02-02-2013 09:42 AM - edited 03-11-2019 05:55 PM
Hi all,
i got my first asa and start playing with it and get it to work on my home network with virgin super hub.
i had uploaded my current scenario:
I have dhcp disabled on superhub, so when clients conect got dhcp from asa 192.168.1.0/25 subnet
i also configured nat from INSIDE to OUTSIDE and OUTSIDE to INSIDE
packet tracer from 192.168.1.20 (client) to 192.168.1.250(superhub) shows as allowed and vice versa
i have created
unfortunetelly my pc cannot ping superhub or anything on internet .... please find my config below:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password x encrypted
passwd x encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.240 255.255.255.128
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network INSIDE_HOSTS
subnet 192.168.1.0 255.255.255.128
object network OUTSIDE_RANGE
range 192.168.1.135 192.168.1.160
object network OUTSIDE_X
subnet 192.168.1.128 255.255.255.128
object network INSIDE_X
range 192.168.1.120 192.168.1.125
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
nat (outside,inside) source dynamic OUTSIDE_X INSIDE_X
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password x encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:416678c2173edeb085474ff18788b36f
: end
can you please help get this to work i dont even know if this is possible
thank you
02-02-2013 09:48 AM
you cannot ping because icmp inspection is disabled. To enable it do this:
policy-map global_policy
class inspection_default
inspect icmp
02-02-2013 10:59 AM
Hi Andrew,
Thanks for quick update, config applid but still no pings to 192.168.1.250
i am a bit concern about my eth0/1 going back to wifi router as OUTSIDE and having vlan tag 2, i thnk my wifi router will not recognise vlan tags and drop packets ??
02-02-2013 11:19 AM
Please do :
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.1.250 detail
Let us know the whole output
02-02-2013 11:41 AM
Hi jcarvaja,
Please find below:
ciscoasa# packet-tracer input inside icmp 192.168.1.10 8 0 192.168.1.250 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.128 255.255.255.128 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad0effc8, priority=13, domain=permit, deny=false
hits=640, user_data=0xaa90c850, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
<--- More --->
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
Additional Information:
Dynamic translate 192.168.1.10/0 to 192.168.1.157/0
Forward Flow based lookup yields rule:
in id=0xacd360a0, priority=6, domain=nat, deny=false
hits=281, user_data=0xacd36230, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.128, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac655b60, priority=0, domain=nat-per-session, deny=true
hits=1119, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
<--- More --->
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2bcc30, priority=0, domain=inspect-ip-options, deny=true
hits=1142, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
<--- More --->
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacf13100, priority=70, domain=inspect-icmp, deny=false
hits=426, user_data=0xacd07c18, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2c6330, priority=66, domain=inspect-icmp-error, deny=false
hits=439, user_data=0xacd318f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
<--- More --->
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac59a0e8, priority=6, domain=nat-reverse, deny=false
hits=282, user_data=0xa8f37550, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.128, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac655b60, priority=0, domain=nat-per-session, deny=true
hits=1121, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
<--- More --->
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xacd0bf18, priority=0, domain=inspect-ip-options, deny=true
hits=628, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1798, packet dispatched to next module
Module information for forward flow ...
<--- More --->
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
<--- More --->
Action: allow
also i attached my config
ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password x encrypted
passwd x encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
<--- More --->
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.240 255.255.255.128
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network INSIDE_HOSTS
subnet 192.168.1.0 255.255.255.128
object network OUTSIDE_RANGE
range 192.168.1.135 192.168.1.160
object network OUTSIDE_X
subnet 192.168.1.128 255.255.255.128
object network INSIDE_X
range 192.168.1.120 192.168.1.125
object network pat_outside
host 192.168.1.240
<--- More --->
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
nat (outside,inside) source dynamic OUTSIDE_X INSIDE_X
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
<--- More --->
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
<--- More --->
no threat-detection statistics tcp-intercept
username x password x encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
<--- More --->
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b31197126d60f6d0220f03abfd269dcf
: end
ciscoasa#
Thank you for looking into my problem!
02-02-2013 01:20 PM
looks like enabling
"enable traffic between two or more interfaces" fixed the ping but i cannont open web config of superhub.
syslog
http://i50.tinypic.com/34g6p1f.jpg
looks like routing loop?
can you connect asa inside and outside interfaces to the same "home wifi router" ? or i have to buy seperate AP ?
02-03-2013 03:40 AM
This indicates that you are running in asymmetrical routing issue, that is some TCP traffic bypass the ASA, thus the ASA doesn't establish a valid TCP connection.
If so, you need to fix the routing issue, or enable TCP state bypass using MPF.
----------
Mashal
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide