Yesterday, a very strange incident occurred, which led to the partial loss of my ASA5540 configuration. The building in which our servers are housed, suffered a power outage of some type, and when the power came back on, and the ASA5540 rebooted, it kept trying to load an older binary, asa803-k8.bin, in a continuous loop. I drove out there to inspect what was happening, and found that the BOOT variable was setup to "try" the older version first, then the newer version (asa917-32-k8.bin). Unfortunately, it would never try the new version, and instead would just keep failing on the older version. Not sure how all of this came to be, but I couldn't resolve getting out of the loop until I pressed <ESC> to break out of it, and into the ROMMON. Then, at the ROMMON, I typed "boot help", and it then loaded an even older version of the IOS, asa722-k8.bin. When that happened, the existing configuration changed dramatically, and I lost most of my configuration. I figured out how to change the BOOT variable so that only the newest IOS would load, but my configuration is still mostly gone. I have cut and paste it here, to try to see if I can get some help as to why when this is loaded, I cannot gain access to the Internet. I can ping outside, but none of my servers on the inside can gain internet access. I believe it must have something to do with NAT. I also lost most of my ACL list that I had built up for access into the servers. Here is the configuration file, as it now exists, with some of the IPs masked for privacy:
ciscoasa5540(config)# show config
: Saved
:
: Serial Number: JMX1112L1JH
: Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
: Written by enable_15 at 14:50:20.086 UTC Sat Jul 25 2020
!
ASA Version 9.1(7)32
!
hostname ciscoasa5540
domain-name edenxxx.net
enable password Vkz0vtCccFeMll8t encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
passwd Vkz0vtCccFeMll8t encrypted
names
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
name 10.1.252.245 DNS-Server description Primary DNS Server (91)
name 10.1.252.190 VM-HyperV-Port4 description Ethernet Port 4 for VM Machine (87)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.xx.xx.90 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.252.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone UTC -8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server DNS-Server
name-server 8.8.8.8
domain-name edenhosting.net
object network VM-HyperV-Port4
host 10.1.252.190
description Created during name migration
object network WebServerIIS10_1
host 10.1.252.250
description Created during name migration
object-group network IIS85Server
object-group network WebServerIIS80
object-group network WebServerIIS10
object-group network Sendmail
object-group network DNS-Server
object-group network DRAC-VirtualServer
object-group network SQLServer
object-group network ExchangeServer
object-group network NAS
access-list outside_access_in extended deny ip 51.222.38.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 212.70.149.0 255.255.255.0 any4
access-list outside_access_in extended permit icmp any4 any4 echo-reply
<THIS IS WHERE ALL OF MY FORMER ACLs USED TO BE AND ARE NOW GONE>
access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object VM-HyperV-Port4 eq 3395
access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object WebServerIIS10_1 eq 3395
access-list outside_access_in extended permit tcp xx.xx.247.0 255.255.255.0 object WebServerIIS10_1 eq 3389
pager lines 24
logging enable
logging asdm informational
logging from-address support@edenxxxx.net
logging recipient-address support@edenxxxx.net level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.xx.xx.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 management
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
<Not Shown>
quit
telnet 10.1.252.0 255.255.255.0 inside
telnet timeout 10
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server WebServerIIS80 source inside prefer
!
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect ip-options
policy-map type inspect dns DNS-MediumSecurityLevel
parameters
message-length maximum 512
id-randomization
id-mismatch action log
tsig enforced action log
policy-map type inspect esmtp ExtendedSMTP
parameters
no allow-tls
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
drop-connection log
!
service-policy global_policy global
smtp-server 10.1.252.219 10.1.252.250
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f73b354382ad78753d07db0c1d94e1e5
Unfortunately, I do not know how to view the contents of that file. I do have access to the firewall via ADSM.
To get the servers back up and running, I put our old Cisco PIX 515E back in, and we are up for now, but need to get back up on our ASA5540 as soon as possible. I have a separate question regarding blocking a specific network subnet on the PIX 515E. I have put the following in the old conduit list, but it is placed at the BOTTOM of all of the permits, so it doesn't work:
conduit permit tcp host 12.xx.xx.88 eq 3389 any
conduit permit tcp host 12.xx.xx.88 eq ssh any
conduit permit tcp host 12.xx.xx.88 eq ftp any
conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any conduit deny tcp any any
conduit deny udp any any
I know that the config needs to look like this, but I don't know how to get the lines up to the top:
conduit deny tcp host 212.70.149.82 any
conduit deny tcp host 212.70.149.51 any conduit deny tcp any any
conduit permit tcp host 12.xx.xx.88 eq 3389 any
conduit permit tcp host 12.xx.xx.88 eq ssh any
conduit permit tcp host 12.xx.xx.88 eq ftp any
conduit deny udp any any
Thank you all very much for your help! It is most appreciated.
