ASA connectivity issue driving me nuts
03-04-2014 02:43 AM - edited 03-11-2019 08:53 PM
I’m trying to set up an ASA as the main firewall for a charity organisation I volunteer for.
I have been given a /29 address by the ISP and have obscured it just for security, in real life only the last octet is the same. X.x.x.40/29 with the router from the ISP as .46 and my ASA is .41
When I plug in the ASA it won’t ping .46 from its own address of .41. When I give a laptop the .41 address, and plug it directly into the ISP router, everything works and the laptop has full WWW (including DNS) access.
To try and troubleshoot I chose some spare ports in the switch and put these ports into an unused VLAN (VLAN4). I gave VLAN 4 an address of .42. I can ping the ASA and my VLAN interface but can't ping .46.
Now the really weird bit, I gave my laptop the .43 address and plugged it into VLAN4 port on the switch, I can ping everything including 8.8.8.8 and I have full WWW access from the laptop. Neither Cisco device (ASA and switch) can ping .46 and the ASA can't ping 8.8.8.8 (or any other web address). This is driving me nuts, I'm really good at this stuff, it's my job but this has me stumped.
HELP
Labels: NGFW Firewalls
03-04-2014 02:13 PM
Hi Tim,
If the issue still exists, can you share ASA configuration? ICMP inspection enabled on ASA?
Thx
MS
03-05-2014 12:29 AM
Thanks MS,
Here it is, I think it may be an issue with ARP response....
ASA Version 8.6(1)2
!
hostname DMZ-ASA
domain-name oooooooooo.local
enable password llllllll encrypted
passwd ppppppppppp encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address xx.xx.186.41 255.255.255.248
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address nn.nn.nn.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address nn.nn.140.221 255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name strapheals.local
same-security-traffic permit inter-interface
object network FILESRV01
host mm.mm.0.10
description Main File Server
access-list Outside_access_in remark Catch all
access-list Outside_access_in extended deny ip any any log debugging
access-list DMZ_access_in extended permit ip object FILESRV01 any log debugging
access-list DMZ_access_in remark catch all
access-list DMZ_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 nn.nn.186.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http nn.nn.140.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet nn.nn.140.0 255.255.255.0 management
telnet timeout 5
ssh nn.nn.140.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password nnnnnnnnnnnnnn encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:999999999999999999999
: end
03-05-2014 03:04 AM
Hi,
1) I don't see any inside interface, are you only using a DMZ or is your management interface the inside one?
If so then don't forget that the management interface by default doesn't pass data traffic.
2) Your inbound ACLs on DMZ and Outside have no permit statement so how can your traffic be forwarded through your ASA?
3) You still can't ping from Outside to modem/router? I don't see any obvious things in the ASA config that could be the cause. Which type of modem/router is this, cable or DSL?
Regards
Alain
Don't forget to rate helpful posts.
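An added check (not from the thread or from Cisco) for the two configuration points raised above, run over an excerpt constructed from the first config Tim posted: it reports bound ACLs that contain no permit entry and interfaces configured management-only.

```python
import re

# Excerpt constructed from the first config posted in this thread
# (the addresses were already obscured by the poster and are omitted here).
CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
access-list Outside_access_in remark Catch all
access-list Outside_access_in extended deny ip any any log debugging
access-list DMZ_access_in extended permit ip object FILESRV01 any log debugging
access-list DMZ_access_in remark catch all
access-list DMZ_access_in extended deny ip any any log debugging
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
"""

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) ")
BIND = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

def lint(config):
    """Return findings for ACLs bound to an interface with no permit entry and
    for interfaces that are management-only (they do not forward transit traffic)."""
    permits, findings, iface = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]          # track the interface whose sub-commands follow
        elif line == "!":
            iface = None
        elif line == "management-only" and iface:
            findings.append(f"{iface} is management-only and will not pass transit traffic")
        elif m := ACE.match(line):
            permits[m[1]] = permits.get(m[1], 0) + (m[2] == "permit")
        elif m := BIND.match(line):
            # access-group lines come after the access-list entries in an ASA config
            if permits.get(m[1], 0) == 0:
                findings.append(f"{m[1]} bound {m[2]} on {m[3]} has no permit entries")
    return findings
```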
03-05-2014 04:13 AM
You're right Alain,
That was an old config, sorry, this is the current one.
A bit more information, I have tried setting the outside to sec level 0 and the inside to sec level 100. I would like a bit more control than that, hence the current setting of both to 50 and an access list controlling. It also means I can set the debug feature on the rule and watch the packets on the monitor function.
STILL NOT ABLE TO PING router interface nn.nn.186.46 or 8.8.8.8 (or anything)
Tim
______________________________________________________________
ASA Version 8.6(1)2
!
hostname Main-ASA
domain-name mmmmmmmmm.local
enable password ppppppppppp encrypted
passwd ooooooooo encrypted
names
dns-guard
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 50
ip address n.n.186.41 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 50
ip address ppp.ppp.199.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address ppp.ppp.140.221 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name mmmmmm.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network servers
subnet nn.nn.0.0 255.255.255.0
object-group network users
network-object nn.nn.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object nn.nn.199.0 255.255.255.0
network-object object servers
group-object users
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log debugging
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 n.n.186.46 1
route inside xx.xxx.0.0 255.255.255.0 nn.nn.199.254 1
route inside xx.xx.1.0 255.255.255.0 nn.nn.199.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http nn.nn.140.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp management
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet nn.nn.140.0 255.255.255.0 management
telnet timeout 5
ssh nn.nn.140.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password e8gq2.ujS/CECBVS encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b87ebe6cde5db24ba1663f298efeaedc
: end
Main-ASA#
Main-ASA#
Main-ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"
Main-ASA up 1 day 22 hours
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-0014
IPSec microcode : CNPx-MC-IPSEC-MAIN-0014
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 4c4e.3544.e33b, irq 11
1: Ext: GigabitEthernet0/0 : address is 4c4e.3544.e33f, irq 10
2: Ext: GigabitEthernet0/1 : address is 4c4e.3544.e33c, irq 10
3: Ext: GigabitEthernet0/2 : address is 4c4e.3544.e340, irq 5
4: Ext: GigabitEthernet0/3 : address is 4c4e.3544.e33d, irq 5
5: Ext: GigabitEthernet0/4 : address is 4c4e.3544.e341, irq 10
6: Ext: GigabitEthernet0/5 : address is 4c4e.3544.e33e, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 4c4e.3544.e33b, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
This platform has an ASA 5515 Security Plus license.
Serial Number: FCH1709J0RT
Running Permanent Activation Key: 0xfa2fe370 0xdcc393cd 0x616211b4 0xed48a8c0 0x4c0ecda4
Configuration register is 0x1
Configuration last modified by admin at 11:34:38.546 UTC Wed Mar 5 2014
Main-ASA#
03-05-2014 05:20 AM
Little bit more information:
When the ASA wants to send a packet out, it sends an ARP request (who is n.n.186.46); .46 is the ISP router, the ASA is .41. Instead of just responding (n.n.186.46 is at """mac address"""), the ISP router sends its own ARP request (who has n.n.186.41, tell 192.168.1.254). Now the ASA has no idea who this 192 address is, has no way of getting to it, so the whole negotiation falls down. I have asked the ISP to sort this out and will report back if this solves the issue.
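The exchange described above, modelled as an added example that is not part of the original thread: it builds the two ARP frames from constructed bytes (192.0.2.40/29 stands in for the obscured /29, the ASA's Gi0/0 MAC is taken from the sh ver output, and the ISP router MAC is a placeholder) and flags both symptoms a capture on that VLAN would show.

```python
import struct
import ipaddress

# Constructed stand-in addressing: the thread's n.n.186.40/29 is replaced by
# the documentation range 192.0.2.40/29 (ASA .41, ISP router .46).
OUR_IP = ipaddress.ip_address("192.0.2.41")
OUR_NET = ipaddress.ip_network("192.0.2.40/29")
ASA_MAC = bytes.fromhex("4c4e3544e33f")      # GigabitEthernet0/0 from the sh ver output
ROUTER_MAC = bytes.fromhex("0a0000000046")   # constructed placeholder for the ISP router
BCAST = b"\xff" * 6
ETH_ARP = 0x0806

def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4 ARP packet (op 1=request, 2=reply)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, ipaddress.ip_address(spa).packed,
                      tha, ipaddress.ip_address(tpa).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_ARP) + arp

def parse_arp(frame):
    """Return (op, sender_ip, target_ip) or None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _, _, _, _, op, _, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return op, ipaddress.ip_address(spa), ipaddress.ip_address(tpa)

def analyze(frames):
    """Flag the two symptoms from the thread: our requests that never get a reply,
    and requests for our address whose sender claims an off-subnet IP."""
    findings, pending = [], set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, spa, tpa = parsed
        if op == 1 and spa == OUR_IP:
            pending.add(tpa)                 # we asked for this address
        elif op == 2 and tpa == OUR_IP:
            pending.discard(spa)             # a reply addressed to us arrived
        if op == 1 and tpa == OUR_IP and spa not in OUR_NET:
            findings.append(f"off-subnet ARP request for {tpa} from {spa}")
    findings.extend(f"no ARP reply from {ip}" for ip in sorted(pending))
    return findings

# Constructed capture reproducing the exchange described in the post.
CAPTURE = [
    build_arp(ASA_MAC, BCAST, 1, ASA_MAC, "192.0.2.41", b"\0" * 6, "192.0.2.46"),
    build_arp(ROUTER_MAC, BCAST, 1, ROUTER_MAC, "192.168.1.254", b"\0" * 6, "192.0.2.41"),
]
```

Calling analyze(CAPTURE) returns the off-subnet request from 192.168.1.254 and the missing reply for .46; a capture where the router answers with a proper reply returns nothing.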
03-05-2014 07:16 AM
So for closure purposes, it is fixed.....Hooray and hussar....
I stuck a Wireshark PC on the VLAN I had created and saw that there was an issue with this spurious address (192.168.1.254). I think the router is designed for home use and as that range would suit most homes, I guess it works mostly, HOWEVER, an ASA 5515 ain't no piece of home kit and is totally incompatible with this router. What was fooling me was the fact that when I plugged in a PC with the 186.41 address, it worked. I have now set up the ASA to be PPPoE and bypassed the router entirely. It all sprang into life and we are good to go.
Thanks everyone for your suggestions, and as I have cleared this issue myself, I will be awarding me 3 gold stars (or whatever the rating system is now.)
Cheers Guys
Tim
