Cannot get packets from NAT'ed int to Internet!

gregdzurinda
Level 1

I have an ASA firewall (IOS 8.2) on which I am trying to configure an additional NAT'ed interface off the management port. Frowned upon, I know, but I have removed the management-only option, and I know this can and has worked in other environments.

interface management 0/0 ("VLAN60") is the interface through which I am trying to move traffic out the "outside" interface and to the Internet. It can ping the servers behind the "Admin" interface (those are support servers- DNS, etc.).

interface "inside" is working, and it is how employees access the Internet now.

I expected interface "VLAN60" to work the same way as "inside." Why is this not the case?! (Banging my head against the wall...)

When I ping an outside IP address, I see my IP (172.31.0.1) in the xlate table, AND I see this in the log:

%ASA-6-302020: Built outbound ICMP connection for faddr 66.161.x.x/0 gaddr x.x.246.200/26927 laddr 172.31.0.1/1

Config attached...

13 Replies

Jennifer Halim
Cisco Employee

Config looks perfect as advised.

You might want to add the following icmp inspection if you test with ping:

policy-map global_policy
 class inspection_default
  inspect icmp

Are you able to test with any other application? Maybe telnet, http, or ftp from the VLAN60 interface outbound to the Internet?

I should add that that will be a start. However, why is it that 10.0.0.0 on interface "inside" is able to ping and get replies from outside? I thought there must be something I am missing/stepping on in the NAT config or that the access-lists aren't applied properly. I had suspected that ICMP was getting out but the reply packets were not returning. Are you sure everything looks good with NAT? Seems pretty straightforward to me- I just tried to mimic how translation was being done for the 10.0.0.0 network with the necessary adjustments, of course.

From the log output, it looks to be correctly NATed to "gaddr x.x.246.200", so NAT is correct.

You do have NAT exemption configured for VLAN60, and NAT exemption takes precedence over the dynamic NAT, but I don't see that the access-list matches the traffic that you are trying to send to the Internet. Please double check, as the full subnet was not provided so I can't check.

nat (VLAN60) 0 access-list nonat-management
access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 x.x.227.0 255.255.255.0
access-list nonat-management extended permit ip x.x.246.0 255.255.254.0 any

And one thing I don't understand (I am an integrator stepping into this, so most of these configs were already in the fw when I stepped in) is these statements:

nat-control
global (outside) 1 x.x.246.200
nat (admin) 2 x.x.227.0 255.255.255.0
nat (admin) 3 x.x.246.0 255.255.254.0
nat (admin) 1 10.0.0.0 255.0.0.0
nat (VLAN60) 0 access-list nonat-management
nat (VLAN60) 1 172.31.0.0 255.255.0.0
nat (inside) 0 access-list nonat-employee
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Admin2) 0 access-list nonat-employee
nat (Admin2) 1 0.0.0.0 0.0.0.0

why is the NAT source in the above statements interface "admin"? Only the .227 is configured on the "Admin" interface. The 10.0.0.0 is assigned to "inside", and the .246 net is assigned to the "admin2" interface. I suspect the (admin) translations for the 246 and 227 subnets aren't even getting hits since the NAT ID doesn't match the global. But they are not RFC 1918 addresses, so they get through the outside interface.

Yes, that seems to be a misconfiguration, and even .227, which has been correctly identified on the "Admin" interface, will not work because the NAT identifier is "2" and there is no matching global identifier "2". So none of the NAT on the "admin" interface will work at this stage.

The following is clearly incorrect as you mention:

nat (admin) 3 x.x.246.0 255.255.254.0

nat (admin) 1 10.0.0.0 255.0.0.0

And the following:

nat (admin) 2 x.x.227.0 255.255.255.0

needs to be changed to:

nat (admin) 1 x.x.227.0 255.255.255.0
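As an added illustration (not from either participant), here is a small Python model of the pre-8.3 ASA NAT lookup order: it parses the nat/global/access-list lines quoted above and shows why `nat (admin) 2` finds no `global (outside) 2` while `nat (VLAN60) 1` does, and why the VLAN60 host picks up the global address seen in the 302020 message. The public prefixes the poster redacted as x.x. are replaced with documentation-range placeholders, and the static NAT lines of the full config are not modelled.

```python
"""Model of the pre-8.3 ASA NAT lookup order for the nat/global lines in this thread.
Added example, not from the thread. Order modelled: NAT exemption (nat 0 access-list)
first, then regular dynamic NAT, whose ID must match a global on the egress interface."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

# Constructed stand-in for the block quoted in the thread. The poster redacted
# public prefixes as x.x.; here 192.0.2.0/24 stands for x.x.227.0/24,
# 198.51.100.0/23 for x.x.246.0/23 and 198.51.100.200 for the global x.x.246.200.
POSTED_NAT = """
nat-control
global (outside) 1 198.51.100.200
nat (admin) 2 192.0.2.0 255.255.255.0
nat (admin) 3 198.51.100.0 255.255.254.0
nat (admin) 1 10.0.0.0 255.0.0.0
nat (VLAN60) 0 access-list nonat-management
nat (VLAN60) 1 172.31.0.0 255.255.0.0
nat (inside) 0 access-list nonat-employee
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Admin2) 0 access-list nonat-employee
nat (Admin2) 1 0.0.0.0 0.0.0.0
access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list nonat-management extended permit ip 198.51.100.0 255.255.254.0 any
access-list nonat-employee extended permit ip 10.0.0.0 255.0.0.0 192.0.2.0 255.255.255.0
access-list nonat-employee extended permit ip 198.51.100.0 255.255.254.0 any
"""

@dataclass
class Config:
    acls: dict = field(default_factory=dict)      # acl name -> [(src_net, dst_net)]
    nats: list = field(default_factory=list)      # (ifc, nat_id, net or None, acl or None)
    globals_: dict = field(default_factory=dict)  # (ifc, nat_id) -> pool string
    nat_control: bool = False

def _take_net(tokens: list) -> Net:
    """Consume 'any' or 'address mask' from the front of a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    return Net(f"{tok}/{tokens.pop(0)}", strict=False)

def parse(text: str) -> Config:
    """Parse nat-control, nat, global and 'permit ip' access-list lines; ignore the rest."""
    cfg = Config()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nat-control":
            cfg.nat_control = True
        elif t[0] == "global":
            cfg.globals_[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "nat":
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                cfg.nats.append((ifc, nat_id, None, t[4]))
            else:
                cfg.nats.append((ifc, nat_id, Net(f"{t[3]}/{t[4]}", strict=False), None))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            cfg.acls.setdefault(t[1], []).append((_take_net(rest), _take_net(rest)))
    return cfg

def translate(cfg: Config, src_ifc: str, dst_ifc: str, src_ip: str, dst_ip: str):
    """Return (outcome, mapped address or pool) for a flow entering src_ifc, leaving dst_ifc."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # 1. NAT exemption on the ingress interface is consulted first and wins outright.
    for ifc, nat_id, _, acl in cfg.nats:
        if ifc == src_ifc and nat_id == 0 and acl:
            if any(s in a and d in b for a, b in cfg.acls.get(acl, [])):
                return "exempt", str(s)
    # 2. Regular dynamic NAT: the most specific nat statement on the ingress interface
    #    is chosen, and its ID must match a global on the egress interface.
    matches = [(net.prefixlen, nat_id) for ifc, nat_id, net, _ in cfg.nats
               if ifc == src_ifc and nat_id != 0 and net is not None and s in net]
    if matches:
        _, nat_id = max(matches)
        pool = cfg.globals_.get((dst_ifc, nat_id))
        if pool:
            return "dynamic", pool
        return "no-translation-group", None   # nat ID has no global on the egress side
    if cfg.nat_control:
        return "drop-nat-control", None       # nat-control requires a translation
    return "untranslated", str(s)

if __name__ == "__main__":
    cfg = parse(POSTED_NAT)
    print(translate(cfg, "VLAN60", "outside", "172.31.0.1", "66.161.1.1"))  # dynamic via pool
    print(translate(cfg, "admin", "outside", "192.0.2.5", "66.161.1.1"))    # no global 2
```

Re-running the last lookup on `POSTED_NAT` with `nat (admin) 2` changed to `nat (admin) 1` yields the dynamic translation, which is the fix described above.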

I did forget to mention that the 227 and 246.0/23 are routable IPs. That's why I was thinking those configs aren't doing anything. I can probably cut these 3 statements out:

nat (admin) 2 x.x.227.0 255.255.255.0

nat (admin) 3 x.x.246.0 255.255.254.0

nat (admin) 1 10.0.0.0 255.0.0.0 #### redundant, since another entry matches the global NAT ID a few lines down.

Still, those don't have any bearing on why 172.31. has no access to the Internet.

I need to add ICMP inspect for sure.

I may need to step through the access-lists and add a permit ip any any to the interface "VLAN60" - but which direction? Out? And, being that the security level of this "VLAN60" interface is 100, I should be able to RDP with no issues, correct? x.x.227.0 servers can RDP to outside servers with no problem.

I definitely double-checked that one Jennifer. Thanks for your replies by the way. The exemption definitely does not include the scope or traffic I do want NAT'ed.

Great, thanks for the update.

Is ping working now from VLAN60?

Try to ping the outside interface next hop and see if that replies.

Otherwise, run a packet capture on the outside interface and see if the ASA is getting a reply.

Sadly, I have to wait until tomorrow morning to add ICMP to the inspect policy.

gregdzurinda
Level 1

Update: I returned to work the next day and added ICMP to the inspect policy. No ICMP packets returned. I did find something interesting- in a test to a server my buddy hosts, I attempted several RDP connections and asked him to check his logs. HE SAW THE CONNECTION REQUESTS HIT HIS SERVER! Also, after learning about packet-tracer, I saw that ICMP creates a flow, gets past the ACLs and picks up the global address, so ICMP IS GETTING OUT. I made a lame attempt at packet capture. I could see the return packets arrive at the outside interface but no egress match- weird. For that, I believe I had just set up the capture incorrectly. But it's odd that the packets were hitting the outside interface on the return.

Before I left for the day, I had stripped the IP setup for the management interface, as it was only syncing at half duplex and 100 Mb/s. I returned to the original sub-interface setup I had. AND, I tested that I was seeing the same condition with this setup- packets outbound good but no return packets to my host. How can I see where exactly the packet is dropped in the firewall, or if it's getting that far (maybe the router in front of the ASA is blocking it)? New config attached...

===================================================================================

svc-ASA# sho config

: Saved

: Written by enable_15 at 13:29:35.636 EDT Thu Sep 1 2011

!

ASA Version 8.2(1)

!

hostname svc-ASA

domain-name dns.domain.com

enable password yB8aikWYtWXF7HR/ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 69.147.114.210 www.yahoo.com

dns-guard

!

interface GigabitEthernet0/0

description Ethernet to 3825 router (internet gateway)

speed 1000

duplex full

nameif outside

security-level 0

ip address x.x.244.50 255.255.255.248

!

interface GigabitEthernet0/1

description ADMIN servers

speed 1000

duplex full

nameif admin

security-level 96

ip address x.x.227.1 255.255.255.0

!

interface GigabitEthernet0/1.60

vlan 60

nameif VLAN60

security-level 100

ip address 172.31.1.10 255.255.0.0

!

interface GigabitEthernet0/2

description Employee access

speed 1000

duplex full

nameif inside

security-level 75

ip address 10.0.0.10 255.0.0.0

!

interface GigabitEthernet0/3

description Routable IP pool

speed 1000

duplex full

nameif Admin2

security-level 98

ip address x.x.246.1 255.255.254.0

!

interface Management0/0

speed 100

duplex half

no nameif

security-level 100

no ip address

management-only

!

boot system disk0:/asa821-k8.bin

boot system disk0:/asdm-623.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name dns.domain.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object udp

protocol-object tcp

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object udp

protocol-object tcp

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object tcp

access-list employee_inbound extended permit ip any host x.x.227.9

access-list employee_inbound extended permit ip any host x.x.227.10

access-list employee_inbound extended permit ip any host x.x.227.221

access-list employee_inbound extended permit ip any host x.x.227.108

access-list employee_inbound extended permit tcp any any eq www

access-list employee_inbound extended permit ip any any

access-list employee_inbound extended permit ip any host x.x.227.29

access-list employee_inbound extended permit ip any host x.x.227.215

access-list employee_inbound extended permit ip any host x.x.227.223

access-list employee_inbound extended permit ip any host x.x.227.224

access-list employee_inbound extended permit ip any host x.x.227.8

access-list employee_inbound extended permit ip any host x.x.246.112

access-list employee_inbound extended permit tcp any any eq 3389

access-list employee_inbound remark New Wireless Admin permit to Wired Admin

access-list employee_inbound extended permit object-group DM_INLINE_PROTOCOL_2 Admin_172_Network 255.255.0.0 x.x.227.0 255.255.255.0

access-list employee_inbound extended permit tcp any any eq ldaps

access-list employee_inbound extended permit tcp any any eq smtp

access-list employee_inbound extended permit ip any host x.x.246.214

access-list employee_inbound extended permit ip any host x.x.227.13

access-list employee_inbound extended permit ip any host x.x.227.90

access-list employee_inbound extended permit ip any host x.x.227.7

access-list employee_inbound extended permit ip any host x.x.227.101

access-list employee_inbound extended permit tcp any any eq ssh

access-list employee_inbound extended permit ip any host x.x.244.49

access-list employee_inbound extended permit ip any host x.x.227.22

access-list employee_inbound extended permit ip any host x.x.244.51

access-list employee_inbound extended permit ip any host x.x.227.140

access-list employee_inbound extended permit tcp any any eq pop3

access-list employee_inbound extended permit ip any host x.x.227.37

access-list employee_inbound extended permit tcp any any eq 123

access-list employee_inbound extended permit tcp any any eq 3689

access-list employee_inbound extended permit udp any any eq 5353

access-list employee_inbound extended permit ip any host x.x.227.178

access-list employee_inbound extended permit ip any host x.x.246.44

access-list employee_inbound extended permit ip any host x.x.227.174

access-list employee_inbound extended permit ip any host x.x.246.33

access-list employee_inbound extended permit ip any host x.x.246.111

access-list employee_inbound extended permit tcp any any eq domain

access-list employee_inbound extended permit udp any any eq domain

access-list employee_inbound extended permit udp any any eq ntp

access-list employee_inbound extended permit tcp any any eq sip

access-list employee_inbound extended permit udp any any eq sip

access-list employee_inbound extended permit tcp any any eq 465

access-list employee_inbound extended permit ip any host x.x.227.49

access-list employee_inbound extended permit ip any host x.x.246.63

access-list employee_inbound extended permit ip any host x.x.246.110

access-list employee_inbound extended permit ip any host x.x.227.121

access-list employee_inbound extended permit tcp any any eq netbios-ssn

access-list employee_inbound extended permit tcp any any eq 445

access-list employee_inbound extended permit ip any host x.x.227.154

access-list employee_inbound extended permit ip any host 10.0.2.3

access-list employee_inbound extended permit ip any host x.x.227.41

access-list employee_inbound extended permit tcp any any eq pptp

access-list employee_inbound extended permit ip any host x.x.246.59

access-list employee_inbound extended deny ip any host 200.23.34.33

access-list employee_inbound extended permit ip any host x.x.227.217

access-list employee_inbound extended permit ip any host x.x.227.56

access-list employee_inbound extended permit ip any host x.x.227.156

access-list employee_inbound extended permit ip any host x.x.246.66

access-list employee_inbound extended permit ip any host x.x.227.30

access-list outside_inbound extended permit udp any host x.x.227.10 eq domain

access-list outside_inbound extended permit tcp any host x.x.227.221 eq www

access-list outside_inbound extended permit ip any host x.x.227.18

access-list outside_inbound extended permit icmp any any

access-list outside_inbound extended permit ip any host x.x.227.17

access-list outside_inbound extended permit ip any host x.x.227.220

access-list outside_inbound extended permit ip any host x.x.227.222

access-list outside_inbound extended permit ip any host x.x.227.223

access-list outside_inbound extended permit ip any host x.x.227.225

access-list outside_inbound extended permit ip any host x.x.227.253

access-list outside_inbound extended permit ip any host x.x.227.45

access-list outside_inbound extended permit ip any host x.x.227.46

access-list outside_inbound extended permit ip any host x.x.227.47

access-list outside_inbound extended permit ip any host x.x.227.48

access-list outside_inbound extended permit ip any host x.x.227.49

access-list outside_inbound extended permit ip any host x.x.227.50

access-list outside_inbound extended permit ip any host x.x.227.51

access-list outside_inbound extended permit ip any host x.x.227.52

access-list outside_inbound extended permit ip any host x.x.227.53

access-list outside_inbound extended permit ip any host x.x.227.54

access-list outside_inbound extended permit ip any host x.x.227.55

access-list outside_inbound extended permit ip any host x.x.227.56

access-list outside_inbound extended permit ip any host x.x.227.57

access-list outside_inbound extended permit ip any host x.x.227.58

access-list outside_inbound extended permit ip any host x.x.227.59

access-list outside_inbound extended permit ip any host x.x.227.60

access-list outside_inbound extended permit ip any host x.x.227.61

access-list outside_inbound extended permit ip any host x.x.227.62

access-list outside_inbound extended permit ip any host x.x.227.63

access-list outside_inbound extended permit ip any host x.x.227.64

access-list outside_inbound extended permit ip any host x.x.227.65

access-list outside_inbound extended permit ip any host x.x.227.202

access-list outside_inbound extended permit ip any host x.x.227.108

access-list outside_inbound extended permit tcp any any eq ftp

access-list outside_inbound extended permit ip any host x.x.227.5

access-list outside_inbound extended permit tcp any any eq ftp-data

access-list outside_inbound extended permit ip any host x.x.227.130

access-list outside_inbound extended permit udp any any eq 3389

access-list outside_inbound extended permit tcp any any eq 3128

access-list outside_inbound extended permit udp any any eq 3128

access-list outside_inbound extended permit ip any host x.x.227.8

access-list outside_inbound extended permit ip any host x.x.227.169

access-list outside_inbound extended permit tcp any any eq domain

access-list outside_inbound extended permit ip any host x.x.246.20

access-list outside_inbound extended permit ip any host x.x.227.215

access-list outside_inbound extended permit tcp any any eq https

access-list outside_inbound extended permit ip any host x.x.227.29

access-list outside_inbound extended permit tcp any any eq 5900

access-list outside_inbound extended permit tcp any any eq 5800

access-list outside_inbound extended permit tcp any any eq pcanywhere-data

access-list outside_inbound extended permit ip any host x.x.227.195

access-list outside_inbound extended permit tcp any any eq 2048

access-list outside_inbound extended permit ip any host x.x.246.112

access-list outside_inbound extended permit tcp any any eq 1688

access-list outside_inbound extended permit tcp any any eq pptp

access-list outside_inbound extended permit ip any host x.x.227.110

access-list outside_inbound extended permit ip any host x.x.227.167

access-list outside_inbound extended permit ip any host x.x.227.193

access-list outside_inbound extended permit ip any host x.x.227.188

access-list outside_inbound extended permit ip any host x.x.227.83

access-list outside_inbound extended permit ip any host x.x.227.89

access-list outside_inbound extended permit ip any host x.x.227.95

access-list outside_inbound extended permit ip any host x.x.227.153

access-list outside_inbound extended permit ip any host x.x.227.200

access-list outside_inbound extended deny tcp any any eq 7171

access-list outside_inbound extended permit ip any host x.x.227.138

access-list outside_inbound extended deny ip host 195.225.204.227 any

access-list outside_inbound extended deny ip host 195.225.205.97 any

access-list outside_inbound extended deny ip host 195.13.58.57 any

access-list outside_inbound extended deny ip host 193.13.58.57 any

access-list outside_inbound extended deny ip host 93.182.130.12 any

access-list outside_inbound extended permit tcp any any eq 135

access-list outside_inbound extended permit tcp any any eq ldaps

access-list outside_inbound extended permit ip any host x.x.227.98

access-list outside_inbound extended permit tcp any any eq smtp

access-list outside_inbound extended permit tcp any any eq ldap

access-list outside_inbound extended permit ip any host x.x.246.214

access-list outside_inbound extended permit ip any host x.x.227.13

access-list outside_inbound extended permit ip any host x.x.227.197

access-list outside_inbound extended permit ip any host x.x.227.90

access-list outside_inbound extended permit tcp any any eq 9101

access-list outside_inbound extended permit ip any host x.x.244.49

access-list outside_inbound extended permit tcp any any eq ssh

access-list outside_inbound extended permit ip any host x.x.227.22

access-list outside_inbound extended permit ip any host x.x.244.51

access-list outside_inbound extended permit ip any host x.x.227.140

access-list outside_inbound extended permit tcp any any eq pop3

access-list outside_inbound extended permit ip any host x.x.227.221

access-list outside_inbound extended permit ip any host x.x.227.37

access-list outside_inbound extended permit tcp any any eq 123

access-list outside_inbound extended permit tcp any any eq 3689

access-list outside_inbound extended permit udp any any eq 5353

access-list outside_inbound extended permit ip any host x.x.227.178

access-list outside_inbound extended permit ip any host x.x.246.44

access-list outside_inbound extended permit ip any host x.x.227.174

access-list outside_inbound extended permit ip any host x.x.246.33

access-list outside_inbound extended permit object-group DM_INLINE_PROTOCOL_3 any host x.x.246.111

access-list outside_inbound extended permit udp any any eq domain

access-list outside_inbound extended permit udp any any eq ntp

access-list outside_inbound extended permit tcp any any eq sip

access-list outside_inbound extended permit udp any any eq sip

access-list outside_inbound extended permit tcp any any eq 465

access-list outside_inbound extended permit ip any host x.x.246.63

access-list outside_inbound extended permit ip any host x.x.246.110

access-list outside_inbound extended permit ip any host x.x.227.121

access-list outside_inbound extended permit tcp any any eq netbios-ssn

access-list outside_inbound extended permit tcp any any eq 445

access-list outside_inbound extended permit ip any host x.x.226.154

access-list outside_inbound extended permit ip any host 10.0.2.3

access-list outside_inbound extended permit ip any host x.x.227.41

access-list outside_inbound extended permit ip any host x.x.246.59

access-list outside_inbound extended deny ip any host 200.23.34.33

access-list outside_inbound extended permit ip any host x.x.227.217

access-list outside_inbound extended permit ip any host x.x.227.156

access-list outside_inbound extended permit ip any host x.x.246.66

access-list outside_inbound extended permit ip any host x.x.227.30

access-list cap extended permit ip x.x.0.0 255.255.0.0 host x.x.227.18

access-list cap extended permit ip host x.x.227.18 x.x.0.0 255.255.0.0

access-list nonat-employee extended permit ip 10.0.0.0 255.0.0.0 x.x.227.0 255.255.255.0

access-list nonat-employee extended permit ip x.x.246.0 255.255.254.0 any

access-list check-ftp extended permit tcp any any eq ftp

access-list check-ftp extended permit ip any any

access-list check-ftp remark Permit from Wired Admin to Wireless Admin

access-list check-ftp extended permit object-group DM_INLINE_PROTOCOL_1 x.x.227.0 255.255.255.0 Admin_172_Network 255.255.0.0

access-list employee-inbound extended permit tcp any any eq 135

access-list nonat-management extended permit ip 172.31.0.0 255.255.0.0 x.x.227.0 255.255.255.0

access-list nonat-management extended permit ip x.x.246.0 255.255.254.0 any

access-list VLAN60_access extended permit ip any any

access-list testcap extended permit ip host host x.x.246.200

access-list testcap_ingress extended permit ip any host

pager lines 24

logging enable...

nat-control

global (outside) 1 x.x.246.200

nat (admin) 2 x.x.227.0 255.255.255.0

nat (admin) 3 x.x.246.0 255.255.254.0

nat (admin) 1 10.0.0.0 255.0.0.0

nat (inside) 0 access-list nonat-employee

nat (inside) 1 0.0.0.0 0.0.0.0

nat (Admin2) 0 access-list nonat-employee

nat (Admin2) 1 0.0.0.0 0.0.0.0

nat (VLAN60) 0 access-list nonat-management

nat (VLAN60) 1 172.31.0.0 255.255.0.0

static (admin,outside) x.x.227.0 x.x.227.0 netmask 255.255.255.0

static (admin,inside) x.x.227.10 x.x.227.10 netmask 255.255.255.255

static (admin,inside) x.x.227.9 x.x.227.9 netmask 255.255.255.255

static (admin,inside) x.x.227.221 x.x.227.221 netmask 255.255.255.255

static (admin,inside) x.x.227.17 x.x.227.17 netmask 255.255.255.255

static (admin,inside) x.x.227.55 x.x.227.55 netmask 255.255.255.255

static (admin,inside) x.x.227.11 x.x.227.11 netmask 255.255.255.255

static (admin,inside) x.x.227.134 x.x.227.134 netmask 255.255.255.255

static (admin,inside) x.x.227.160 x.x.227.160 netmask 255.255.255.255

static (admin,inside) x.x.227.169 x.x.227.169 netmask 255.255.255.255

static (admin,inside) x.x.227.148 x.x.227.148 netmask 255.255.255.255

static (admin,inside) x.x.227.40 x.x.227.40 netmask 255.255.255.255

static (admin,inside) x.x.227.91 x.x.227.91 netmask 255.255.255.255

static (admin,inside) x.x.227.19 x.x.227.19 netmask 255.255.255.255

static (admin,inside) x.x.227.220 x.x.227.220 netmask 255.255.255.255

static (admin,inside) x.x.227.222 x.x.227.222 netmask 255.255.255.255

static (admin,inside) x.x.227.223 x.x.227.223 netmask 255.255.255.255

static (admin,inside) x.x.227.225 x.x.227.225 netmask 255.255.255.255

static (admin,inside) x.x.227.253 x.x.227.253 netmask 255.255.255.255

static (admin,inside) x.x.227.45 x.x.227.45 netmask 255.255.255.255

static (admin,inside) x.x.227.46 x.x.227.46 netmask 255.255.255.255

static (admin,inside) x.x.227.47 x.x.227.47 netmask 255.255.255.255

static (admin,inside) x.x.227.48 x.x.227.48 netmask 255.255.255.255

static (admin,inside) x.x.227.49 x.x.227.49 netmask 255.255.255.255

static (admin,inside) x.x.227.50 x.x.227.50 netmask 255.255.255.255

static (admin,inside) x.x.227.51 x.x.227.51 netmask 255.255.255.255

static (admin,inside) x.x.227.52 x.x.227.52 netmask 255.255.255.255

static (admin,inside) x.x.227.53 x.x.227.53 netmask 255.255.255.255

static (admin,inside) x.x.227.54 x.x.227.54 netmask 255.255.255.255

static (admin,inside) x.x.227.56 x.x.227.56 netmask 255.255.255.255

static (admin,inside) x.x.227.57 x.x.227.57 netmask 255.255.255.255

static (admin,inside) x.x.227.58 x.x.227.58 netmask 255.255.255.255

static (admin,inside) x.x.227.59 x.x.227.59 netmask 255.255.255.255

static (admin,inside) x.x.227.60 x.x.227.60 netmask 255.255.255.255

static (admin,inside) x.x.227.61 x.x.227.61 netmask 255.255.255.255

static (admin,inside) x.x.227.62 x.x.227.62 netmask 255.255.255.255

static (admin,inside) x.x.227.63 x.x.227.63 netmask 255.255.255.255

static (admin,inside) x.x.227.64 x.x.227.64 netmask 255.255.255.255

static (admin,inside) x.x.227.65 x.x.227.65 netmask 255.255.255.255

static (admin,inside) x.x.227.12 x.x.227.12 netmask 255.255.255.255

static (admin,inside) x.x.227.13 x.x.227.13 netmask 255.255.255.255

static (admin,inside) x.x.227.8 x.x.227.8 netmask 255.255.255.255

static (admin,inside) x.x.227.130 x.x.227.130 netmask 255.255.255.255

static (admin,inside) x.x.227.29 x.x.227.29 netmask 255.255.255.255

static (admin,inside) x.x.227.215 x.x.227.215 netmask 255.255.255.255

static (admin,inside) x.x.227.224 x.x.227.224 netmask 255.255.255.255

static (admin,inside) x.x.246.112 x.x.246.112 netmask 255.255.255.255

static (admin,inside) x.x.227.195 x.x.227.195 netmask 255.255.255.255

static (admin,inside) x.x.227.153 x.x.227.153 netmask 255.255.255.255

static (admin,inside) x.x.227.214 x.x.227.214 netmask 255.255.255.255

static (admin,inside) x.x.227.7 x.x.227.7 netmask 255.255.255.255

static (admin,inside) x.x.227.179 x.x.227.179 netmask 255.255.255.255

static (admin,inside) 10.0.2.2 10.0.2.2 netmask 255.255.255.255

static (admin,inside) x.x.227.98 x.x.227.98 netmask 255.255.255.255

static (admin,inside) x.x.227.140 x.x.227.140 netmask 255.255.255.255

static (admin,inside) x.x.246.214 x.x.246.214 netmask 255.255.255.255

static (admin,inside) x.x.227.90 x.x.227.90 netmask 255.255.255.255

static (admin,inside) x.x.227.101 x.x.227.101 netmask 255.255.255.255

static (admin,inside) x.x.244.49 x.x.244.49 netmask 255.255.255.255

static (admin,inside) x.x.227.22 x.x.227.22 netmask 255.255.255.255

static (admin,inside) x.x.244.51 x.x.244.51 netmask 255.255.255.255

static (admin,inside) x.x.227.37 x.x.227.37 netmask 255.255.255.255

static (admin,inside) x.x.227.178 x.x.227.178 netmask 255.255.255.255

static (admin,inside) x.x.224.111 x.x.226.111 netmask 255.255.255.255

static (admin,inside) x.x.246.44 x.x.246.44 netmask 255.255.255.255

static (admin,inside) x.x.227.174 x.x.227.174 netmask 255.255.255.255

static (admin,inside) x.x.246.33 x.x.246.33 netmask 255.255.255.255

static (admin,inside) x.x.246.111 x.x.246.111 netmask 255.255.255.255

static (admin,inside) x.x.227.121 x.x.227.121 netmask 255.255.255.255

static (admin,inside) x.x.227.154 x.x.227.154 netmask 255.255.255.255

static (admin,inside) x.x.227.41 x.x.227.41 netmask 255.255.255.255

static (admin,inside) x.x.246.59 x.x.246.59 netmask 255.255.255.255

static (admin,inside) x.x.227.217 x.x.227.217 netmask 255.255.255.255

static (admin,inside) x.x.227.156 x.x.227.156 netmask 255.255.255.255

static (admin,inside) x.x.246.66 x.x.246.66 netmask 255.255.255.255

static (admin,inside) x.x.227.30 x.x.227.30 netmask 255.255.255.255

access-group outside_inbound in interface outside

access-group check-ftp in interface admin

access-group employee_inbound in interface inside

access-group VLAN60_access in interface VLAN60

route outside 0.0.0.0 0.0.0.0 x.x.244.51 1

bunch of stuff about telnet, http, blah blah...

console timeout 0

management-access outside

!

class-map inspection_default

match default-inspection-traffic

class-map csc

match access-list csc

!

!

policy-map global_policy

class inspection_default

  inspect dns

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect http

  inspect ils

class csc

  csc fail-open

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7072c6d2d3de5da86a940965d975df79

What is the ASA g0/1 connected to? I assume it is a trunk port and vlan 60 is allowed through the trunk port? Also what is the native vlan configured on the switch for that trunk port?

It is also not recommended to mix physical and subinterface settings on one interface as configured.

I would suggest that you move the current physical interface settings on g0/1, to a subinterface and leave the physical interface settings unconfigured.

Also, your last config doesn't seem to have "inspect icmp" enabled.

Sorry about that- somehow I missed that line in the "scrubbing." It is in the configs though- I verified it. It is most certainly a trunk port to which the firewall is connected (Cisco 4507), but I don't recall if the native VLAN is 60.

I know about that physical and sub-interface best practice. I have been told though, that this can be done. Also, you may remember, I was working at getting the mgmt interface up for this, and never could make it happen. Seems to be a common theme- something I am missing in the configs to allow the return packets on any int I try to get up!

Can you please share the output of the packet-tracer that you performed? That would give an indication of whether the ASA is dropping anything.
