Problem accessing internet through ASA 5540

gasparmenendez
Level 3

Hello, I'm setting up an ASA 5540 from scratch. Right now it is only for testing and understanding purposes, so the configuration is very simple. My problem is that I have a PC in my LAN that can't reach the internet through the ASA. I can't see what I'm missing; like I said, the configuration is very simple, so this shouldn't be an issue. Here's the configuration:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
 nameif FTTH
 security-level 50
 ip address 10.229.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif CMTS
 security-level 50
 ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.22 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
 host 10.227.224.11
object network ip120
 host 200.X.X.120
object network ip101
 host 200.X.X.101
object network ip102
 host 200.X.X.102
object network ip121
 host 200.X.X.121
object network ip122
 host 200.X.X.122
object network ip123
 host 200.X.X.123
object network ip124
 host 200.X.X.124
object network ip125
 host 200.X.X.125
object network ip126
 host 200.X.X.126
object network ip127
 host 200.X.X.127
object network Caja_Hipodromo
 host 10.227.225.29
object network Farma_Eco_NI
 host 10.227.255.3
object network Gas_Holanda
 host 10.227.225.41
object network Gasolinera_CM
 host 10.227.225.22
object network Gasolinera_Samantha
 host 10.227.225.21
object network Notigram
 host 10.227.224.225
object network Odoo
 host 10.227.224.226
object network AutopartesStgo_SucNI_81
 host 10.227.225.12
object network AutopartesStgo_SucNI_554
 host 10.227.225.12
object network AutopartesStgo_SucNI_8000
 host 10.227.225.12
access-list INSIDE_nat_outbound extended permit ip 10.227.224.0 255.255.252.0 any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu FTTH 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network AutopartesStgo_SucNI_81
 nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
 nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
 nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route FTTH 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end

Right now I'm only using the INSIDE and OUTSIDE interfaces; the rest are disconnected. The PC has IP address 10.227.224.228, mask 255.255.252.0, GW 10.227.225.1, and public DNS servers. The PC can ping the INSIDE interface 10.227.225.1. Any ideas what I'm doing wrong? Can anybody help, please?
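An added example, not part of the original post or of any reply in the thread. Reading the configuration above, the most likely cause (an assumption, since the thread never confirms it) is that no NAT rule covers the INSIDE subnet as a whole: the static rules translate nine specific hosts, the INSIDE_nat_outbound access-list is not referenced by any nat statement and therefore does nothing on 8.3, and 8.3 no longer has nat-control, so 10.227.224.228 leaves the OUTSIDE interface with its private source address and the replies never come back. The object name INSIDE_NET and the test destination 8.8.8.8 are mine.

```cisco
! Added example, not from the original post. Assumes the cause is the
! missing general translation for the INSIDE subnet (see lead-in).
! Object name INSIDE_NET is an assumption.
object network INSIDE_NET
 subnet 10.227.224.0 255.255.252.0
!
! Appended to NAT section 3 so it is evaluated AFTER the existing
! "after-auto source static" rules for CACTI, Odoo, etc. Writing it as
! object NAT ("object network INSIDE_NET" / "nat (INSIDE,OUTSIDE)
! dynamic interface") would put it in section 2, which is evaluated
! before section 3, and the whole subnet would match it first: the
! statics to ip120, ip101, ... would never be reached.
nat (INSIDE,OUTSIDE) after-auto source dynamic INSIDE_NET interface
!
! Verify: the new rule must be listed last under "Manual NAT Policies
! (Section 3)", and packet-tracer must show a NAT phase that rewrites
! 10.227.224.228 to the OUTSIDE interface address before "Action: allow".
! 8.8.8.8 is only a sample public destination.
show nat
packet-tracer input INSIDE tcp 10.227.224.228 40000 8.8.8.8 80
!
! After the PC has tried again, the translation should be visible:
show xlate | include 10.227.224.228
```

If packet-tracer still ends in a drop, the phase that reports it names the reason (route lookup, access-list, NAT), which narrows the search far faster than changing the configuration blind.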

33 Replies

Try this:

sh xlate | inc 200.x.x.x             (replace this with the public address)

This will give you any inside addresses that are being NATed to the outside address you specified in the show command. But it will only show you the connections that are live at the time you run the command. Or you can simply look at the NAT configuration.

The problem is that the access was a few days ago...

How can I look into the NAT configuration?

And another thing: how can I block access from my LAN to that specific public IP address? I've been searching on the internet but found nothing...

BR.

You can run this command and go through the NAT entries:

show nat detail

You don't want this PC to access the internet, or you don't want it to be NATed to a particular outside address when it needs to access the internet?

I don't want ANY PC on the LAN to be NATed to a particular outside address when it needs to access the internet...

Please send the running-config.

Oh, it's too big, believe me... Would you like me to filter the running-config for something specific?

About the show nat detail command: I ran show nat detail | i 20.x.x.x.x and it returns nothing...

???

That's fine, you can send me the NAT configuration, and also let me know the nameif for the inside and outside interfaces and the subnet blocks.

nameif outside

nameif inside

192.168.0.0/24

10.0.0.0/8



nat (CABLE,outside) source dynamic 10.33.0.0 ip160
nat (inside,inside) source static net192.168.0.0-16 net192.168.0.0-16 destination static net192.168.0.0-16 net192.168.0.0-16
nat (inside,webservers) source static net192.168.0.0-16 net192.168.0.0-16 destination static net172.16.8.0-24 net172.16.8.0-24
nat (inside,webservers) source static net10.150.150.0-24 net10.150.150.0-24 destination static net172.16.8.0-24 net172.16.8.0-24
nat (inside,any) source static obj-192.168.0.0-01 obj-192.168.0.0-01 destination static obj-192.168.61.0 obj-192.168.61.0 unidirectional
nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.245.0 obj-192.168.245.0 unidirectional
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.249.0 obj-192.168.249.0 unidirectional
nat (inside,any) source static obj-192.168.11.0 obj-192.168.11.0 destination static obj-192.168.249.0 obj-192.168.249.0 unidirectional
nat (inside,any) source static obj-192.168.10.253 obj-192.168.10.253 destination static obj-192.168.249.0-01 obj-192.168.249.0-01 unidirectional
nat (inside,any) source static asterisk asterisk destination static obj-10.11.0.0 obj-10.11.0.0 unidirectional
nat (inside,outside) source static sling-stgo ip3 service obj-tcp-source-eq-5003 obj-tcp-source-eq-5003
nat (inside,outside) source static sling-stgo ip3 service obj-udp-source-eq-5003 obj-udp-source-eq-5003
nat (inside,outside) source static zabbix ip3 service obj-udp-source-eq-514 obj-udp-source-eq-514
nat (inside,outside) source static zabbix ip3 service obj-tcp-source-eq-514 obj-tcp-source-eq-514
nat (inside,outside) source static zabbix ip3 service obj-udp-source-eq-161 obj-udp-source-eq-161
nat (inside,outside) source dynamic comrex ip3
nat (inside,outside) source dynamic zabbix ip3
nat (CABLE,any) source static obj-10.11.0.0 obj-10.11.0.0 destination static asterisk asterisk service iax iax
nat (CABLE,outside) source static obj-192.168.61.100 obj-192.168.61.100 destination static obj-192.168.60.10 obj-192.168.60.10 unidirectional
nat (CABLE,outside) source static obj-192.168.60.10 obj-192.168.60.10 destination static obj-192.168.0.0-01 obj-192.168.0.0-01 unidirectional
nat (CABLE,CABLE) source static obj-192.168.61.100 obj-192.168.61.100 destination static obj-192.168.60.10 obj-192.168.60.10 unidirectional
nat (CABLE,CABLE) source static obj-192.168.60.10 obj-192.168.60.10 destination static obj-192.168.0.0-01 obj-192.168.0.0-01 unidirectional
nat (CABLE,CABLE) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-10.11.1.63 obj-10.11.1.63 unidirectional
nat (CABLE,CABLE) source static obj-10.11.1.63 obj-10.11.1.63 destination static obj-192.168.61.0 obj-192.168.61.0 unidirectional
nat (CABLE,inside) source static obj-192.168.60.10 obj-192.168.60.10 destination static obj-192.168.0.0-01 obj-192.168.0.0-01 unidirectional
nat (inside,outside) source static redradix667 redradix667 destination static NETWORK_OBJ_192.168.249.0_25 NETWORK_OBJ_192.168.249.0_25
nat (inside,CABLE) source static asterisk asterisk destination static obj-10.11.0.0 obj-10.11.0.0 service iax iax
nat (inside,CABLE) source static NETWORK_OBJ_192.168.11.5 NETWORK_OBJ_192.168.11.5 destination static NETWORK_OBJ_192.168.111.0_28 NETWORK_OBJ_192.168.111.0_28
nat (inside,outside) source static cobrosFacturas cobrosFacturas destination static NETWORK_OBJ_192.168.230.0_24 NETWORK_OBJ_192.168.230.0_24
nat (CABLE,outside) source dynamic obj-10.11.0.0 ip140
nat (CABLE,outside) source dynamic CMTS-NombreDios-10-17-0-0 ip155
nat (CABLE,outside) source dynamic CMTS-STGO-10-25-0-0 ip155
nat (CABLE,outside) source dynamic net-10.9.0.0-16 ip141
nat (CABLE,outside) source dynamic cmts-10-19-0-0 ip141
nat (inside,CABLE) source static cobrosFacturas cobrosFacturas destination static NETWORK_OBJ_192.168.240.0_26 NETWORK_OBJ_192.168.240.0_26
nat (CABLE,inside) source static obj-10.11.1.45 obj-10.11.1.45 destination static Server-Softv Server-Softv
nat (CABLE,CABLE) source static madero-softv madero-softv destination static NETWORK_OBJ_192.168.223.0_24 NETWORK_OBJ_192.168.223.0_24
nat (outside,outside) source static asterisk asterisk destination static NETWORK_OBJ_192.168.41.96_27 NETWORK_OBJ_192.168.41.96_27
nat (CABLE,webservers) source static camara-madero camara-madero
nat (inside,outside) source static consoftacceso consoftacceso destination static NETWORK_OBJ_192.168.243.0_24 NETWORK_OBJ_192.168.243.0_24
nat (CABLE,outside) source dynamic CM-stgo-D050 CM-stgo-D050 service any 18001-5900
nat (CABLE,outside) source dynamic CM-stgo-D050 CM-stgo-D050 service any 18002-81
nat (CABLE,CABLE) source dynamic CM-stgo-D050 CM-stgo-D050 service any 18003-5901
nat (CABLE,outside) source dynamic CM-stgo-D050 CM-stgo-D050 service any 18004-7000
nat (inside,outside) source static odoo-v8-test ip3 service tcp-22-7050 tcp-7050-ssh
nat (CABLE,outside) source dynamic 10.27-stgo-2 ip155
nat (CABLE,outside) source dynamic 10.35.0.0 ip154
nat (inside,outside) source dynamic RedWifiUnifi ip3
nat (CABLE,outside) source dynamic CMTS-Canatlan-37 ip152
!
object network dvr-marthagarza
 nat (inside,outside) static ip13-01
object network obj-192.168.1.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.0.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.60.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.61.0
 nat (CABLE,outside) dynamic 200.66.x.x
object network obj-192.168.11.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.4.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.10.0
 nat (inside,outside) dynamic ip13-01
object network obj-192.168.60.10
 nat (inside,outside) dynamic 200.66.x.x
object network asterisk
 nat (inside,outside) static ip12
object network obj-192.168.4.64
 nat (inside,outside) static interface service tcp 9000 9003
object network obj-192.168.4.64-01
 nat (inside,outside) static interface service udp 9000 9003
object network obj-192.168.4.253
 nat (inside,outside) static interface service tcp 9007 9007
object network obj-192.168.4.253-01
 nat (inside,outside) static interface service udp 9007 9007
object network obj-192.168.2.22
 nat (inside,outside) static interface service tcp ftp 4001
object network obj-192.168.11.64
 nat (inside,outside) static ip3 service tcp www 1027
object network obj-192.168.11.5
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.60.0-01
 nat (inside,CABLE) static 192.168.60.0
object network obj-10.150.150.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.2.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.3.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.5.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.6.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.7.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.8.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.9.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.12.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.13.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.14.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.15.0
 nat (inside,outside) dynamic 200.66.x.x
object network obj-192.168.16.0
 nat (inside,outside) dynamic ip3
object network obj-192.168.17.0
 nat (inside,outside) dynamic ip3
object network web-global
 nat (webservers,outside) static ip11
object network web-gglpublicidad
 nat (webservers,outside) static ip10
object network obj-172.16.8.40
 nat (webservers,outside) dynamic 200.66.x.x
object network baticamara
 nat (inside,outside) static interface service tcp www 8089
object network camara-bati
 nat (inside,outside) static 200.66.x.x service tcp www 8008
object network jimtcp
 nat (inside,outside) static interface service tcp 9008 9008
object network jimudp
 nat (inside,outside) static interface service udp 9008 9008
object network red69.0
 nat (inside,outside) dynamic 200.66.x.x
object network mancinas
 nat (inside,outside) dynamic 200.66.x.x
!
nat (CABLE,outside) after-auto source dynamic net10.13.0.0-16 ip152

I found this in the NAT rules:

object network obj-192.168.1.0
 nat (inside,outside) dynamic 200.66.x.x

This rule will NAT/PAT anything under the object obj-192.168.1.0 to 200.66.x.x. I can't tell what you have under this object without looking at it, as it could be a single host or your whole inside network. You can look under that object to find out what's being NATed to 200.66.x.x.

Sorry, my friend, maybe I didn't explain myself well enough. I received an email telling me this:

IP Address 200.66.X.X is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.......This was detected by a TCP/IP connection from "200.66.X.X" on port "18981" going to IP address "192.42.119.41" (the sinkhole) on port "80".

So I need two things:

1. Know which PC from my LAN accessed that IP address (192.42.119.41); I don't know when, maybe it was yesterday or maybe it was last week.

2. Block all attempts to access that site (192.42.119.41) from my LAN.

BR.

This is what you need to do if you want to prevent your internal users from accessing this IP (192.42.119.41).
You will just need to create an access list, which is pretty straightforward.

access-list inside_in line 1 deny ip any host 192.42.119.41 log

Just replace the access-list name with the one you are using for internal users, the one that is applied to your inside interface.

(You don't need to use line 1; you can move it down, but just keep in mind that ACLs are applied from top to bottom, so if there is an entry above it that allows this connection, the traffic won't even hit this entry, for example if you have something like ip any any.)


This address appears to be used by a group that hacks networks for ransom. Therefore no valid domain name is registered with this IP (it comes up as a sinkhole), so using an FQDN to block this site won't work in this situation. You may want to get with your information assurance team and ask about potential network blocks or malicious addresses that are being used for attacking networks, for the future.


Let me know if you have any questions.
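An added example that is not part of the reply above. It applies that advice to the access-list and subnet from the configuration at the top of the thread, and adds the logging a practitioner would want for the first question (which PC did it), since show xlate and show conn only show flows that are live right now and the ASA keeps nothing beyond its own log buffer unless it exports to a collector. The syslog collector address 192.168.0.50 is an assumption.

```cisco
! Added example, not from the thread. ACL name INSIDE_access_in and the
! 10.227.224.0/22 subnet are taken from the configuration posted above;
! 192.42.119.41 is the sinkhole address quoted from the CBL notice.
!
! 1) Deny the sinkhole ahead of the blanket permit. "line 1" makes it the
!    first entry; "log" emits %ASA-6-106100 for each hit, carrying the
!    inside source address and port, which answers "which PC" for every
!    future attempt (it cannot recover attempts made before it existed).
access-list INSIDE_access_in line 1 extended deny ip any host 192.42.119.41 log
!
! 2) A new deny does not cut flows that are already established; drop them.
clear conn address 192.42.119.41
!
! 3) Ship logs off-box at informational level so 106100 (severity 6) and the
!    302013/302014 connection build/teardown messages are retained somewhere
!    searchable. 192.168.0.50 is an assumed collector on the management LAN.
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host management 192.168.0.50
!
! 4) Verify the placement and watch the hit counter.
show access-list INSIDE_access_in | include 192.42.119.41
packet-tracer input INSIDE tcp 10.227.224.228 40000 192.42.119.41 80
show logging | include 192.42.119.41
```

The packet-tracer run should stop in the ACCESS-LIST phase with "Action: drop"; if it reports "allow", an earlier entry in the ACL (or a different ACL bound to the inside interface) is matching first.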

Sorry for the delay, my friend. I'll try that and get back to you.

BR

According to the latest route table that you sent, CM is not the gateway for your inside network, because your inside network is directly connected to the firewall and you are NATing your inside network to the CM network hoping that it will route traffic destined for the internet using the CM interface.

Think of it like this: source address 10.x.x.x, destination 98.x.x.x (random public address), NATed address 192.168.1.3.

Now if you look at the route table, you don't have a specific route for 98.x.x.x, so it will fall back to the default route, which is the outside interface in your case.

So maybe you will be able to accomplish that using PBR like Kaisero has recommended. I don't know if you would also need to configure a floating default route pointing to CM for PBR to work. But per Kaisero this is only supported since 9.5, so you may want to think about upgrading your firewall since it's not live yet. I think the minimum flash requirement for post-8.3 ASA releases is 2GB, so make sure you meet that requirement if you decide to go that route.

I will try to mock this up in the lab tonight if I get time. Not sure if I have 9.5. Will let you know.

Create another default route using the CM interface:

route cm 0.0.0.0 0.0.0.0 next hop

See if that works.

Sorry, these are 2 different interfaces, so the ASA won't accept dual default gateways. Yeah, don't install this route, because it will remove your current default gateway. I can't think of a solution for this right now.
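An added example, not from any reply, of the policy-based routing the earlier reply points at as the way to send inside traffic out a second interface without a second default route. PBR exists on the ASA from 9.4(1) onward, so it cannot be applied to the 8.3(2) unit in the original post without an upgrade. Interface names and the next hop 192.168.61.122 come from that configuration; that this router also offers a path to the internet is an assumption, as are the ACL, route-map and object names.

```cisco
! Added example, not from the thread. Requires ASA 9.4(1) or later.
! Assumes the CMTS-side router 192.168.61.122 (a next hop in the posted
! static routes) can also forward internet-bound traffic.
!
! Select the traffic to policy-route. Deny internal destinations first so
! the existing CMTS/FTTH static routes keep handling them; a deny in a
! route-map match ACL simply falls through to normal routing.
access-list PBR_VIA_CMTS extended deny ip 10.227.224.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list PBR_VIA_CMTS extended deny ip 10.227.224.0 255.255.252.0 192.168.0.0 255.255.0.0
access-list PBR_VIA_CMTS extended permit ip 10.227.224.0 255.255.252.0 any
!
route-map PBR_CMTS permit 10
 match ip address PBR_VIA_CMTS
 set ip next-hop 192.168.61.122
!
! PBR is bound to the INGRESS interface (where the inside traffic arrives),
! not to the interface it should leave from.
interface GigabitEthernet0/1
 policy-route route-map PBR_CMTS
!
! Traffic now egresses CMTS, so it needs a translation on that interface
! pair; the existing (INSIDE,OUTSIDE) rules do not cover it.
object network INSIDE_NET
 subnet 10.227.224.0 255.255.252.0
nat (INSIDE,CMTS) after-auto source dynamic INSIDE_NET interface
!
! Verify: packet-tracer must report CMTS as the output interface, while a
! packet to an internal destination must still follow its static route.
packet-tracer input INSIDE tcp 10.227.224.228 40000 8.8.8.8 80
packet-tracer input INSIDE tcp 10.227.224.228 40000 10.228.0.10 80
show route-map PBR_CMTS
```

Keep the existing default route on OUTSIDE in place: PBR only overrides the next hop for packets that match the route-map, and everything else, including return traffic and the firewall's own traffic, still uses the routing table.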
