Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1089
Views
10
Helpful
8
Replies
Highlighted
dvargas@nwfcu.org
Beginner
Beginner
‎01-02-2018 08:10 PM
‎01-02-2018 08:10 PM

ASA 5520 Flow is Denied by Configured Rule "INSIDE to OUSDIE"

I purchased a 5520 with an SSM20. Since day one the configuration "Default" has been blocking traffic from INSIDE to OUTSIDE>. After doing some reasearch i thought that i was getting blocked by the SSM20 but that has been cleared and HW-module module 1 shutdown. So technically  nothing should be block the traffic. 

For now i have a verizon router with a static route to point the INSIDE Network off of the outside IP address within the ASA. However, I can see that traffic is flowing and being reset but cant figure out what is blocking the traffic.

 

Can sombody give me a hand... I've been on this for a month now and yet learned a lot with this troublesome ASA.

**Config***

ASAPower# sho run
: Saved
:
: Serial Number: JMX1432L1MR
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)11
!
hostname ASAPower
domain-name lsvrgs.us
enable password hFn6Jz3JWey3cK1i encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description out to verizon
nameif OUTSIDE
security-level 0
ip address 192.168.101.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MGMT
security-level 100
ip address 192.168.201.1 255.255.255.0
!
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner login *** Authorized users only. Otherwise go away!! ***
banner login ***********************************************
banner login ***********************************************
banner login ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm *** Authorized users only. Otherwise go away!! ***
banner asdm ***********************************************
banner asdm ***********************************************
banner asdm ***********************************************
boot system disk0:/asa917-11-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name lsvrgs.us
same-security-traffic permit inter-interface
object network User_Segment_192.168.200.0
subnet 192.168.200.0 255.255.255.0
description User_Segment_192.168.200.0
object network Verizon_Network
subnet 192.168.1.0 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended permit ip 192.168.200.0 255.255.255.0 any inactive
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.101.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.100 255.255.255.255 INSIDE
http 192.168.201.100 255.255.255.255 MGMT
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.200.100 255.255.255.255 INSIDE
ssh 192.168.201.100 255.255.255.255 MGMT
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access MGMT
dhcp-client update dns server both
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username dihegov password hKOfIhD0/o1ygjAI encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2dea02eaf9833fe05f0025f7670eb80e
: end
ASAPower#

 

**END***

 

Labels:
0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to dvargas@nwfcu.org
‎01-03-2018 04:48 AM
‎01-03-2018 04:48 AM

It could be that the Verizon router is not configured to do any NAT for your inside subnets.

 

That would explain that it replies to ping from the inside subnet natively - the ASA and the static route all working as intended.

 

If traffic from the inside subnet to the Internet is coming from a network that the Verizon router isn't NATting, it will hit the public Internet with its native RFC 1918 address and not be forwarded.

View solution in original post

Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to Jon Marshall
‎01-03-2018 04:50 AM
‎01-03-2018 04:50 AM

Ha - Jon you posted that while I was writing the same thing!

View solution in original post

0 Helpful
Reply
8 REPLIES 8
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎01-02-2018 09:43 PM
‎01-02-2018 09:43 PM

What is the source and destination of traffic you are testing with?

 

Have you tried running packet-tracer? e.g.:

 

packet-tracer input OUTSIDE tcp 8.8.8.8 1025 192.168.200.2 80

(addresses and source/destination ports shown are examples - adjust to suit).

 

Also your ACL "access-list INSIDE_access_in"and associated access-group command aren't necessary.

 

 

0 Helpful
Reply
Highlighted
dvargas@nwfcu.org
Beginner
Beginner
In response to Marvin Rhoads
‎01-03-2018 04:36 AM
‎01-03-2018 04:36 AM

Yes, and it appears that the flow is accepted. I'm wondering if the static route i have in the Verizon router is not being granted.

Verizon static route: 192.168.200.0 255.255.255.0 192.168.101.101

From Pc:
C:\Users\dgo>ping 192.168.101.1 -S 192.168.200.100

Pinging 192.168.101.1 from 192.168.200.100 with 32 bytes of data:
Reply from 192.168.101.1: bytes=32 time=1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64
Reply from 192.168.101.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.101.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Users\dgo>ping 8.8.8.8 -S 192.168.200.100

Pinging 8.8.8.8 from 192.168.200.100 with 32 bytes of data:
Request timed out.

Ping statistics for 8.8.8.8:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

From ASA:
Packet-tracer provided does go through all Phases and being allowed.
What i dont understand is that why may i being able to ping from the host to the gateway but not the internet. Again i'm wondering if the verizon router is not playing nice w/ routing the traffic back but if ping works then it does.

the ssm 20 is powered down and dont have any service policy rules in place either...
0 Helpful
Reply
Highlighted
Jon Marshall
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to dvargas@nwfcu.org
‎01-03-2018 04:45 AM
‎01-03-2018 04:45 AM

Without wishing to state the obvious the router is setup to NAT the source IPs isn't it ?

 

Jon

Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to Jon Marshall
‎01-03-2018 04:50 AM
‎01-03-2018 04:50 AM

Ha - Jon you posted that while I was writing the same thing!

View solution in original post

0 Helpful
Reply
Highlighted
Jon Marshall
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to Marvin Rhoads
‎01-03-2018 05:21 AM
‎01-03-2018 05:21 AM

Hi Marvin 

 

No problem, glad we said same thing :) 

 

Jon

0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to dvargas@nwfcu.org
‎01-03-2018 04:48 AM
‎01-03-2018 04:48 AM

It could be that the Verizon router is not configured to do any NAT for your inside subnets.

 

That would explain that it replies to ping from the inside subnet natively - the ASA and the static route all working as intended.

 

If traffic from the inside subnet to the Internet is coming from a network that the Verizon router isn't NATting, it will hit the public Internet with its native RFC 1918 address and not be forwarded.

View solution in original post

Reply
Highlighted
dvargas@nwfcu.org
Beginner
Beginner
In response to Marvin Rhoads
‎01-03-2018 07:12 PM
‎01-03-2018 07:12 PM

Marvin & John.

Thank you for your solution but well... not with this particular Verizon router but i have done this setup in the past and has worked as it is. I'm not an expert with NAT but wouldnt/shouldn't that traffic be NAT'ed as well?

Are you suggesting that I should run NAT from the ASA on my OUTISDE interface?
0 Helpful
Reply
Highlighted
dvargas@nwfcu.org
Beginner
Beginner
In response to Marvin Rhoads
‎01-03-2018 07:39 PM
‎01-03-2018 07:39 PM

Yes, it appears that my old Verizon router is not properly NATing my traffic from the INSIDE network. After doing dynamic "PAT" NATing on the ASA i was successfully able to reach the internet.

Which is a good reason why i got the ASA... to learn it is def' a different beast than the SRX

0 Helpful
Reply
Latest Contents
SecureX Frequently Asked Questions
Created by adisanka on 03-01-2021 08:33 AM
0
10
0
10
GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the SecureX regio... view more
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
219
11
219
  GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the Secur... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Content for Community-Ad