09-11-2019 04:35 AM
Hi experts. I recently got a 5516-X as an upgrade over our existing ASA 5510. I have configured everything on the 5516-X as per the 5510, i.e. NATs, static routes, access list implemented on the outside interface for allowing access to servers on specific ports, and everything else I can think of. The issue is that the 5516-X still does not permit any inward access, i.e. I cannot access our Exchange server from outside using a browser. On the ASA 5510 it works perfectly with the same configuration. Is there any new hardened security on the 5516-X or do I need to add any additional configuration to make it work? Just banging my head really as I am out of ideas as to why it won't allow inward. Outward access, e.g. users browsing the Internet, and all our VPN access both ways is working fine.
Many thanks for your input.
09-11-2019 04:56 AM
Off the top of my head and just something to check. Is the Firewall sending traffic to a firepower module with default config?
What is output from
Sh run policy-map
09-11-2019 05:01 AM
Thanks GRANT3779. How would I know if the firewall is sending traffic to the Firepower module? It has the same route outside static route for default and route inside routes for our inside servers.
Here is the output from sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
 class CM-HTTPS-TIMEOUT
  set connection timeout half-closed 0:30:00
!
09-11-2019 05:07 AM
09-11-2019 05:18 AM
GRANT3779: It is running ASA ver 9.8 and I was using 9.2 before, so the NAT commands are the same. Interfaces, yes, I have changed accordingly and it wasn't a copy and paste job.
I am copying some relevant information (changed some values) so hope that can give some insight. If you need any other particular configuration then please let me know.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.0.0.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.240
!
object network obj_any
 nat (inside,outside) dynamic interface
object network EXG-SER
 nat (inside,outside) static 100.1.1.15
access-list access_in extended permit tcp any4 object EXG-SER eq https
access-list access_in extended permit tcp any4 object EXG-SER eq 995
access-list access_in extended permit tcp any4 object EXG-SER eq 587
access-list access_in extended permit tcp any4 object EXG-SER eq pop3
access-list access_in extended permit tcp any4 object EXG-SER eq www
access-group access_in in interface outside
09-11-2019 05:26 AM
09-11-2019 05:43 AM
Yes, it was a matter of switching the old ASA off, putting the inside and outside cables into the new one and switching it on. And boom, no inward access works. We have an ISP router at our premises to which the outside cable goes, but I do not have any admin access to it. So do you think restarting it would clear the ARP cache and just make things work?
09-18-2019 10:42 AM
As promised - updating on this issue. Yes it was indeed the ARP cache that needed clearing. I ended up power cycling the connecting switches and upstream ISP router and inward access and NAT started working. 👍😁😜
Thanks a lot GRANT3779 and bhargavdesai for your assistance.
09-11-2019 04:58 AM
With the lack of configuration details for NAT and access-list, I would say run "packet-tracer" to find out where the traffic is being blocked.
HTH
09-11-2019 05:04 AM
Thanks bhargavdesai. I have run packet-tracer with source interface outside, a random public IP as the source, and the public IP of our NATted server as the destination. That all turns out to be allowed.
09-11-2019 05:40 AM
If Packet-Tracer is showing allowed so
HTH
09-11-2019 05:48 AM
Thanks. So the sequence of NATting is:
At the top I have the no-NAT configurations for VPN tunnels.
Then there is the PAT for all Internet traffic.
Then there is the server-specific NAT.
This is how I had it configured previously as well.
Eg
nat (inside,outside) source static subnet1 subnet1 destination static subnet2 subnet2 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network EXG-SVR
 nat (inside,outside) static 100.1.1.20
I need to schedule a downtime for restarting the ISP router to clear the ARP cache but just want to know if there is anything else that could be causing this.
Thanks a lot
09-11-2019 05:55 AM
You can also check whether "sh nat" and "sh access-list" show any hit counts.
Furthermore, have you checked that the traffic is reaching the ASA by looking at the logs?
And whether your server is receiving it and responding to it.
I would go like this,
Am I getting request for my server on the ASA?
Does it hit the right access list?
Does it hit the right NAT rule?
Does it forward it to the server?
Does my server receive the request?
Does my server respond to the request?
HTH
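The checklist above, plus GRANT3779's earlier question about whether the policy-map hands traffic to the FirePOWER module, can both be answered from pasted ASA output. The Python script below is an added example and is not code from this thread or from Cisco: it parses "show access-list", "show nat" and "show run policy-map" text and walks the checklist for one published address. The sample outputs are constructed for the example (the hash values are made up) and follow the ASA 9.x output layout as I know it; the regexes are assumptions about that layout, not a Cisco API. The reasoning it encodes is the one the thread ends on: on an 8.3+ ASA an inbound packet is un-NATed before the interface ACL is checked, so a static rule with untranslate_hits = 0 and ACEs with hitcnt=0 mean the packets never arrived, which points at the upstream device (a stale ARP entry still mapping the public IP to the old ASA's MAC) rather than at the ASA policy.

```python
"""Added example (not from the thread): turn ASA hit counters into a verdict.

Assumes pasted output of 'show access-list', 'show nat' and 'show run policy-map'
in the ASA 9.x layout. All sample text below is constructed for this example.
"""
import re

# Constructed sample: what 'show access-list access_in' might print on the
# new 5516-X while inbound access is broken. Hash values are invented.
SHOW_ACCESS_LIST = """\
access-list access_in; 5 elements; name hash: 0x1a2b3c4d
access-list access_in line 1 extended permit tcp any4 object EXG-SER eq https (hitcnt=0) 0x0badcafe
access-list access_in line 2 extended permit tcp any4 object EXG-SER eq 995 (hitcnt=0) 0x0badcaff
access-list access_in line 3 extended permit tcp any4 object EXG-SER eq 587 (hitcnt=0) 0x0badcb00
access-list access_in line 4 extended permit tcp any4 object EXG-SER eq pop3 (hitcnt=0) 0x0badcb01
access-list access_in line 5 extended permit tcp any4 object EXG-SER eq www (hitcnt=0) 0x0badcb02
"""

# Constructed sample 'show nat': outbound PAT is busy, the static for the
# Exchange server has never un-NATed a single inbound packet.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static subnet1 subnet1   destination static subnet2 subnet2 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static EXG-SER 100.1.1.15
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 48213, untranslate_hits = 0
"""

# Constructed, shortened copy of the thread's global_policy (no sfr action in it).
POLICY_MAP = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class CM-HTTPS-TIMEOUT
  set connection timeout half-closed 0:30:00
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")
NAT_RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
NAT_HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_access_list(text):
    """Return (acl_name, line_no, ace_text, hitcnt) for every ACE line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return entries


def parse_nat(text):
    """Return one dict per NAT rule with its translate/untranslate counters."""
    rules, current = [], None
    for line in text.splitlines():
        m = NAT_RULE_RE.match(line.strip())
        if m:
            current = {"from": m.group(1), "to": m.group(2), "kind": m.group(3),
                       "real": m.group(4), "mapped": m.group(5),
                       "translate_hits": 0, "untranslate_hits": 0}
            rules.append(current)
            continue
        h = NAT_HITS_RE.search(line)
        if h and current is not None:  # counters belong to the rule printed just above
            current["translate_hits"] = int(h.group(1))
            current["untranslate_hits"] = int(h.group(2))
    return rules


def sfr_redirect_classes(policy_map_text):
    """Class names whose actions contain an 'sfr ...' line, i.e. traffic sent to the FirePOWER module."""
    classes, current = [], None
    for line in policy_map_text.splitlines():
        s = line.strip()
        if s.startswith("class "):
            current = s.split(None, 1)[1]
        elif s.startswith("sfr ") and current and current not in classes:
            classes.append(current)
    return classes


def diagnose(acl_text, nat_text, mapped_ip):
    """Walk the thread's checklist for one published address.

    'NO-RULE'  - no static NAT publishes mapped_ip
    'UPSTREAM' - no un-NAT and no ACE hits: packets never reached the ASA, look upstream (ARP, routing)
    'ACL'      - packets were un-NATed but no inbound ACE matched: look at the access-list
    'SERVER'   - the ASA un-NATed and permitted traffic: look at the server's reply path
    """
    statics = [r for r in parse_nat(nat_text) if r["kind"] == "static" and r["mapped"] == mapped_ip]
    if not statics:
        return "NO-RULE"
    untranslated = sum(r["untranslate_hits"] for r in statics)
    ace_hits = sum(e[3] for e in parse_access_list(acl_text))
    if untranslated == 0 and ace_hits == 0:
        return "UPSTREAM"
    if ace_hits == 0:
        return "ACL"
    return "SERVER"


if __name__ == "__main__":
    print("sfr redirect classes:", sfr_redirect_classes(POLICY_MAP))
    print("verdict for 100.1.1.15:", diagnose(SHOW_ACCESS_LIST, SHOW_NAT, "100.1.1.15"))
```

Run it against your own pasted output rather than the constructed samples; a verdict of UPSTREAM is exactly the situation the thread ended in, where nothing on the ASA itself was wrong.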
09-11-2019 06:05 AM
Thanks. I will try these in the next scheduled downtime and update.
09-11-2019 06:31 AM