1418 Views | 0 Helpful | 6 Replies

how to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

martlee2
Cisco Employee

After trying to set up the access list, it returns drop in packet tracer and cannot ping the outside router either.

Is there a configuration example showing how to allow a subnet of class C IP addresses to surf the internet on a Cisco ASA?

assume all works in GNS3, expect initial network setup too

                                            inside                                                                 outside
router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3

ASA version: 8.42 


When I try the following commands,
 
ASA
 
 
conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
no shut
end
 
 
conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
no shut
end


conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end
 
conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end
 
Router A
 
 
conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end
 
 
Router B
 
 
conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut
end
 
 
ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
 
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside
 
 
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop

6 Replies

Jouni Forss
VIP Alumni

Hi,

 

The first problem with the above pasted configurations is that you are using the same subnet on 2 interfaces. This is probably some configuration that is not applied as a networking device should not even accept those commands. So start by configuring different subnets on the interfaces.

 

The "packet-tracer" fails because you are using an ASA interface IP address as the source. (Destination also seems to be an ASA interface IP address). This will never go through. If you are trying to simulate a user connection going through the ASA then you should use some other source IP address from the subnet 192.168.1.0/24 and also use some different destination IP address than the ASA interface IP address.

 

I would also like to note that the ASA has a built-in limitation that prevents connections from behind an interface to the IP address of another interface. So for example a user behind INSIDE can not connect to the interface IP address of OUTSIDE.

 

I would also suggest that you change your "security-level" value on the INSIDE interface to 100 and to 0 on the interface OUTSIDE. While this value does not matter when using interface ACLs, it's still more logical to use the mentioned values as INSIDE is more secure than OUTSIDE.

 

- Jouni

 

still can not ping between router A and router B

and packet tracer failed

 

Router A#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/221/1024 ms

 

Router A#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Router B#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Router B#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.01.12 21:51:27 =~=~=~=~=~=~=~=~=~=~=~=
packet-tracer input inside tcp 192.168.1.2 1 192.168.1.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ASA-1# 

 

 

                        inside                                    outside
192.168.1.2 router   ---switch--- 192.168.1.1  ASA 192.168.1.4 ---switch---- 192.168.1.3 router 

ASA

conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
end

conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 0
ip address 192.168.1.4 255.255.255.0
no shut
end

Router A

conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut 
end

Router B

conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut 
end

conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end

conf t
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
end

ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.1.3 1

Hi,

 

You CAN NOT have the same subnet 192.168.1.0/24 on 2 different interfaces. The traffic simply can not go through in this situation.

 

You will have to use a different subnet on "inside" and "outside" to make this work. For example leave the subnet 192.168.1.0/24 on the "inside" and configure subnet 192.168.2.0/24 on the "outside".

 

As you can see from the output of the "packet-tracer" the ASA attempts to forward the traffic from "inside" to "inside". This is because you have configured the subnet 192.168.1.0/24. The mask /24 means that all addresses from 192.168.1.1 to 192.168.1.255 are found behind "inside" and therefore they can not be located behind "outside". I am not sure how the same subnet could even be configured on the ASA interfaces.

 

- Jouni
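To make the two points Jouni raises in his replies concrete (the route lookup that sends traffic back out "inside" when both interfaces carry 192.168.1.0/24, and the rule that a flow whose source or destination is an ASA interface address is not a through-the-box connection), here is a small Python model of the ROUTE-LOOKUP phase of packet-tracer. It is an added example written for this thread, not Cisco code and not the poster's configuration; the interface tuples, the verdict strings and the tie-break rule (first configured interface wins an equal-length match) are this example's own assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's ASA interfaces: (nameif, ip/prefix, security-level).
Interface = Tuple[str, str, int]

BROKEN: List[Interface] = [("inside", "192.168.1.1/24", 100),
                           ("outside", "192.168.1.4/24", 0)]   # same /24 on both sides
FIXED: List[Interface] = [("inside", "192.168.1.1/24", 100),
                          ("outside", "192.168.3.4/24", 0)]


def connected_routes(interfaces: List[Interface]):
    """Every interface address contributes one connected route for its subnet."""
    return [(ipaddress.ip_network(cidr, strict=False), name) for name, cidr, _ in interfaces]


def overlapping_interfaces(interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap. A real ASA rejects the second
    'ip address' command in this situation; the check is here so a config can
    be validated before anyone wonders why packet-tracer picks the wrong egress."""
    routes = connected_routes(interfaces)
    pairs = []
    for i in range(len(routes)):
        for j in range(i + 1, len(routes)):
            if routes[i][0].overlaps(routes[j][0]):
                pairs.append((routes[i][1], routes[j][1]))
    return pairs


def route_lookup(interfaces: List[Interface], dst: str) -> Optional[str]:
    """Longest-prefix match over the connected routes. On an equal-length tie the
    first configured interface wins (assumption), which reproduces the
    'in 192.168.1.0 255.255.255.0 inside' line seen in the thread."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in connected_routes(interfaces):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def interface_owning(interfaces: List[Interface], ip: str) -> Optional[str]:
    """Name of the interface whose own address is ip, or None for a host address."""
    for name, cidr, _ in interfaces:
        if ipaddress.ip_interface(cidr).ip == ipaddress.ip_address(ip):
            return name
    return None


def trace_route_phase(interfaces: List[Interface], ingress: str, src: str, dst: str) -> Dict[str, str]:
    """Phase-1 style verdict for a through-the-box flow entering on `ingress`."""
    if interface_owning(interfaces, src):
        return {"result": "DROP",
                "reason": "source is an ASA interface address; use a host behind the interface"}
    owner = interface_owning(interfaces, dst)
    if owner and owner != ingress:
        return {"result": "DROP",
                "reason": f"destination is the {owner} interface address, unreachable from behind {ingress}"}
    egress = route_lookup(interfaces, dst)
    if egress is None:
        return {"result": "DROP", "reason": "no route to destination"}
    if egress == ingress:
        return {"result": "DROP",
                "reason": f"route lookup sends the packet back out {ingress}; it never reaches the other side"}
    return {"result": "ALLOW", "egress": egress}


if __name__ == "__main__":
    print("overlaps (broken):", overlapping_interfaces(BROKEN))
    print("inside -> 192.168.1.3 (broken):", trace_route_phase(BROKEN, "inside", "192.168.1.2", "192.168.1.3"))
    print("inside -> 192.168.3.3 (fixed): ", trace_route_phase(FIXED, "inside", "192.168.1.2", "192.168.3.3"))
    print("inside -> outside IP (fixed):  ", trace_route_phase(FIXED, "inside", "192.168.1.2", "192.168.3.4"))
```

Running it shows the three outcomes the thread walked through: the overlapping design routes 192.168.1.3 back to "inside", the corrected addressing routes 192.168.3.3 to "outside", and a destination equal to the outside interface address is refused even with correct subnets.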

packet tracer allow all

but real ping in Router A and Router B failed

what are missing?

 

                        inside                                                                    outside
192.168.1.2 router   ---switch--- 192.168.1.1  ASA 192.168.3.4 ---switch---- 192.168.3.3 router 

ASA

conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
end

conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 0
ip address 192.168.3.4 255.255.255.0
no shut
end

Router A

conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut 
end

Router B

conf t
int fastEthernet 0/0
ip address 192.168.3.3 255.255.255.0
no shut 
end

conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end

conf t
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
end

packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

 

ESW1#ping 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ESW2#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

                        inside                                                                      outside
192.168.1.2 router   ---switch--- 192.168.1.1  ASA 192.168.3.4 ---switch---- 192.168.3.3 router 

 

ASA-1# ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/234/1110 ms

 

ASA-1# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/20 ms

ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group USERSLIST in interface inside
access-list USERSLIST extended permit ip 192.168.1.0 255.255.255.0 any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network DYNAMIC-PAT
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/255

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


ASA-1# 

Current config cannot ping; one packet tracer allows all, another packet tracer drops.

can not ping between Router A and Router B


ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network DYNAMIC-PAT
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/311

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ASA-1# 

 

ASA-1# sh run |    
: Saved
:
ASA Version 8.4(2) 
!
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0 
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network DYNAMIC-PAT
 subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list ACL-OUTSIDE extended permit icmp any any 
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network DYNAMIC-PAT
 nat (inside,outside) dynamic interface
access-group ACL-OUTSIDE in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
: end

ASA-1# 

Hi,

 

One problem is that you have only allowed "icmp" in the ACL attached to the "outside" interface. This causes the "packet-tracer" to fail as you are simulating a TCP packet with a source port of 1 and a destination port of 1.


If you wanted that traffic to pass then you would need an ACL line (if you want to be really specific)

 

access-list ACL-OUTSIDE permit tcp 192.168.3.0 255.255.255.0 eq 1 192.168.1.0 255.255.255.0 eq 1

 

Though I assume that you want to allow something else perhaps so allow the traffic you need on the ACL and test with those ports when using "packet-tracer" command.

 

Another problem is that you have Dynamic PAT configured from "inside" to "outside". This means that connections can only be initiated from "inside" to "outside". The connection attempt from "outside" to "inside" will initially not match any NAT but the reverse check that the ASA does will match the Dynamic PAT and will drop the connection.

 

If you want to avoid doing NAT between these subnets you can remove all NAT configurations from the device. If you need the Dynamic PAT for something then you would need the following configurations

 

object network SUBNET-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0

 

object network SUBNET-192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0

 

nat (inside,outside) source static SUBNET-192.168.1.0-24 SUBNET-192.168.1.0-24 destination static SUBNET-192.168.3.0-24 SUBNET-192.168.3.0-24

 

This should prevent NAT from being done for traffic directly between these subnets.

 

If you are going to copy/paste some outputs from the device, can you please clean it up a little as it's really hard to make sense of a text that is riddled with "<--- More --->" and unnecessary spaces in between.

 

- Jouni
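The reply above makes two separate points: the interface ACL on "outside" only permits ICMP, so a simulated TCP 1-to-1 packet hits the implicit deny, and the dynamic PAT from "inside" to "outside" makes the ASA refuse outside-initiated flows to the real inside addresses until an identity (twice) NAT rule exempts traffic between the two subnets. The Python below is an added example modelling both checks; it is not Cisco code and not the poster's or Jouni's configuration. The `Ace`/`NatRule` classes, the section-1-before-section-2 ordering, the bidirectional matching of twice NAT, the reverse-check rule and the verdict strings are this example's own assumptions about how the ASA behaves, written to mirror the explanation in the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _in(cidr_or_any: Optional[str], ip: str) -> bool:
    """True when ip falls inside cidr_or_any; None or "any" matches everything."""
    return cidr_or_any in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr_or_any)


@dataclass
class Ace:
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # CIDR or "any"
    dst: str
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None


def acl_check(acl: List[Ace], proto: str, src: str, dst: str,
              sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in(ace.src, src) and _in(ace.dst, dst)):
            continue
        if ace.sport not in (None, sport) or ace.dport not in (None, dport):
            continue
        return "ALLOW"
    return "DROP (implicit deny)"


@dataclass
class NatRule:
    kind: str                     # "identity" (twice NAT, section 1) or "dynamic-pat" (object NAT, section 2)
    real_if: str                  # interface the real addresses sit behind
    mapped_if: str
    real_net: str                 # CIDR of the real addresses
    mapped_ip: Optional[str] = None   # PAT address for dynamic-pat
    dst_net: Optional[str] = None     # destination object for the identity twice-NAT rule


def nat_check(rules: List[NatRule], ingress: str, egress: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Returns (verdict, source address after translation).
    Section 1 (twice NAT) is consulted before section 2 (object NAT), and twice
    NAT rules match in both directions. When nothing matches forward, the reverse
    check asks whether the destination is a real address hidden behind a dynamic
    PAT in the opposite direction; if so the flow is refused (assumption modelled
    on the reply above)."""
    ordered = [r for r in rules if r.kind == "identity"] + [r for r in rules if r.kind == "dynamic-pat"]
    for r in ordered:
        forward = ingress == r.real_if and egress == r.mapped_if and _in(r.real_net, src)
        if r.kind == "identity":
            reverse = ingress == r.mapped_if and egress == r.real_if and _in(r.real_net, dst)
            if (forward and _in(r.dst_net, dst)) or (reverse and _in(r.dst_net, src)):
                return ("ALLOW", src)              # identity NAT: address untouched either way
        elif forward:
            return ("ALLOW", r.mapped_ip)          # dynamic PAT behind the outside interface address
    for r in rules:
        if r.kind == "dynamic-pat" and ingress == r.mapped_if and egress == r.real_if and _in(r.real_net, dst):
            return ("DROP (reverse NAT check matched dynamic PAT)", None)
    return ("ALLOW", src)                          # no NAT rule applies to this flow


# Constructed inputs mirroring the thread's running config and Jouni's suggestions.
ACL_OUTSIDE = [Ace("icmp", "any", "any")]
ACL_OUTSIDE_WITH_TCP1 = ACL_OUTSIDE + [Ace("tcp", "192.168.3.0/24", "192.168.1.0/24", sport=1, dport=1)]
PAT = NatRule("dynamic-pat", "inside", "outside", "192.168.1.0/24", mapped_ip="192.168.3.4")
IDENTITY = NatRule("identity", "inside", "outside", "192.168.1.0/24", dst_net="192.168.3.0/24")


def trace_from_outside(acl: List[Ace], rules: List[NatRule], proto: str, sport: int, dport: int) -> List[str]:
    """Phase list for the thread's 'packet-tracer input outside' test (192.168.3.3 -> 192.168.1.2)."""
    phases = [f"ACCESS-LIST: {acl_check(acl, proto, '192.168.3.3', '192.168.1.2', sport, dport)}"]
    if phases[-1].endswith("ALLOW"):
        phases.append(f"NAT: {nat_check(rules, 'outside', 'inside', '192.168.3.3', '192.168.1.2')[0]}")
    return phases


if __name__ == "__main__":
    print(trace_from_outside(ACL_OUTSIDE, [PAT], "tcp", 1, 1))               # stops at the ACL
    print(trace_from_outside(ACL_OUTSIDE_WITH_TCP1, [PAT], "tcp", 1, 1))     # passes ACL, dies at NAT
    print(trace_from_outside(ACL_OUTSIDE_WITH_TCP1, [PAT, IDENTITY], "tcp", 1, 1))
    print(nat_check([PAT, IDENTITY], "inside", "outside", "192.168.1.2", "203.0.113.10"))  # PAT still used elsewhere
```

The last call shows why the identity rule is the right fix when the PAT is still needed: traffic between the two subnets passes untranslated in both directions, while an inside host reaching any other destination is still PATed to 192.168.3.4.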
