inside to outside

josephschung
Level 1

I am setting up a pair of 5520s in A/S mode, but the traffic from inside to outside seems blocked somehow.

asa01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname asa01
enable password LFJ8dTG1HExu/pWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.2 255.255.255.0 standby 10.10.20.3
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone HKST 8
object network 10-10-20-0
 subnet 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp 10.10.20.0 255.255.255.0 any
access-list global_access extended permit icmp any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover mac address GigabitEthernet0/0 00a0.c969.87c8 00a0.c918.95d8
failover mac address GigabitEthernet0/1 00a0.c969.87c7 00a0.c918.95d7
failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic 10-10-20-0 interface dns
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.10.20.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username gzobs password tj5.T4O6TYbatGk2 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8ff10c17e565a87f0b3f6ab11ce7c5ac
: end
gzasa01#

Based on the above configuration, I still cannot ping or http. Any idea?

Thanks!


Jennifer Halim
Cisco Employee

Both your outside and inside interfaces are private IPs, so when you say traffic from inside to outside does not work, do you mean towards the Internet? And who is NATing it for you?

From the inside host, can you ping 10.10.10.1?

I have not got the real IPs yet, so I put a private IP on the outside interface too.

The inside hosts cannot ping/http to 10.10.10.1, which is the outside switch VLAN IP.

Thank you.

Actually, can you please remove the following:

no nat (inside,outside) source dynamic 10-10-20-0 interface dns

And configure the following instead:

object network obj-10.10.20.0

     subnet 10.10.20.0 255.255.255.0

     nat (inside,outside) dynamic interface

Then "clear xlate", and try to ping/telnet/http to the switch (10.10.10.1)

Still does not work. Any idea? Thanks!

gzasa01# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 10-10-20-0 interface
    translate_hits = 0, untranslate_hits = 0

Nat configuration:

.

.

.

object network 10-10-20-0
subnet 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp 10.10.20.0 255.255.255.0 any
access-list global_access extended permit icmp any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover mac address GigabitEthernet0/0 00a0.c969.87c8 00a0.c918.95d8
failover mac address GigabitEthernet0/1 00a0.c969.87c7 00a0.c918.95d7
failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic 10-10-20-0 interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00

I don't see any of the changes to the config that I suggested earlier. You still have exactly the same config as before?

Also, the host that you are trying to ping from, I assume that its default gateway is configured as the ASA inside interface? Are you able to ping the ASA inside interface?

Inside switch VLAN 20: 10.10.20.1

Inside ASA: primary 10.10.20.2 and standby .3

Outside switch VLAN 10: 10.10.10.1

Outside ASA: primary 10.10.10.2 and standby .3

My client is 10.10.20.11, which is provided by DHCP on the inside switch. Now it tries to ping/http 10.10.10.1. All fail!

This time the config is changed, so please see below... but the results are still the same.

gzasa01# sh run | b object
object network 10-10-20-0
subnet 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.20.0 255.255.255.0
access-list ICMP standard permit 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp 10.10.20.0 255.255.255.0 any
access-list global_access extended permit icmp any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover mac address GigabitEthernet0/0 00a0.c969.87c8 00a0.c918.95d8
failover mac address GigabitEthernet0/1 00a0.c969.87c7 00a0.c918.95d7
failover interface ip folink 1.1.1.1 255.255.255.0 standby 1.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network 10-10-20-0
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.10.20.0 255.255.255.0 inside
telnet timeout 5
gzasa01#
gzasa01# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic 10-10-20-0 interface
    translate_hits = 0, untranslate_hits = 0
gzasa01#

Also, some ASDM log below FYI.

6|Mar 04 2011 10:02:18|725001: Starting SSL handshake with client inside:10.10.20.11/4300 for TLSv1 session.
6|Mar 04 2011 10:02:18|725002: Device completed SSL handshake with client inside:10.10.20.11/4300
6|Mar 04 2011 10:02:18|605005: Login permitted from 10.10.20.11/4300 to inside:10.10.20.2/https for user "gzobs"
6|Mar 04 2011 10:02:18|725007: SSL session with client inside:10.10.20.11/4300 terminated.
6|Mar 04 2011 10:02:18|302014: Teardown TCP connection 68 for inside:10.10.20.11/4300 to identity:10.10.20.2/443 duration 0:00:00 bytes 12989 TCP Reset-O
6|Mar 04 2011 10:02:18|106015: Deny TCP (no connection) from 10.10.20.11/4300 to 10.10.20.2/443 flags FIN ACK  on interface inside
6|Mar 04 2011 10:02:28|302013: Built inbound TCP connection 69 for inside:10.10.20.11/4301 (10.10.20.11/4301) to identity:10.10.20.2/443 (10.10.20.2/443)
6|Mar 04 2011 10:02:28|725001: Starting SSL handshake with client inside:10.10.20.11/4301 for TLSv1 session.
6|Mar 04 2011 10:02:28|725002: Device completed SSL handshake with client inside:10.10.20.11/4301
6|Mar 04 2011 10:02:28|605005: Login permitted from 10.10.20.11/4301 to inside:10.10.20.2/https for user "gzobs"
6|Mar 04 2011 10:02:28|725007: SSL session with client inside:10.10.20.11/4301 terminated.
6|Mar 04 2011 10:02:28|302014: Teardown TCP connection 69 for inside:10.10.20.11/4301 to identity:10.10.20.2/443 duration 0:00:00 bytes 12936 TCP Reset-O
6|Mar 04 2011 10:02:28|106015: Deny TCP (no connection) from 10.10.20.11/4301 to 10.10.20.2/443 flags FIN ACK  on interface inside
5|Mar 04 2011 10:03:12|111008: User 'enable_15' executed the 'clear xlate' command.
5|Mar 04 2011 10:03:18|111001: Begin configuration: console writing to memory
5|Mar 04 2011 10:03:23|111004: console end configuration: OK
5|Mar 04 2011 10:03:23|111008: User 'enable_15' executed the 'write' command.
5|Mar 04 2011 10:03:23|111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'write'

Thanks a lot Jennifer!

Can you please check whether the ping actually arrives at the ASA inside interface?

I don't see any attempt to reach 10.10.10.1 at all in the logs provided.

I would suggest that you run a packet capture on the ASA inside interface to see whether the ping actually makes it to the ASA.

Hi Jennifer,

The inside subnet is 10.10.20.0. There is no problem for a PC on the inside pinging the inside VLAN IPs.

10.10.10.0 is the outside subnet. Again, there is no problem for a PC on the outside pinging the outside VLAN IPs.

Yes, I have never been able to ping 10.10.10.1 (outside) from 10.10.20.0 (inside).

The NAT hit count is zero. I believe the problem is caused by NAT, though I do not see any problem with the commands.

Any idea? Thanks.

The reason you can ping the ASA inside interface from 10.10.20.0 is that they are directly connected and in the same subnet, and the same goes for the outside interface. When you try to ping across the ASA from inside to outside, the subnet is different, hence you need to check whether the default gateway is set correctly, etc. However, the way to confirm that the packet is actually getting to the ASA when you ping from an inside host to an outside host is to do a packet capture on the ASA inside interface. This will confirm that the packet arrives at the ASA. The NAT translation has no hit count, which typically means that the ASA is not even seeing the packet or is somehow dropping it. So to confirm, please run a packet capture as you test the ping.
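
The capture-then-simulate sequence the reply above asks for, written out as an added example; it is not part of the original thread or of Cisco's posted text. It assumes the addressing the poster gave (client 10.10.20.11 behind inside, target 10.10.10.1 on outside, ASA inside address 10.10.20.2) and is typed at privileged EXEC on the active unit. The capture is filtered to the one flow so the buffer is not filled by the HTTPS/ASDM sessions visible in the poster's ASDM log, and the asp-drop capture shows whether the ASA itself discarded anything.

```cisco
! Added troubleshooting example, not from the original thread.
! Assumes: client 10.10.20.11 (inside) pinging 10.10.10.1 (outside).

! 1. Does the echo request reach the inside interface at all?
capture capin interface inside match icmp host 10.10.20.11 host 10.10.10.1
capture drops type asp-drop all
! ... run the ping from 10.10.20.11 now ...
show capture capin
show capture drops | include 10.10.20.11
! Empty capin plus translate_hits = 0 in "show nat" means the ASA never saw
! the packet: check the host's default gateway (it should be 10.10.20.2) and
! the inside switch, not the ASA policy.

! 2. Simulate the same echo request through the ASA policy (ACL, NAT, route)
!    to confirm the posted config would pass it once it does arrive.
packet-tracer input inside icmp 10.10.20.11 8 0 10.10.10.1 detailed
! Expect "Result: ALLOW" in every phase; the NAT phase should match the
! 10-10-20-0 object and translate the source to the outside interface address.

! 3. Once traffic flows, the counters and the xlate table should move.
show nat
show xlate
show arp | include 10.10.10.1

! 4. Clean up.
no capture capin
no capture drops
```

Two things worth noting against the posted configuration while doing this: the global_policy has no `inspect icmp`, so the echo replies are not tracked as a connection and come back in through the outside ACL (here permitted by `permit icmp any any`); adding `inspect icmp` under `class inspection_default` makes ICMP stateful and lets that inbound rule go. And `access-group global_access global` with `permit ip any any` overrides the per-interface ACL semantics for everything not matched on an interface ACL, which is fine for a lab but should not survive into production.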

The packet capture shows that packets are not even reaching the inside interface. The truth is I made a silly mistake and pointed the default gateway wrongly. Sorry for the trouble, and thanks again for your help.

Enjoy the day!
