I purchased a 5520 with an SSM20. Since day one the configuration "Default" has been blocking traffic from INSIDE to OUTSIDE. After doing some research I thought that I was getting blocked by the SSM20, but that has been cleared and the module shut down (hw-module module 1 shutdown). So technically nothing should be blocking the traffic.
For now I have a Verizon router with a static route pointing the INSIDE network to the OUTSIDE IP address on the ASA. However, I can see that traffic is flowing and being reset but can't figure out what is blocking the traffic.
Can somebody give me a hand... I've been on this for a month now and have learned a lot with this troublesome ASA.
**Config**
ASAPower# sho run
: Saved
:
: Serial Number: JMX1432L1MR
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)11
!
hostname ASAPower
domain-name lsvrgs.us
enable password hFn6Jz3JWey3cK1i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description out to verizon
nameif OUTSIDE
security-level 0
ip address 192.168.101.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MGMT
security-level 100
ip address 192.168.201.1 255.255.255.0
!
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner login *** Authorized users only. Otherwise go away!! ***
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm *** Authorized users only. Otherwise go away!! ***
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
boot system disk0:/asa917-11-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name lsvrgs.us
same-security-traffic permit inter-interface
object network User_Segment_192.168.200.0
subnet 192.168.200.0 255.255.255.0
description User_Segment_192.168.200.0
object network Verizon_Network
subnet 192.168.1.0 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended permit ip 192.168.200.0 255.255.255.0 any inactive
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.101.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.100 255.255.255.255 INSIDE
http 192.168.201.100 255.255.255.255 MGMT
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.200.100 255.255.255.255 INSIDE
ssh 192.168.201.100 255.255.255.255 MGMT
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access MGMT
dhcp-client update dns server both
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username dihegov password hKOfIhD0/o1ygjAI encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2dea02eaf9833fe05f0025f7670eb80e
: end
ASAPower#
**END**
What is the source and destination of traffic you are testing with?
Have you tried running packet-tracer? e.g.:
packet-tracer input OUTSIDE tcp 8.8.8.8 1025 192.168.200.2 80
(addresses and source/destination ports shown are examples - adjust to suit).
Also your ACL "access-list INSIDE_access_in" and associated access-group command aren't necessary.
Without wishing to state the obvious, the router is set up to NAT the source IPs, isn't it?
Jon
Ha - Jon you posted that while I was writing the same thing!
Hi Marvin
No problem, glad we said same thing :)
Jon
It could be that the Verizon router is not configured to do any NAT for your inside subnets.
That would explain that it replies to ping from the inside subnet natively - the ASA and the static route all working as intended.
If traffic from the inside subnet to the Internet is coming from a network that the Verizon router isn't NATting, it will hit the public Internet with its native RFC 1918 address and not be forwarded.
Yes, it appears that my old Verizon router is not properly NATting my traffic from the INSIDE network. After configuring dynamic PAT on the ASA I was able to reach the internet successfully.
Which is a good reason why I got the ASA... to learn it. It is definitely a different beast than the SRX.
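The fix the OP describes (dynamic PAT on the ASA) together with the packet-tracer check Jon suggested, run in the INSIDE-to-OUTSIDE direction that was actually failing, as an added example that is not the OP's final config or the thread's own commands. It reuses the object and interface names from the posted config; the test host 192.168.200.100 and the destination 8.8.8.8 are assumed sample values.

```cisco
! Added example (not the OP's final config). Translate the INSIDE subnet
! to the OUTSIDE interface address, so the upstream Verizon router only
! ever sees 192.168.101.101, an address it already knows how to NAT,
! instead of the untranslated RFC 1918 source 192.168.200.0/24.
object network User_Segment_192.168.200.0
 subnet 192.168.200.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Verify in the direction that was failing (INSIDE -> OUTSIDE), not
! OUTSIDE -> INSIDE. The NAT phase of the trace should now show the
! translation and the final result should be ALLOW.
! (192.168.200.100 and 8.8.8.8:443 are assumed sample values.)
packet-tracer input INSIDE tcp 192.168.200.100 1025 8.8.8.8 443
!
! Confirm the translation rule, the live xlate and the connection.
show nat detail
show xlate
show conn address 192.168.200.100
```

If the trace still ends in DROP, the phase named in the output (ACCESS-LIST, NAT, ROUTE-LOOKUP) tells you which part of the posted config to look at next.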