08-15-2020 04:10 AM
Hi All.
I now have my SG500 and ISR1841 in production running my home network, all after your previous help so thank you.
To further my training I've now added an ISR2901 and ASA5520 into my home lab, I'm working my way through with the basic configurations and I'm almost there.
For information I've attached my configurations for both the 2901 and 5520 along with the network topology and ping results.
For testing purposes I have a laptop directly connected to the ASA G0/2 on subnet 192.168.1.0 but will eventually have an L2/L3 switch connected on the same subnet.
From the laptop I can ping all the way through to the ISR 2901 WAN interface (Gi0/0); I receive a response from the assigned ISP DHCP IP but not the ISP DHCP gateway IP. I don't get a ping response from the ASA outside interface, but I think this is to be expected.
From the ASA I can ping IP's from the Laptop to the 2901 WAN interface but not out to the internet.
From the 2901 I can ping from the 2901 LAN interface (Gi0/1) 192.168.10.101 and out to the internet, but I get no response from the ASA's directly connected outside interface or onwards into the LAN.
To me it looks like
I also have the firewall on the laptop disabled while testing.
As always, any advice you can give will be much appreciated; configurations as below and attached.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.08.15 10:38:40 =~=~=~=~=~=~=~=~=~=~=~=
Cisco ISR 2901
Current configuration : 1853 bytes
!
! Last configuration change at 09:41:11 UTC Sat Aug 15 2020
! NVRAM config last updated at 01:00:31 UTC Sat Aug 15 2020
! NVRAM config last updated at 01:00:31 UTC Sat Aug 15 2020
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ratchet
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxxxxxxx
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2901/K9 sn FGL153025VP
license accept end user agreement
hw-module pvdm 0/0
!
vtp mode transparent
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN Link DHCP Assigned
 ip address dhcp
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 description ASA5520 Link Gi0-0
 ip address 192.168.10.101 255.255.255.0
 duplex full
 speed 1000
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 192.168.1.0 255.255.255.0 192.168.10.100
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0 dhcp
!
control-plane
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/3/0
!
voice-port 0/3/1
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 60 0
 password xxxxxxxxxxxx
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.08.15 10:31:25 =~=~=~=~=~=~=~=~=~=~=~=
ASA Version 9.1(2)
!
hostname Sonic
enable password Pza1yI/X7Fkpc.iJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description Link to ISR2901 G0-1
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.10.100 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.4
 description Home Network
 vlan 4
 nameif inside1
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 description Guest Network
 vlan 5
 nameif inside2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Test-Port
 speed 100
 duplex full
 nameif inside3
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network inside1_LAN
 subnet 192.168.4.0 255.255.255.0
object network inside2_LAN
 subnet 192.168.5.0 255.255.255.0
object network inside3_LAN
 subnet 192.168.1.0 255.255.255.0
access-list OUT extended permit icmp any any
pager lines 24
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
mtu inside3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside1_LAN
 nat (inside1,outside) static interface
object network inside2_LAN
 nat (inside2,outside) static interface
object network inside3_LAN
 nat (inside3,outside) dynamic interface
access-group OUT in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.101 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.4.50-192.168.4.200 inside1
dhcpd enable inside1
!
dhcpd address 192.168.5.50-192.168.5.200 inside2
dhcpd enable inside2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7e63c751971204e3a26120f8009a3b36
: end
Thank you.
Phill
08-15-2020 04:38 AM - edited 08-15-2020 04:41 AM
Hi,
If your router can ping the internet but the ASA cannot, you would need to configure NAT on your router to NAT all traffic sourced from the ASA.
Example:-
ip access-list standard ACL_NAT
 permit 192.168.10.0 0.0.0.255
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat inside source list ACL_NAT interface GigabitEthernet0/0 overload
HTH
08-15-2020 06:09 AM
Hi Rob.
Thank you for the quick reply.
Is it ok to perform NAT on the ASA and the 2901? I was avoiding the nat inside/outside commands on the router so not to double NAT.
Thanks
Phill
08-15-2020 06:23 AM
08-15-2020 06:22 AM
Hi Rob.
I can ping the WAN port from both the laptop and the ASA, so it is passing through the router; I'm just not getting a response from the ISP DG and outwards to 8.8.8.8 or google.com.
From the router I can only ping outside. I don't understand why I'm not getting a ping response from the ASA outside interface, which is directly connected to the router. Is there any further static routing or are ACLs required on the ASA to allow ICMP messages through and onwards to 192.168.1.1?
Thank you for any advice.
Phill
08-15-2020 06:26 AM
08-15-2020 08:23 AM
Hi Rob
Thank you for your explanation.
I've removed the natting from the ASA and will perform the natting from the router. I've updated the router config and also changed the ASA default route to static routes for the subnets.
The router can now ping all the way through the LAN to the laptop.
I'll test the Internet connectivity as soon as I can and update the post.
Thanks again
Phill
08-16-2020 02:46 AM
Hi Rob.
I've removed the NAT configs from the ASA and provided a default route to 192.168.10.101.
NAT and an ACL have been configured on the 2901 router, with static routes for 192.168.1.0, 192.168.4.0 & 192.168.5.0 pointing to 192.168.10.100.
With NAT now taking place on the router I'm thinking I can now remove the ip route 192.168.10.0 255.255.255.0 Gi0/0 dhcp config?
The router is able to ping out to the internet and all the way through the LAN to the laptop 192.168.1.5.
I am still unable to ping from the laptop and ASA any further than the router LAN interface Gi0/1 (192.168.10.101).
I have attached my latest configs.
Thank you for any further advice you can offer.
Phill
08-16-2020 03:29 AM - edited 08-16-2020 03:52 AM
Remove the ACL on the ASA "no access-group OUT in interface outside", without it all traffic will be permitted.
Run packet-tracer on the ASA from the CLI "packet-tracer input inside3 tcp 192.168.1.5 3000 8.8.8.8 80" and provide the output for review.
Is the router learning the default route via DHCP? Provide the output of "show ip route" from the router.
Generate some traffic and provide the output of "show ip nat translations" from the router.
Your NAT_ACL on the router doesn't include all of your internal ASA networks; you would need to add them as well.
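A quick way to check the last point above, added here as an example and not part of the thread or of Rob's configuration: the script parses a standard IOS ACL (wildcard masks, as used by `ip nat inside source list`) and the ASA's interface blocks, then lists the inside-side ASA subnets the router's NAT ACL would not translate. The router snippet is constructed from the ACL_NAT example earlier in the thread and the ASA excerpt is trimmed from the posted config; the function names and the "fixed" ACL are my own.

```python
import ipaddress
import re

# Constructed sample: the router NAT ACL as given in the ACL_NAT example
# earlier in the thread (only the transit /24 is permitted).
ROUTER_CONFIG = """\
ip access-list standard ACL_NAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list ACL_NAT interface GigabitEthernet0/0 overload
"""

# Same ACL with the three ASA-side subnets added (constructed, not from the thread).
ROUTER_CONFIG_FIXED = ROUTER_CONFIG.replace(
    " permit 192.168.10.0 0.0.0.255\n",
    " permit 192.168.10.0 0.0.0.255\n"
    " permit 192.168.1.0 0.0.0.255\n"
    " permit 192.168.4.0 0.0.0.255\n"
    " permit 192.168.5.0 0.0.0.255\n",
)

# Trimmed from the posted ASA config: interface names, security levels, addresses.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.100 255.255.255.0
!
interface GigabitEthernet0/1.4
 nameif inside1
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 nameif inside2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside3
 security-level 100
 ip address 192.168.1.1 255.255.255.0
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: a 0 bit must match."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_nat_acl(config, acl_name):
    """Return the networks permitted by a named standard ACL."""
    nets, in_acl = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list standard {acl_name}"):
            in_acl = True
            continue
        if in_acl and not line.startswith(" "):
            in_acl = False          # left the ACL block
        if not in_acl:
            continue
        m = re.match(r"\s*permit\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            addr, wc = m.group(1), m.group(2) or "0.0.0.0"
            if addr == "host":      # 'permit host X' form
                addr, wc = wc, "0.0.0.0"
            nets.append(wildcard_to_network(addr, wc))
    return nets

def parse_asa_inside_subnets(config):
    """Map nameif -> network for every interface with security-level > 0."""
    subnets, nameif, level = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif, level = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        elif line.startswith("ip address ") and nameif and level:
            _, _, addr, mask = line.split()
            subnets[nameif] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return subnets

def uncovered_subnets(router_config, asa_config, acl_name="ACL_NAT"):
    """Names of ASA inside interfaces whose subnet no NAT ACL entry covers."""
    nat_nets = parse_nat_acl(router_config, acl_name)
    return sorted(
        name for name, net in parse_asa_inside_subnets(asa_config).items()
        if not any(net.subnet_of(n) for n in nat_nets)
    )

if __name__ == "__main__":
    print("not translated:", uncovered_subnets(ROUTER_CONFIG, ASA_CONFIG))
    print("after fix:", uncovered_subnets(ROUTER_CONFIG_FIXED, ASA_CONFIG))
```

Hosts on an uncovered subnet are forwarded by the router without translation, so their replies from the internet never come back; running the check against the actual `show running-config` output from both boxes is the idea.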
08-16-2020 05:12 AM
Hi Rob.
Yes, the router learns the default route via DHCP as seen in the ip route file.
I've removed the ACL and I can ping 8.8.8.8 and load web pages.
I've run the tests you have suggested just in case you spot something else amiss, please see attached.
Thanks for the ACL_NAT observation, I'll add those in once I receive and attach my switch to the ASA.
Thanks
Phill
08-16-2020 06:44 AM
08-16-2020 10:11 AM
Hi Rob.
I'm happy the issue has been resolved, thank you for your help. I'll mark as resolved.
Although the removal of the ICMP ACL has opened up traffic flow outbound, I'm struggling to understand why I could not ping to the internet when the ACL was applied to allow this?
I've received my book on the fundamentals of ASA 5500 series, time to read up on ACLs :-)
Thanks again
Phill
09-02-2020 06:30 AM
Hi Phill,
To make the ICMP ACL you wondered about work, first remove the following lines from the ASA configuration:
icmp permit any echo inside1
icmp permit any echo-reply inside1
icmp permit any echo inside2
icmp permit any echo-reply inside2
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside3
icmp permit any echo-reply inside3
Then add the following lines:
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply
Also bind ACL to the interface with this line
access-group OUT in interface outside
Give it a try and let me know what you get.
Cheers.
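The reply above relies on how an ASA evaluates an interface ACL: entries are checked in configured order, the first match decides, and anything no entry matches is dropped by the implicit deny at the end. The following added example (my own code, not from the thread or from Cisco) parses `access-list NAME extended ...` lines into that model and evaluates constructed sample packets against the two echo/echo-reply entries suggested above, and against the original broader `permit icmp any any` line from the posted config. Only numeric ports and the any/any4, host and net-mask address forms are handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two ACEs proposed above for the outside interface.
ACL_LINES = [
    "access-list OUT extended permit icmp any any echo",
    "access-list OUT extended permit icmp any any echo-reply",
]

@dataclass
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # ICMP type keyword, e.g. "echo-reply"
    dport: Optional[int] = None      # destination port for tcp/udp

def _take_addr(tokens):
    """Consume one address specifier: any/any4, 'host X', or 'NET MASK'."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(lines, name):
    """Parse the extended ACEs of one named ACL, keeping configured order."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = _take_addr(rest), _take_addr(rest)
        qual = {}
        if proto == "icmp" and rest:
            qual["icmp_type"] = rest[0]           # e.g. echo, echo-reply
        elif proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            qual["dport"] = int(rest[1])          # numeric ports only here
        aces.append((action, proto, src, dst, qual))
    return aces

def evaluate(aces, pkt):
    """First matching ACE wins; no match is the ACL's implicit deny."""
    for action, proto, src, dst, qual in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if (ipaddress.IPv4Address(pkt.src) not in src
                or ipaddress.IPv4Address(pkt.dst) not in dst):
            continue
        if "icmp_type" in qual and qual["icmp_type"] != pkt.icmp_type:
            continue
        if "dport" in qual and qual["dport"] != pkt.dport:
            continue
        return action
    return "deny"

def check_outside_acl(acl_lines=ACL_LINES):
    """Evaluate constructed sample packets arriving on the outside interface."""
    aces = parse_acl(acl_lines, "OUT")
    reply = Packet("icmp", "8.8.8.8", "192.168.10.100", icmp_type="echo-reply")
    redirect = Packet("icmp", "8.8.8.8", "192.168.10.100", icmp_type="redirect")
    web = Packet("tcp", "203.0.113.10", "192.168.10.100", dport=80)
    return tuple(evaluate(aces, p) for p in (reply, redirect, web))

if __name__ == "__main__":
    print("echo/echo-reply ACL:", check_outside_acl())
    print("permit icmp any any:", check_outside_acl(["access-list OUT extended permit icmp any any"]))
```

The narrower pair of entries still admits the ping replies while leaving every other ICMP type and all TCP/UDP to the implicit deny, which is the difference between it and the single `permit icmp any any` line in the original config. Note that this models the ACL only; the ASA also applies its security-level rules and connection state before and after the ACL, which `packet-tracer` shows phase by phase.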