Can't seem to get ASA 5505 to react to any packets?

ryanlrussell (Level 1)

I have tried many troubleshooting steps I've seen in this forum, hoping someone has an idea.

I have a Cisco ASA 5505 running 8.2(5), with a Base license. I have a lab setup, and I'm basically trying to get it to pass packets from inside to outside. I don't need NAT, but I have it on at the moment as a test, since most of the example configs I see are using NAT. I have tried with and without ACLs, with and without NAT, have verified packets are hitting the interface, and have tried tracing. Let me throw some examples at you:

cisco-asa-5505# show run
: Saved
:
ASA Version 8.2(5)
!
terminal width 511
hostname cisco-asa-5505
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 description to Catalyst FastEthernet 0/18 (10.18.2.x/24 untagged)
 switchport access vlan 182
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description to Catalyst FastEthernet 0/34 (10.19.2.x/24 untagged)
 switchport access vlan 192
!
interface Vlan182
 description 10.18.2.x/24
 nameif inside
 security-level 100
 ip address 10.18.2.2 255.255.255.0
!
interface Vlan192
 description 10.19.2.x/24
 nameif outside
 security-level 0
 ip address 10.19.2.2 255.255.255.0
!
no ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging trap notifications
logging history critical
logging device-id hostname
logging host inside 10.16.0.100 6/1470
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.19.2.3
nat (inside) 1 10.17.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.19.2.1 1
route inside 10.8.0.0 255.255.0.0 10.18.2.1 1
route inside 10.10.0.0 255.255.0.0 10.18.2.1 1
route inside 10.11.0.0 255.255.0.0 10.18.2.1 1
route inside 10.16.0.0 255.254.0.0 10.18.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 30
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dad29feb197cd7defb2298e103a95426
: end

While I have this config loaded, I have a constant ping running in the background on a host that is addressed as 10.17.2.100, which is one hop down from 10.18.2.1, on the inside interface. I know the packets are arriving:

cisco-asa-5505# capture test interface inside match icmp any any
cisco-asa-5505# show capture test

25 packets captured

   1: 02:38:32.025618 802.1Q vlan#182 P0 10.17.2.100 > 10.19.2.1: icmp: echo request
   2: 02:38:32.737068 802.1Q vlan#182 P0 10.18.2.1 > 10.18.2.2: icmp: echo request
   3: 02:38:32.737281 802.1Q vlan#182 P0 10.18.2.2 > 10.18.2.1: icmp: echo reply
   4: 02:38:33.025496 802.1Q vlan#182 P0 10.17.2.100 > 10.19.2.1: icmp: echo request
   5: 02:38:33.749183 802.1Q vlan#182 P0 10.18.2.1 > 10.18.2.2: icmp: echo request
   6: 02:38:33.749427 802.1Q vlan#182 P0 10.18.2.2 > 10.18.2.1: icmp: echo reply
   7: 02:38:34.025389 802.1Q vlan#182 P0 10.17.2.100 > 10.19.2.1: icmp: echo request
   8: 02:38:34.758826 802.1Q vlan#182 P0 10.18.2.1 > 10.18.2.2: icmp: echo request
   9: 02:38:34.759070 802.1Q vlan#182 P0 10.18.2.2 > 10.18.2.1: icmp: echo reply
  10: 02:38:35.025526 802.1Q vlan#182 P0 10.17.2.100 > 10.19.2.1: icmp: echo request

And this mirrors the actual results on the wire:

cisco-asa-5505# packet-tracer input inside icmp 10.17.2.100 8 0 10.19.2.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.19.2.0       255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

NAT doesn't seem to be happening either:

cisco-asa-5505# show nat

NAT policies on Interface inside:
  match ip inside 10.17.2.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.17.2.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.17.2.0 255.255.255.0 outside any
    dynamic translation to pool 1 (10.19.2.3)
    translate_hits = 0, untranslate_hits = 0

And I have no ACLs:

cisco-asa-5505# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
cisco-asa-5505#

Would love more ideas to try! Thanks in advance.

Accepted Solution

Thanks for the resolution to your own post. :)

I've not done the TCP syslogging (with or without permit-hostdown), but there have been a few threads reporting this option as problematic.

See for example this one:

https://supportforums.cisco.com/discussion/11545266/cisco-asa-5585-x-ssp-20-842-tcp-syslog-problem

2 Replies

ryanlrussell (Level 1)

Wow. OK, I managed to figure this out myself.

Turns out that I had configured a TCP syslog server that wasn't reachable. And it seems that when the syslog server isn't reachable, the ASA just stops all connections. I just happened to stumble on the set of clues that let me determine this. I found a troubleshooting document here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71871-asa-pix-troubleshooting.html

That led me to turn on debug logging. Looking through the logs, I see this:

Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-3-414003: TCP Syslog Server inside:10.16.0.100/1470 not responding, New connections are denied based on logging permit-hostdown policy
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-7-609001: Built local-host inside:10.16.0.100
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302013: Built outbound TCP connection 124354 for inside:10.16.0.100/1470 (10.16.0.100/1470) to identity:10.18.2.2/61625 (10.18.2.2/61625)
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302021: Teardown ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0
Jan 01 2008 17:03:00 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:01 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:01 cisco-asa-5505 : %ASA-5-111008: User 'enable_15' executed the 'logging permit-hostdown' command.
Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0
Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-6-302021: Teardown ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0
Jan 01 2008 17:03:03 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:04 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:05 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:06 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.

(I'll fix the date on the ASA shortly.)

I googled the error, which sounds like it could be related, and found this:

https://supportforums.cisco.com/discussion/12268926/asa-5510-disallowing-new-connections

Yeah. If logging doesn't work, disallow all new connections.

Why do we even have that lever?

I'm a security guy; I understand that you might want to not allow connections if you can't log them. Might. But that really seems like a bad default.

And shouldn't it log that a lot more proactively? Maybe when I'm doing a trace, show that as the reason? Trace works fine now that I have disabled it, by the way.

And if you are paying particularly close attention to the log I posted, you'll see I used the "logging permit-hostdown" config option, which is supposed to fix this problem, but it did not. Not that I gave it much time before removing the logging host entirely.

I'm just going to assume this area already works much better in newer versions of the software.
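Added example (my own code, not from the thread, the poster, or Cisco): a short Python lint and detection script for the condition described in this thread. It takes the `logging` lines from the `show run` in the original post as a constructed sample and flags a TCP syslog host configured without `logging permit-hostdown`; it then scans syslog lines modelled on the debug output above for %ASA-3-414003 and %ASA-3-201008, the two messages that announce the fail-closed state. The two remediation configs (the same collector with `logging permit-hostdown`, and a UDP collector on 17/514) are hypothetical and not taken from the thread; the protocol-number form of `logging host` (6 = TCP, 17 = UDP) and the 1470/514 default ports are ASA conventions assumed here.

```python
"""Lint an ASA 8.2-style running config for the fail-closed TCP syslog
setting, and scan ASA syslog for the messages that announce that state."""
import re

# Constructed sample: the logging lines from the poster's 'show run'.
CONFIG_TCP_NO_HOSTDOWN = """\
logging enable
logging trap notifications
logging host inside 10.16.0.100 6/1470
"""

# Hypothetical remediation variants (not from the thread): the same TCP
# collector with 'logging permit-hostdown', and a UDP collector instead.
CONFIG_TCP_HOSTDOWN = CONFIG_TCP_NO_HOSTDOWN + "logging permit-hostdown\n"
CONFIG_UDP = """\
logging enable
logging trap notifications
logging host inside 10.16.0.100 17/514
"""

# 'logging host <iface> <ip> [tcp|udp|6|17[/port]]'. 'show run' on 8.x prints
# the protocol as its IP protocol number (6 = TCP, 17 = UDP). No protocol
# means UDP/514; TCP without an explicit port defaults to 1470 (assumed).
LOGGING_HOST_RE = re.compile(
    r"^logging host (?P<iface>\S+) (?P<ip>\S+)"
    r"(?: (?P<proto>tcp|udp|6|17)(?:/(?P<port>\d+))?)?",
    re.MULTILINE,
)
HOSTDOWN_RE = re.compile(r"^logging permit-hostdown\s*$", re.MULTILINE)


def tcp_syslog_hosts(config):
    """Return [(iface, ip, port)] for every TCP syslog collector in config."""
    hosts = []
    for m in LOGGING_HOST_RE.finditer(config):
        if (m.group("proto") or "17") in ("tcp", "6"):
            hosts.append((m.group("iface"), m.group("ip"),
                          int(m.group("port") or 1470)))
    return hosts


def lint_logging(config):
    """One finding per TCP collector when 'logging permit-hostdown' is absent."""
    if HOSTDOWN_RE.search(config):
        return []
    return [
        f"TCP syslog host {iface}:{ip}/{port} without 'logging permit-hostdown': "
        "new connections are denied whenever the collector is unreachable"
        for iface, ip, port in tcp_syslog_hosts(config)
    ]


# Message IDs the thread shows once the collector stopped answering.
FAIL_CLOSED_IDS = {
    "414003": "TCP syslog server not responding",
    "201008": "Disallowing new connections",
}
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
SERVER_RE = re.compile(r"Syslog Server (\S+) not responding")

# Constructed sample built from the debug log the poster pasted.
SAMPLE_LOG = """\
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-3-414003: TCP Syslog Server inside:10.16.0.100/1470 not responding, New connections are denied based on logging permit-hostdown policy
Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302013: Built outbound TCP connection 124354 for inside:10.16.0.100/1470 (10.16.0.100/1470) to identity:10.18.2.2/61625 (10.18.2.2/61625)
Jan 01 2008 17:03:00 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
Jan 01 2008 17:03:01 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.
"""


def detect_fail_closed(log_text):
    """Count the fail-closed indicators by message ID and collect the
    collector named in 414003, so an alert can say which host to check."""
    counts = {}
    servers = set()
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m or m.group("id") not in FAIL_CLOSED_IDS:
            continue
        counts[m.group("id")] = counts.get(m.group("id"), 0) + 1
        if m.group("id") == "414003":
            s = SERVER_RE.search(m.group("msg"))
            if s:
                servers.add(s.group(1))
    return counts, sorted(servers)


if __name__ == "__main__":
    for name, cfg in [("tcp, no permit-hostdown", CONFIG_TCP_NO_HOSTDOWN),
                      ("tcp + permit-hostdown", CONFIG_TCP_HOSTDOWN),
                      ("udp", CONFIG_UDP)]:
        print(f"{name}: {lint_logging(cfg) or 'ok'}")
    counts, servers = detect_fail_closed(SAMPLE_LOG)
    for msg_id, n in sorted(counts.items()):
        print(f"{msg_id} ({FAIL_CLOSED_IDS[msg_id]}): {n}x")
    print("collectors to check:", servers)
```

Run it as-is to see the three config verdicts and the counts from the sample log. The lint treats `logging permit-hostdown` as clearing the finding, which is what the command is documented to do; the poster reports it did not take effect before the host was removed entirely, so a clean lint is a reason to verify rather than proof. A single 414003 or 201008 in the buffered log is the definitive signal, and the collector named in 414003 is the first thing to check.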

