07-18-2018 03:47 PM - edited 02-21-2020 08:00 AM
Been a while since I configured an ASA. It's a
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
I got the outside configured OK. I can ping out. I can ping internal switches. I have AnyConnect working and can get to internal switches, but I cannot get to the internet from inside; it doesn't even ping outside from the internal interface. I'm sure I must have something wrong in the NAT rules, but I guess I'm missing it. Below is what I think is relevant; attached is the full config. Any help would be appreciated.
access-list split-acl remark split tunnel for anyconnect
access-list split-acl standard permit 10.69.138.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
!
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.69.10.0_25 NETWORK_OBJ_10.69.10.0_25 no-proxy-arp route-lookup
nat (any,any) source static any any inactive description default nat
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_dmz
nat (dmz,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
router ospf 1
network 10.69.138.0 255.255.255.0 area 0
area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
08-01-2018 05:32 AM - edited 08-01-2018 05:32 AM
Glad to hear it Wayne,
I see the rules you posted are:
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
These rules affect ICMP packets going through the device but not to the device.
If you want to allow ICMP pings that terminate at the ASA interface, you would need to use the global command ICMP.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html
Hope that helps!
-A
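The distinction in the accepted answer (an interface ACL governs ICMP through the ASA, while the global icmp command governs ICMP to the ASA's own interfaces) is easy to miss when reading a long config. The following Python script is an added example written for this thread, not code from the original posts or from Cisco: it reads an ASA config dump and reports, per interface, whether the inbound ACL permits ICMP through the box and whether an explicit `icmp permit ... <interface>` rule exists for that interface. The sample config is constructed from the fragments posted above; the inside and dmz interfaces have no to-the-box rule.

```python
import re

# Constructed sample modelled on the config fragments in this thread (not the
# poster's full attached config). Only the outside interface has a to-the-box
# "icmp permit" rule here; that line is an assumption for the example.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
icmp permit any outside
"""

# "access-group <acl> in interface <ifc>": inbound ACL bound to an interface
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
# ACL entries that let ICMP through the box (explicit icmp, or ip which covers it)
ACL_ICMP_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(icmp|ip)\s")
# "icmp permit <src> [type] <ifc>": to-the-box ICMP; the interface is the last token
ICMP_TO_BOX_RE = re.compile(r"^icmp\s+permit\s+.+\s(\S+)$")


def icmp_policy(config: str) -> dict:
    """Per interface: does the inbound ACL permit ICMP through the ASA, and is
    there an explicit 'icmp permit' rule for ICMP terminating on the interface?"""
    acl_permits_icmp = set()
    acl_on_iface = {}
    to_box = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_ICMP_RE.match(line)
        if m:
            acl_permits_icmp.add(m.group(1))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            acl_on_iface[m.group(2)] = m.group(1)
            continue
        m = ICMP_TO_BOX_RE.match(line)
        if m:
            to_box.add(m.group(1))
    return {
        iface: {"through_box": acl in acl_permits_icmp, "to_box": iface in to_box}
        for iface, acl in acl_on_iface.items()
    }


def missing_to_box_icmp(config: str) -> list:
    """Interfaces whose ACL permits ICMP through the box but that have no
    explicit 'icmp permit' rule, i.e. where a ping to or from the ASA interface
    itself is not covered by the ACL the admin expects to apply."""
    policy = icmp_policy(config)
    return sorted(i for i, p in policy.items() if p["through_box"] and not p["to_box"])


if __name__ == "__main__":
    for iface, p in icmp_policy(SAMPLE_CONFIG).items():
        print(f"{iface:<8} through-the-box={p['through_box']} to-the-box={p['to_box']}")
    print("no explicit to-the-box ICMP rule:", missing_to_box_icmp(SAMPLE_CONFIG))
```

The script only looks at `icmp permit` lines; `icmp deny` entries and the default behaviour when an interface has no icmp rules at all are not modelled, so treat the "to-the-box" column as "an explicit rule exists", not as a verdict on whether the ping will succeed.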
07-24-2018 03:30 AM
Config looks ok as far as I can tell.
Can you post the output from the following command ?
packet-tracer input inside icmp 10.69.138.10 8 0 8.8.8.8
HTH
Bogdan
07-24-2018 06:43 AM
packet-tracer input inside icmp 10.69.138.10 8 0 8.8.8.8
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 205.251.151.225 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.69.138.10/0 to 205.251.151.226/33560
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 17291, packet dispatched to next module
Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.69.138.10/0 to 205.251.151.226/33560
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 205.251.151.225 using egress ifc outside
Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 8875.563c.e8c0 hits 2 reference 2
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
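Reading a long packet-tracer output phase by phase is tedious, and the first non-ALLOW phase plus the final Drop-reason line are what actually matter. The following Python parser is an added example for this thread (not the poster's output or any Cisco tool): it splits the trace into phases, keeps each phase's Config and Additional Information lines, and reports the first phase that did not return ALLOW. The sample trace is constructed in the same format as the output above, but with a third phase deliberately changed to a DROP so that the failing case is exercised; the `Drop-reason:` line is the usual summary line for a dropped trace and is assumed here, not taken from the thread.

```python
# Constructed sample in the packet-tracer format posted above. Phases 1-2 are
# copied from that format; phase 3 and the Drop-reason line are made up to show
# a failing trace (the poster's real trace had every phase ALLOW).
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 205.251.151.225 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Derived all-ALLOW variant: the first two phases plus an "allow" summary.
TRACE_ALLOW = TRACE_DROP.split("Phase: 3")[0] + \
    "Result:\ninput-interface: inside\noutput-interface: outside\nAction: allow\n"


def parse_trace(trace: str) -> dict:
    """Return {"phases": [...], "summary": {...}} for one packet-tracer output."""
    phases, summary = [], {}
    current, section = None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, None
        elif current is not None:
            if line.startswith("Type:"):
                current["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                current["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current["result"] = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                current[section].append(line)
        elif ":" in line:  # summary lines such as "Action: drop"
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
    return {"phases": phases, "summary": summary}


def first_drop(trace: str):
    """The first phase whose Result is not ALLOW, or None if all phases passed."""
    for phase in parse_trace(trace)["phases"]:
        if phase["result"] != "ALLOW":
            return phase
    return None


def verdict(trace: str) -> str:
    """One-line summary: final action, failing phase and the ASA's drop reason."""
    parsed = parse_trace(trace)
    action = parsed["summary"].get("action", "unknown")
    drop = first_drop(trace)
    if drop is None:
        return f"{action}: all {len(parsed['phases'])} phases ALLOW"
    reason = parsed["summary"].get("drop-reason", "no Drop-reason line")
    return f"{action}: phase {drop['phase']} {drop['type']} returned {drop['result']} ({reason})"


if __name__ == "__main__":
    print(verdict(TRACE_ALLOW))
    print(verdict(TRACE_DROP))
```

When a trace drops, the `config` list of the failing phase names the exact ACL or NAT line the ASA matched, which is usually the fastest route from "ping fails" to the rule that needs changing.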
07-24-2018 07:55 AM
Can you turn on your buffered logging and then show log after attempting an outbound ping from an inside server?
show asp drop
might also reveal some answers for you.
07-25-2018 08:45 AM
tcts-FW-01# sho asp drop
Frame drop:
NAT-T keepalive message (natt-keepalive) 50
Invalid TCP Length (invalid-tcp-hdr-length) 1
No route to host (no-route) 13483
Flow is denied by configured rule (acl-drop) 16427
No same-security-traffic configured (no-same-security-traffic) 108
First TCP packet not SYN (tcp-not-syn) 25269
TCP failed 3 way handshake (tcp-3whs-failed) 69
TCP RST/FIN out of order (tcp-rstfin-ooo) 122
TCP RST/SYN in window (tcp-rst-syn-in-win) 85
CTM returned error (ctm-error) 4
FP L2 rule drop (l2_acl) 5
Interface is down (interface-down) 3
Dropped pending packets in a closed socket (np-socket-closed) 8
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 50
Inspection failure (inspect-fail) 98
SSL bad record detected (ssl-bad-record-detect) 53
SSL handshake failed (ssl-handshake-failed) 37
Last clearing: Never
tcts-FW-01#
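The counters above are cumulative since boot ("Last clearing: Never"), so a single snapshot says little about one test ping; what a practitioner wants is the difference between a snapshot taken just before the test and one taken just after. The Python below is an added example for this thread, not the poster's output or a Cisco tool: it parses `show asp drop` into per-section counters and returns only the drop reasons whose counts grew between two snapshots. The two snapshots are constructed, with values chosen to show a handful of acl-drop and tcp-not-syn increments.

```python
import re

# Constructed "before" and "after" snapshots in the format posted above; the
# numbers are made up for the example and do not come from the poster's ASA.
BEFORE = """\
tcts-FW-01# sho asp drop
Frame drop:
No route to host (no-route) 13483
Flow is denied by configured rule (acl-drop) 16427
First TCP packet not SYN (tcp-not-syn) 25269
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 50
Inspection failure (inspect-fail) 98
Last clearing: Never
"""
AFTER = """\
tcts-FW-01# sho asp drop
Frame drop:
No route to host (no-route) 13483
Flow is denied by configured rule (acl-drop) 16431
First TCP packet not SYN (tcp-not-syn) 25270
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 50
Inspection failure (inspect-fail) 98
Last clearing: Never
"""

# "<description> (<reason-name>) <count>"; reason names use letters, digits, - and _
COUNTER_RE = re.compile(r"^(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)$")


def parse_asp_drop(output: str) -> dict:
    """Map (section, reason-name) -> count, e.g. ("frame", "acl-drop") -> 16427."""
    counters, section = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):           # "Frame drop:" / "Flow drop:" headers
            section = line.split()[0].lower()
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            counters[(section, m.group("name"))] = int(m.group("count"))
    return counters


def drop_delta(before: str, after: str) -> dict:
    """Drop reasons whose counters increased between the snapshots, with the increase."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    return {key: a[key] - b.get(key, 0) for key in a if a[key] > b.get(key, 0)}


if __name__ == "__main__":
    for (section, reason), n in sorted(drop_delta(BEFORE, AFTER).items()):
        print(f"{section} drop {reason}: +{n}")
```

Run the ASA command once before the test ping and once after, feed both outputs to `drop_delta`, and only the reasons tied to the test remain. Alternatively, `clear asp drop` resets the counters so a single post-test snapshot is meaningful; either way, an increment in acl-drop points at an ACL, while nat-rpf-failed or no-route point at the translation or routing side.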
07-24-2018 08:13 AM
Based on the packet-tracer output ping it should work.
Are you testing from a host connected to inside ?
To confirm that the asa is actually sending out the packets you could also do a capture:
capture CAP interface outside match icmp host 205.251.151.226 host 8.8.8.8
ping 8.8.8.8 from inside host
sh capture CAP ! to view the packets
no capture CAP ! to disable the capture
07-30-2018 05:26 PM
Okay, I was able to get to a host on the inside for testing.
I am able to get to the internet from the host, so I guess NAT is working.
So, I'm guessing my ping from the ASA inside is being blocked, although the rule to allow is there.