.178.0 255.255.255.0
object network Outside_Gateway
 host 216.*.*.*
object network AHCCN
 subnet 172.35.0.0 255.255.254.0
object network PMG-1
 subnet 192.168.178.0 255.255.255.0
object network MM
 subnet 10.90.254.0 255.255.255.0
object network NETWORK_OBJ_172.27.0.0_25
 subnet 172.27.0.0 255.255.255.128
object network NETWORK_OBJ_172.27.0.0_26
 subnet 172.27.0.0 255.255.255.192
object network obj-172.35.1.199
 host 172.35.1.199
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp-udp destination eq domain
 service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_2
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_4
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_3
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_16
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_5
 network-object object AHCCN
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
 network-object object obj-192.168.180.0
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object udp destination eq time
 service-object tcp destination eq ssh
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_6
 service-object tcp-udp destination eq domain
 service-object tcp destination eq smtp
 service-object udp destination eq time
 service-object tcp destination eq ssh
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
object-group network DM_INLINE_NETWORK_7
 network-object object MM
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_8
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object tcp-udp destination eq domain
 service-object tcp destination eq citrix-ica
object-group network DM_INLINE_NETWORK_10
 network-object 172.25.11.0 255.255.255.0
 network-object 172.35.0.0 255.255.254.0
object-group network DM_INLINE_NETWORK_9
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_11
 network-object object obj-172.25.11.0
 network-object object obj-172.35.0.0
object-group network DM_INLINE_NETWORK_13
 network-object object AHCCN
 network-object object obj-172.25.11.0
object-group network DM_INLINE_NETWORK_14
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
object-group network DM_INLINE_NETWORK_15
 network-object object AHCCN
 network-object object obj-172.25.11.0
 network-object object obj-192.168.180.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object obj-192.168.180.0 object obj-216.*.*.*
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.193.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0
access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14
access-list Outside_2_cryptomap extended permit ip object obj-192.168.193.0 object-group DM_INLINE_NETWORK_15
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2
access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Outside_access_in extended permit ip 192.168.193.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list Outside_access_in extended deny ip any any
access-list global_mpc extended permit ip any any
access-list global_access extended permit udp object obj-172.*** any eq snmp
access-list global_access extended permit ip object obj-172.2** any
access-list splitTunnelAcl standard permit 192.168.** 255.255.254.0
access-list splitTunnelAcl standard permit 172.*** 255.255.254.0
access-list splitTunnelAcl standard permit 172.25.** 255.255.255.0
access-list splitTunnelAcl standard permit 10.90.** 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip object *** object-group DM_INLINE_NETWORK_13
access-list Inside_access_in extended permit ip any any
!
!
flow-export destination Inside 192.168.180.109 2055
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0
ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm history enable
arp timeout 14400
nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp
nat (Inside,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.193.0 obj-192.168.193.0
nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG
nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static PMG PMG no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup
!
object network obj_any
 nat (Inside,Outside) dynamic interface
object network SpamBox_1
 nat (Inside,Outside) static 216.*.*.*
object network SpamBox_2
 nat (Inside,Outside) static 216.*.*.*
object network Exchange
 nat (Inside,Outside) static 216.*.*.* dns
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
11-18-2013 12:33 PM
Hi,
I don't know if there really is anything in your configuration above that would tell the reason for these error messages in the syslog. At least I am not sure what is causing them.
Generally you see the "no connection" log messages for these reasons (at least)
I guess the main thing is that everything seems to be working.
I would suggest monitoring the logs and seeing if there are any particular hosts for which these log messages repeat, and then capturing traffic for their connections to see what actually happens to those TCP connections which have already been removed from the ASA but for which traffic is still coming to the ASA.
You can configure a traffic capture on the ASA itself if needed.
- Jouni
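The triage Jouni describes above (find the hosts for which the "no connection" messages repeat, then capture that host's traffic) is easy to script against an exported syslog. The following is an added example, not code from this thread or from Cisco: it parses lines in the standard ASA %ASA-6-106015 "Deny TCP (no connection)" format, ranks source and destination hosts by how often they are denied, summarises the TCP flags seen (a late FIN, RST or bare ACK arriving after the ASA has already torn the connection down is the benign case, which is what the original poster eventually found), and builds the ASA `capture ... match` command for the noisiest source. The sample log lines, the hostname asa-fw, the port numbers and the 192.0.2.0/24 destinations are constructed for the example; only the 106015 message layout and the capture command syntax are Cisco's.

```python
"""Rank hosts behind repeating ASA 106015 "Deny TCP (no connection)" messages.

Added example for the thread above; not the poster's or Cisco's code.
Assumes the standard ASA syslog layout for message 106015:
  %ASA-6-106015: Deny TCP (no connection) from SRC/PORT to DST/PORT
      flags FLAGS on interface IFACE
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample syslog lines (NOT the screenshot from the original post).
# 192.0.2.0/24 is a documentation range standing in for the external site.
SAMPLE_LOG = """\
Nov 18 2013 11:02:15 asa-fw %ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49152 to 192.0.2.10/80 flags FIN ACK  on interface Inside
Nov 18 2013 11:02:16 asa-fw %ASA-6-302013: Built outbound TCP connection 4711 for Outside:192.0.2.10/80 (192.0.2.10/80) to Inside:192.168.180.51/49200 (203.0.113.5/49200)
Nov 18 2013 11:02:17 asa-fw %ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49153 to 192.0.2.10/80 flags RST  on interface Inside
Nov 18 2013 11:02:18 asa-fw %ASA-6-106015: Deny TCP (no connection) from 192.168.180.51/49201 to 192.0.2.10/443 flags ACK  on interface Inside
Nov 18 2013 11:02:19 asa-fw %ASA-6-106015: Deny TCP (no connection) from 192.168.180.50/49154 to 192.0.2.11/80 flags RST  on interface Inside
Nov 18 2013 11:02:20 asa-fw %ASA-6-302014: Teardown TCP connection 4711 for Outside:192.0.2.10/80 to Inside:192.168.180.51/49200 duration 0:00:03 bytes 1842 TCP FINs
"""

# Matches only message 106015; the severity digit is left free so the same
# pattern works if the logging level for the message has been changed.
NO_CONN_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_no_connection(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict (src, sport, dst, dport, flags, iface) per 106015 line.

    Other message IDs (302013 Built, 302014 Teardown, ...) are skipped.
    """
    events = []
    for line in lines:
        match = NO_CONN_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def top_talkers(events: List[Dict[str, str]], key: str, n: int = 5) -> List[Tuple[str, int]]:
    """Rank hosts by number of no-connection denies; key is 'src' or 'dst'."""
    return Counter(event[key] for event in events).most_common(n)


def flag_summary(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count TCP flag combinations. FIN/RST/ACK-only packets after teardown
    are the usual late-packet case; a SYN here would mean a packet that never
    matched an existing connection at all and deserves a closer look."""
    return dict(Counter(event["flags"] for event in events))


def capture_command(name: str, iface: str, host: str) -> str:
    """Build the ASA capture command (standard 'capture <name> interface
    <iface> match tcp host <ip> any' syntax) for the host to be investigated."""
    return f"capture {name} interface {iface} match tcp host {host} any"


def report(lines: Iterable[str]) -> str:
    """Human-readable summary plus the capture command for the top source."""
    events = parse_no_connection(lines)
    out = [f"{len(events)} no-connection denies parsed"]
    out.append("top sources: " + ", ".join(f"{h} ({c})" for h, c in top_talkers(events, "src")))
    out.append("top destinations: " + ", ".join(f"{h} ({c})" for h, c in top_talkers(events, "dst")))
    out.append("flags: " + ", ".join(f"{f}={c}" for f, c in flag_summary(events).items()))
    if events:
        top_src, _ = top_talkers(events, "src", 1)[0]
        out.append("next step: " + capture_command("cap_noconn", events[0]["iface"], top_src))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Feed it the syslog export from the logging server instead of `SAMPLE_LOG` (`report(open("asa.log").readlines())`); the capture command it prints is what to paste on the ASA before running `show capture cap_noconn` to see what the "already removed" connections actually look like on the wire.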
11-18-2013 01:19 PM
I ran a capture and found that the traffic that was being dropped was in fact denied traffic from my web filter behind the ASA. No malicious traffic that I can see. Most of it is denied traffic to Adobe Updater. Thanks for the insight, I was just concerned since I started seeing these after the upgrade.