ASA 9.12 Can't connect out from inside interface...

djhillssc
Level 1

I'm upgrading an old (OLD) Cisco PIX to a newer ASA unit.  Of course when I migrated the config (via CLI), it didn't like some of the old NAT commands and I had to modify appropriately.  I have 2 interfaces configured (inside 100 and outside 0).  I have a test PC plugged in via crossover cable to each of the 2 physical interfaces.  Both can ping their respective sides of the ASA.  I am able to get traffic IN (from outside to inside) via configured ACLs to allow http, RDP, etc.  However...I can't get ANYTHING to go from inside to outside.

 

Outside test PC/server 169.160.35.70

Outside interface IP 169.160.35.94

Inside interface IP 10.1.1.1

Inside test PC/server 10.1.1.22

(defined with static nat to 169.160.35.80 on outside interface)

 

I have no ACLs on my inside interface (only outside, for inbound traffic).  I have static NAT configured.  Packet tracer shows no issues sending traffic from the inside host to the outside host...but I can't hit the website on the outside host, FTP to it, or anything else.

 

Also, interesting...I cannot FTP to the inside host from the outside.  While packet tracer shows no issue with it, and logging shows an FTP connection built and torn down, the client always times out (from both outside to inside and inside to outside).

 

I believe I must be missing something having to do with routing traffic from the inside to the outside interface (non-ACL related as far as I can tell, and according to packet tracer).  I've read and read and searched and am not finding what it is.  Hoping somebody here more familiar with the ASA can take a quick look through my config and point out something that makes the difference!  Thanks in advance!

 

Here is my running config:

 

: Saved

:
: Serial Number: FCH1714J7GB
: Hardware: ASA5515, 4096 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
: Written by enable_15 at 22:53:56.989 UTC Mon Apr 25 2022
!
ASA Version 9.12(2)9
!
hostname ciscoasa
domain-name djhill.com
enable password ***** pbkdf2
names
no mac-address auto
ip local pool vpn_addresses 10.1.2.2-10.1.2.20

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 169.160.35.94 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.224
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name djhill.com
object network ip_22
host 10.1.1.22
access-list outside_access_in extended permit tcp any object ip_22 eq www
access-list outside_access_in extended permit tcp any object ip_22 eq https
access-list outside_access_in extended permit tcp any object ip_22 eq 3389
access-list outside_access_in extended permit tcp any object ip_22 eq ftp
access-list outside_access_in extended permit tcp any host 169.160.35.80 eq ftp
access-list outside_access_in extended permit tcp any host 10.1.1.22 eq ftp
pager lines 24
logging enable
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network ip_22
nat (inside,outside) static 169.160.35.80
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 169.160.35.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set trans esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set trans mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpngroup internal
group-policy vpngroup attributes
vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
username djhillvpn password ***** nt-encrypted
username djhillssc password ***** pbkdf2
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_addresses
default-group-policy vpngroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

12 Replies

https://www.auvik.com/franklyit/blog/migrating-cisco-asa-firewall-configuration/

You need PAT for the inside client to the outside public IP.

I looked at that article @MHM Cisco World but it looks like I've done all it said.  Can you see something from that article that my config is missing?  Thanks!

 

Dan

object network PAT-0_0_0_0
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic interface

My understanding of that (based on that article) is it's used to do dynamic NAT.  For static nat, it's what I have (which is what that article seems to me to explain).  Am I misunderstanding?

 

Dan

You mean that this ASA serves only one host, 10.1.1.22?

If yes, then your config is OK; there is no need for dynamic NAT.

Ultimately the ASA (when I get the config sorted out) will have a dozen hosts on the inside interface, but all are servers that will all have static NAT configured, each with a dedicated IP for NAT.

 

I did add the dynamic nat as that article shows just to test it, but now connection attempts inside->outside don't even show a connection being built/torn down at all...guessing it's creating a conflict with the static nat for that host.

 

Dan
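As an added example (not code from the thread or from Cisco), a small Python checker that parses the NAT and ACL lines of an ASA 8.3+ style config such as the one posted at the top of the thread and flags the two points raised in the replies: ACEs written against the mapped address (ASA 8.3+ access lists match the real, pre-NAT address, so the `host 169.160.35.80` line never matches) and the absence of a dynamic PAT rule for inside hosts that have no static NAT. The embedded config is a constructed, trimmed excerpt of the posted config with the reply's `PAT-0_0_0_0` object added and object sub-command indentation restored.

```python
import re

# Constructed input: a trimmed excerpt of the running config posted above, with
# the PAT object from the reply added and object sub-command indentation restored.
CONFIG = """\
object network ip_22
 host 10.1.1.22
access-list outside_access_in extended permit tcp any object ip_22 eq www
access-list outside_access_in extended permit tcp any object ip_22 eq ftp
access-list outside_access_in extended permit tcp any host 169.160.35.80 eq ftp
access-list outside_access_in extended permit tcp any host 10.1.1.22 eq ftp
object network ip_22
 nat (inside,outside) static 169.160.35.80
object network PAT-0_0_0_0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
"""

def parse(config):
    """Collect network objects, their NAT rules and the ACEs that permit traffic to a host/object."""
    objects, nats, aces, current = {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
            objects.setdefault(current, None)
        elif (m := re.match(r"\s*(host|subnet) (.+)", line)) and current:
            objects[current] = m.group(2)          # real address of the object
        elif (m := re.match(r"\s*nat \((\w+),(\w+)\) (static|dynamic) (\S+)", line)) and current:
            nats[current] = m.groups()             # (real_if, mapped_if, type, mapped)
        elif m := re.match(r"access-list (\S+) extended permit \S+ \S+ (object|host) (\S+) eq (\S+)", line):
            aces.append(m.groups())                # (acl, kind, target, port)
    return objects, nats, aces

def findings(config):
    """Flag ACEs written against mapped or object-covered addresses, and a missing PAT rule."""
    objects, nats, aces = parse(config)
    mapped = {rule[3]: name for name, rule in nats.items() if rule[2] == "static"}  # post-NAT -> object
    real = {addr: name for name, addr in objects.items() if addr and " " not in addr}  # host -> object
    out = []
    for acl, kind, target, port in aces:
        if kind == "host" and target in mapped:
            out.append(f"{acl}: ACE for mapped address {target} port {port} never matches; ASA 8.3+ ACLs use real addresses, so reference object {mapped[target]}")
        elif kind == "host" and target in real:
            out.append(f"{acl}: ACE for host {target} port {port} names the real address of object {real[target]} directly; prefer the object")
    if not any(rule[2] == "dynamic" for rule in nats.values()):
        out.append("no dynamic NAT/PAT rule: inside hosts without a static NAT leave untranslated with a private source address")
    return out
```

Running `findings(CONFIG)` on the excerpt reports the mapped-address ACE and the duplicate host ACE; removing the `dynamic interface` line makes it report the missing PAT rule as well.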

I would take a look at inspection. I saw you have some inspect entries, but I'd try to look at it as a possibility.

I saw in the past some weird situations like this where nothing seemed to make sense and inspection was the reason.

Can you say more about that @Flavio Miranda ?  I have the global policy set to inspect FTP (which Cisco shows in their article on setting up FTP access), but nothing else regarding FTP inspection enabled.

Thanks.  In order to test if FTP inspection was causing a problem, I disabled FTP inspection (no inspect ftp on the global policy)...still FTP can't connect.  Same deal...packet-tracer shows no issues (not being blocked by ACL), logging shows TCP connection built when the FTP client makes connection request...request times out and ASA tears down the connection...

 

Log on FTP server doesn't show any attempt to connect at all...

 

Any more ideas?  I'm out of them lol

 

Dan

 

djhillssc
Level 1

BTW - update for @MHM Cisco World and @Flavio Miranda - I now can access http etc. from inside -> outside. (Still no luck with FTP).  Felt like an idiot when I discovered why nothing at all was going through inside->outside (the test PC on the inside was multi-homed and the routing metric was causing it to try to route all traffic intended for the outside interface through its wireless connection...turned off the wireless connection and now can get everything...EXCEPT FTP to work)

 

Packet tracer finds no issue routing FTP requests

 

FTP connection attempts from outside or inside show connection being built/torn down, but FTP client times out after 30 seconds from either side (FTP is known to work on both machines, when not connected through the ASA - just on a switch, connections fire right up in only milliseconds...so FTP timeouts on either side can't be the issue).

 

I know I can turn off FTP inspection, but then (if I understand correctly) ACTIVE mode FTP will no longer work (though none are working now, so maybe that's an upgrade lol)

 

Dan

I'll send you a link on how to adjust the embryonic timeout.
A SYN timeout means the link is low speed and the 3-way handshake cannot complete within this time; increase it to at least 1.5 min.
