ASA connection between interfaces

Rudy Sanjoko
Level 4

Hi guys, I have a question on how to allow connections, or in this case just ping, between R1 and R2 with the ASA in the middle (R1-g0/0 and R2-g0/3). Below is my setup; this is a simple one but I couldn't make it work. I am just trying to set up the ASA to allow ping from R1 to R2. I have tried some things but it still doesn't work. Here is my config as well; I would appreciate it if any of you can pinpoint the steps that I missed. Thanks in advance,

R1--------------------------------ASA--------------------------------R2

168.0.2              168.0.1       0.0.1                      0.0.2

** In bold is the config that I added to the default config; it's not much.

ASA Version 8.4(5)

!

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

<output omitted>

!

interface GigabitEthernet0/3

nameif outside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

<output omitted>

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj192

subnet 192.168.0.0 255.255.255.0

object network obj10

subnet 10.0.0.0 255.255.255.0

access-list allowinside1 extended permit tcp any any

access-list allowinside1 extended permit icmp any any

access-list allowoutside1 extended permit tcp any any

access-list allowoutside1 extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static obj192 obj192 destination static obj10 obj10

access-group allowinside1 in interface inside

access-group allowoutside1 in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1e408f20cf334f131bde6eda1e0566f9

: end


12 Replies

Jouni Forss
VIP Alumni

Hi,

It seems you are using at least version 8.3, or probably one of the latest 8.4 versions, on your ASA.

By default you won't have to make ANY NAT configurations between your interfaces unless you specifically need to NAT LAN address ranges to something else. So you can safely remove that NAT configuration you have, to keep the NAT configuration to a minimum (depending on the scope of the network now and in the future, this might help a lot with keeping the configuration manageable).

Are you trying to PING/ICMP from the R1 and R2 interfaces directly connected to the ASA? I mean, for example, using the R1 interface IP address on the ASA link network as source and PINGing/ICMPing the R2 interface IP address connected to the ASA?

I ask this because you have no "route" commands towards the R1 and R2 interfaces. Therefore, if you have networks other than the link networks between the ASA and the routers, the PING/ICMP messages won't have a return route to the host PINGing/ICMPing and would therefore get forwarded the wrong way.

Otherwise the configuration seems clear. You could of course change the "outside" interface "security-level" back to the default value of 0 that it gets when issuing "nameif outside", though the "same-security-traffic" commands should already allow the traffic. But the security-level change is something to try out.

Also double-check your interface IP configurations, default gateway settings and IP route commands on the routers and the ASA.

- Jouni

Hi Jouni, I am trying to ping from the R1 interface (that is connected directly to the ASA) to the R2 interface (that is also connected directly to the ASA) -> ping from 192.168.0.2 (R1) to 10.0.0.2 (R2).

Just want to confirm this: where should I add the route command? Only on the ASA or on all devices (R1, R2 and ASA)? I did configure the "route outside 0.0.0.0 0.0.0.0 10.0.0.2" command on the ASA -> this doesn't help (let me know if I need to add more route commands on the ASA).

I've got rid of the NAT and changed the security level to 0, and I've also set the default gateway on both R1 and R2. These steps don't help either.

Best regards,

Rudy

Hi Rudy,

Do your routers each have default routes back to the ASA? If they don't have default routes, at the very least add a static route for each subnet with a next hop of the ASA-attached interface. Overall your configuration looks OK from a firewall standpoint.

Thanks,

Nick Schloeme

Hi Nick, I have set the default gateway on both routers back to the ASA. I feel that there's something that I am missing on the ASA, otherwise this whole setup wouldn't give me this much trouble.

Best regards,

Rudy

Please paste the output of the following:

Do "debug icmp trace" on the firewall and "debug ip icmp" on the router, initiate the traffic and give the output, and also do the following:

packet-tracer input inside icmp <source ip> 8 0 <destination ip> detailed

and

show service-policy flow icmp host <source ip> host <destination ip> echo

Hi, here is the output from the packet-tracer command:

NHSFW(config)# packet-tracer input inside icmp 192.168.0.2 8 0 10.0.0.2 detail$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb2563088, priority=1, domain=permit, deny=false

        hits=24, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.255.255.0   outside

Phase: 3

Type: ACCESS-LIST

Subtype: log 

Result: ALLOW

Config:

access-group allowinside1 in interface inside

access-list allowinside1 extended permit icmp any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb25ef278, priority=13, domain=permit, deny=false

        hits=0, user_data=0xaf801f00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb258ee88, priority=0, domain=inspect-ip-options, deny=true

        hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb25f4a80, priority=70, domain=inspect-icmp, deny=false

        hits=1, user_data=0xb25fd110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb258ea60, priority=66, domain=inspect-icmp-error, deny=false

        hits=20, user_data=0xb258e078, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 7

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xb25f1fb8, priority=13, domain=debug-icmp-trace, deny=false

        hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 8

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xb21986a0, priority=13, domain=debug-icmp-trace, deny=false

        hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xb25d01f0, priority=0, domain=inspect-ip-options, deny=true

        hits=14, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 35, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_dbg_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_dbg_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat 

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

I don't see any output on either router even after I enabled the debugging command and initiated the traffic from R1 to R2.

I see the output below when I ping from the ASA to R2, which is directly connected:

connected_outside_10.0.0.1#

*Nov 26 08:40:36.718: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 08:40:36.718: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 08:40:36.718: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 08:40:36.722: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 08:40:36.722: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

connected_outside_10.0.0.1#

Please advise, thank you.

Best regards,

Rudy

Please apply the following capture on the firewall:

access-list cap permit icmp any any

cap capin access-list cap interface inside buffer 200000

cap capout access-list  interface outside buffer 200000

Initiate the traffic and once done, do "sh cap capin" and "sh cap capout" and paste the output, and also the "sh ip route" output from both routers. And attach the latest firewall config also.

NHSFW(config)#

NHSFW(config)# access-list cap permit icmp any any

NHSFW(config)# cap capin access-list cap interface inside buffer 200000

NHSFW(config)# cap capout access-list  interface outside buffer 200000

                                                 ^

ERROR: % Invalid input detected at '^' marker.

NHSFW(config)#

NHSFW(config)# cap capout access-list cap  interface outside buffer 200000

!!!! initiated traffic from both directions !!!!

NHSFW(config)# show cap capin

0 packet captured

0 packet shown

NHSFW(config)#

NHSFW(config)# show cap capout

0 packet captured

0 packet shown

NHSFW(config)#

NHSFW(config)#

NHSFW(config)# show run

: Saved

:

ASA Version 8.4(5)

!

hostname NHSFW

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 0

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj192

subnet 192.168.0.0 255.255.255.0

object network obj10

subnet 10.0.0.0 255.255.255.0

access-list cap extended permit icmp any any

access-list allowinside1 extended permit tcp any any

access-list allowinside1 extended permit icmp any any

access-list allowoutside1 extended permit tcp any any

access-list allowoutside1 extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group allowinside1 in interface inside

access-group allowoutside1 in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

-----

Cryptochecksum:d80e43fe98a30209fca62929afeedf71

: end

NHSFW(config)#

R1:

conn_inside_192#

conn_inside_192#ping 10.0.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

conn_inside_192#

conn_inside_192#

conn_inside_192#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.0.0/24 is directly connected, FastEthernet0/0

conn_inside_192#

conn_inside_192#

R2:

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets

C       10.0.0.0 is directly connected, FastEthernet0/0

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#

*Nov 26 10:54:19.037: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 10:54:19.041: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 10:54:19.041: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 10:54:19.041: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

*Nov 26 10:54:19.041: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1

connected_outside_10.0.0.1#

connected_outside_10.0.0.1#ping 192.168.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

connected_outside_10.0.0.1#

Best regards,

Rudy

None of the routers has any static route; they just have the directly connected route "C". Check the route on the router or paste it here, and also give me "sh ver" of the firewall.

I just added the ip route command on both routers and it works. Thanks guys, I'm just amazed at how something so simple can be missed.
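As an added illustration (not code from the thread or from Cisco), the Python model below replays each hop's routing decision using the route tables posted above. It shows why packet-tracer on the ASA reports "allow" while the end-to-end ping fails (R1 has no route to 10.0.0.0/24, so the echo never reaches the ASA), why a route on only one router still fails (no return route, Jouni's point), and what the static routes that fixed it change. Device names, addresses and route entries are transcribed from the thread; the lookup and trace logic is constructed here.

```python
import ipaddress

# Constructed route tables transcribed from the thread: R1 and R2 show only
# their connected ("C") route, while the ASA has both connected subnets plus
# its "route outside 0.0.0.0 0.0.0.0 10.0.0.2". Entries are
# (prefix, next_hop) with next_hop None for a directly connected subnet.
ROUTES_BEFORE = {
    "R1":  [("192.168.0.0/24", None)],
    "ASA": [("192.168.0.0/24", None), ("10.0.0.0/24", None),
            ("0.0.0.0/0", "10.0.0.2")],
    "R2":  [("10.0.0.0/24", None)],
}

# Which device owns which address (the two links in the diagram).
OWNER = {"192.168.0.2": "R1", "192.168.0.1": "ASA",
         "10.0.0.1": "ASA", "10.0.0.2": "R2"}


def lookup(table, dst):
    """Longest-prefix match over one device's table; None means no route."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def trace(routes, src, dst):
    """Forward one packet hop by hop. Returns (delivered, devices_visited)."""
    dev, path = OWNER[src], [OWNER[src]]
    for _ in range(8):                       # guard against routing loops
        if OWNER.get(dst) == dev:
            return True, path
        match = lookup(routes[dev], dst)
        if match is None:
            return False, path               # no route: dropped at this device
        _net, next_hop = match
        hop = dst if next_hop is None else next_hop   # connected: deliver directly
        if hop not in OWNER:
            return False, path               # next hop is not on a link we know
        dev = OWNER[hop]
        path.append(dev)
    return False, path


def ping(routes, src, dst):
    """An echo needs both directions: (request_delivered, reply_delivered)."""
    fwd, _ = trace(routes, src, dst)
    rev = trace(routes, dst, src)[0] if fwd else False
    return fwd, rev


def with_static_routes(routes):
    """The fix from the thread: each router gets a route to the far subnet via
    the ASA address on its own link (a default route would work as well)."""
    fixed = {dev: list(table) for dev, table in routes.items()}
    fixed["R1"].append(("10.0.0.0/24", "192.168.0.1"))
    fixed["R2"].append(("192.168.0.0/24", "10.0.0.1"))
    return fixed
```

Calling ping(ROUTES_BEFORE, "192.168.0.2", "10.0.0.2") gives (False, False) with the trace stopping at R1, while ping(with_static_routes(ROUTES_BEFORE), ...) gives (True, True) along R1, ASA, R2.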

Welcome anytime, good luck.

Please rate the helpful comments.

Don't worry, done that already!! Thanks again!
