ASA 5512x - interface routing

Sean Haynes
Level 1

Evening people - looking for some help with an ASA that no longer wants to pass traffic over interfaces, or more specifically to the outside interface.

Background.

I work in a school, not ASA savvy - our ISP was the local authority, the ASA was set up some time ago and we used dynamic PAT to forward traffic onto the County WAN. All has worked lovely until recently.

We have changed our ISP using a 100Mb connection over a 1Gb bearer. We are now behind their firewall which provides NATing. Bear with me....when we migrated to the new ISP some 4 weeks ago I did not remove the Dynamic PAT on our end with a view to doing it later as I want to reconfigure the internal IP schemes.

2 days ago as some of you may know BT was hit with a Data Centre outage which had ramifications for many ISPs, ours included so we lost connectivity.

By the end of the day the ISP claimed our link was up as they could remote into their router and ping the outside interface of our firewall - however, even after a reboot we were no longer able to access the internet. No changes have been made to the ASA so I am completely lost.

Whereas before I was able, from a LAN PC, to ping the firewall interfaces and the ISP's router, I am no longer able to. If I run packet traces from within the ASDM software it shows no errors or blocks.

Data seems not to be able to traverse the firewall between the interfaces anymore and I can't figure out what it is.

To ensure the ISP router was working I plugged my laptop directly into the interface and was able to access the net without issues so it's definitely not their end.

I would really appreciate one of you gurus' help - please remember I'm not ASA savvy!! Many thanks

Running Config:

ASA5512-X# sho run
: Saved
:
ASA Version 8.6(1)2
!
hostname ASA5512-X
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.19.53.54 255.255.255.252
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif Inside
 security-level 90
 ip address 10.5.107.134 255.255.255.248
!
interface GigabitEthernet0/2
 speed 1000
 duplex full 
 nameif Apple_Network
 security-level 40
 ip address 192.168.201.254 255.255.255.0
!
interface GigabitEthernet0/3
 speed 1000
 duplex full
 nameif Wireless
 security-level 40
 ip address 172.20.255.254 255.255.0.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.105 255.255.255.0
 management-only
!
!
time-range Presto_Wireless_Access_Times
 periodic daily 6:00 to 20:00
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup Apple_Network
dns domain-lookup Wireless
dns server-group DefaultDNS
 domain-name Sch4455.somerset.gov.uk
dns server-group Preston_School_DNS_Servers
 name-server 10.5.107.253
 name-server 10.5.107.250
dns-group Preston_School_DNS_Servers
same-security-traffic permit intra-interface
object network 10.80.11.110
 host 10.80.11.110
object network 10.80.11.111
 host 10.80.11.111
object network 10.80.11.112
 host 10.80.11.112
object network 10.80.11.113
 host 10.80.11.113
object network 10.80.11.114
 host 10.80.11.114
object network 10.80.11.115
 host 10.80.11.115
object network Capita_VPN
 host 213.129.90.233
object network VLE_Server
 host 10.5.107.248
 description Moodle Server
object network SQL4455
 host 10.5.107.252
 description SIMS Server
object network Terminal_Server
 host 10.5.107.245
 description Terminal server for remote services
object network Print_Server
 host 10.5.107.244
 description Print Server
object network NAP_Server_SDC
 host 10.5.107.250
 description Microsoft Network Access Protection Server
object network Dynamic_PAT_Pool
 host 10.5.107.129
 description Port Address Translation IP
object network Inside_Wired_Network
 subnet 10.5.107.128 255.255.255.248
 description ASA Inside Interface Network
object network Wireless_NAT
 subnet 172.20.0.0 255.255.0.0
 description Wireless NAT to Outside Interface
object network Apple_NAT
 subnet 192.168.201.0 255.255.255.0
 description Apple NAT to Outside Interface
object network RDC4455
 host 10.5.107.253
 description Primary DNS
object network SDC4455
 host 10.5.107.250
 description Secondary DNS
object network NETWORK_OBJ_10.5.107.136_29
 subnet 10.5.107.136 255.255.255.248
object network WLC_1
 host 172.20.255.201
 description Primary Wireless LAN Controller
object network WLC_2
 host 172.20.255.202
 description Secondary Wireless LAN Controller
object network WLC_to_RADIUS
 host 172.20.255.201
object network RDC_NAP_Server
 host 10.5.107.253
 description RDC
object network SDC_NAP_Server
 host 10.5.107.250
 description SDC
object service GC
 service tcp destination eq 3268
 description Global Catalogue
object service Kpassword
 service tcp destination eq 464
object network Server_VLAN
 range 10.5.107.195 10.5.107.240
object network Tech_PC_01
 fqdn v4 Tech01.sch4455.somerset.gov.uk
object network Tech_PC_02
 fqdn v4 Tech02.sch4455.somerset.gov.uk
object network Apple_Server
 host 192.168.201.253
object network Imaging_Network
 subnet 192.168.160.0 255.255.255.0
object network Imaging_VLAN_Internet
 subnet 192.168.160.0 255.255.255.0
 description Internet Access
object service Apple_Keberos_Port
 service udp destination eq 88
 description Apple Keberos Port
object service Apple_Keberos_Port_TCP
 service tcp destination eq 88
 description Apple Keberos Port TCP
object service kPassword_UDP
 service udp destination eq 464
 description kPassowrd UDP
object-group network County_SLG_Access
 description Allow SLG update requests from the local SIMS server
 network-object object 10.80.11.110
 network-object object 10.80.11.111
 network-object object 10.80.11.112
 network-object object 10.80.11.113
 network-object object 10.80.11.114
 network-object object 10.80.11.115
object-group service Capita udp
 description Capita VPN Circuit
 port-object eq 1194
object-group service Remote_Desktop tcp
 port-object eq 3389
object-group service Somerset_Learning_Gateway tcp
 description SLG Update Service
 port-object eq 120
 port-object eq 121
 port-object eq 1435
 port-object eq 3829
 port-object eq 90
object-group service NAP_Access udp
 port-object eq 1812
 port-object eq 1813
 port-object eq radius
 port-object eq radius-acct
 port-object eq 32768
object-group network Apple_Network_Group
 network-object 192.168.201.0 255.255.255.0
object-group network DNS_Servers
 network-object object RDC4455
 network-object object SDC4455
object-group service Exchange tcp
 description Exchange Listening Port
 port-object eq 993
object-group service Apple_Push_Notification_service tcp
 description Apple Push notification service
 port-object eq 5223
object-group service SSL_SMTP tcp
 description SSL SMTP
 port-object eq 465
object-group service Apple_Facetime udp
 description Apple Facetime Port Group
 port-object eq 16384
 port-object eq 16385
 port-object eq 16386
object-group service Proxy_Settings tcp
 description Proxy Port
 port-object eq 8080
 port-object eq 9443
object-group service Android_Market tcp
 description Android Market Place
 port-object eq 5228
object-group service Print_Server_Ports tcp
 description Print Server Ports
 port-object eq www
 port-object eq 48111
 port-object eq https
object-group network RADIUS_Servers
 network-object object RDC4455
 network-object object SDC4455
object-group network WLAN_Controllers
 description Wireless LAN Controllers
 network-object object WLC_1
 network-object object WLC_2
object-group network NAP_Servers1
 description Allow RADIUS authentication traffic from wireless clients
 network-object object RDC_NAP_Server
 network-object object SDC_NAP_Server
object-group service MirrorOpTCP tcp
 port-object eq 3268
 port-object eq ldap
object-group network Domain_Controllers
 description SCH4455 Controllers
 network-object object RDC4455
 network-object object SDC4455
object-group service Kebros
 description authentication Ports
 service-object tcp destination eq kerberos
 service-object udp destination eq kerberos
 service-object object GC
 service-object object Kpassword
 service-object tcp destination eq ldap
object-group network Server_and_Tech_VLAN
 network-object object Server_VLAN
 network-object object Tech_PC_01
 network-object object Tech_PC_02
object-group service VNC_Viewer tcp
 port-object eq 6900
 port-object eq 6901
 port-object eq 6902
 port-object eq 6903
 port-object eq 6904
 port-object eq 6905
 port-object eq 6906
 port-object eq 6907
 port-object eq 6908
 port-object eq 6909
object-group service Apple_Bind
 description Ports to allow
 service-object object GC
 service-object object Kpassword
 service-object tcp-udp destination eq kerberos
 service-object tcp destination eq kerberos
 service-object tcp destination eq ldap
 service-object object Apple_Keberos_Port
 service-object object Apple_Keberos_Port_TCP
 service-object object kPassword_UDP
access-list Wireless_access_in remark Deny traffic to the Moodle Server via HTTPS only.
access-list Wireless_access_in extended deny tcp 172.20.0.0 255.255.0.0 object VLE_Server eq https inactive
access-list Wireless_access_in extended permit tcp any object Inside_Wired_Network object-group MirrorOpTCP inactive
access-list Wireless_access_in extended permit tcp any any object-group Proxy_Settings
access-list Wireless_access_in remark Permit the sending of data to be printed.
access-list Wireless_access_in extended permit tcp any object Print_Server object-group Print_Server_Ports
access-list Wireless_access_in remark Allow RADIUS authentication traffic from wirless clients to the NAP RADIUS Server
access-list Wireless_access_in extended permit udp any object-group NAP_Servers1 object-group NAP_Access
access-list Wireless_access_in extended permit udp any object NAP_Server_SDC object-group NAP_Access inactive
access-list Wireless_access_in extended permit tcp any any eq www
access-list Wireless_access_in extended permit udp any any eq domain
access-list Wireless_access_in extended permit tcp any any eq https
access-list Wireless_access_in extended permit tcp any any object-group Exchange
access-list Wireless_access_in extended permit tcp any any object-group Apple_Push_Notification_service
access-list Wireless_access_in extended permit udp any any object-group Apple_Facetime
access-list Wireless_access_in extended permit tcp any any object-group SSL_SMTP
access-list Wireless_access_in extended permit tcp any any object-group Android_Market
access-list Wireless_access_in remark NetBIOS Naming Serivce
access-list Wireless_access_in extended permit udp any any eq netbios-ns
access-list Wireless_access_in remark Network time Protocol Port
access-list Wireless_access_in extended permit udp any any eq ntp
access-list Wireless_access_in extended permit udp any any eq bootps
access-list Wireless_access_in extended deny icmp any any
access-list Wireless_access_in extended deny ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Outside_access_in remark Permit Internet access to the Moodle Server via HTTPS only.
access-list Outside_access_in extended permit tcp any object VLE_Server eq https
access-list Outside_access_in extended permit tcp any object Terminal_Server eq 3389
access-list Outside_access_in remark County Access to the SQL Server for SLG synch and updates
access-list Outside_access_in extended permit tcp object-group County_SLG_Access object SQL4455 object-group Somerset_Learning_Gateway
access-list Outside_access_in extended permit udp object Capita_VPN object SQL4455 object-group Capita
access-list Outside_access_in extended permit icmp any any
access-list Apple_Network_access_in remark Kebbros Authentication - Apple to AD
access-list Apple_Network_access_in extended permit object-group Apple_Bind 192.168.201.0 255.255.255.0 object-group Domain_Controllers inactive
access-list Apple_Network_access_in extended permit tcp any any eq telnet inactive
access-list Apple_Network_access_in remark Permit traffic to the Moodle Server via HTTPS only.
access-list Apple_Network_access_in extended permit tcp 192.168.201.0 255.255.255.0 object VLE_Server eq https
access-list Apple_Network_access_in extended permit udp any any eq domain
access-list Apple_Network_access_in extended permit tcp any any eq domain inactive
access-list Apple_Network_access_in extended permit tcp any any object-group Proxy_Settings
access-list Apple_Network_access_in extended permit tcp any any eq https
access-list Apple_Network_access_in extended permit udp any any eq ntp
access-list Apple_Network_access_in extended permit tcp any any eq www
access-list Apple_Network_access_in extended permit tcp object-group Server_and_Tech_VLAN object Apple_Server object-group VNC_Viewer
access-list Apple_Network_access_in extended deny icmp any any
access-list Apple_Network_access_in extended deny ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit tcp any any
access-list global_access extended permit ip any any
access-list global_access extended permit tcp any any
access-list global_access extended permit icmp any any
access-list Inside_mpc remark Allow HTTPs traffice to the VLE.
access-list Inside_mpc extended permit tcp 172.20.0.0 255.255.0.0 object VLE_Server eq https
access-list Inside_mpc extended permit tcp 172.20.0.0 255.255.0.0 object Print_Server object-group Print_Server_Ports
access-list Inside_mpc extended permit udp object-group WLAN_Controllers object-group RADIUS_Servers object-group NAP_Access inactive
access-list Apple_Network_access_out extended permit icmp any any
access-list Apple_Network_access_out extended permit tcp object-group Server_and_Tech_VLAN object-group VNC_Viewer object Apple_Server object-group VNC_Viewer
access-list Apple_Network_access_out extended permit ip object-group Server_and_Tech_VLAN object Apple_Server
access-list Apple_Network_access_out extended deny ip any any
access-list Test_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
logging host management 192.168.1.200
mtu Outside 1500
mtu Inside 1500
mtu Apple_Network 1500
mtu Wireless 1500
mtu management 1500
ip local pool Staff_VPN_DHCP_Pool 10.5.107.137-10.5.107.141 mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static Inside_Wired_Network Inside_Wired_Network destination static NETWORK_OBJ_10.5.107.136_29 NETWORK_OBJ_10.5.107.136_29 no-proxy-arp route-lookup
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Apple_Network_access_in in interface Apple_Network
access-group Apple_Network_access_out out interface Apple_Network
access-group Wireless_access_in in interface Wireless
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1
route Inside 10.5.104.0 255.255.252.0 10.5.107.131 1
route Inside 192.168.160.0 255.255.255.0 10.5.107.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (Inside) host 10.5.107.250
 timeout 5
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server location Server Room
no snmp-server contact
snmp-server community *****

 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd dns 10.80.11.235
!
dhcprelay server 10.5.107.253 Inside
dhcprelay enable Wireless
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.5.107.253 source Inside prefer
tftp-server management 192.168.1.200 /
ssl encryption aes128-sha1 3des-sha1
webvpn
group-policy StaffVPN internal
group-policy StaffVPN attributes
 dns-server value 10.5.107.253 10.5.107.250
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value Sch4455.somerset.gov.uk
username sysadmin password S6VzqkQ7Jv+nx3sv5VbFXg== nt-encrypted privilege 15
tunnel-group StaffVPN type remote-access
tunnel-group StaffVPN general-attributes
 address-pool Staff_VPN_DHCP_Pool
 authentication-server-group NPS
 default-group-policy StaffVPN
tunnel-group StaffVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map Inside-class
 match access-list Inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map Inside-policy
 description Allow Access through the firewall to the RADIUS Servers
 class Inside-class
  set connection advanced-options tcp-state-bypass
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
policy-map type inspect http Wireless_to_Printserver
 description HTTP inspection
 parameters
  protocol-violation action drop-connection
!
service-policy global_policy global
service-policy Inside-policy interface Inside
prompt hostname context
no call-home reporting anonymous
hpm topN enable

5 Replies

Philip D'Ath
VIP Alumni

Is your outside interface plugged into your new ISP? Are you meant to be using the IP address 172.19.53.54 (or are you meant to be using DHCP)?

Also your default route is pointing to your own IP address. This needs to be removed and pointed to whatever IP address your ISP has on their router.

route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1

I can't see anything to NAT traffic to your Outside IP address.  You'll need something like:

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (any,Outside) dynamic interface

Thank you, yes the outside interface is plugged directly into their router. I'll check this when back in work.

jaysoo
Level 1

How is it that your default route points to your outside interface IP?

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.19.53.54 255.255.255.252

route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1

Normally the ASA wouldn't allow you to do that. Maybe you sanitized the config and made a typo? The default route should be the next hop, the ISP's router probably.
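A config check for the two faults both replies above point at (a default route whose next hop is the ASA's own interface address, and no dynamic NAT onto Outside), written as an added Python example that is not from the thread or from Cisco. The config excerpt is constructed from the posted config; 172.19.53.53 is an assumed ISP router address, not a value from the thread.

```python
import ipaddress
import re

INTERFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
DYN_NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) dynamic")  # object or twice NAT, dynamic only

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if INTERFACE_RE.match(line):
            current = {}
        elif current is not None:
            if m := NAMEIF_RE.match(line):
                current["nameif"] = m.group(1)
            elif m := IPADDR_RE.match(line):
                current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif line.startswith("!"):  # end of the interface block
                if "nameif" in current and "ip" in current:
                    ifaces[current["nameif"]] = current["ip"]
                current = None
    return ifaces

def lint(config, outside="Outside"):
    """Return a list of findings; an empty list means both checks passed."""
    findings, ifaces = [], parse_interfaces(config)
    own_ips = {str(i.ip): name for name, i in ifaces.items()}
    for line in config.splitlines():
        if m := ROUTE_RE.match(line):
            out_if, net, mask, nexthop = m.groups()
            if net == mask == "0.0.0.0":  # only the default route is checked
                if nexthop in own_ips:
                    findings.append(f"default route next hop {nexthop} is the ASA's own {own_ips[nexthop]} address")
                elif out_if in ifaces and ipaddress.ip_address(nexthop) not in ifaces[out_if].network:
                    findings.append(f"default route next hop {nexthop} is not on the {out_if} subnet {ifaces[out_if].network}")
    nats = (DYN_NAT_RE.match(l) for l in config.splitlines())
    if not any(m and m.group(2) == outside for m in nats):
        findings.append(f"no dynamic NAT onto {outside}: inside hosts leave untranslated")
    return findings

# Constructed excerpt of the posted config: the two interfaces, the only nat statement
# (a static identity NAT for the VPN pool, which is not a dynamic PAT) and the default route.
BROKEN = """\
interface GigabitEthernet0/0
 nameif Outside
 ip address 172.19.53.54 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Inside
 ip address 10.5.107.134 255.255.255.248
!
nat (Inside,Outside) source static Inside_Wired_Network Inside_Wired_Network destination static NETWORK_OBJ_10.5.107.136_29 NETWORK_OBJ_10.5.107.136_29 no-proxy-arp route-lookup
route Outside 0.0.0.0 0.0.0.0 172.19.53.54 1
"""

# Same excerpt with both fixes applied; 172.19.53.53 is an assumed ISP router address (the other host on the /30).
FIXED = BROKEN.replace("172.19.53.54 1", "172.19.53.53 1") + """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,Outside) dynamic interface
"""
```

Running `lint(BROKEN)` reports both faults and `lint(FIXED)` reports none; the same two regexes run unchanged over a full `show run`.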

OK I'll check that when I'm back in work - but from memory I'm sure that is actually where it's pointing.
