ASA 5512-X Vlans Cant Ping from Main Network and No Internet

cogenyk
Level 1

Hello All,
My main interface on my ASA can reach the internet and load web pages of my servers on my server VLAN and CCTV VLAN.
But the CCTV and Server VLANs cannot reach the outside network; additionally, my servers can't ping back to the main network.
Config posted as spoiler below.

: Saved

:
: Serial Number: SANITIZED
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password 

!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.254.0
!
interface GigabitEthernet0/1.70
 vlan 70
 nameif CCTV
 security-level 100
 ip address 10.0.7.1 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif Servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup Servers
dns server-group DefaultDNS
 name-server 1.1.1.1 OUTSIDE
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VLAN100
 subnet 10.0.10.0 255.255.255.0
 description ServerFarm
object network VLAN70
 subnet 10.0.7.0 255.255.255.0
 description CCTV
object network Meraki3
 subnet 209.206.49.0 255.255.255.224
object network 4Meraki3
 subnet 209.206.51.0 255.255.255.224
object network test
object network Test
 subnet 10.0.10.0 255.255.255.0
object-group service allow_internet_tcp tcp
 description allow tcp ports for allowing access internet access
 port-object eq www
 port-object eq https
object-group service allow_internet_udp udp
 description allow udp ports for allowing access internet access
 port-object eq dnsix
object-group network Meraki
 network-object host 209.206.52.203
 network-object host 8.8.8.8
 network-object object 4Meraki3
 network-object object Meraki3
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
 protocol-object udp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object ip
 service-object tcp-udp destination eq domain
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object tcp-udp destination eq domain
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object tcp-udp destination eq domain
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
 service-object tcp-udp destination eq echo
access-list out2in extended permit tcp any any
access-list out2in extended permit ip any any
access-list INSIDE_access_in_1 extended permit ip any any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group Meraki any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object-group Meraki
access-list INSIDE_access_in_1 extended permit icmp any any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 10.0.7.0 255.255.255.0 any
access-list INSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_4 10.0.10.0 255.255.255.0 any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group Meraki any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any object-group Meraki
access-list OUTSIDE_access_in_1 extended permit icmp any any
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 10.0.10.0 255.255.255.0 any
access-list CCTV_access_in extended permit object-group DM_INLINE_SERVICE_1 any 10.0.7.0 255.255.255.0
access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_3 10.0.0.0 255.255.254.0 any
access-list Servers_access_in extended permit tcp any 10.0.10.0 255.255.255.0 eq domain
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu CCTV 1500
mtu Servers 1500
mtu management 1500
no failover
no monitor-interface CCTV
no monitor-interface Servers
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (INSIDE,OUTSIDE) source dynamic OBJ_GENERIC_ALL interface
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group CCTV_access_in in interface CCTV
access-group Servers_access_in in interface Servers
!
route-map A permit 1
 match interface INSIDE

!
route OUTSIDE 0.0.0.0 0.0.0.0 SANITIZE 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 -- SANITIZED REMOVED CERTS --
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.0.11-10.0.0.254 INSIDE
dhcpd dns 1.1.1.1 interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
webvpn
 anyconnect-essentials
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username SANITIZED
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:SANITIZED
: end

5 Replies

Marvin Rhoads
Hall of Fame

You have:

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

...covering traffic from the INSIDE interface but no corresponding NAT rules for your CCTV and Servers interfaces.

Also, the access-lists applied to the CCTV and Servers interfaces have an implicit deny in each that will prevent them from reaching anything other than what's explicitly allowed in their current respective access-lists.

So for the NAT I would run

nat (CCTV,OUTSIDE) after-auto source dynamic any interface

nat (Servers,OUTSIDE) after-auto source dynamic any interface

Correct. And also allow the traffic in your two ACLs

access-list CCTV_access_in
access-list Servers_access_in

Even with the NAT rules in place, those ACLs will deny the traffic.

I'm having some issues with the ACLs; are you able to assist?

Accepted Solution

You appear to have built your access-lists with a misunderstanding of how the ASA stateful firewall works. By default, traffic from higher security (e.g., the "100" level assigned to all but the outside interface) to lower security (e.g., the "0" level assigned to outside) is allowed, as is the return traffic in those flows, without applying any access-list using the access-group command.

We generally use access-lists to restrict what can initiate traffic to a given resource. So, if you want your CCTV and Servers networks to be able to talk to anything ("initiate"), then you don't need any access-list on those respective interfaces. Your OUTSIDE_access_in_1 ACL also has this error. An ACL like that, applied to the outside interface, is generally used to expose certain internal hosts or networks to communications initiated from the outside.

Your objects DM_INLINE_SERVICE_4 and _5 include all ip and icmp traffic (among others), making it essentially a "permit any any" sort of rule.
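The two checks Marvin walks through (an inside interface with no NAT rule towards OUTSIDE, and an inbound ACL whose implicit deny replaces the default high-to-low allow) can be run mechanically against a saved running-config. The script below is an added example, not code from this thread or a Cisco tool: it parses a constructed excerpt of the posted config (SAMPLE_CONFIG), reports which higher-security interfaces lack a nat (IFC,OUTSIDE) rule, and which bound ACLs contain no permit-any-any equivalent. The function names, the excerpt, and the choice to treat an object-group containing service-object ip or protocol-object ip as "any traffic" are this example's own assumptions.

```python
"""Added example, not from the thread or from Cisco: audit an ASA config for
the two problems named in the replies, a missing NAT rule towards OUTSIDE and
an inbound ACL whose implicit deny drops everything its entries do not list."""
import re

# Constructed excerpt of the posted config, cut to the lines the checks read.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
interface GigabitEthernet0/1.70
 nameif CCTV
 security-level 100
interface GigabitEthernet0/1.100
 nameif Servers
 security-level 100
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
access-list INSIDE_access_in_1 extended permit ip any any
access-list OUTSIDE_access_in_1 extended permit icmp any any
access-list CCTV_access_in extended permit object-group DM_INLINE_SERVICE_1 any 10.0.7.0 255.255.255.0
access-list Servers_access_in extended permit tcp any 10.0.10.0 255.255.255.0 eq domain
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in_1 in interface INSIDE
access-group CCTV_access_in in interface CCTV
access-group Servers_access_in in interface Servers
"""
NAT_RE = re.compile(r"^\s*nat \(([^,]+),([^)]+)\)")  # twice NAT and object NAT lines

def parse_interfaces(config):
    """{nameif: security_level} gathered from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            name = None
        elif words[:1] == ["nameif"]:  # nameif only appears inside interface blocks
            name = words[1]
        elif words[:1] == ["security-level"] and name:
            levels[name] = int(words[1])
    return levels

def parse_ip_groups(config):
    """Names of object-groups whose members include the ip protocol (any traffic)."""
    groups, current = set(), None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("object-group ") and len(words) >= 3:
            current = words[2]
        elif not line.startswith(" "):
            current = None
        elif current and words[:2] in (["service-object", "ip"], ["protocol-object", "ip"]):
            groups.add(current)
    return groups

def parse_acls(config):
    """{acl_name: [ace tokens such as ['permit', 'ip', 'any', 'any']]}."""
    acls = {}
    for w in map(str.split, config.splitlines()):
        if w[:1] == ["access-list"] and w[2:3] == ["extended"]:
            acls.setdefault(w[1], []).append(w[3:])
    return acls

def parse_access_groups(config):
    """{interface: acl_name} for access-groups applied inbound."""
    return {w[4]: w[1] for w in map(str.split, config.splitlines())
            if w[:1] == ["access-group"] and w[2:4] == ["in", "interface"]}

def is_catch_all(ace, ip_groups):
    """True when an ACE permits every ip flow from any source to any destination."""
    if ace[0] != "permit":
        return False
    if ace[1] == "ip":
        rest = ace[2:]
    elif ace[1] == "object-group" and ace[2] in ip_groups:
        rest = ace[3:]
    else:
        return False
    return len(rest) == 2 and all(tok in ("any", "any4") for tok in rest)

def missing_nat(config, outside="OUTSIDE"):
    """Higher-security interfaces with no nat (IFC,outside) rule: their flows leave untranslated."""
    levels = parse_interfaces(config)
    nat_pairs = {m.groups() for m in map(NAT_RE.match, config.splitlines()) if m}
    return sorted(name for name, level in levels.items()
                  if level > levels[outside] and (name, outside) not in nat_pairs)

def acls_without_catch_all(config, outside="OUTSIDE"):
    """Inbound ACLs on higher-security interfaces lacking a permit-any-any equivalent."""
    levels, acls = parse_interfaces(config), parse_acls(config)
    ip_groups = parse_ip_groups(config)
    return {ifc: acl for ifc, acl in parse_access_groups(config).items()
            if levels.get(ifc, -1) > levels[outside]
            and not any(is_catch_all(ace, ip_groups) for ace in acls.get(acl, []))}
```

Run against the excerpt, missing_nat reports CCTV and Servers (INSIDE has its NAT rule) and acls_without_catch_all reports CCTV_access_in and Servers_access_in; OUTSIDE is skipped on purpose, since a restrictive ACL is exactly what an outside interface should carry. Adding the two NAT lines from the thread and removing the two access-group bindings brings both reports back empty. The object-group expansion is deliberately shallow (nested groups are not followed), so treat a clean report as a first pass, not as proof that a flow is permitted.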
