5750 Views | 0 Helpful | 8 Replies

Cisco ASA 5500 routing issue

bluemookie
Level 1

Hello,

I am fairly new to the networking world, and I set up a web server that connects from the internal network to the outside world. This functionality works, but something surprising appears to happen. I am unable to ping the server from the computers on the same network. Also, I am unable to go to the website on the outside from the internal network. I am using the Cisco ASDM 6.2 interface to make the changes. If there is any advice you may be able to provide, I would greatly appreciate it. I suspect it's a NAT rule, but I could be wrong. Below I have a copy/paste of the running config.

Clarifying: on networks other than ours we can reach facilehr.com, but trying to access it via the web URL or the internal IP, we are unable to access it.

Domain: http://facilehr.com

Internal IP: 192.168.1.186, port forward to 81

internal network 192.168.1.0/24

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(2)

!

names

name 192.168.1.25 ACCMX-INT

name 192.168.1.44 ACCSUN-INT

name 192.168.1.28 ACCIRON-INT

name 69.130.7.116 ACCIRON-EXT

name 69.130.7.115 ACCMX-EXT

name 69.130.7.117 ACCSUN-EXT

name 69.130.7.118 FacileHR-EXT

name 69.130.7.120 NRIYP-EXT

name 69.130.7.126 ADDON-EXT

name 192.168.1.26 ADDON-INT

name 192.168.1.21 Kyle

name 192.168.1.30 NRIYP-INT

name 192.168.1.186 FacileHR-INT

!

interface Vlan1

description LAN [INSIDE INTERFACE]

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

description T1 LINE [EXTERNAL INTERFACE]

nameif outside

security-level 0

ip address 69.130.7.114 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name aim-cc.com

object-group service aptela udp

description for Aptela Phones

port-object range 10000 20000

port-object range sip 5061

object-group service RDP tcp-udp

port-object range 3389 3389

object-group network BLACKLIST

network-object host 190.18.107.140

network-object host 121.244.106.2

network-object host 187.11.194.28

network-object host 188.2.237.199

network-object host 190.48.38.184

network-object host 201.47.229.72

network-object host 207.155.250.20

network-object host 209.85.160.56

network-object host 209.85.222.199

network-object host 63.246.10.50

network-object host 66.77.56.84

network-object host 83.168.1.28

network-object host 124.121.68.190

network-object host 174.35.12.35

network-object host 174.37.81.160

network-object host 188.192.97.110

network-object host 188.38.164.31

network-object host 208.75.123.162

network-object host 41.131.81.19

network-object host 65.168.1.28

network-object host 74.125.83.174

network-object host 74.125.83.184

network-object host 74.208.4.191

network-object host 82.230.100.32

network-object host 89.173.0.9

network-object host 89.228.129.126

network-object host 93.86.217.140

network-object host 123.21.107.67

network-object host 178.92.126.228

network-object host 189.10.192.107

network-object host 189.55.158.40

network-object host 189.70.186.225

network-object host 201.11.0.98

network-object host 207.250.58.8

network-object host 208.75.123.163

network-object host 208.75.123.226

network-object host 209.85.211.156

network-object host 209.85.221.146

network-object host 209.85.222.159

network-object host 211.170.114.154

network-object host 24.38.18.233

network-object host 64.49.82.68

network-object host 64.50.170.80

network-object host 65.217.159.98

network-object host 68.200.154.75

network-object host 74.208.4.195

network-object host 75.146.94.187

network-object host 80.14.122.109

network-object host 92.84.207.252

network-object host 93.153.0.155

network-object host 93.73.179.61

network-object host 96.252.6.79

network-object host 99.174.113.44

network-object host 117.6.64.137

network-object host 178.93.144.158

network-object host 190.245.171.12

network-object host 195.174.128.15

network-object host 199.238.178.138

network-object host 208.75.123.228

network-object host 209.85.217.193

network-object host 24.103.215.120

network-object host 74.208.4.194

network-object host 84.24.253.217

network-object host 98.117.251.114

network-object host 12.164.54.36

network-object host 160.75.192.3

network-object host 186.87.3.225

network-object host 190.174.208.57

network-object host 190.59.189.71

network-object host 201.4.160.18

network-object host 207.155.248.47

network-object host 208.111.169.150

network-object host 208.89.132.145

network-object host 209.85.160.46

network-object host 209.85.210.163

network-object host 62.248.88.175

network-object host 64.202.189.25

network-object host 66.165.70.198

network-object host 67.132.93.114

network-object host 69.174.244.158

network-object host 69.67.52.156

network-object host 69.74.142.209

network-object host 74.125.92.25

network-object host 74.203.196.51

network-object host 79.110.128.212

network-object host 87.70.217.30

network-object host 88.146.41.234

network-object host 88.76.127.77

network-object host 93.86.37.241

network-object host 94.70.115.94

network-object host 95.168.100.87

network-object host 123.201.69.230

network-object host 186.9.50.90

network-object host 189.73.235.78

network-object host 195.2.236.11

network-object host 202.63.105.220

network-object host 205.178.146.55

network-object host 205.178.146.57

network-object host 205.178.146.58

network-object host 205.178.146.61

network-object host 209.85.160.184

network-object host 209.85.221.171

network-object host 218.147.37.219

network-object host 64.120.250.82

network-object host 66.227.62.183

network-object host 67.228.227.25

network-object host 87.109.179.247

network-object host 87.163.5.34

network-object host 89.78.170.200

network-object host 89.78.3.139

network-object host 92.29.204.146

network-object host 94.189.180.81

network-object host 95.180.64.244

network-object host 122.169.182.129

network-object host 122.169.182.213

network-object host 111.224.250.131

network-object host 115.184.136.110

network-object host 123.176.39.134

network-object host 123.237.6.173

network-object host 209.250.243.135

network-object host 216.87.164.19

network-object host 217.23.15.143

network-object host 61.49.36.166

network-object host 67.138.108.151

network-object host 67.138.109.158

network-object host 111.118.156.170

network-object host 111.224.250.132

network-object host 111.224.250.133

network-object host 117.96.18.118

network-object host 121.151.149.220

network-object host 121.183.243.205

network-object host 123.19.170.237

network-object host 125.176.14.67

network-object host 183.107.94.151

network-object host 183.97.35.5

network-object host 186.104.230.5

network-object host 187.52.232.152

network-object host 189.211.159.220

network-object host 190.102.239.219

network-object host 190.235.13.233

network-object host 190.35.206.68

network-object host 190.7.109.65

network-object host 200.87.116.58

network-object host 204.188.223.222

network-object host 204.45.2.197

network-object host 208.83.232.3

network-object host 209.250.243.107

network-object host 209.250.243.15

network-object host 209.250.243.83

network-object host 212.200.197.62

network-object host 216.1.203.94

network-object host 220.227.80.226

network-object host 41.186.0.212

network-object host 41.249.114.143

network-object host 58.26.151.196

network-object host 62.19.51.5

network-object host 64.212.196.228

network-object host 67.138.109.68

network-object host 67.138.110.68

network-object host 68.142.134.126

network-object host 70.98.204.112

network-object host 70.98.205.140

network-object host 70.98.205.165

network-object host 74.63.107.46

network-object host 78.97.189.115

network-object host 79.106.2.46

network-object host 84.22.56.50

network-object host 89.123.211.42

network-object host 89.46.84.214

network-object host 90.169.74.53

network-object host 90.185.163.176

network-object host 95.35.16.79

network-object host 95.65.253.179

object-group service SMTP-587 tcp

description SMTP 587

port-object eq 587

object-group service smtp-587 tcp

description smtp 587

port-object eq 587

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service SMTP-465 tcp

port-object eq 465

object-group service TCP-993 tcp

port-object eq 993

object-group service TCP-995 tcp

port-object eq 995

object-group service TCP-7071 tcp

port-object eq 7071

object-group service TCP-10000 tcp

port-object eq 10000

object-group service TCP-8080 tcp

port-object eq 8080

object-group service TCP-8443 tcp

port-object eq 8443

object-group service TCP-23781 tcp

port-object eq 23781

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www

access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive

access-list outside_in_inside extended permit ip any host ACCSUN-EXT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www

access-list outside_in_inside extended permit ip any host FacileHR-EXT

access-list outside_in_inside extended permit ip any host ACCSUN-INT

access-list outside_in_inside extended permit ip any host FacileHR-INT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www

access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www

access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh

access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh

access-list outside_in_inside extended permit ip any host ACCMX-EXT

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www

access-list outside_in_inside extended permit ip any host ADDON-EXT

access-list outside_in_inside extended permit ip any host ACCIRON-EXT

access-list outside_in_inside extended permit ip any host NRIYP-EXT

access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www

access-list outside_in_inside extended permit udp any any object-group aptela

access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive

access-list outside_in_inside extended deny ip host 216.101.194.154 any

access-list outside_in_inside extended deny tcp host 216.101.194.154 any

access-list outside_in_inside extended deny udp host 216.101.194.154 any

access-list outside_in_inside extended permit tcp any any eq 15250

access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389

access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781

access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive

access-list outside_in_inside extended deny ip any host 192.168.1.188

access-list outside_in_inside extended deny tcp any host 192.168.1.188

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443

access-list outside_in_inside extended permit tcp any any eq pptp

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended deny ip host 216.101.194.154 any

access-list inside_access_in extended deny tcp host 216.101.194.154 any

access-list inside_access_in extended deny udp host 216.101.194.154 any

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781

access-list inside_access_in extended permit tcp any any eq pptp

access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any

access-list inside_access_in extended permit ip any host FacileHR-INT

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www

access-list inside_access_out extended permit tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit udp any any

access-list inside_access_out extended permit tcp any eq 3389 any eq 3389

access-list inside_access_out extended permit tcp any eq domain any eq domain

access-list inside_access_out extended permit udp any eq domain any eq domain

access-list inside_access_out extended permit tcp any eq www any eq www

access-list inside_access_out extended permit udp any eq www any eq www

access-list inside_access_out extended permit tcp any eq https any eq https

access-list inside_access_out extended permit udp any eq 443 any eq 443

access-list inside_access_out extended permit tcp any eq smtp any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-625.bin

no asdm history enable

arp inside 192.168.1.43 0019.d137.8533

arp outside 192.168.1.43 0019.d137.8533

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255

static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255

static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255

static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255

static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255

static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255

static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255

static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_in_inside in interface outside

route outside 0.0.0.0 0.0.0.0 69.130.7.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location AIM Computer Consulting - Closet

snmp-server contact Red Level Networks - support@redlevelnetworks.com

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

dhcpd dns ADDON-INT

dhcpd domain aim-cc.com

!

dhcpd address 192.168.1.150-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.1.189 192.168.1.26

dns-server value 192.168.1.189 192.168.1.26

vpn-tunnel-protocol l2tp-ipsec

default-domain value Addon

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

dns-server value 192.168.1.189 192.168.1.26

vpn-tunnel-protocol l2tp-ipsec

default-domain value Addon

group-policy addonusa internal

group-policy addonusa attributes

wins-server value 192.168.1.189 192.168.1.26

dns-server value 192.168.1.189 192.168.1.26

vpn-tunnel-protocol IPSec

default-domain value Addon

username Patrick.Addon nopassword privilege 0

username Patrick.Addon attributes

vpn-group-policy addonusa

username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15

username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool new

default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group addonusa type remote-access

tunnel-group addonusa general-attributes

default-group-policy addonusa

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

policy-map global-policy

class inspection_default

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:20abefdb02ddf76a4c8656fa30da43cd

: end

Accepted Solution

Hi Kyle,

Make sure you ping the public IP of your server; you would not be able to ping the real IP. You should try:

ping 69.130.7.118

Otherwise it won't work; the static has been put in place so that internal users can access the server only on the public IP.

Before trying again, do "clear logging buffer"

and then try and ping and collect the captures and logs again.

Thanks,

Varun Rao


8 Replies

varrao
Level 10

Hi Kyle,

What you are trying to do on the ASA is called u-turning, you would need the following config for it:

global (inside) 1 interface

static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

same-security-traffic permit intra-interface

Try adding these commands, and ping after that. If it still doesn't ping, paste the config (the one after making the changes); I'll have a look at it.

Hope this helps

Thanks,

Varun Rao
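The U-turn (hairpin) setup described in the accepted solution and in the reply above, written out as an added example in ASA 8.2 syntax. It is not from the thread and was not run by either poster. It uses the object names from the posted running-config (FacileHR-EXT = 69.130.7.118, FacileHR-INT = 192.168.1.186, and the host named Kyle, 192.168.1.21, only as a packet-tracer source) and assumes the server really listens on tcp/81, as the question states. Two points the replies leave implicit: the server's replies must also come back through the ASA, which is why the inside interface needs its own `global` entry; and in 8.2 `static` takes the mapped (public) address before the real (private) address, so the hairpin static names the public address first and, because the published rule is a port redirect, carries the port pair as well.

```cisco
! Added example (not from the thread): ASA 8.2 hairpin ("U-turn") NAT for a
! web server published on a public address with a port redirect (80 -> 81).
! Names are those in the posted running-config:
!   FacileHR-EXT = 69.130.7.118 (public), FacileHR-INT = 192.168.1.186 (private)
! Assumption: the server listens on tcp/81, as the question states.

! 1. Allow a flow to enter and leave the same interface (off by default).
same-security-traffic permit intra-interface

! 2. Source-translate inside clients to the inside interface address for
!    inside->inside flows. Without this the server answers the client
!    directly from 192.168.1.186:81, the client expected 69.130.7.118:80,
!    and the TCP handshake fails. The nat line already exists in the
!    posted config and is repeated here only for context.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! 3. Destination-translate the public address back to the server for
!    requests arriving on "inside". 8.2 argument order is
!    static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
!    so the public address and port come first. A port static is used
!    because the public side is a port redirect; a plain 1:1 static would
!    hand port 80 to the server unchanged.
static (inside,inside) tcp FacileHR-EXT www FacileHR-INT 81 netmask 255.255.255.255

! 4. The outside-facing redirect in the same argument order, for comparison.
static (inside,outside) tcp FacileHR-EXT www FacileHR-INT 81 netmask 255.255.255.255

! 5. The inbound ACL on "inside" must permit the hairpinned flow. The posted
!    inside_access_in already has "permit ip any any"; if that list is ever
!    tightened, this is the rule the flow needs.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www

! Verification from the ASA CLI. The source port is arbitrary.
packet-tracer input inside tcp 192.168.1.21 40000 69.130.7.118 80 detailed
show xlate | include 192.168.1.186
show nat
clear logging buffer
show logging | include 192.168.1.186
```

`packet-tracer` prints each phase (ACL, NAT, xlate, flow creation) with the rule that matched or dropped the packet, which separates a missing static from an ACL deny or an asymmetric reply faster than reading the log; once a client has connected, `show xlate` should list an entry mapping 192.168.1.186/81 to 69.130.7.118/80. Because the hairpin static above translates only tcp/80, ICMP to the public address from inside is not covered by it, so test with a TCP connection to port 80 (or with packet-tracer) rather than with ping. These lines are specific to ASA 8.2; 8.3 and later replaced the `global`/`nat`/`static` commands with object and twice NAT, where hairpinning is a twice NAT rule on (inside,inside) together with the same `same-security-traffic` command.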

Varun,

Thank you by the way for your help, it is greatly appreciated. I entered the commands, but I am still unable to ping/access.

Below I have a copy/paste of the config again.

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(2)

!

names

name 192.168.1.25 ACCMX-INT

name 192.168.1.44 ACCSUN-INT

name 192.168.1.28 ACCIRON-INT

name 69.130.7.116 ACCIRON-EXT

name 69.130.7.115 ACCMX-EXT

name 69.130.7.117 ACCSUN-EXT

name 69.130.7.118 FacileHR-EXT

name 69.130.7.120 NRIYP-EXT

name 69.130.7.126 ADDON-EXT

name 192.168.1.26 ADDON-INT

name 192.168.1.21 Kyle

name 192.168.1.30 NRIYP-INT

name 192.168.1.186 FacileHR-INT

!

interface Vlan1

description LAN [INSIDE INTERFACE]

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

description T1 LINE [EXTERNAL INTERFACE]

nameif outside

security-level 0

ip address 69.130.7.114 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name aim-cc.com

same-security-traffic permit intra-interface

object-group service aptela udp

description for Aptela Phones

port-object range 10000 20000

port-object range sip 5061

object-group service RDP tcp-udp

port-object range 3389 3389

object-group network BLACKLIST

network-object host 190.18.107.140

network-object host 121.244.106.2

network-object host 187.11.194.28

network-object host 188.2.237.199

network-object host 190.48.38.184

network-object host 201.47.229.72

network-object host 207.155.250.20

network-object host 209.85.160.56

network-object host 209.85.222.199

network-object host 63.246.10.50

network-object host 66.77.56.84

network-object host 83.168.1.28

network-object host 124.121.68.190

network-object host 174.35.12.35

network-object host 174.37.81.160

network-object host 188.192.97.110

network-object host 188.38.164.31

network-object host 208.75.123.162

network-object host 41.131.81.19

network-object host 65.168.1.28

network-object host 74.125.83.174

network-object host 74.125.83.184

network-object host 74.208.4.191

network-object host 82.230.100.32

network-object host 89.173.0.9

network-object host 89.228.129.126

network-object host 93.86.217.140

network-object host 123.21.107.67

network-object host 178.92.126.228

network-object host 189.10.192.107

network-object host 189.55.158.40

network-object host 189.70.186.225

network-object host 201.11.0.98

network-object host 207.250.58.8

network-object host 208.75.123.163

network-object host 208.75.123.226

network-object host 209.85.211.156

network-object host 209.85.221.146

network-object host 209.85.222.159

network-object host 211.170.114.154

network-object host 24.38.18.233

network-object host 64.49.82.68

network-object host 64.50.170.80

network-object host 65.217.159.98

network-object host 68.200.154.75

network-object host 74.208.4.195

network-object host 75.146.94.187

network-object host 80.14.122.109

network-object host 92.84.207.252

network-object host 93.153.0.155

network-object host 93.73.179.61

network-object host 96.252.6.79

network-object host 99.174.113.44

network-object host 117.6.64.137

network-object host 178.93.144.158

network-object host 190.245.171.12

network-object host 195.174.128.15

network-object host 199.238.178.138

network-object host 208.75.123.228

network-object host 209.85.217.193

network-object host 24.103.215.120

network-object host 74.208.4.194

network-object host 84.24.253.217

network-object host 98.117.251.114

network-object host 12.164.54.36

network-object host 160.75.192.3

network-object host 186.87.3.225

network-object host 190.174.208.57

network-object host 190.59.189.71

network-object host 201.4.160.18

network-object host 207.155.248.47

network-object host 208.111.169.150

network-object host 208.89.132.145

network-object host 209.85.160.46

network-object host 209.85.210.163

network-object host 62.248.88.175

network-object host 64.202.189.25

network-object host 66.165.70.198

network-object host 67.132.93.114

network-object host 69.174.244.158

network-object host 69.67.52.156

network-object host 69.74.142.209

network-object host 74.125.92.25

network-object host 74.203.196.51

network-object host 79.110.128.212

network-object host 87.70.217.30

network-object host 88.146.41.234

network-object host 88.76.127.77

network-object host 93.86.37.241

network-object host 94.70.115.94

network-object host 95.168.100.87

network-object host 123.201.69.230

network-object host 186.9.50.90

network-object host 189.73.235.78

network-object host 195.2.236.11

network-object host 202.63.105.220

network-object host 205.178.146.55

network-object host 205.178.146.57

network-object host 205.178.146.58

network-object host 205.178.146.61

network-object host 209.85.160.184

network-object host 209.85.221.171

network-object host 218.147.37.219

network-object host 64.120.250.82

network-object host 66.227.62.183

network-object host 67.228.227.25

network-object host 87.109.179.247

network-object host 87.163.5.34

network-object host 89.78.170.200

network-object host 89.78.3.139

network-object host 92.29.204.146

network-object host 94.189.180.81

network-object host 95.180.64.244

network-object host 122.169.182.129

network-object host 122.169.182.213

network-object host 111.224.250.131

network-object host 115.184.136.110

network-object host 123.176.39.134

network-object host 123.237.6.173

network-object host 209.250.243.135

network-object host 216.87.164.19

network-object host 217.23.15.143

network-object host 61.49.36.166

network-object host 67.138.108.151

network-object host 67.138.109.158

network-object host 111.118.156.170

network-object host 111.224.250.132

network-object host 111.224.250.133

network-object host 117.96.18.118

network-object host 121.151.149.220

network-object host 121.183.243.205

network-object host 123.19.170.237

network-object host 125.176.14.67

network-object host 183.107.94.151

network-object host 183.97.35.5

network-object host 186.104.230.5

network-object host 187.52.232.152

network-object host 189.211.159.220

network-object host 190.102.239.219

network-object host 190.235.13.233

network-object host 190.35.206.68

network-object host 190.7.109.65

network-object host 200.87.116.58

network-object host 204.188.223.222

network-object host 204.45.2.197

network-object host 208.83.232.3

network-object host 209.250.243.107

network-object host 209.250.243.15

network-object host 209.250.243.83

network-object host 212.200.197.62

network-object host 216.1.203.94

network-object host 220.227.80.226

network-object host 41.186.0.212

network-object host 41.249.114.143

network-object host 58.26.151.196

network-object host 62.19.51.5

network-object host 64.212.196.228

network-object host 67.138.109.68

network-object host 67.138.110.68

network-object host 68.142.134.126

network-object host 70.98.204.112

network-object host 70.98.205.140

network-object host 70.98.205.165

network-object host 74.63.107.46

network-object host 78.97.189.115

network-object host 79.106.2.46

network-object host 84.22.56.50

network-object host 89.123.211.42

network-object host 89.46.84.214

network-object host 90.169.74.53

network-object host 90.185.163.176

network-object host 95.35.16.79

network-object host 95.65.253.179

object-group service SMTP-587 tcp

description SMTP 587

port-object eq 587

object-group service smtp-587 tcp

description smtp 587

port-object eq 587

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service SMTP-465 tcp

port-object eq 465

object-group service TCP-993 tcp

port-object eq 993

object-group service TCP-995 tcp

port-object eq 995

object-group service TCP-7071 tcp

port-object eq 7071

object-group service TCP-10000 tcp

port-object eq 10000

object-group service TCP-8080 tcp

port-object eq 8080

object-group service TCP-8443 tcp

port-object eq 8443

object-group service TCP-23781 tcp

port-object eq 23781

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www

access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive

access-list outside_in_inside extended permit ip any host ACCSUN-EXT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www

access-list outside_in_inside extended permit ip any host FacileHR-EXT

access-list outside_in_inside extended permit ip any host ACCSUN-INT

access-list outside_in_inside extended permit ip any host FacileHR-INT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www

access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www

access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh

access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh

access-list outside_in_inside extended permit ip any host ACCMX-EXT

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www

access-list outside_in_inside extended permit ip any host ADDON-EXT

access-list outside_in_inside extended permit ip any host ACCIRON-EXT

access-list outside_in_inside extended permit ip any host NRIYP-EXT

access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www

access-list outside_in_inside extended permit udp any any object-group aptela

access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive

access-list outside_in_inside extended deny ip host 216.101.194.154 any

access-list outside_in_inside extended deny tcp host 216.101.194.154 any

access-list outside_in_inside extended deny udp host 216.101.194.154 any

access-list outside_in_inside extended permit tcp any any eq 15250

access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389

access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781

access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive

access-list outside_in_inside extended deny ip any host 192.168.1.188

access-list outside_in_inside extended deny tcp any host 192.168.1.188

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443

access-list outside_in_inside extended permit tcp any any eq pptp

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended deny ip host 216.101.194.154 any

access-list inside_access_in extended deny tcp host 216.101.194.154 any

access-list inside_access_in extended deny udp host 216.101.194.154 any

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781

access-list inside_access_in extended permit tcp any any eq pptp

access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any

access-list inside_access_in extended permit ip any host FacileHR-INT

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www

access-list inside_access_out extended permit tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit udp any any

access-list inside_access_out extended permit tcp any eq 3389 any eq 3389

access-list inside_access_out extended permit tcp any eq domain any eq domain

access-list inside_access_out extended permit udp any eq domain any eq domain

access-list inside_access_out extended permit tcp any eq www any eq www

access-list inside_access_out extended permit udp any eq www any eq www

access-list inside_access_out extended permit tcp any eq https any eq https

access-list inside_access_out extended permit udp any eq 443 any eq 443

access-list inside_access_out extended permit tcp any eq smtp any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-625.bin

no asdm history enable

arp inside 192.168.1.43 0019.d137.8533

arp outside 192.168.1.43 0019.d137.8533

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255

static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255

static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255

static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255

static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255

static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255

static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255

static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_in_inside in interface outside

route outside 0.0.0.0 0.0.0.0 69.130.7.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location AIM Computer Consulting - Closet

snmp-server contact Red Level Networks - support@redlevelnetworks.com

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

dhcpd dns ADDON-INT

dhcpd domain aim-cc.com

!

dhcpd address 192.168.1.150-192.168.1.250 inside

dhcpd enable inside

!

Hi Kyle,

Could you just remove this static statement on the firewall, do:

no static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

and add this:

static (inside,inside) FacileHR-EXT FacileHR-INT norandomseq nailed

and try again. If this doesn't work, we'll need to take the captures on the ASA and the logs as well.

One more thing, these statements are overlapping on ASA:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

so you can remove the first statement, because the second one includes all the IPs. (Don't you think so?)

Thanks,

Varun

Thanks,
Varun Rao

I have done what you asked; the same issue persists. Below is the log again. Again, thank you, you're a great help.

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(2)

!

names

name 192.168.1.25 ACCMX-INT

name 192.168.1.44 ACCSUN-INT

name 192.168.1.28 ACCIRON-INT

name 69.130.7.116 ACCIRON-EXT

name 69.130.7.115 ACCMX-EXT

name 69.130.7.117 ACCSUN-EXT

name 69.130.7.118 FacileHR-EXT

name 69.130.7.120 NRIYP-EXT

name 69.130.7.126 ADDON-EXT

name 192.168.1.26 ADDON-INT

name 192.168.1.21 Kyle

name 192.168.1.30 NRIYP-INT

name 192.168.1.186 FacileHR-INT

!

interface Vlan1

description LAN [INSIDE INTERFACE]

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

description T1 LINE [EXTERNAL INTERFACE]

nameif outside

security-level 0

ip address 69.130.7.114 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name aim-cc.com

same-security-traffic permit intra-interface

object-group service aptela udp

description for Aptela Phones

port-object range 10000 20000

port-object range sip 5061

object-group service RDP tcp-udp

port-object range 3389 3389

object-group network BLACKLIST

network-object host 190.18.107.140

network-object host 121.244.106.2

network-object host 187.11.194.28

network-object host 188.2.237.199

network-object host 190.48.38.184

network-object host 201.47.229.72

network-object host 207.155.250.20

network-object host 209.85.160.56

network-object host 209.85.222.199

network-object host 63.246.10.50

network-object host 66.77.56.84

network-object host 83.168.1.28

network-object host 124.121.68.190

network-object host 174.35.12.35

network-object host 174.37.81.160

network-object host 188.192.97.110

network-object host 188.38.164.31

network-object host 208.75.123.162

network-object host 41.131.81.19

network-object host 65.168.1.28

network-object host 74.125.83.174

network-object host 74.125.83.184

network-object host 74.208.4.191

network-object host 82.230.100.32

network-object host 89.173.0.9

network-object host 89.228.129.126

network-object host 93.86.217.140

network-object host 123.21.107.67

network-object host 178.92.126.228

network-object host 189.10.192.107

network-object host 189.55.158.40

network-object host 189.70.186.225

network-object host 201.11.0.98

network-object host 207.250.58.8

network-object host 208.75.123.163

network-object host 208.75.123.226

network-object host 209.85.211.156

network-object host 209.85.221.146

network-object host 209.85.222.159

network-object host 211.170.114.154

network-object host 24.38.18.233

network-object host 64.49.82.68

network-object host 64.50.170.80

network-object host 65.217.159.98

network-object host 68.200.154.75

network-object host 74.208.4.195

network-object host 75.146.94.187

network-object host 80.14.122.109

network-object host 92.84.207.252

network-object host 93.153.0.155

network-object host 93.73.179.61

network-object host 96.252.6.79

network-object host 99.174.113.44

network-object host 117.6.64.137

network-object host 178.93.144.158

network-object host 190.245.171.12

network-object host 195.174.128.15

network-object host 199.238.178.138

network-object host 208.75.123.228

network-object host 209.85.217.193

network-object host 24.103.215.120

network-object host 74.208.4.194

network-object host 84.24.253.217

network-object host 98.117.251.114

network-object host 12.164.54.36

network-object host 160.75.192.3

network-object host 186.87.3.225

network-object host 190.174.208.57

network-object host 190.59.189.71

network-object host 201.4.160.18

network-object host 207.155.248.47

network-object host 208.111.169.150

network-object host 208.89.132.145

network-object host 209.85.160.46

network-object host 209.85.210.163

network-object host 62.248.88.175

network-object host 64.202.189.25

network-object host 66.165.70.198

network-object host 67.132.93.114

network-object host 69.174.244.158

network-object host 69.67.52.156

network-object host 69.74.142.209

network-object host 74.125.92.25

network-object host 74.203.196.51

network-object host 79.110.128.212

network-object host 87.70.217.30

network-object host 88.146.41.234

network-object host 88.76.127.77

network-object host 93.86.37.241

network-object host 94.70.115.94

network-object host 95.168.100.87

network-object host 123.201.69.230

network-object host 186.9.50.90

network-object host 189.73.235.78

network-object host 195.2.236.11

network-object host 202.63.105.220

network-object host 205.178.146.55

network-object host 205.178.146.57

network-object host 205.178.146.58

network-object host 205.178.146.61

network-object host 209.85.160.184

network-object host 209.85.221.171

network-object host 218.147.37.219

network-object host 64.120.250.82

network-object host 66.227.62.183

network-object host 67.228.227.25

network-object host 87.109.179.247

network-object host 87.163.5.34

network-object host 89.78.170.200

network-object host 89.78.3.139

network-object host 92.29.204.146

network-object host 94.189.180.81

network-object host 95.180.64.244

network-object host 122.169.182.129

network-object host 122.169.182.213

network-object host 111.224.250.131

network-object host 115.184.136.110

network-object host 123.176.39.134

network-object host 123.237.6.173

network-object host 209.250.243.135

network-object host 216.87.164.19

network-object host 217.23.15.143

network-object host 61.49.36.166

network-object host 67.138.108.151

network-object host 67.138.109.158

network-object host 111.118.156.170

network-object host 111.224.250.132

network-object host 111.224.250.133

network-object host 117.96.18.118

network-object host 121.151.149.220

network-object host 121.183.243.205

network-object host 123.19.170.237

network-object host 125.176.14.67

network-object host 183.107.94.151

network-object host 183.97.35.5

network-object host 186.104.230.5

network-object host 187.52.232.152

network-object host 189.211.159.220

network-object host 190.102.239.219

network-object host 190.235.13.233

network-object host 190.35.206.68

network-object host 190.7.109.65

network-object host 200.87.116.58

network-object host 204.188.223.222

network-object host 204.45.2.197

network-object host 208.83.232.3

network-object host 209.250.243.107

network-object host 209.250.243.15

network-object host 209.250.243.83

network-object host 212.200.197.62

network-object host 216.1.203.94

network-object host 220.227.80.226

network-object host 41.186.0.212

network-object host 41.249.114.143

network-object host 58.26.151.196

network-object host 62.19.51.5

network-object host 64.212.196.228

network-object host 67.138.109.68

network-object host 67.138.110.68

network-object host 68.142.134.126

network-object host 70.98.204.112

network-object host 70.98.205.140

network-object host 70.98.205.165

network-object host 74.63.107.46

network-object host 78.97.189.115

network-object host 79.106.2.46

network-object host 84.22.56.50

network-object host 89.123.211.42

network-object host 89.46.84.214

network-object host 90.169.74.53

network-object host 90.185.163.176

network-object host 95.35.16.79

network-object host 95.65.253.179

object-group service SMTP-587 tcp

description SMTP 587

port-object eq 587

object-group service smtp-587 tcp

description smtp 587

port-object eq 587

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service SMTP-465 tcp

port-object eq 465

object-group service TCP-993 tcp

port-object eq 993

object-group service TCP-995 tcp

port-object eq 995

object-group service TCP-7071 tcp

port-object eq 7071

object-group service TCP-10000 tcp

port-object eq 10000

object-group service TCP-8080 tcp

port-object eq 8080

object-group service TCP-8443 tcp

port-object eq 8443

object-group service TCP-23781 tcp

port-object eq 23781

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

access-list outside_in_inside extended permit tcp any host FacileHR-EXT eq www

access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive

access-list outside_in_inside extended permit ip any host ACCSUN-EXT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www

access-list outside_in_inside extended permit ip any host FacileHR-EXT

access-list outside_in_inside extended permit ip any host ACCSUN-INT

access-list outside_in_inside extended permit ip any host FacileHR-INT

access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www

access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www

access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh

access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh

access-list outside_in_inside extended permit ip any host ACCMX-EXT

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www

access-list outside_in_inside extended permit ip any host ADDON-EXT

access-list outside_in_inside extended permit ip any host ACCIRON-EXT

access-list outside_in_inside extended permit ip any host NRIYP-EXT

access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www

access-list outside_in_inside extended permit udp any any object-group aptela

access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive

access-list outside_in_inside extended deny ip host 216.101.194.154 any

access-list outside_in_inside extended deny tcp host 216.101.194.154 any

access-list outside_in_inside extended deny udp host 216.101.194.154 any

access-list outside_in_inside extended permit tcp any any eq 15250

access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389

access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781

access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive

access-list outside_in_inside extended deny ip any host 192.168.1.188

access-list outside_in_inside extended deny tcp any host 192.168.1.188

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp

access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4

access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443

access-list outside_in_inside extended permit tcp any any eq pptp

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended deny ip host 216.101.194.154 any

access-list inside_access_in extended deny tcp host 216.101.194.154 any

access-list inside_access_in extended deny udp host 216.101.194.154 any

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000

access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080

access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781

access-list inside_access_in extended permit tcp any any eq pptp

access-list inside_access_in extended permit object-group TCPUDP host FacileHR-INT any

access-list inside_access_in extended permit ip any host FacileHR-INT

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FacileHR-INT eq www

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 host FacileHR-EXT eq www

access-list inside_access_out extended permit tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit udp any any

access-list inside_access_out extended permit tcp any eq 3389 any eq 3389

access-list inside_access_out extended permit tcp any eq domain any eq domain

access-list inside_access_out extended permit udp any eq domain any eq domain

access-list inside_access_out extended permit tcp any eq www any eq www

access-list inside_access_out extended permit udp any eq www any eq www

access-list inside_access_out extended permit tcp any eq https any eq https

access-list inside_access_out extended permit udp any eq 443 any eq 443

access-list inside_access_out extended permit tcp any eq smtp any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool new 192.168.1.45-192.168.1.50 mask 255.255.255.255

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-625.bin

no asdm history enable

arp inside 192.168.1.43 0019.d137.8533

arp outside 192.168.1.43 0019.d137.8533

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (inside,outside) tcp FacileHR-INT 81 FacileHR-EXT www netmask 255.255.255.255

static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255

static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255

static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255

static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255

static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255

static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255

static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255

static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255

static (inside,inside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255 norandomseq nailed

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_in_inside in interface outside

route outside 0.0.0.0 0.0.0.0 69.130.7.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location AIM Computer Consulting - Closet

snmp-server contact Red Level Networks - support@redlevelnetworks.com

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

dhcpd dns ADDON-INT

dhcpd domain aim-cc.com

!

dhcpd address 192.168.1.150-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

: end

Result of the command: "access-list inside_test permit icmp any host 192.168.1.186"

The command has been sent to the device

Result of the command: "capture inside_interface access-list inside_test interface inside"

The command has been sent to the device

Result of the command: "show capture inside_interface"

4 packets captured

   1: 12:15:16.728981 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request

   2: 12:15:21.260331 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request

   3: 12:15:26.259858 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request

   4: 12:15:31.258592 802.1Q vlan#1 P0 192.168.1.21 > 192.168.1.186: icmp: echo request

4 packets shown

Result of the command: "show logging"

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level debugging, 8205 messages logged

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 21494596 messages logged

tes 6464 TCP FINs

%ASA-6-106015: Deny TCP (no connection) from 207.155.253.212/25 to ADDON-EXT/53777 flags FIN PSH ACK  on interface outside

%ASA-6-302014: Teardown TCP connection 10506718 for outside:209.85.218.56/50127 to inside:ACCIRON-INT/25 duration 0:00:30 bytes 13186 TCP FINs

%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.188/37212 to outside:69.130.7.114/25820 duration 0:01:00

%ASA-6-302013: Built outbound TCP connection 10507509 for outside:209.85.225.14/25 (209.85.225.14/25) to inside:ACCIRON-INT/43560 (ACCIRON-EXT/43560)

%ASA-6-302016: Teardown UDP connection 10505434 for outside:192.228.79.201/53 to inside:ACCMX-INT/32768 duration 0:03:09 bytes 667

%ASA-7-609002: Teardown local-host outside:192.26.92.30 duration 0:12:36

%ASA-6-302014: Teardown TCP connection 10503790 for outside:64.50.243.27/80 to inside:192.168.1.202/4600 duration 0:05:06 bytes 1800 TCP FINs

%ASA-6-302014: Teardown TCP connection 10503786 for outside:64.50.243.27/80 to inside:192.168.1.202/4597 duration 0:05:06 bytes 2585 TCP FINs

%ASA-6-302014: Teardown TCP connection 10503788 for outside:64.50.243.27/80 to inside:192.168.1.202/4598 duration 0:05:06 bytes 7068 TCP FINs

%ASA-6-302014: Teardown TCP connection 10489607 for outside:74.125.225.93/443 to inside:192.168.1.173/49659 duration 0:26:10 bytes 36449 TCP Reset-I

%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.181/59641 to outside:69.130.7.114/33656 duration 0:00:30

%ASA-6-302015: Built outbound UDP connection 10507510 for outside:216.165.129.157/53 (216.165.129.157/53) to inside:ADDON-INT/19434 (ADDON-EXT/19434)

%ASA-6-302016: Teardown UDP connection 10507510 for outside:216.165.129.157/53 to inside:ADDON-INT/19434 duration 0:00:00 bytes 354

%ASA-6-302014: Teardown TCP connection 10507487 for outside:122.169.129.112/4999 to inside:ADDON-INT/995 duration 0:00:03 bytes 6472 TCP FINs

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.170/50538 to outside:69.130.7.114/1602

%ASA-6-302013: Built outbound TCP connection 10507511 for outside:67.195.186.236/80 (67.195.186.236/80) to inside:192.168.1.170/50538 (69.130.7.114/1602)

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.173/49760 to outside:69.130.7.114/57521

%ASA-6-302013: Built outbound TCP connection 10507512 for outside:74.125.225.84/80 (74.125.225.84/80) to inside:192.168.1.173/49760 (69.130.7.114/57521)

%ASA-6-302013: Built inbound TCP connection 10507513 for outside:209.85.213.184/46523 (209.85.213.184/46523) to inside:ACCIRON-INT/25 (ACCIRON-EXT/25)

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.170/50539 to outside:69.130.7.114/31933

%ASA-6-302013: Built outbound TCP connection 10507514 for outside:98.139.240.23/80 (98.139.240.23/80) to inside:192.168.1.170/50539 (69.130.7.114/31933)

%ASA-6-302014: Teardown TCP connection 10507511 for outside:67.195.186.236/80 to inside:192.168.1.170/50538 duration 0:00:00 bytes 1893 TCP FINs

%ASA-6-302015: Built outbound UDP connection 10507515 for outside:216.165.129.157/53 (216.165.129.157/53) to inside:ADDON-INT/34614 (ADDON-EXT/34614)

%ASA-6-302016: Teardown UDP connection 10507515 for outside:216.165.129.157/53 to inside:ADDON-INT/34614 duration 0:00:00 bytes 473

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.173/49761 to outside:69.130.7.114/2730

%ASA-6-302013: Built outbound TCP connection 10507516 for outside:74.125.225.78/443 (74.125.225.78/443) to inside:192.168.1.173/49761 (69.130.7.114/2730)

%ASA-6-302014: Teardown TCP connection 10507514 for outside:98.139.240.23/80 to inside:192.168.1.170/50539 duration 0:00:00 bytes 1422 TCP FINs

%ASA-6-302013: Built inbound TCP connection 10507517 for inside:Kyle/52576 (Kyle/52576) to identity:192.168.1.1/443 (192.168.1.1/443)

%ASA-6-725001: Starting SSL handshake with client inside:Kyle/52576 for TLSv1 session.

%ASA-6-725003: SSL client inside:Kyle/52576 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client inside:Kyle/52576

%ASA-5-111007: Begin configuration: Kyle reading from http [POST]

Hi Kyle,

Make sure you ping the public IP of your server; you would not be able to ping the real IP. You should try:

ping 69.130.7.118

Otherwise it won't work; the static has been put in place so that internal users can access the server only on the public IP.

Before trying again, do "clear logging buffer"

and then try and ping and collect the captures and logs again.

Thanks,

Varun

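For anyone landing on this thread later, here is the complete ASA 8.2 hairpin (same-interface) NAT configuration that Varun's two replies add up to, written out as an added example rather than copied from Kyle's running config. SERVER-INT and SERVER-EXT are placeholder names standing in for the thread's FacileHR-INT and FacileHR-EXT; everything else is standard 8.2 syntax. Two things worth checking against your own config: the static argument order is (real_ifc,mapped_ifc) mapped_ip real_ip, and the running config above permits "ip any" to both the public and the private address of the server, so the example narrows the inbound rule to the one port the web server actually serves. The norandomseq and nailed keywords from the earlier reply disable TCP ISN randomization and relax the ASA's TCP state checks for that translation, so treat them as a troubleshooting step rather than something to leave in place once the plain static works.

```cisco
! Hairpin (U-turn) NAT on ASA 8.2 so inside clients reach an inside server
! via its public address. Added example, not the thread's running config.
! SERVER-INT / SERVER-EXT are placeholders for the real and public addresses.
name 192.168.1.186 SERVER-INT
name 69.130.7.118 SERVER-EXT
!
! 1. Let a packet enter and leave the same interface. Without this the ASA
!    drops inside-to-inside traffic before NAT is even consulted.
same-security-traffic permit intra-interface
!
! 2. PAT inside clients behind the ASA's own inside address when they hairpin.
!    If the server saw the client's private address it would reply directly
!    over the LAN, the ASA would never see the return half of the connection,
!    and the TCP handshake would fail. (Both lines are already in the thread.)
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! 3. One static for the Internet path and one for the hairpin path.
!    Argument order is (real_ifc,mapped_ifc) mapped_ip real_ip.
static (inside,outside) SERVER-EXT SERVER-INT netmask 255.255.255.255
static (inside,inside)  SERVER-EXT SERVER-INT netmask 255.255.255.255
!
!    If the service listens on a non-standard port (the thread mentions 81),
!    use port statics instead of the one-to-one pair above, keeping the same
!    mapped-before-real order: mapped_ip mapped_port real_ip real_port.
! static (inside,outside) tcp SERVER-EXT www SERVER-INT 81 netmask 255.255.255.255
! static (inside,inside)  tcp SERVER-EXT www SERVER-INT 81 netmask 255.255.255.255
!
! 4. Inbound from the Internet: only the port the server serves, not "ip any".
access-list outside_in_inside extended permit tcp any host SERVER-EXT eq www
access-group outside_in_inside in interface outside
!
! 5. Inside clients test against the public address, as Varun says above;
!    the hairpin static only matches the mapped (public) address.
!    From an inside host:  ping 69.130.7.118  /  http://69.130.7.118/
```

To verify the hairpin on the box itself, run packet-tracer from the inside interface with an inside client as source and the public address as destination (packet-tracer input inside tcp 192.168.1.21 12345 69.130.7.118 80); the NAT phase should show the (inside,inside) static being hit and the result should be ALLOW.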

I just want to say....... "YOU ROCK MAH SOCKS!"

Anyhow, you have helped me resolve my issue. I am always cheerful to see knowledgeable professionals that are willing to help the young runts in the business. I tip my hat to you sir, and I bid you a great day.

Cheers~!

Status: "Resolved"

Wow... that's great Kyle, really happy to help you out... would always be there for your help.

You can mark this thread as answered.

-Varun


Will do~
