asa on virgin super hub

piesio.marcin
Level 1

Hi all,

I got my first ASA and started playing with it to get it to work on my home network with a Virgin Super Hub.

I had uploaded my current scenario:

I have DHCP disabled on the Super Hub, so when clients connect they get DHCP from the ASA on the 192.168.1.0/25 subnet.

I also configured NAT from INSIDE to OUTSIDE and from OUTSIDE to INSIDE.

Packet tracer from 192.168.1.20 (client) to 192.168.1.250 (Super Hub) shows the traffic as allowed, and vice versa.

I have created

Unfortunately my PC cannot ping the Super Hub or anything on the internet. Please find my config below:

ASA Version 9.1(1)
!
hostname ciscoasa
enable password x encrypted
passwd x encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.128
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network INSIDE_HOSTS
 subnet 192.168.1.0 255.255.255.128
object network OUTSIDE_RANGE
 range 192.168.1.135 192.168.1.160
object network OUTSIDE_X
 subnet 192.168.1.128 255.255.255.128
object network INSIDE_X
 range 192.168.1.120 192.168.1.125
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
nat (outside,inside) source dynamic OUTSIDE_X INSIDE_X
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password x encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:416678c2173edeb085474ff18788b36f
: end

Can you please help me get this to work? I don't even know if this is possible.

Thank you.

6 Replies

Andrew Phirsov
Level 7

You cannot ping because ICMP inspection is disabled. To enable it, do this:

policy-map global_policy
 class inspection_default
  inspect icmp

Hi Andrew,

Thanks for the quick update. Config applied, but still no pings to 192.168.1.250.

I am a bit concerned about my Eth0/1 going back to the Wi-Fi router as OUTSIDE and having VLAN tag 2. I think my Wi-Fi router will not recognise VLAN tags and will drop packets??

Please do:

packet-tracer input inside icmp 192.168.1.10 8 0 192.168.1.250 detail

Let us know the whole output.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi jcarvaja,

Please find below:

ciscoasa# packet-tracer input inside icmp 192.168.1.10 8 0 192.168.1.250 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.128   255.255.255.128 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad0effc8, priority=13, domain=permit, deny=false
hits=640, user_data=0xaa90c850, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
Additional Information:
Dynamic translate 192.168.1.10/0 to 192.168.1.157/0
Forward Flow based lookup yields rule:
in  id=0xacd360a0, priority=6, domain=nat, deny=false
hits=281, user_data=0xacd36230, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.128, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac655b60, priority=0, domain=nat-per-session, deny=true
hits=1119, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad2bcc30, priority=0, domain=inspect-ip-options, deny=true
hits=1142, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacf13100, priority=70, domain=inspect-icmp, deny=false
hits=426, user_data=0xacd07c18, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad2c6330, priority=66, domain=inspect-icmp-error, deny=false
hits=439, user_data=0xacd318f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac59a0e8, priority=6, domain=nat-reverse, deny=false
hits=282, user_data=0xa8f37550, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.128, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac655b60, priority=0, domain=nat-per-session, deny=true
hits=1121, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xacd0bf18, priority=0, domain=inspect-ip-options, deny=true
hits=628, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1798, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I also attached my config:

ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password x encrypted
passwd x encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.128
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network INSIDE_HOSTS
 subnet 192.168.1.0 255.255.255.128
object network OUTSIDE_RANGE
 range 192.168.1.135 192.168.1.160
object network OUTSIDE_X
 subnet 192.168.1.128 255.255.255.128
object network INSIDE_X
 range 192.168.1.120 192.168.1.125
object network pat_outside
 host 192.168.1.240
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_HOSTS OUTSIDE_RANGE
nat (outside,inside) source dynamic OUTSIDE_X INSIDE_X
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username x password x encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b31197126d60f6d0220f03abfd269dcf
: end
ciscoasa#

Thank you for looking into my problem!
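A defender's triage pass over a running-config like the one just posted, added here as an example (it is not the poster's tooling and not anything from Cisco): it flags the `permit ip any any` ACL bound to the security-level 0 outside interface, the `http 192.168.1.0 255.255.255.0 inside` management line whose /24 mask is wider than the inside /25, and a policy that lacks the `inspect icmp` Andrew pointed to. The embedded sample is a constructed excerpt of the second config; the function names and finding wording are my own.

```python
import ipaddress
# Constructed excerpt of the thread's second config, not a full ASA config (no policy-map here).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.128
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.128
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
http 192.168.1.0 255.255.255.0 inside
"""

def parse(config):
    # Assumes ASA ordering: nameif precedes security-level and ip address.
    ifaces, acls, groups, http, inspects, cur = {}, {}, {}, [], set(), None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "nameif":
            cur = ifaces.setdefault(w[1], {})
        elif w[0] == "security-level" and cur is not None:
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w[3:])  # drop the 'extended' keyword
        elif w[0] == "access-group":
            groups[w[4]] = w[1]  # interface name -> ACL name
        elif w[0] == "http" and len(w) == 4:  # skips 'http server enable'
            http.append((ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False), w[3]))
        elif w[0] == "inspect":
            inspects.add(w[1])
    return ifaces, acls, groups, http, inspects

def audit(config):
    ifaces, acls, groups, http, inspects = parse(config)
    findings = []
    for ifc, acl in groups.items():  # 'permit ip any any' inbound on the untrusted side
        wide = any(e[:4] == ["permit", "ip", "any", "any"] for e in acls.get(acl, []))
        if wide and ifaces.get(ifc, {}).get("level") == 0:
            findings.append(f"{ifc}: ACL {acl} permits ip any any on a security-level 0 interface")
    for net, ifc in http:  # management source wider than the interface's connected subnet
        if "net" in ifaces.get(ifc, {}) and not net.subnet_of(ifaces[ifc]["net"]):
            findings.append(f"{ifc}: http access from {net} exceeds connected subnet {ifaces[ifc]['net']}")
    if "icmp" not in inspects:  # without it, echo replies must be permitted by the ACL
        findings.append("no 'inspect icmp' in any policy-map, echo replies are not tracked")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show run` to get the same three checks on a real box.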

Looks like enabling "enable traffic between two or more interfaces" fixed the ping, but I cannot open the web config of the Super Hub.

Syslog:

http://i50.tinypic.com/34g6p1f.jpg

Looks like a routing loop?

Can you connect the ASA inside and outside interfaces to the same "home Wi-Fi router"? Or do I have to buy a separate AP?

This indicates that you are running into an asymmetric routing issue, that is, some TCP traffic bypasses the ASA, so the ASA doesn't establish a valid TCP connection.

If so, you need to fix the routing issue, or enable TCP state bypass using MPF.

Mashal Shboul