12-30-2010 04:24 AM - edited 03-11-2019 12:28 PM
Hi
I'm trying to set up a Cisco ASA behind a Cisco router which is fronting the internet connection.
The Cisco router is facing the ASA with an address of 10.10.10.1 (on the Cisco router) and 10.10.10.2 (on the Cisco ASA).
The Cisco ASA can ping the internet connection, no problem there, but when I'm trying to ping from my computer connected to the ASA on an inside interface (172.16.30.0/24) I seem to get stuck: I can't ping the internet (4.2.2.2, which is a DNS server, I know) or the 10.10.10.0 network.
On the Cisco router I have set up a static route to the 172.16.30.0 network.
And if I remove the security level on the Internet (outside) interface of the ASA to match the LAN (inside) interface (sec. lev. 100 on both inside/outside), everything works.
With the default (sec. level 0 on outside and 100 on inside) I do however get this message in the Cisco ASA log:
| 3 | Dec 30 2010 | 13:16:24 | 106014 | 172.16.30.5 | 4.2.2.2 | Deny inbound icmp src inside:172.16.30.5 dst Internet:4.2.2.2 (type 8, code 0) |
| 2 | Dec 30 2010 | 13:16:22 | 106007 | 172.16.30.5 | 56294 | DNS | Deny inbound UDP from 172.16.30.5/56294 to 10.10.10.1/53 due to DNS Query |
| 2 | Dec 30 2010 | 13:16:27 | 106007 | 172.16.30.5 | 60698 | DNS | Deny inbound UDP from 172.16.30.5/60698 to 10.10.10.1/53 due to DNS Query |
| 2 | Dec 30 2010 | 13:16:27 | 106007 | 172.16.30.5 | 53920 | DNS | Deny inbound UDP from 172.16.30.5/53920 to 10.10.10.1/53 due to DNS Query |
I have tried to set up the ACL to permit everything from everything; it doesn't help. Please help me, this is my latest ACL, which I think should work:

I haven't set up any NAT rules on the ASA though, not sure if this is an issue...? (But I'm NATing on the Cisco router.)
Output from my log:

THANKS for any help!!!!
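The two message IDs in the log table above (106014 for the denied ICMP echo, 106007 for the denied DNS queries) are the thread's actual clue. As an added example that is not part of this thread, the following Python parses those two message types out of ASA syslog lines and counts the denied flows, so a repeating pattern like every DNS query from one host to the router at 10.10.10.1/53 stands out. The sample lines are constructed from the values in the table, rewritten into the standard "%ASA-<severity>-<message-id>: <text>" syslog form; the last "Built connection" line is constructed to show that non-deny events are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: values taken from the thread's ASDM log table, rewritten
# into the "%ASA-<severity>-<message-id>: <text>" shape a syslog collector stores.
# The final 302013 line is a constructed, unrelated message to show it is skipped.
SAMPLE_LOG = """\
Dec 30 2010 13:16:22 Firewall01 %ASA-2-106007: Deny inbound UDP from 172.16.30.5/56294 to 10.10.10.1/53 due to DNS Query
Dec 30 2010 13:16:24 Firewall01 %ASA-3-106014: Deny inbound icmp src inside:172.16.30.5 dst Internet:4.2.2.2 (type 8, code 0)
Dec 30 2010 13:16:27 Firewall01 %ASA-2-106007: Deny inbound UDP from 172.16.30.5/60698 to 10.10.10.1/53 due to DNS Query
Dec 30 2010 13:16:27 Firewall01 %ASA-2-106007: Deny inbound UDP from 172.16.30.5/53920 to 10.10.10.1/53 due to DNS Query
Dec 30 2010 13:16:30 Firewall01 %ASA-6-302013: Built outbound TCP connection 12 for outside:4.2.2.2/80 (4.2.2.2/80) to inside:172.16.30.5/40000 (172.16.30.5/40000)
"""

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 106014: ICMP denied between two named interfaces
ICMP_RE = re.compile(
    r"Deny inbound icmp src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
# 106007: UDP/TCP denied with a stated reason (here "DNS Query")
L4_RE = re.compile(
    r"Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) due to (?P<reason>.+)"
)


@dataclass
class DenyEvent:
    severity: int
    msgid: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    reason: str


def parse_line(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a 106007/106014 line, None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev, msgid, text = int(m["sev"]), m["msgid"], m["text"]
    if msgid == "106014":
        d = ICMP_RE.match(text)
        if d:
            reason = f"icmp type {d['type']} code {d['code']} ({d['sif']} -> {d['dif']})"
            return DenyEvent(sev, msgid, "icmp", d["src"], d["dst"], None, reason)
    elif msgid == "106007":
        d = L4_RE.match(text)
        if d:
            return DenyEvent(sev, msgid, d["proto"].lower(), d["src"], d["dst"],
                             int(d["dport"]), d["reason"])
    return None


def parse_log(text: str) -> List[DenyEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def deny_summary(events: List[DenyEvent]) -> Dict[Tuple[str, str, str], int]:
    """Count denies per (src, dst, service) so the repeating flow stands out:
    here every DNS query from 172.16.30.5 to the router at 10.10.10.1/53."""
    counts: Counter = Counter()
    for ev in events:
        service = ev.proto if ev.dport is None else f"{ev.proto}/{ev.dport}"
        counts[(ev.src, ev.dst, service)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(deny_summary(parse_log(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} {key[2]}")
```

Feeding a real export through parse_log gives one DenyEvent per denied packet; deny_summary collapses them by flow, which is usually enough to see whether a single rule or a single host accounts for the noise before touching the ACLs.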
12-30-2010 04:30 AM
Please add "no nat-control" on the ASA, and it will resolve the issue.
12-30-2010 05:46 AM
Thanks for the fast reply!
Still the same problem though :/
| 3 | Dec 30 2010 | 14:40:09 | 106014 | 172.16.30.3 | 4.2.2.2 | Deny inbound icmp src inside:172.16.30.3 dst Internet:4.2.2.2 (type 8, code 0) |
| 2 | Dec 30 2010 | 14:40:09 | 106007 | 172.16.30.3 | 51631 | DNS | Deny inbound UDP from 172.16.30.3/51631 to 10.10.10.1/53 due to DNS Query |
Seems like there's still an ACL issue according to the log, can't figure out what the problem is though :/
Can't see the command in the running config or in show nat though, should I be able to see that I have typed in no nat-control?
Thanks
12-30-2010 06:58 AM
I think this is a perfect opportunity to use the Packet tracer feature.
I see you are using the ASDM to configure the firewall.
It is under one of the menus.
You can use it to see why the packet fails and what rule is causing the problem.
A little tip, check what interface you are sending the packet from every time you try. The interface might revert back to a default interface.
PS I see you are just a couple of km from me,
so if you still have problems after the packet-tracer, drop me a line.
Good luck
HTH
12-30-2010 07:53 AM
Hi,
> should I be able to see that I have typed in no nat-control?
Yes, with show run nat-control
Did you leave levels of 100 and 0 or same levels for 2 interfaces?
But as Hobbe told packet tracer is the tool you need to point out the cause.
Regards.
Alain.
12-30-2010 11:30 AM
Thanks! Still seems to be a problem though. I'll post you a message Hobbe, thanks for the help Cadetalain. I still have problems when I'm on different security levels, probably a simple error of some sort, kind of new on Cisco ASA.
12-30-2010 03:01 PM
Are inside and Internet the same security level by any chance?
If so make the Internet lower security than the inside.
From the CLI if you issue
sh nameif
that should show you the security level.
Post the output of
packet-tracer input inside icmp 172.16.30.5 8 0 4.2.2.2 det
-KS
12-31-2010 06:32 AM
Yes, outside is 0 and inside 100 :/ uploading my config ...
This is my output for the packet-tracer:
Firewall01# packet-tracer input inside icmp 172.16.30.5 8 0 4.2.2.2 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd49676d8, priority=1, domain=permit, deny=false
hits=5843, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd496d758, priority=0, domain=permit-ip-option, deny=true
hits=123, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd496c768, priority=66, domain=inspect-icmp-error, deny=false
hits=23, user_data=0xd496c698, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd50e30a8, priority=0, domain=host-limit, deny=false
hits=3, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 123, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc outside
adjacency Active
next-hop mac address 0014.a9c2.1469 hits 441
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Maybe I have missed specifying it somewhere, which interface is which?
This is my setup, sorry for the awful drawing :):

####################
####THE "ISP ROUTER"
####################
hostname InterNetRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 ABCDEFGIHJKL
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
!
crypto pki trustpoint example
enrollment terminal pem
revocation-check crl
!
crypto pki trustpoint dyndns
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain example
crypto pki certificate chain dyndns
XXXXX
XXXXX
quit
dot11 syslog
ip source-route
!
!
ip cef
ip domain name ABCDEFGIHJKL
ip name-server 4.2.2.2
ip ddns update method dyndns
HTTP
add https://ABCDEFGIHJKL
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
no virtual-template subinterface
!
!
username ABCDEFGIHJKL privilege 15 secret ABCDEFGIHJKL
!
!
!
archive
log config
hidekeys
!
interface FastEthernet0
description *** vlan 10/FE0 to CISCO ASA ***
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description *** Dialer1/FE4 Internet ***
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address pool VPNUSERS
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description *** vlan 10/FE0 to CISCO ASA ***
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description *** Dialer1/FE4 Internet ***
ip ddns update hostname ABCDEFGIHJKL
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username ABCDEFGIHJKL
ppp ipcp route default
!
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 10.10.10.2
ip route 172.16.30.0 255.255.255.0 10.10.10.2
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat source list LAN pool LAN
ip nat inside source list LAN interface Dialer1 overload
ip nat inside source static 10.10.10.1 interface Dialer1
!
ip access-list extended LAN
permit ip 172.16.30.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
!
##############
### THE ASA
##############
:
ASA Version 8.0(3)
!
hostname Firewall01
domain-name default.domain.invalid
enable password ABCDEFGHIJK encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ABCDEFGHIJK encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip 172.16.30.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Internet_access_in extended permit ip 10.0.0.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list Internet_access_in extended permit ip 172.16.30.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging console notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 101 172.16.30.1-172.16.30.200 netmask 255.255.255.0
global (outside) 1 172.16.30.0 netmask 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ssh 172.16.30.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd domain DOMAINET.se
!
dhcpd address 172.16.30.2-172.16.30.33 inside
dhcpd dns 10.10.10.1 interface inside
dhcpd lease 432000 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
username admin password ABCDEFGHIJK encrypted privilege 15
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
THANKS A BUNCH FOR ALL THE HELP !!!!!!!!!!! Your forum is great!
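The packet-tracer run pasted above ends with "Action: allow", so the ASA itself does not explain the denies in the log; when a trace does end in a drop, the phase carrying "Result: DROP" and the final "Drop-reason:" line are what to read first. As an added example that is not part of this thread, the following Python parses packet-tracer output into its phases and the final Result block and picks out the dropping phase. Both sample traces are constructed: the allow case is shortened from the shape of the run above, and the drop case assumes an interface ACL denying the flow, with Config and Drop-reason lines modelled on typical ASA output rather than copied from the thread.

```python
from typing import Dict, List, Optional

# Constructed sample, shortened from the shape of the thread's
# "packet-tracer input inside icmp ... det" run (the allow case).
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd49676d8, priority=1, domain=permit, deny=false

Phase: 2
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc outside

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed drop case (assumption: an inside ACL denying the flow; the
# Config and Drop-reason lines are modelled on typical ASA output, not copied
# from the thread).
TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text: str) -> Dict:
    """Split packet-tracer output into numbered phases and the final Result block."""
    phases: List[Dict] = []
    final: Dict[str, str] = {}
    cur: Optional[Dict] = None
    section = None  # "config" / "info" inside a phase, "final" after bare "Result:"
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # bare "Result:" opens the final block
            cur, section = None, "final"
        elif section == "final":
            if ": " in line:
                key, val = line.split(": ", 1)
                final[key] = val
        elif cur is None or not line:
            continue
        elif line.startswith("Type: "):
            cur["type"] = line[6:]
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result: "):
            cur["result"] = line[8:]
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)
    return {"phases": phases, "final": final}


def first_drop(trace: Dict) -> Optional[Dict]:
    """The phase that dropped the packet, which is the thing to fix first."""
    return next((p for p in trace["phases"] if p["result"] == "DROP"), None)


def summarize(text: str) -> Dict:
    trace = parse_trace(text)
    return {
        "action": trace["final"].get("Action"),
        "drop_reason": trace["final"].get("Drop-reason"),
        "drop_phase": first_drop(trace),
        "phase_count": len(trace["phases"]),
    }
```

The "config" list of the dropping phase holds the exact access-group and access-list lines the ASA matched, which is the line to correct rather than loosening a whole interface's security level as the original poster had tried.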
12-31-2010 07:06 AM
Few things I found that you do not need:
You can remove the following:
conf t
no global (outside) 101 172.16.30.1-172.16.30.200 netmask 255.255.255.0
no global (outside) 1 172.16.30.0 netmask 255.255.255.0
no global (outside) 1 interface
dhcpd dns 10.10.10.1 interface inside ---> You have configured the outside router as the DNS server address for all inside dhcp clients. Is this correct?
Anyway, since you say the asa is able to ping 4.2.2.2 may be you can translate all the inside hosts to look like the ASA's outside IP
add these commands:
conf t
nat (inside) 1 172.16.30.0 255.255.255.0
global (outside) 1 interface
Also you have the access-lists but they are not applied. You also need to add icmp inspection to automatically allow the replies to come back in.
conf t
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect icmp
inspect icmp error
exit
service-policy global_policy global
Let us know if this works to ping 4.2.2.2 from an inside host 172.16.30.x
-KS
01-01-2011 06:03 AM
IT WORKS :)!!!! THANK YOU!!!
So I added these commands to get the policy map working, correct, right?
So what I've done here is to inspect ftp, tftp, and icmp to globally allow it, so the replies can come back from the lower security level interface?
Firewall01(config)# class-map inspection_default
Firewall01(config-cmap)# match default-inspection-traffic
Firewall01(config-cmap)# exit
Firewall01(config)# policy-map global_policy
Firewall01(config-pmap)# class inspection_default
Firewall01(config-pmap-c)# inspect ftp
Firewall01(config-pmap-c)# inspect tftp
Firewall01(config-pmap-c)# inspect icmp
Firewall01(config-pmap-c)# inspect icmp error
Firewall01(config-pmap-c)# exit
Firewall01(config)# service-policy global_policy global
Firewall01(config)#
Why were the global (outside) 1 interface and global (outside) 101 lines in my config, :/? Is this because I have mixed things around, or do you always have to turn this off (since I have defined the outside interface, I mean)?
THANK YOU FOR YOUR SUPPORT Poonguzhali!!
01-01-2011 07:46 AM
John,
Wish you and all our other readers a Very Happy New Year 2011!
Very glad to hear that. That just made my Jan 1st 2011. First posting for this year.
I think those global (outside) lines that I had you remove were added while you tried to get this to work.
You should be able to go out looking like 172.16.x.x and the router is properly configured to NAT this traffic while going to the internet. Since you said the ASA was able to ping 4.2.2.2 I was 100% sure the 10.10.10.x address is able to go to the internet and gave you steps nat/global to make your inside 172.16.x.x look like the ASA's outside 10.10.10.2 address.
Regarding the policy map yes you are right. That is to automatically allow icmp replies and in case of ftp to open secondary channels for data.
Excellent. Pls. mark this thread resolved if you think it is resolved and spin a new thread if you run into any other new problems.
-KS
01-02-2011 06:01 AM
Yes, once again, thanks!