Help with ASA 5510 Configuration

Catch22_M
Level 1

Hi!  I'm having a problem configuring an ASA 5510.  A previous employee started the config and left abruptly.  He established a VPN tunnel between two of our sites and that's working without an issue.  The problem is, the network behind the 5510 at the remote location cannot access the internet.  I'm new to the ASA and I've spent a LOT of hours looking at this and I'm almost ready to join the previous guy!  I'm sure it's a really simple problem, but I keep overlooking it.   Any help would be appreciated, the config is as follows…

ASA Version 8.2(1)
!
hostname PH-Firewall
domain-name pleasehelpme.com
enable password HXrQty4kqW8s8yeE encrypted
passwd ucA.qrYJWD9UyIFz encrypted
names
name 67.XXX.XX.XX gateway description default gateway
name 39.105.XX.XX pleasehelp_fw description pleasehelp firewall
name 10.100.1.0 pleasehelp_lan description chicago LAN
name 10.50.40.0 tps_lan description tps LAN
!
interface Ethernet0/0
 nameif Public
 security-level 0
 ip address 67.XXX.XXX.XX 255.255.255.240
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 10.50.40.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name pleasehelp.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
access-list pleasehelp_atl extended permit ip pleasehelp_lan 255.255.255.0 tps_lan 255.255.255.0
access-list pleasehelp_atl extended permit ip tps_lan 255.255.255.0 pleasehelp_lan 255.255.255.0
access-list pleasehelp_atl extended permit icmp tps_lan 255.255.255.0 pleasehelp_lan 255.255.255.0
access-list pleasehelp_atl extended permit icmp pleasehelp_lan 255.255.255.0 tps_lan 255.255.255.0
access-list Public_access_in extended permit object-group DM_INLINE_PROTOCOL_1 pleasehelp_lan 255.255.255.0 tps_lan 255.255.255.0
access-list Public_access_in extended permit ip tps_lan 255.255.255.0 any
access-list Public_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any any
access-list Internal_access_in extended permit ip any any
access-list outside_access_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Public 1500
mtu Internal 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Public) 10 interface
global (Internal) 101 interface
nat (Internal) 0 access-list inside_nat0_outbound
nat (Internal) 101 0.0.0.0 0.0.0.0
access-group Public_access_in in interface Public
access-group Internal_access_in in interface Internal
route Public 0.0.0.0 0.0.0.0 tps_gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http tps_lan 255.255.255.0 Internal
http pleasehelp_fw 255.255.255.255 Public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map pleasehelp_atl 1 match address pleasehelp_atl
crypto map pleasehelp_atl 1 set peer pleasehelp_fw
crypto map pleasehelp_atl 1 set transform-set FirstSet
crypto map pleasehelp_atl interface Public
crypto isakmp enable Public
crypto isakmp enable Internal
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 4320
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh pleasehelp_fw 255.255.255.255 Public
ssh tps_lan 255.255.255.0 Internal
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 128.138.140.44 source Public
ntp server 64.90.182.55 source Public
ntp server 96.47.67.105 source Public
ntp server 24.56.178.140 source Public prefer
webvpn
vpn-idle-timeout none
tunnel-group 39.105.0.30 type ipsec-l2l
tunnel-group 39.105.0.30 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:4d9389e9520e98a2a0f1fa462739c03f
: end

12 Replies

Julio Carvajal
VIP Alumni

Hello Catch22,

Please remove the following:

no global (Internal) 101 interface

no global (Public) 10 interface

and add the following:

global (public) 101 interface

With this you should be able to go out, you were missing the proper Nat and Global command,

Please let me know if this works, if not we can create some captures and packet-tracers but I think this is gonna work.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Still no dice.  I removed those lines and added the one you suggested, but I'm still unable to get to the internet from those servers.  The ASA hits the internet fine.

Just for testing purposes, can you tell me the IP address of one of the PCs from which you are trying to access the internet?

Thanks,

Varun

Thanks,
Varun Rao

Hi,

If we fix it, we will break your L2L tunnel, look at this statement:

nat (Internal) 0 access-list inside_nat0_outbound

Now look at the ACL

access-list inside_nat0_outbound extended permit ip any any

This is saying: don't do NAT at all. This line will take precedence over the ones that jcarvaja gave you. I need the following info in order to fix the internet and not break the VPN:

Source Network for VPN traffic

Destination Network for VPN traffic

Once you have this you can do the following:

access-list inside_nat0_outbound extended permit

That way, it won't do NAT only if they are going through the VPN; if not going across the VPN, it will take the lines jcarvaja told you.

Mike

Absolutely, I agree with Mike. You need to do as he said, and that's why I needed a test PC IP. If you want to verify whether it is this NAT statement causing the issue (which I am very sure of), let's say you are testing from IP 10.1.1.1, then add an ACL:

access-list inside_nat0_outbound line 1 extended deny ip host 10.1.1.1 any

and test the internet after that from the PC 10.1.1.1; you would see it connecting.

Which means you have a very open ACL and you need to first define the VPN traffic and only create an ACL and NAT statement specific for that traffic rather than ip any any.

Thanks,

Varun

Thanks,
Varun Rao

Wow!  Thanks for the responses, guys!  I'm going to try this right now....just so I'm clear....

I need to remove these statements....

nat (Internal) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any any

and add this one...

access-list inside_nat0_outbound extended permit

I'll report back when it's done.  Thanks again!!

Absolutely, do let us know

-Varun

Thanks,
Varun Rao

In order to not break the VPN it would be like this,

access-list inside_nat0_outbound extended permit

no access-list inside_nat0_outbound extended permit ip any any

Then with the changes you previously did with jcarvaja, you should bring your internet up.

Mike

Still can't hit the internet...here's the revised config with IP info....

ASA Version 8.2(1)
!
hostname fw-1
domain-name pleasehelp.com
enable password HXrQty4kqW8s8yeE encrypted
passwd ucA.qrYJWD9UyIFz encrypted
names
name 75.61.244.81 pts_gateway description pts default gateway
name 59.51.16.30 pleasehelp_fw description pleasehelp firewall
name 10.100.1.0 pleasehelp_lan description Atlanta LAN
name 10.100.20.0 pts_lan description pts LAN
!
interface Ethernet0/0
 nameif Public
 security-level 0
 ip address 75.61.244.84 255.255.255.240
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 10.100.20.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name pleasehelp.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
access-list pleasehelp_atl extended permit ip pleasehelp_lan 255.255.255.0 pts_lan 255.255.255.0
access-list pleasehelp_atl extended permit ip pts_lan 255.255.255.0 pleasehelp_lan 255.255.255.0
access-list pleasehelp_atl extended permit icmp pts_lan 255.255.255.0 pleasehelp_lan 255.255.255.0
access-list pleasehelp_atl extended permit icmp pleasehelp_lan 255.255.255.0 pts_lan 255.255.255.0
access-list Public_access_in extended permit object-group DM_INLINE_PROTOCOL_1 pleasehelp_lan 255.255.255.0 pts_lan 255.255.255.0
access-list Public_access_in extended permit ip pts_lan 255.255.255.0 any
access-list Public_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit tcp pts_lan 255.255.255.0 pleasehelp_lan 255.255.255.0
access-list Internal_access_in extended permit ip any any
access-list outside_access_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Public 1500
mtu Internal 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Public) 101 interface
access-group outside_access_out in interface Public
access-group Internal_access_in in interface Internal
route Public 0.0.0.0 0.0.0.0 pts_gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http pts_lan 255.255.255.0 Internal
http pleasehelp_fw 255.255.255.255 Public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map pleasehelp_atl 1 match address pleasehelp_atl
crypto map pleasehelp_atl 1 set peer pleasehelp_fw
crypto map pleasehelp_atl 1 set transform-set FirstSet
crypto map pleasehelp_atl interface Public
crypto isakmp enable Public
crypto isakmp enable Internal
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 4320
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh pleasehelp_fw 255.255.255.255 Public
ssh pts_lan 255.255.255.0 Internal
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 128.138.140.44 source Public
ntp server 64.90.182.55 source Public
ntp server 96.47.67.105 source Public
ntp server 24.56.178.140 source Public prefer
webvpn
tunnel-group 59.51.16.30 type ipsec-l2l
tunnel-group 59.51.16.30 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:6782022c779cdee5e7fff215d54570bc
: end

You need to add this as well:

nat (Internal) 101 0.0.0.0 0.0.0.0

Thanks,

Varun

Thanks,
Varun Rao
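The whole thread turns on ASA 8.2 NAT order of operations: the `nat (Internal) 0 access-list` exemption is evaluated before any dynamic `nat`/`global` pair (Mike's point above), and once the exemption is narrowed to VPN traffic, internet-bound traffic still needs a `nat (Internal) 101` entry matched by `global (Public) 101`, or `nat-control` drops it (Varun's final fix). The following is an added example, not code from the thread, from Cisco, or from any poster: a small Python model of that decision, run against the four config states the thread passes through. It deliberately simplifies: protocol is ignored (the posted revised exemption line matches tcp only), only globals on Public are modelled, and the host and internet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

# Addresses taken from the revised config posted in the thread.
PTS_LAN = Net("10.100.20.0/24")        # pts_lan, behind Internal
PLEASEHELP_LAN = Net("10.100.1.0/24")  # pleasehelp_lan, far side of the L2L tunnel
PUBLIC_IP = "75.61.244.84"             # ip address of Ethernet0/0 (Public)


@dataclass(frozen=True)
class Ace:
    """One extended ACE reduced to action/source/destination; protocol is ignored here."""
    action: str
    src: Net
    dst: Net


def acl_permits(acl, src, dst):
    """ASA ACL semantics: the first matching entry decides, implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class Asa82Nat:
    """The 8.2 NAT statements that decide the fate of Internal -> Public traffic."""
    nat_control: bool          # nat-control
    exempt_acl: tuple          # nat (Internal) 0 access-list <acl>; () when no nat 0 line exists
    nat_ids: frozenset         # ids from nat (Internal) <id> 0.0.0.0 0.0.0.0
    public_globals: frozenset  # ids from global (Public) <id> interface
    crypto_acl: tuple          # crypto map ... match address <acl>


def egress(cfg, src, dst):
    """Return (verdict, source address as seen leaving Public).

    NAT exemption is consulted before any dynamic nat/global pair, so a
    'permit ip any any' exemption shadows every other NAT rule.
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if acl_permits(cfg.exempt_acl, src, dst):
        if acl_permits(cfg.crypto_acl, src, dst):
            return ("exempt-vpn", str(src))    # untranslated, encrypted into the tunnel: intended
        return ("exempt-no-nat", str(src))     # untranslated private source sent to the internet: broken
    # Dynamic PAT needs a nat id on Internal with a global of the same id on Public.
    if cfg.nat_ids & cfg.public_globals:
        return ("pat", PUBLIC_IP)
    if cfg.nat_control:
        return ("drop-nat-control", None)      # no translation found, nat-control drops it
    return ("no-nat", str(src))


EXEMPT_ALL = (Ace("permit", ANY, ANY),)
EXEMPT_VPN = (Ace("permit", PTS_LAN, PLEASEHELP_LAN),)
CRYPTO_ACL = (Ace("permit", PTS_LAN, PLEASEHELP_LAN),)

# The four states the thread walks through.
ORIGINAL = Asa82Nat(True, EXEMPT_ALL, frozenset({101}), frozenset({10}), CRYPTO_ACL)
AFTER_JULIO = Asa82Nat(True, EXEMPT_ALL, frozenset({101}), frozenset({101}), CRYPTO_ACL)
REVISED_POST = Asa82Nat(True, EXEMPT_VPN, frozenset(), frozenset({101}), CRYPTO_ACL)
FINAL = Asa82Nat(True, EXEMPT_VPN, frozenset({101}), frozenset({101}), CRYPTO_ACL)

# Constructed hosts: a server on pts_lan, a TEST-NET-3 internet address, a host on the far LAN.
HOST, INTERNET, REMOTE = "10.100.20.25", "203.0.113.10", "10.100.1.10"


def walk_thread():
    """Evaluate internet-bound and VPN-bound traffic against each config state."""
    states = {"original": ORIGINAL, "after_julio": AFTER_JULIO,
              "revised_post": REVISED_POST, "final": FINAL}
    return {name: {"internet": egress(cfg, HOST, INTERNET)[0],
                   "vpn": egress(cfg, HOST, REMOTE)[0]}
            for name, cfg in states.items()}


if __name__ == "__main__":
    for name, result in walk_thread().items():
        print(f"{name:13s} internet={result['internet']:18s} vpn={result['vpn']}")
```

Running it shows why each intermediate step left the internet down: the first two states exempt everything from NAT, so internet traffic leaves with a private source; the revised post narrows the exemption but has no `nat (Internal) 101` left for the `global (Public) 101` to pair with, so `nat-control` drops the traffic; only the final state PATs internet traffic to the Public address while VPN traffic stays exempt.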

WOOOOO HOOOOO!! That got it! Thanks guys!  I owe you all alcohol!!!  Thanks again!!

No worries

You can mark the thread as answered if everything is resolved and do rate helpful posts.

Cheersss

Varun

Thanks,
Varun Rao