Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
8
Replies

ASA Basics: v8.6 not passing traffic

Go to solution
S.Srivas_2
Level 1
Level 1

‎04-19-2013 05:10 AM - edited ‎03-11-2019 06:31 PM

Access-list ALL IP any any

Access-list all ICMP any any

access-group ALL applied to all interfaces, in and out

traffic not passing through

from ASA ping external IPs work via some interfaces and not other

Need your help to get the traffic through the ASA.

Any instrctions required?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to S.Srivas_2

‎04-19-2013 10:15 AM

Can you specify what is not working as there was multiple things that were not working.

If the ASA outside and the PC on outside are in the same subnet they should be able to see eachother directly. Are you sure the PC itself isnt preventing the ICMP? It wouldnt be anything uncommon if the PC has firewall settings preventing this.

On the ASA you can naturally use the "show arp" command which should list all the host that the ASA sees in directly connected network. If you dont see some host directly connected you can always ping those IP addresses and then re-issue the command "show arp".

If you mean that also the connection to the router behind that ASA doesnt work then can you share the NAT configuration you made for it?

Also seems you have not added the ICMP inspection

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-19-2013 05:26 AM

Hi,

Are you sure you have configured NAT for all users?

Can you share the ASA configuraitons?

- Jouni

0 Helpful

Go to solution
S.Srivas_2
Level 1
Level 1
In response to Jouni Forss

‎04-19-2013 05:59 AM

Please find listed is the config below

ciscoasa# sh runn
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password /Omn2PFOBnGlk6iW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 10
ip address XXX.44.38.44 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif OUTSIDE_notyet
security-level 99
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE_SIT
security-level 0
ip address 10.112.64.1 255.255.248.0
!
<--- More --->
             
interface GigabitEthernet0/3
shutdown
nameif INSIDE_UAT_notyet
security-level 1
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif NetMGT
security-level 50
ip address 192.168.1.1 255.255.255.0
management-only
!
<--- More --->
             
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object network obj-Switch-10.98.74.2
host 10.98.74.2
object network obj-HMC-1-10.74.132.22
host 10.74.132.22
object network obj-CSM-10.74.132.21
host 10.74.132.21
access-list ALL extended permit ip any any
access-list ALL extended permit icmp any any
access-list ALL extended permit tcp any any
access-list ALL extended permit udp any any
access-list ALL extended permit icmp any any echo
access-list ALL extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu OUTSIDE_notyet 1500
mtu INSIDE_SIT 1500
mtu INSIDE_UAT_notyet 1500
mtu NetMGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
<--- More --->
             
arp timeout 14400
!
object network obj-Switch-10.98.74.2
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8
object network obj-HMC-1-10.74.132.22
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.9
object network obj-CSM-10.74.132.21
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.10
access-group ALL in interface OUTSIDE
access-group ALL out interface OUTSIDE
access-group ALL in interface INSIDE_SIT
access-group ALL out interface INSIDE_SIT
access-group ALL in interface NetMGT
access-group ALL out interface NetMGT
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.44.38.41 1
route INSIDE_SIT 10.74.132.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT YYY.111.27.0 255.255.255.248 10.112.64.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
             
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 NetMGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 NetMGT
dhcpd enable NetMGT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
<--- More --->
             
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
<--- More --->
             
Cryptochecksum:b1ec95bb23b2a7fbc3177b8774527f15
: end

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 mins 35 secs

Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
            ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0    : address is b0fa.eb97.fc1e, irq 11
1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.fc22, irq 10
<--- More --->
             
2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.fc1f, irq 10
3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.fc23, irq 5
4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.fc20, irq 5
5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.fc24, irq 10
6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.fc21, irq 10
7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.fc1e, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
<--- More --->
             
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has a Base license.

Serial Number: FCH1705J532
Running Permanent Activation Key: 0x3705fa5d 0xa8b89a15 0xa5a1f9dc 0xede83004 0x8137d49b
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa# 

ciscoasa#

ciscoasa#

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to S.Srivas_2

‎04-19-2013 06:21 AM

Hi,

The are some oddities/problems with the configurations.

First I would suggest changing the "security-level" values to something more basic

interface GigabitEthernet0/0

security-level 0

interface GigabitEthernet0/2

security-level 100

Also it seems to me that you are lacking some NAT configurations.

For example the Dynamic PAT for basic Internet access for the LAN networks

object-group network DEFAULT-PAT-SOURCE

network-object 10.74.132.0 255.255.255.0

network-object 10.112.64.0 255.255.248.0

nat (INSIDE_SIT,OUTSIDE) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Also you have some "object" and "nat" configurations for a local address that I dont see in your "route" commands or interface network ranges. Specifically this one

object network obj-Switch-10.98.74.2

host 10.98.74.2

nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8

I can't see a network including the address 10.98.72.2 anywhere on the above ASA configurations? There is no route for it and there is no interface configured which has that address space.

Also even though you have opened all traffic I would suggest the following configuration

fixup protocol icmp

I would also recomend removing these ACL. Partly because they are not needed, partly because they pose a security risk.

no access-group ALL in interface OUTSIDE

no access-group ALL out interface OUTSIDE

no access-group ALL out interface INSIDE_SIT

- Jouni

0 Helpful

Go to solution
S.Srivas_2
Level 1
Level 1
In response to Jouni Forss

‎04-19-2013 07:05 AM

Thank you for the above.

I changed the security levels. For now I am interested in passing traffic through and will look at the static NAT later.

The problem I have at the moment, if I ping from outside PC (gatewway) via interface inside-sit local link to router 10.112.64.222, it does not work, telnet does not work too.

PC(xxx.44.38.41)-----(outside XXX.44.38.44)------>ASA------(inside_SIT 10.112.64.1)---------->router (10.112.64.222)

Strangely, I can ping from the outside pc (.41) to outside interface (.44) but ASA cannot ping the outside PC (.41)!

The new config listing is given below. Appreciate your help on this.

sh runn
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password /Omn2PFOBnGlk6iW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address XXX.44.38.44 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif OUTSIDE_notyet
security-level 5
no ip address
!
interface GigabitEthernet0/2
nameif INSIDE_SIT
security-level 100
ip address 10.112.64.1 255.255.248.0
!
<--- More --->
             
interface GigabitEthernet0/3
shutdown
nameif INSIDE_UAT_notyet
security-level 95
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
security-level 90
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif NetMGT
security-level 50
ip address 192.168.1.1 255.255.255.0
management-only
!
<--- More --->
             
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object network obj-Switch-10.98.74.2
host 10.98.74.2
object network obj-HMC-1-10.74.132.22
host 10.74.132.22
object network obj-CSM-10.74.132.21
host 10.74.132.21
object-group network DEFAULT-PAT-SOURCE
network-object 10.74.132.0 255.255.255.0
network-object 10.112.64.0 255.255.248.0
access-list ALL extended permit ip any any
access-list ALL extended permit icmp any any
access-list ALL extended permit tcp any any
access-list ALL extended permit udp any any
access-list ALL extended permit icmp any any echo
access-list ALL extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu OUTSIDE_notyet 1500
mtu INSIDE_SIT 1500
mtu INSIDE_UAT_notyet 1500
mtu NetMGT 1500
<--- More --->
             
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
object network obj-Switch-10.98.74.2
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.8
object network obj-HMC-1-10.74.132.22
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.9
object network obj-CSM-10.74.132.21
nat (INSIDE_SIT,OUTSIDE) static YYY.111.27.10
!
nat (INSIDE_SIT,OUTSIDE) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ALL in interface OUTSIDE
access-group ALL out interface OUTSIDE
access-group ALL in interface INSIDE_SIT
access-group ALL out interface INSIDE_SIT
access-group ALL in interface NetMGT
access-group ALL out interface NetMGT
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.44.38.41 1
route INSIDE_SIT 10.74.132.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT 10.98.74.0 255.255.255.0 10.112.64.222 1
route INSIDE_SIT YYY.111.27.0 255.255.255.248 10.112.64.222 1
timeout xlate 3:00:00
<--- More --->
             
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 NetMGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 NetMGT
dhcpd enable NetMGT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
<--- More --->
             
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
<--- More --->
             
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e5787db25a923493187605b7393efe70
: end

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa#

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to S.Srivas_2

‎04-19-2013 07:13 AM

Hi,

Try to configure this

icmp permit xxx.44.38.44 255.255.255.248 OUTSIDE

Naturaly replace the "x" with the actual public network address. After this try the ICMP from the ASA to the outside PC.

To be able to ICMP/PING the Router behind the ASA from the Public network you would need a Static NAT for the Router.

Provided you have a public IP address to spare for this you could configure

object network STATIC-ROUTER

host 10.112.64.222

nat (INSIDE_SIT,OUTSIDE) static

- Jouni

0 Helpful

Go to solution
S.Srivas_2
Level 1
Level 1
In response to Jouni Forss

‎04-19-2013 07:39 AM

Hi Jouni,

We have just tried that, but still not working.

Any other suggestion?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to S.Srivas_2

‎04-19-2013 10:15 AM

Can you specify what is not working as there was multiple things that were not working.

If the ASA outside and the PC on outside are in the same subnet they should be able to see eachother directly. Are you sure the PC itself isnt preventing the ICMP? It wouldnt be anything uncommon if the PC has firewall settings preventing this.

On the ASA you can naturally use the "show arp" command which should list all the host that the ASA sees in directly connected network. If you dont see some host directly connected you can always ping those IP addresses and then re-issue the command "show arp".

If you mean that also the connection to the router behind that ASA doesnt work then can you share the NAT configuration you made for it?

Also seems you have not added the ICMP inspection

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

0 Helpful

Go to solution
S.Srivas_2
Level 1
Level 1
In response to Jouni Forss

‎04-22-2013 12:49 PM

It works.

The config was OK. The end stations (Laptop and Switch/Router) routing was not accurate. It is now fied.

Thank you Jouni Foress for all the help..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card