966 Views, 0 Helpful, 9 Replies

ASA 5512 Issue

tsheltonuk
Level 1

Hello, 

I am trying to set up a guest network on an ASA 5512 but to no avail. I have attached the config; am I missing anything?

Thanks all!

9 Replies

Aditya Ganjoo
Cisco Employee

Hi,

May I know what the requirements for the Guest network are?

What do we want to access from the Guest network?

Regards,

Aditya

Just internet access. The guest network should utilize public DNS (8.8.8.8) and should not be able to access anything on the Corporate LAN (10.7.0.0/16).

Thanks

Tom 

Hi,

The config looks fine for internet access.

Can you share the packet-tracer output for the Guest vlan:

packet-tracer input guest icmp 10.3.0.2 8 0 4.2.2.2 det

Also, on the inside access-group inside_access_in you can deny the Guest subnet.

Regards,

Aditya

Please rate helpful posts.
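
The ACL check behind the advice above, as an added example that is not part of the thread or the poster's configuration. On the ASA an access-group applied `in` on an interface filters traffic entering the firewall on that interface, so a deny in inside_access_in stops inside hosts from reaching the guest subnet; the guest-to-corporate direction is governed by an ACL applied inbound on the guest interface (bound with `access-group guest_access_in in interface guest`), or, with no ACL there, by the security-level default. The script below is a first-match evaluator for the subset of ASA extended-ACL syntax used here (`any`, `host A.B.C.D`, `A.B.C.D MASK`, no port qualifiers). The ACL named guest_access_in is hypothetical, written for the stated requirement (Internet only, nothing to 10.7.0.0/16), and a second copy with the entries misordered shows how a permit-any placed first silently shadows the deny.

```python
"""First-match evaluation of an ASA extended ACL, used to check guest isolation.

Added example; not from the thread and not the poster's configuration. The ACL
below (guest_access_in) is a hypothetical ACL for the guest interface, written
for the requirement in the thread: Internet only, nothing to 10.7.0.0/16.
Only the address forms 'any', 'host A.B.C.D' and 'A.B.C.D MASK' are handled,
without port qualifiers.
"""
import ipaddress

# Hypothetical ACL, inbound on the guest interface. Order matters: the ASA stops
# at the first matching entry, so the deny must come before the permit-any.
GUEST_ACL = """
access-list guest_access_in extended deny ip 10.3.0.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list guest_access_in extended permit ip 10.3.0.0 255.255.255.0 any
"""

# Same two entries in the wrong order: the permit-any shadows the deny.
MISORDERED_ACL = """
access-list guest_access_in extended permit ip 10.3.0.0 255.255.255.0 any
access-list guest_access_in extended deny ip 10.3.0.0 255.255.255.0 10.7.0.0 255.255.0.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use subnet masks (not wildcard masks): "10.3.0.0 255.255.255.0"
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return a list of (action, protocol, src_net, dst_net) in configured order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank line or unrelated config
        # access-list NAME extended {permit|deny} PROTO SRC DST
        if len(tokens) < 7 or tokens[2] != "extended" or tokens[3] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        action, proto = tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        if i != len(tokens):
            raise ValueError(f"unsupported trailing tokens (ports?) in: {line}")
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match lookup; an ACL with no match ends in the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def check_isolation(acl_text, guest_host="10.3.0.2",
                    corp_net="10.7.0.0/16", internet_hosts=("8.8.8.8", "4.2.2.2")):
    """Probe the ACL from a guest host: corporate addresses must be denied and
    the Internet hosts permitted. Returns (ok, {destination: action})."""
    aces = parse_acl(acl_text)
    corp = ipaddress.ip_network(corp_net)
    probes = [str(corp.network_address + 1), str(corp.broadcast_address - 1)]
    results = {d: evaluate(aces, "ip", guest_host, d) for d in probes}
    results.update({d: evaluate(aces, "icmp", guest_host, d) for d in internet_hosts})
    ok = all(results[d] == "deny" for d in probes) and all(
        results[d] == "permit" for d in internet_hosts)
    return ok, results


if __name__ == "__main__":
    for name, text in (("guest_access_in", GUEST_ACL), ("misordered", MISORDERED_ACL)):
        ok, results = check_isolation(text)
        print(name, "isolation holds" if ok else "ISOLATION BROKEN", results)
```

The probes deliberately hit the first and last usable addresses of the corporate range, so an ACE written with the wrong mask (for example 255.255.255.0 instead of 255.255.0.0) is caught rather than passing on a single lucky address.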

Hi there, 

See below:

ABNS-Aptus-Bolton-ASA-01# packet-tracer input guest icmp 10.3.0.2 8 0 4.2.2.2 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa23a8f40, priority=1, domain=permit, deny=false
hits=4, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=guest, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 185.12.137.189, outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Guest-Network
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.3.0.2/0 to 185.12.137.190/9827
Forward Flow based lookup yields rule:
in id=0x7fffa22f0770, priority=6, domain=nat, deny=false
hits=79, user_data=0x7fffa3ea2cc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.3.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1921740, priority=0, domain=nat-per-session, deny=true
hits=211585, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa236a640, priority=0, domain=inspect-ip-options, deny=true
hits=756, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=guest, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa23aa3b0, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0x7fffa3215480, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=guest, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2369ed0, priority=66, domain=inspect-icmp-error, deny=false
hits=5, user_data=0x7fffa238a6e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=guest, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa1921740, priority=0, domain=nat-per-session, deny=true
hits=211587, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa22de970, priority=0, domain=inspect-ip-options, deny=true
hits=552646, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 541426, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: guest
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
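
A parser for the output above, as an added example that is not part of the thread. Two details of this trace are worth pulling out automatically: the ACCESS-LIST phase is decided by "Implicit Rule" with an ALLOW, which means no ACL governs the guest interface and the permit comes from the higher-to-lower security-level default; and the object NAT is written `nat (any,outside)`, so the translation is applied whatever interface the 10.3.0.0/24 packet actually arrives on. PT_OUTPUT is a trimmed copy of the posted output (phases 1 to 3 and the final Result block) embedded so the script runs offline; the review heuristics are this example's own.

```python
"""Parse 'packet-tracer' output into phases and flag points worth a second look.

Added example; not from the thread. PT_OUTPUT is a trimmed copy of the output
posted above (phases 1 to 3 and the final Result block), kept here so the
script runs offline.
"""

PT_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa23a8f40, priority=1, domain=permit, deny=false
input_ifc=guest, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 185.12.137.189, outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Guest-Network
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.3.0.2/0 to 185.12.137.190/9827

Result:
input-interface: guest
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""


def parse_packet_tracer(text):
    """Return (phases, final). Each phase is a dict with 'phase', 'type',
    'subtype', 'result', 'config' (list) and 'info' (list); final holds the
    trailing Result block (input-interface, Action, Drop-reason, ...)."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = "header"
            continue
        if line == "Result:":          # a bare 'Result:' opens the final block
            cur, section = None, "final"
            continue
        if section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
            continue
        if cur is None:
            continue                   # prompt line / echo of the command
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section in ("config", "info"):
            cur[section].append(line)
            continue
        key, _, value = line.partition(":")   # Type:, Subtype:, Result: ...
        cur[key.strip().lower()] = value.strip()
    return phases, final


def review(phases, final):
    """Heuristic findings a firewall admin would want called out."""
    findings = []
    for p in phases:
        if p.get("type") == "ACCESS-LIST" and "Implicit Rule" in p["config"]:
            ifc = final.get("input-interface", "?")
            findings.append(f"phase {p['phase']}: ACCESS-LIST decided by 'Implicit Rule' "
                            f"on '{ifc}'; with ALLOW this is the security-level default, "
                            "not a configured ACE")
        for cfg in p["config"]:
            if cfg.startswith("nat (any,"):
                findings.append(f"phase {p['phase']}: '{cfg}' matches any ingress "
                                "interface, so the translation also applies to "
                                "packets that enter on an unintended interface")
    if final.get("Action") != "allow":
        findings.append(f"packet dropped: {final.get('Drop-reason', 'no reason given')}")
    return findings


def summary(phases):
    """Compact (phase, type, result) table."""
    return [(p["phase"], p.get("type"), p.get("result")) for p in phases]


if __name__ == "__main__":
    phases, final = parse_packet_tracer(PT_OUTPUT)
    for row in summary(phases):
        print(row)
    print(final.get("input-interface"), "->", final.get("output-interface"), final.get("Action"))
    for finding in review(phases, final):
        print("-", finding)
```

Keep in mind what packet-tracer does and does not prove: it simulates a packet entering on the interface you name, so an ALLOW here says the guest path would work if traffic arrived on guest; it says nothing about which interface the real traffic is arriving on.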

Hi,

The output seems fine and it should allow access to the internet.

On the test PC in the guest network, please make sure the default gateway is 10.3.0.1 and that a public DNS server such as 8.8.8.8 is configured.

Regards,

Aditya

Please rate helpful posts.

Hi there,

DHCP is being done by the firewall and the gateway and DNS are set as described, but still no internet access. 

Hi,

It seems the requests are being sent from the inside interface instead of the Guest interface.

ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=2 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190

Could you check why?

Regards,

Aditya

Hi,

Can you try pinging 8.8.8.8 from the Guest PC?

On the ASA enable debug icmp trace and check if you see the ping requests reaching the ASA.

Use undebug all to turn off the debugs.

Also, if you check ipconfig on the PC, what is its default gateway?

Regards,

Aditya

Please rate helpful posts.

ABNS-Aptus-Bolton-ASA-01# ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=0 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=0 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=1 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=1 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=2 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=2 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=3 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=3 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=4 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=4 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
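
A checker for `debug icmp trace` output, as an added example that is not part of the thread. It automates the observation made earlier in the thread: every echo request from 10.3.0.2 is recorded as arriving on inside, not guest, even though the packet-tracer run simulated ingress on guest. The ASA sends the reply back through the interface the request entered on, so the untranslated replies here go out inside as well. TRACE is a constructed sample modelled on the posted output (same addresses and interface names, seq 0 and 1 complete, seq 2 left without a reply to exercise that branch), and the subnet-to-interface table EXPECTED is an assumption for this example.

```python
"""Check 'debug icmp trace' output against the interface each source subnet
should be arriving on.

Added example; not from the thread. TRACE is a constructed sample modelled on
the output posted above (same addresses and interface names; seq 2 has no
reply on purpose). EXPECTED is an assumed subnet-to-interface table.
"""
import ipaddress
import re
from collections import defaultdict

TRACE = """\
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=0 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=0 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=1 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
ICMP echo reply from outside:8.8.8.8 to inside:185.12.137.190 ID=43 seq=1 len=72
ICMP echo reply untranslating outside:185.12.137.190 to inside:10.3.0.2
ICMP echo request from inside:10.3.0.2 to outside:8.8.8.8 ID=43 seq=2 len=72
ICMP echo request translating inside:10.3.0.2 to outside:185.12.137.190
"""

# Which interface each internal subnet is supposed to enter the ASA on (assumed).
EXPECTED = {"10.3.0.0/24": "guest", "10.7.0.0/16": "inside"}

ECHO_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src_ifc>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst_ifc>\w+):(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)")
XLATE_RE = re.compile(
    r"ICMP echo request translating (?P<ifc>\w+):(?P<real>[\d.]+) "
    r"to (?P<out>\w+):(?P<mapped>[\d.]+)")


def parse_trace(text):
    """Group echo request/reply lines by (ICMP id, seq); attach the NAT mapping
    reported on the 'translating' line that follows each request."""
    flows = defaultdict(dict)
    last_key = None
    for line in text.splitlines():
        m = ECHO_RE.search(line)
        if m:
            d = m.groupdict()
            last_key = (int(d["id"]), int(d["seq"]))
            flows[last_key][d["kind"]] = d
            continue
        m = XLATE_RE.search(line)
        if m and last_key is not None:
            flows[last_key]["mapped"] = m.group("mapped")
    return dict(flows)


def analyse(flows, expected=EXPECTED):
    """Return human-readable issues: wrong ingress interface, missing reply."""
    nets = {ipaddress.ip_network(n): ifc for n, ifc in expected.items()}
    issues = []
    for (icmp_id, seq), f in sorted(flows.items()):
        req = f.get("request")
        if req is None:
            issues.append(f"id={icmp_id} seq={seq}: reply without a request")
            continue
        src = ipaddress.ip_address(req["src"])
        want = next((ifc for net, ifc in nets.items() if src in net), None)
        if want is not None and req["src_ifc"] != want:
            issues.append(f"id={icmp_id} seq={seq}: {req['src']} entered on "
                          f"'{req['src_ifc']}', expected '{want}'")
        if "reply" not in f:
            issues.append(f"id={icmp_id} seq={seq}: no reply seen from {req['dst']}")
    return issues


if __name__ == "__main__":
    flows = parse_trace(TRACE)
    print(f"{len(flows)} echo sequences, source mapped to {flows[(43, 0)].get('mapped')}")
    for issue in analyse(flows):
        print("-", issue)
```

Run against the real debug output with the firewall's own subnet-to-interface table and the first class of issue is exactly the "wrong interface" finding: the firewall path itself is fine (request translated, reply received and untranslated), so the remaining question is why a 10.3.0.0/24 host is reaching the ASA on the inside interface at all.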
