
ASA5505 Config Assistance

bed082571
Frequent Visitor

The organization I work for took over management of a network with ASAs, which unfortunately I have almost no experience with.  What's also unfortunate is that this host isn't covered by a SMARTnet contract (yet).  I'll boil the topology down to the two hosts where I believe the problem is: a 2911 and a 5505.  There is a VPN between these two hosts which they've been using for years.  All I'm trying to accomplish is sourcing a ping from a 2911 interface, 63.236.240.138, to a 5505 interface, 192.168.23.254, and eventually SSH to/from the same.

 

I've attached the config of the 5505 and I can provide the 2911 config too, but I suspect the problem is on the 5505 side.

 

The first changes I made were adjusting the interesting traffic on both sides of the VPN.  Here is what I've added to the 5505:

 

access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138

 

Both sides of the VPN look good after generating an ICMP echo from 63.236.240.138 to 192.168.23.254.  I see encaps on the 2911 and decaps on the 5505, however no encaps on the 5505 or decaps on the 2911.  At this point I believe the problem is firewall ruleset related, so I made the below changes to allow this traffic, but have little confidence in them aside from knowing they didn't resolve the problem.

 

object-group protocol MY_SERVICES
 protocol-object ip
 protocol-object icmp

 

object network KWD_NAT
 host 63.236.240.138

 

object-group network MY_PREFIXES
 network-object object KWD_NAT

 

object network CLIENT_LAN
 subnet 192.168.23.0 255.255.255.0

 

access-list FIBER_access_in extended permit object-group MY_SERVICES object-group MY_PREFIXES object CLIENT_LAN

 

After some research I found these devices have a pretty handy tool to help isolate traffic drop issues, so I executed the following; the drop-specific section is below.

 

packet-tracer input FIBER icmp 63.236.240.138 8 0 192.168.23.254 detailed

 

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcce0a860, priority=70, domain=ipsec-tunnel-flow, deny=false
      hits=3, user_data=0x8123c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
      src ip/id=63.236.240.138, mask=255.255.255.255, icmp-type=0, tag=0
      dst ip/id=192.168.23.0, mask=255.255.255.0, icmp-code=0, tag=0, dscp=0x0
      input_ifc=FIBER, output_ifc=any

 

After some additional reading I found some comments this tool isn't reliable when attempting to isolate VPN drops so I'm not sure if there is any value in the above.

 

I can't say with certainty but I'm suspicious of the ruleset.  I feel like the rule I created is wrong.  On other zone-based firewalls there would be a VPN zone with something like VPN_access_in instead of FIBER_access_in.

 

I'll take whatever help anyone can offer that can put me out of my misery.  I've spent so many hours researching this and I feel like it's a simple solution, but I really don't like pulling over and asking for directions.

 

Thank you in advance.
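The packet-tracer run above is long and the only line that matters is the first phase with `Result: DROP`. The parser below is an added example (not from the thread or from Cisco); it splits packet-tracer output into its `Phase:` blocks, pulls the `key=value` pairs out of the matching rule, and reports the first dropping phase with its domain and interfaces. The sample input is the dropping phase excerpted from the trace above, plus a constructed trailing `Result:`/`Action:` summary and an allowed IP-OPTIONS phase for contrast.

```python
"""Parse Cisco ASA packet-tracer output and locate the phase that dropped the packet.

Added example, not from the original thread. It parses the "Phase:" blocks that
packet-tracer prints and reports the first DROP together with the matching
rule's domain and interfaces, so the failing stage is visible at a glance.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    rule: dict = field(default_factory=dict)     # key=value pairs from the rule lines


# key=value pairs such as "domain=ipsec-tunnel-flow" or "icmp-type=0"
_KV = re.compile(r"(\w[\w/\-]*)=([^,\s]+)")


def parse_packet_tracer(text):
    """Return (phases, final_action); final_action is the trailing 'Action:' value or None."""
    phases, action, section, done = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
            continue
        if done:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phases.append(Phase(int(m.group(1))))
            section = None
            continue
        if not phases:
            continue
        ph = phases[-1]
        if line.startswith("Type:"):
            ph.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            ph.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            val = line.split(":", 1)[1].strip()
            if val:
                ph.result = val.upper()
            else:
                done = True   # a bare "Result:" opens the final summary, not a phase
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config" and line:
            ph.config.append(line)
        elif section == "info" and "=" in line:
            # src/dst lines both use "ip/id=", so prefix them to keep the keys distinct
            prefix = "src_" if line.startswith("src ") else "dst_" if line.startswith("dst ") else ""
            for k, v in _KV.findall(line):
                ph.rule[prefix + k] = v
    return phases, action


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p.result == "DROP"), None)


def describe(text):
    """One-line verdict for a packet-tracer run."""
    phases, action = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return f"allowed through {len(phases)} phases (action={action})"
    r = drop.rule
    return (f"dropped at phase {drop.number} {drop.type}/{drop.subtype} "
            f"domain={r.get('domain')} {r.get('input_ifc')}->{r.get('output_ifc')}")


# Sample input: the dropping phase excerpted from the thread's first packet-tracer run;
# the trailing "Result:" summary and "Action: drop" lines are constructed for the example.
SAMPLE_DROP = """\
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcce0a860, priority=70, domain=ipsec-tunnel-flow, deny=false
      hits=3, user_data=0x8123c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
      src ip/id=63.236.240.138, mask=255.255.255.255, icmp-type=0, tag=0
      dst ip/id=192.168.23.0, mask=255.255.255.0, icmp-code=0, tag=0, dscp=0x0
      input_ifc=FIBER, output_ifc=any

Result:
input-interface: FIBER
Action: drop
"""

# Sample input: an allowed phase (IP-OPTIONS, excerpted from the thread's second run)
# with a constructed summary, to show the no-drop path.
SAMPLE_ALLOW = """\
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc06adf0, priority=0, domain=inspect-ip-options, deny=true
\thits=6868606, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
\tinput_ifc=inside, output_ifc=any

Result:
Action: allow
"""

if __name__ == "__main__":
    print(describe(SAMPLE_DROP))
    print(describe(SAMPLE_ALLOW))
```

Run it against a full trace (paste the output into a file and read it) and the verdict line names the phase to look at; in the first trace on this page that is phase 8, `ipsec-tunnel-flow`, on the FIBER interface.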

 

14 Replies

Hi,

I imagine your outbound traffic is being NATed; try adding a NAT exempt rule, e.g.

 

nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static KWD_NAT KWD_NAT

Ensure this rule is above your default NAT rule. If still a problem, please provide the output of "show nat detail"

 

HTH

Doesn't the NAT below cover the same traffic yours does? This one uses a group object instead.  By the way, I've tried this with and without the no-proxy-arp.

 

nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp

 

 

 

show nat detail output:

 

Manual NAT Policies (Section 1)
1 (inside) to (FIBER) source static ND_SERVER ND_SERVER destination static FIS_NETWORK FIS_NETWORK
     translate_hits = 0, untranslate_hits = 0
     Source - Origin: 192.168.23.1/32, Translated: 192.168.23.1/32
     Destination - Origin: 216.189.226.41/32, Translated: 216.189.226.41/32
2 (inside) to (FIBER) source static obj-192.168.23.0 obj-192.168.23.0 destination static DATA_CENTER DATA_CENTER
     translate_hits = 4514181, untranslate_hits = 4538069
     Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24
     Destination - Origin: 10.160.0.0/12, Translated: 10.160.0.0/12
3 (inside) to (FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
     translate_hits = 9, untranslate_hits = 5913
     Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24
     Destination - Origin: 63.236.240.138/32, Translated: 63.236.240.138/32
4 (inside) to (FIBER) source dynamic obj-192.168.23.0 interface
     translate_hits = 2276390, untranslate_hits = 545045
     Source - Origin: 192.168.23.0/24, Translated: 72.23.219.228/28

 

FWIW, the translate_hits increase with each new ICMP echo.
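The reply above asks for the exempt rule to sit above the default NAT rule, and the `show nat detail` output is where that ordering is checked: Section 1 manual NAT is evaluated top-down and the first matching rule wins, so a dynamic interface PAT rule placed above the identity rule would translate the VPN-bound source address and the packet would no longer match the crypto ACL. The checker below is an added example (not from the thread); it parses the `show nat detail` excerpt above, finds the first rule covering a given flow and says whether that rule is an identity (exempt) rule or a translating one. The `198.51.100.10` destination used in the usage call is constructed.

```python
"""Check manual NAT ordering from 'show nat detail' on an ASA.

Added example, not from the thread. Manual (Section 1) NAT rules are evaluated
top-down and the first match wins, so a NAT-exempt (identity) rule must sit
above the dynamic interface PAT rule or VPN-bound traffic is translated to the
outside address and never matches the crypto ACL.
"""
import ipaddress
import re
from dataclasses import dataclass, field

_HDR = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
_ORIG = re.compile(r"^(Source|Destination) - Origin: (\S+), Translated: (\S+)$")


@dataclass
class NatRule:
    number: int
    src_ifc: str
    dst_ifc: str
    text: str
    origin: dict = field(default_factory=dict)      # "Source"/"Destination" -> real network
    translated: dict = field(default_factory=dict)  # "Source"/"Destination" -> mapped network


def parse_show_nat(text):
    """Parse the numbered rules and their Origin/Translated lines, in display order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HDR.match(line)
        if m:
            rules.append(NatRule(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = _ORIG.match(line)
        if m and rules:
            which, orig, xlat = m.groups()
            rules[-1].origin[which] = ipaddress.ip_network(orig, strict=False)
            rules[-1].translated[which] = ipaddress.ip_network(xlat, strict=False)
    return rules


def is_identity(rule):
    """True when every origin address translates to itself (a NAT-exempt rule)."""
    return bool(rule.origin) and all(rule.origin[k] == rule.translated[k] for k in rule.origin)


def first_match(rules, src_ip, dst_ip, src_ifc="inside"):
    """First rule, top-down as the ASA evaluates Section 1, that covers src->dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src_ifc != src_ifc:
            continue
        if "Source" in r.origin and src not in r.origin["Source"]:
            continue
        if "Destination" in r.origin and dst not in r.origin["Destination"]:
            continue
        return r
    return None


def check_vpn_exempt(rules, src_ip, dst_ip, src_ifc="inside"):
    """Verdict for a VPN-bound flow: ('exempt', n) if an identity rule matches first,
    ('translated', n) if a translating rule shadows it, ('no-match', None) otherwise."""
    r = first_match(rules, src_ip, dst_ip, src_ifc)
    if r is None:
        return "no-match", None
    return ("exempt" if is_identity(r) else "translated"), r.number


# Sample input: the 'show nat detail' output posted in the thread.
SAMPLE_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (FIBER) source static ND_SERVER ND_SERVER destination static FIS_NETWORK FIS_NETWORK
     translate_hits = 0, untranslate_hits = 0
     Source - Origin: 192.168.23.1/32, Translated: 192.168.23.1/32
     Destination - Origin: 216.189.226.41/32, Translated: 216.189.226.41/32
2 (inside) to (FIBER) source static obj-192.168.23.0 obj-192.168.23.0 destination static DATA_CENTER DATA_CENTER
     translate_hits = 4514181, untranslate_hits = 4538069
     Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24
     Destination - Origin: 10.160.0.0/12, Translated: 10.160.0.0/12
3 (inside) to (FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
     translate_hits = 9, untranslate_hits = 5913
     Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24
     Destination - Origin: 63.236.240.138/32, Translated: 63.236.240.138/32
4 (inside) to (FIBER) source dynamic obj-192.168.23.0 interface
     translate_hits = 2276390, untranslate_hits = 545045
     Source - Origin: 192.168.23.0/24, Translated: 72.23.219.228/28
"""

if __name__ == "__main__":
    rules = parse_show_nat(SAMPLE_NAT)
    print(check_vpn_exempt(rules, "192.168.23.254", "63.236.240.138"))  # VPN peer host
    print(check_vpn_exempt(rules, "192.168.23.254", "198.51.100.10"))   # constructed internet dst
```

For the flow in this thread the verdict is `('exempt', 3)`, which confirms the ordering is fine and, as the next reply says, NAT is not the culprit here; swapping rule 4 above rule 3 makes the same call return `('translated', 4)`, which is the shadowing case the reply warns about.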

Yeah, you are right. Can you provide the output of "show crypto ipsec sa"

Run this packet-tracer twice and provide the full output of the second.
"packet-tracer input inside icmp 192.168.23.24 8 0 63.236.240.138 detailed"

 

show crypto ipsec sa output:

interface: FIBER
    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0 
      local ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.160.0.0/255.240.0.0/0/0)
      current_peer: 209.166.156.66


      #pkts encaps: 22019729, #pkts encrypt: 22019729, #pkts digest: 22019729
      #pkts decaps: 28933345, #pkts decrypt: 28933345, #pkts verify: 28933345
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22019729, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.23.219.228/0, remote crypto endpt.: 209.166.156.66/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4DDECC83
      current inbound spi : 9EB56910

    inbound esp sas:
      spi: 0x9EB56910 (2662689040)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4366344/1479)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x4DDECC83 (1306446979)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4368152/1479)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138 
      local ident (addr/mask/prot): (192.168.23.0/255.255.255.0/1)
      remote ident (addr/mask/prot): (63.236.240.138/255.255.255.255/1)
      current_peer: 209.166.156.66


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4719, #pkts decrypt: 4719, #pkts verify: 4719
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.23.219.228/0, remote crypto endpt.: 209.166.156.66/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 16CDB35F
      current inbound spi : 89470D1A

    inbound esp sas:
      spi: 0x89470D1A (2303135002)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4373857/1823)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x16CDB35F (382579551)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4374000/1823)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

 

output of second packet-tracer:

 

 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
NAT divert to egress interface FIBER
Untranslate 63.236.240.138/0 to 63.236.240.138/0

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
Static translate 192.168.23.24/0 to 192.168.23.24/0
 Forward Flow based lookup yields rule:
 in  id=0xcc607d20, priority=6, domain=nat, deny=false
	hits=1, user_data=0xcc80feb0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.23.0, mask=255.255.255.0, port=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=FIBER

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb9f8778, priority=0, domain=nat-per-session, deny=true
	hits=1791170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc06adf0, priority=0, domain=inspect-ip-options, deny=true
	hits=6868606, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any
              
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc4e6788, priority=70, domain=inspect-icmp, deny=false
	hits=72857, user_data=0xcc4e5cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc4edf30, priority=70, domain=inspect-icmp-error, deny=false
	hits=72857, user_data=0xcc4ed460, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbc92ee8, priority=0, domain=host-limit, deny=false
	hits=3434166, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc078ec0, priority=70, domain=encrypt, deny=false
	hits=3, user_data=0xbdb1c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
	src ip/id=192.168.23.0, mask=255.255.255.0, icmp-type=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, icmp-code=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=FIBER

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc3f4c10, priority=6, domain=nat-reverse, deny=false
	hits=2, user_data=0xcc8ea478, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=192.168.23.0, mask=255.255.255.0, port=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=FIBER

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc6b1de0, priority=70, domain=ipsec-tunnel-flow, deny=false
	hits=3, user_data=0xc5a1c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
	src ip/id=63.236.240.138, mask=255.255.255.255, icmp-type=0, tag=0
	dst ip/id=192.168.23.0, mask=255.255.255.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=FIBER, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcb9f8778, priority=0, domain=nat-per-session, deny=true
	hits=1791172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc0c1570, priority=0, domain=inspect-ip-options, deny=true
	hits=6996850, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=FIBER, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 6993445, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: FIBER
output-status: up
output-line-status: up
Action: allow
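The `show crypto ipsec sa` output above carries the whole symptom in two counters: the 63.236.240.138 SA shows `#pkts decaps: 4719` but `#pkts encaps: 0`, so the peer's packets arrive and are decrypted while nothing is ever encrypted back. The parser below is an added example (not from the thread); it reads each proxy-identity entry's encaps/decaps counters and flags SAs with traffic in only one direction. The sample is an excerpt of the output posted above.

```python
"""Flag one-directional IPsec SAs in 'show crypto ipsec sa' output.

Added example, not from the thread. For each proxy-identity pair it reads the
encaps/decaps counters; an SA that decapsulates but never encapsulates means the
peer is sending while this side's return traffic is not being encrypted (NAT,
routing or crypto-ACL mismatch), which is the symptom in this thread.
"""
import re

_ACL = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")
_IDENT = re.compile(r"^(local|remote) ident \(addr/mask[^)]*\): \(([^)]*)\)$")
_PEER = re.compile(r"current_peer: (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA entry: acl, local, remote, peer, encaps, decaps."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if _ACL.match(line):
            # every SA entry starts with the crypto ACL line that selected it
            cur = {"acl": line, "encaps": None, "decaps": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = _IDENT.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = _PEER.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = _ENCAPS.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = _DECAPS.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return entries


def one_way(entries):
    """SAs with traffic in only one direction; 'rx-only' is the thread's symptom."""
    out = []
    for e in entries:
        if e["decaps"] and not e["encaps"]:
            out.append(("rx-only", e.get("local"), e.get("remote"), e["decaps"]))
        elif e["encaps"] and not e["decaps"]:
            out.append(("tx-only", e.get("local"), e.get("remote"), e["encaps"]))
    return out


# Sample input: excerpt of the 'show crypto ipsec sa' output posted in the thread.
SAMPLE_SA = """\
interface: FIBER
    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0
      local ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.160.0.0/255.240.0.0/0/0)
      current_peer: 209.166.156.66

      #pkts encaps: 22019729, #pkts encrypt: 22019729, #pkts digest: 22019729
      #pkts decaps: 28933345, #pkts decrypt: 28933345, #pkts verify: 28933345
      #pkts compressed: 0, #pkts decompressed: 0

    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
      local ident (addr/mask/prot): (192.168.23.0/255.255.255.0/1)
      remote ident (addr/mask/prot): (63.236.240.138/255.255.255.255/1)
      current_peer: 209.166.156.66

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4719, #pkts decrypt: 4719, #pkts verify: 4719
      #pkts compressed: 0, #pkts decompressed: 0
"""

if __name__ == "__main__":
    for kind, local, remote, count in one_way(parse_ipsec_sa(SAMPLE_SA)):
        print(f"{kind}: {local} <-> {remote} ({count} pkts)")
```

Running it on the excerpt reports only the ICMP SA to 63.236.240.138 as `rx-only`; the 10.160.0.0/12 SA passes traffic both ways, which is why the rest of the tunnel keeps working while this one host does not.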

 

 

Apply this

"no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138"

 

What is the output of "show run all sysopt" - this would not be in your earlier output.

The VPN_TRAFFIC_ENCRYPTED ACL is used by the NDistricts2AMIS crypto map.  Won't applying this remove the interesting traffic?

no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138

I applied it anyway, cleared out the ipsec sa, and no joy, but no ipsec sa afterwards either.  I've put this ACE back.

 

show run all sysopt output:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp FIBER

In your configuration you had 2 ACEs; you don't need the first if you are permitting IP in the second.

access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138

Other than packet-tracer how are you generating traffic?

I removed that ACE and re-tested and I verified phase 2 did complete without it.  I don't know what I did last time but you're right, it isn't needed so I'm leaving it out.

 

I'm testing by generating icmp-echoes from 63.236.240.138.

Hi,

 

    How does your ASA route for 63.236.240.138?

 

Regards,

Cristian Matei.

This host only has a default route.

 

route FIBER 0.0.0.0 0.0.0.0 72.23.219.225 1

I'm expecting the crypto map to encrypt traffic as it egresses the FIBER interface but this isn't happening based on the encap counter from the ipsec sa output.

 

crypto map NDistricts2AMIS interface FIBER

crypto map NDistricts2AMIS 20 match address VPN_TRAFFIC_ENCRYPTED
crypto map NDistricts2AMIS 20 set pfs 
crypto map NDistricts2AMIS 20 set peer 209.166.156.66 
crypto map NDistricts2AMIS 20 set ikev1 transform-set MySecurityWithAES

access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0 
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41 
access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138 
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138 

But the ACL hit counter is increasing.

access-list VPN_TRAFFIC_ENCRYPTED line 3 extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138 (hitcnt=

So I'm pretty comfortable with believing the traffic is making it to the ASA and an echo-reply was generated and hits the VPN_TRAFFIC_ENCRYPTED ACL but based on the encap counters it isn't getting encrypted even though it's hitting the ACL.

bed082571
Frequent Visitor

Any additional thoughts?

Hi,

 

   Post your entire ASA configuration and specify what IP traffic (which source/destination) you want to work and is not working.

 

Regards,

Cristian Matei.

Thank you for responding, Cristian.  Attached should be the config file.  I'm trying to accomplish two things:

 

  1. Source icmp-echo from 63.236.240.138 to 192.168.23.254.
  2. Source ssh from 63.236.240.138 to 192.168.23.254.

I'm hoping accomplishing step 2 will be fairly obvious once I can understand why step 1 is failing.

Hi,

 

    You're trying to manage the ASA through a VPN tunnel, and not on the interface the VPN tunnel is terminated on, but on another one, the inside one; for this to work, you need to configure "management-access inside". Additionally, ensure the ACL used to define the encryption domain is in perfect sync between the ASA and Router. I've cleaned up the config:

 

ASA:

access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41
no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138

 

 

ROUTER:

access-list XXX  permit ip 10.160.0.0 255.240.0.0  192.168.23.0 255.255.255.0 
access-list XXX  permit ip host 216.189.226.41 host 192.168.23.1  
access-list XXX  permit ip host 63.236.240.138 192.168.23.0 255.255.255.0 

 

 

Regards,

Cristian Matei.
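The "perfect sync" requirement in the reply above is mechanical: each ASA ACE `(proto, local, remote)` must have a router ACE `(proto, remote, local)`, and vice versa, because the phase 2 proxy identities are negotiated from them. The checker below is an added example (not from the thread or from Cisco); it parses both lists as written on this page, applies the `no access-list` removal, and reports the ACEs whose mirror image is missing. Object-groups are not handled. One assumption is called out explicitly: the router lines posted above use subnet masks, while a real IOS extended ACL takes wildcard masks, so the parser takes a `wildcard` flag and the router side is parsed with `wildcard=False` to match the page; the wildcard-form line in the usage note is constructed.

```python
"""Verify that two crypto ACLs (ASA side and router side) are mirror images.

Added example, not from the thread. Phase 2 proxy identities must match exactly,
so every ASA ACE (proto, local, remote) needs a router ACE (proto, remote, local)
and vice versa. Object-groups are not handled. The router ACL on the page is
written with subnet masks; a real IOS extended ACL uses wildcard masks, so the
parser takes a flag instead of guessing.
"""
import ipaddress


def _endpoint(tokens, wildcard):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS wildcard mask: invert the bits to obtain the netmask
        inverted = int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.ip_address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line, wildcard=False):
    """Parse 'access-list NAME [extended] permit PROTO SRC DST' into (proto, src, dst).
    Returns None for deny entries, comments and anything that is not an ACE."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        return None
    t = t[2:]
    if t[0] == "extended":
        t = t[1:]
    if t[0] != "permit":
        return None
    proto = t[1]
    src, rest = _endpoint(t[2:], wildcard)
    dst, _ = _endpoint(rest, wildcard)
    return proto, src, dst


def parse_acl(text, wildcard=False):
    """Build the set of permit ACEs; a leading 'no ' removes a previously added ACE."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        remove = line.startswith("no ")
        ace = parse_ace(line[3:] if remove else line, wildcard)
        if ace is None:
            continue
        if remove:
            aces.discard(ace)
        else:
            aces.add(ace)
    return aces


def mirror_diff(local_aces, remote_aces):
    """Return (missing_on_remote, missing_on_local): ACEs whose mirror image is absent."""
    mirrored_remote = {(p, d, s) for (p, s, d) in remote_aces}
    return local_aces - mirrored_remote, mirrored_remote - local_aces


# Sample input: the cleaned ASA and router lists from the reply above.
ASA_CLEANED = """\
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41
no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138
"""

ROUTER = """\
access-list XXX  permit ip 10.160.0.0 255.240.0.0  192.168.23.0 255.255.255.0
access-list XXX  permit ip host 216.189.226.41 host 192.168.23.1
access-list XXX  permit ip host 63.236.240.138 192.168.23.0 255.255.255.0
"""

# Sample input: the ASA list as the original poster had it, with the extra icmp ACE.
ASA_ORIGINAL = """\
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41
access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138
"""

if __name__ == "__main__":
    router = parse_acl(ROUTER, wildcard=False)   # page writes the router masks as netmasks
    for label, asa_text in (("cleaned", ASA_CLEANED), ("original", ASA_ORIGINAL)):
        missing_remote, missing_local = mirror_diff(parse_acl(asa_text), router)
        print(label, "missing on router:", missing_remote, "missing on ASA:", missing_local)
```

With the cleaned lists both sets come back empty. With the original poster's four-line ACL the checker reports the `icmp 192.168.23.0/24 -> 63.236.240.138/32` entry as having no router counterpart, which is the ACE the replies ask to drop. For a router ACL in its native wildcard form (constructed example: `access-list 101 permit ip 10.160.0.0 0.15.255.255 192.168.23.0 0.0.0.255`) pass `wildcard=True` and the same networks are produced.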
