09-11-2015 01:00 AM - edited 03-11-2019 11:35 PM
After puzzling for a week, reading articles on various websites and reading similar topics of others on this community, I have decided to create a new topic in the hope that someone is able to help me by pinpointing what I am doing wrong. (I do not want to hijack a topic started by someone else.)
My set up is straight forward. All my computers, servers and such are connected to (managed) switches and wireless access points. These are in turn connected to a (wireless) router. This router was directly connected to my modem and everything was working well.
Now I am trying to add a Cisco ASA 5505 to my network, which I would like to place in between my modem and my router, but doing so currently breaks the connection to the internet for all my devices.
The last progress which I was able to make, is that I am now able to ping 8.8.8.8 for example from any device, but browsing the internet still does not work. I cannot ping google.com for example from any device. From my Cisco ASA 5505 however, I can ping both 8.8.8.8 and google.com without any issues.
My last configuration changes are listed below:
access-list outside_access_out extended permit icmp any any echo
access-list outside_access_out extended permit icmp any any echo-reply
access-list outside_access_out extended permit icmp any any time-exceeded
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
In the command above, xxx.xxx.xxx.xxx is the IP address of the gateway of my provider, which I managed to grab via the command show ip address outside dhcp lease (which was a pain to find out, as this was not mentioned anywhere where I had looked).
Also, I ran access-list global_access extended permit ip any any the other day, as the packet tracer reported an implicit deny due to an existing default rule.
I hope that someone can point me in the right direction to get this issue solved.
Please find below my full, sanitized configuration:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
!
ASA Version 9.1(6) 
!
hostname xxxxxxxx
domain-name xxxxxxxx.xxx
enable password xxxxxxxx.xxxxxx/ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxx.xxxxxx/ encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private Interface
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0 
!
interface Vlan2
 description Public Interface
 mac-address xxxx.xxxx.xxxx (I have to fake the MAC address to match that of the WAN port on my router because of my ISP)
 nameif outside
 security-level 0
 ip address dhcp setroute (It seems like this only sets the default route for the Cisco ASA 5505 itself and not for the devices behind it)
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone CEST 1 (ASDM does not seem to know this timezone, only GMT plus and minus timezones)
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4 (I have omitted the two DNS servers from my ISP which are the third and fourth on this list)
 domain-name xxxxxxxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip any any (I used to have separate TCP, UDP and ICMP rules, but if I am not mistaken IP covers all of those?)
access-list inside_access_out extended permit ip any any
access-list outside_access_in extended permit tcp any host 10.0.0.x eq www (I have a web server which should be reachable from the internet)
access-list outside_access_in extended permit tcp any host 10.0.0.x eq https 
access-list outside_access_in extended permit icmp any any echo 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit tcp any any eq sip 
access-list outside_access_out extended permit tcp any any 
access-list outside_access_out extended permit udp any any eq ntp 
access-list outside_access_out extended permit icmp any any echo 
access-list outside_access_out extended permit icmp any any echo-reply 
access-list outside_access_out extended permit icmp any any time-exceeded 
access-list outside_access_out extended permit icmp any any unreachable 
access-list outside_access_out extended permit udp any any range 33434 33523 (To allow ping via UDP)
access-list global_access extended permit ip any any (Added to counter the default deny rule; is this even safe to do?)
no pager
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 50 burst-size 1 (I see a rate limit of 1 too; what should I use 50 or 1?)
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 (Using the gateway IP address which my modem supplied via DHCP)
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization exec LOCAL auto-enable
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0 (Not safe, I know, but only here until I get this issue solved)
management-access inside
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd update dns both override (Something which I added through ASDM in the hope it would solve this issue, but it did not help)
!
dhcpd address 10.0.0.193-10.0.0.254 inside
dhcpd lease 1048575 interface inside
dhcpd domain xxxxxxxx.xxx interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.xxx source outside (Public internet NTP servers)
ntp server xxx.xxx.xxx.xxx source outside
username xxxxxxxx password xxxxxx/xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
 class class-default
  set connection decrement-ttl (To get the Cisco ASA 5505 to show up on a trace route)
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
 
					
				
		
09-12-2015 12:41 PM
Hi,
I am assuming as per the description above:-
1) Internal PC are able to ping the DNS server configured on the ASA device for the DNS resolution.
Have you checked what is the DNS server configured on the PC ?
Also , simplify this configuration as below:-
interface Vlan2
 description Public Interface
 mac-address xxxx.xxxx.xxxx (not required)
 nameif outside
 security-level 0
 ip address dhcp setroute 
Remove the Statically configured default gateway:-
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 (Using the gateway IP address which my modem supplied via DHCP)
Also , remove these access groups:-
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
After this run a packet tracer from the Inside to outside and post that:-
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia
09-14-2015 06:21 AM
Thank you for your reply Vibhor, it is appreciated.
I have since updated my Cisco ASA 5505 to version 9.2.4, cleared the configuration and started over, leaving out the route outside and access-groups on the inside interface, as you suggested.
I will test the current configuration this evening and I will let you know the outcome.
If I recall correctly, computers would get the IP address of the router as their primary DNS and 8.8.8.8 as their secondary DNS, both dynamically assigned.
The router would have the private IP address of my Cisco ASA 5505 as its primary DNS and 8.8.8.8 as its secondary DNS, both statically assigned.
What I want to do this evening is connect the Cisco ASA 5505 to the modem again, but instead of connecting a router to it, I will first test with a computer directly connected, to see if the firewall or the router is to blame.
As for the MAC address of the public interface, I have to spoof this as my ISP requires any new device connected to the modem to follow a web based set up before it is allowed to connect to the internet. New devices are recognized by their MAC address. By spoofing the MAC address, the Cisco ASA 5505 is not seen as a new device, but as the router which used to be connected to the modem, so spoofing the MAC address is required.
Hopefully the packet tracer will run fine this evening. Fingers crossed.
09-16-2015 12:49 AM
I have managed to get my configuration working now, but I wonder if I have not made any mistakes regarding the security. Various things are unclear to me.
The following entries which were present in my first configuration are now missing in my new configuration. I never added them myself to my first configuration, so now I wonder if these are required or not? I have read about per-session and multi-session PAT, but it has not helped me much.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
The following object group was also automatically created in my first configuration, but this is also missing in my new configuration. What does this do and is this required?
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
Is it safe to have both these rules in my configuration? If so, if I understood correctly, "ip" would sum these up, so maybe it is better to create one rule to "permit ip any any"?
access-list outside_access_out extended permit tcp any any
access-list outside_access_out extended permit udp any any
I created the following rule in my first configuration and I have added it again in my new configuration, but is this safe? To what is this rule applied; to both inbound and outbound traffic?
access-list global_access extended permit ip any any
Also, I forgot to run the following command in my current configuration I believe. Does that matter? Does the rule above even do something now then?
access-group global_access global
The following command was missing in my first configuration and I have added it to my new configuration. I have no idea if this is even required though?
nat (inside,outside) source dynamic any interface
Below is a default rule which was present in my first configuration, but which is missing in my new configuration. Should I still add it?
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
SSH host key checking for SCP was enabled by default in my first configuration, but in the new configuration is was set to disabled automatically. Should I enable it still?
ssh stricthostkeycheck
The following DHCPD commands have not been added to my new configuration. Is it better to add these still? I do not quite understand what these would do.
dhcpd update dns both override
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
What does "user-statistics-accounting" do? It is not present anymore in my new configuration.
policy-map global_policy
 class class-default
  user-statistics accounting
Below the full new configuration.
HOSTNAME(config)# show running-config
: Saved
:
: Serial Number: XXXXXXXXXXX
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname HOSTNAME
domain-name XXXXXXXX.XXX
enable password XXXXXXXX.XXXXXX/ encrypted
passwd XXXXXXXX.XXXXXX/ encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private Interface
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 description Public Interface
 mac-address XXXX.XXXX.XXXX
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 name-server XXX.XXX.XXX.XXX
 name-server XXX.XXX.XXX.XXX
 name-server XXX.XXX.XXX.XXX
 domain-name XXXXXXXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq https
access-list outside_access_in extended permit udp any host XXX.XXX.XXX.XXX eq 3391
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_out extended permit icmp any any echo
access-list outside_access_out extended permit icmp any any echo-reply
access-list outside_access_out extended permit icmp any any time-exceeded
access-list outside_access_out extended permit icmp any any unreachable
access-list outside_access_out extended permit tcp any any
access-list outside_access_out extended permit udp any any
access-list outside_access_out extended permit udp any any eq ntp
access-list outside_access_out extended permit udp any any range 33434 33523
access-list global_access extended permit ip any any
no pager
logging enable
logging timestamp
no logging hide username
logging buffer-size 16384
logging console errors
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 10.0.0.193-10.0.0.254 inside
dhcpd domain XXXXXXXX.XXX interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server XXX.XXX.XXX.XXX source outside
ntp server XXX.XXX.XXX.XXX source outside
username XXXXXXXX password XXXXXX/XXXXXXXXX encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide