04-03-2014 12:10 PM - edited 03-11-2019 09:01 PM
Hello guys, I need a little help.
I configured several ASA 5505s some years ago; now an ASA 5515 running version 9.1 has fallen into my lap.
Below you can find my current setup. Can anyone check if there is something wrong with it? From the firewall I am able to ping machines on both the outside and inside interfaces, but I am unable to ping from the machine on the inside to the outside and vice versa. In the rules page I can see the hit count increase when I am pinging, and in the output
I can see the ICMP connection being started and soon after I see the connection teardown message. No pings are passing through. I tried an any/any rule but still no success; maybe it is the NAT, or this ASA unit is faulty. Any help is appreciated.
I really don't know what is wrong in my configuration:
:
ASA Version 9.1(2)
!
hostname XPTOFW
domain-name XPTO.local
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.7.0.5 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.195.151.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name XPTO.local
same-security-traffic permit intra-interface
object network D4K
host 190.50.100.76
object network DOC01
host 10.6.2.29
description D4K SERVER
object network DOC01_NAT
host 10.195.151.15
object-group service SQLPorts tcp-udp
port-object eq 1433
port-object eq 1434
object-group icmp-type PingGroup
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01_NAT object-group SQLPorts
access-list inside_access_in extended permit icmp object DOC01 object D4K object-group PingGroup
access-list inside_access_in extended permit object-group TCPUDP object DOC01 object D4K object-group SQLPorts
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network DOC01
nat (inside,outside) static DOC01_NAT
access-group inside_access_in in interface inside
access-group outside_access in interface outside
route inside 10.6.0.0 255.255.0.0 10.7.0.3 1
route outside 190.50.0.0 255.255.0.0 10.195.151.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 20
subscribe-to-alert-group configuration periodic monthly 20
subscribe-to-alert-group telemetry periodic daily
: end
no asdm history enable
_______________________________________
Thanks and Regards
04-03-2014 01:23 PM
First, try adding "inspect icmp" to the class inspection_default in the global_policy. That should allow ICMP through. Your NAT config looks OK to me.
04-04-2014 01:42 AM
Yes, with that the ping might go through, but what about the rest of the ports, in this case the SQL ports group that I have? I only added the ping rule so I could see if it was communicating; when the firewall goes to production all the ping rules will be disabled.
There must be something else wrong. Or should I add to inspection_default all the ports/protocols I will use?
Thanks
Best Regards
04-04-2014 04:52 AM
You won't have to add all ports and protocols to inspection_default, only ICMP. TCP and UDP should go through anyway, as long as the interfaces and NAT are set up correctly. ICMP behaves a little differently through the ASA which is why you need the ASA to inspect it, to know that it needs to let the return traffic through. SQL should not be a problem.
So please clarify, have you tested and traffic is not flowing? For example, can you telnet through the ASA to something else (router or switch) on the outside, or HTTP through to a web server on the outside? I'm not seeing anything in your config that looks wrong -- NAT, routes, access lists, etc.
04-04-2014 08:03 AM
That is the main issue: no traffic is passing through. I tried a web server on the outside but no luck, same as SQL and HTTP or RDP.
I had this same configuration working in the same place but on an old ASA 5510. The only thing that changes, I think, is the NAT; that is why I thought the problem could be in the NAT, but from what I have seen and read in forums the NAT looks OK. Nothing changed: no IP addresses, no new routes, just a new firewall.
Regards
04-04-2014 10:57 AM
I would suggest opening your inside-in ACL for testing purposes and see if traffic succeeds. Most of my customers don't configure inbound ACLs on the inside (although some do) but right now you're only allowing ICMP and SQL, so of course HTTP and telnet are going to be blocked. Also check "show xlate" to see what NATs are in the table.
04-04-2014 11:06 AM
When I made the test I made it with the correct rules on the inside, not with the current rules.
Even with all the rules in place, in the syslog messages from the ASDM I only see the teardown of the ICMP packets.
But I will try what you said.
Thanks
04-04-2014 11:29 AM
Is your destination in the subnet for which you have the static route pointing outside? I noticed you don't have a default route, only specific routes.
Definitely check "show xlate" for translations. Also verify "inspect icmp" is in the class inspection_default. Maybe try NATing to the interface instead of the NAT address. That shouldn't make a difference as long as the DOC01_NAT address is reachable, but I'm running out of ideas.
You say ASDM logs are showing ICMP is being torn down, meaning it's not even being allowed through? Maybe check the inside-in ACL to see if you're getting hits on that (show access-list....). If I think of anything else I'll let you know.
04-05-2014 06:00 PM
One thing I see is that the object-group TCPUDP you use in the access-lists is not defined above. When I look at my existing ASA deployments I have an object-group protocol TCPUDP that shows up in the config. Maybe in 9.0 it is a default config that doesn't show up in the running config, but it is worth looking into. Also, for simple troubleshooting like this I'd run the packet-tracer on the command line.
packet-tracer input inside icmp host 10.6.2.29 8 0 190.50.100.76 detailed
04-07-2014 06:45 AM
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a639130, priority=1, domain=permit, deny=false
hits=53, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 190.50.0.0 255.255.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp object PGDOC01 object D4K_BUSINESS object-group PingGroup
object-group icmp-type PingGroup
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29d6eb60, priority=13, domain=permit, deny=false
hits=2, user_data=0x7fff23768380, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=10.6.2.29, mask=255.255.255.255, icmp-type=8, tag=0
dst ip/id=190.50.100.76, mask=255.255.255.255, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PGDOC01
nat (inside,outside) static PGDOC01_NAT
Additional Information:
Static translate 10.6.2.29/0 to 10.195.151.15/0
Forward Flow based lookup yields rule:
in id=0x7fff2a65ebc0, priority=6, domain=nat, deny=false
hits=2, user_data=0x7fff2a38f1a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.6.2.29, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b81660, priority=0, domain=nat-per-session, deny=true
hits=18, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a60ada0, priority=0, domain=inspect-ip-options, deny=true
hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a303de0, priority=70, domain=inspect-icmp, deny=false
hits=3, user_data=0x7fff2a6a8a70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a60abc0, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0x7fff2a63c130, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff29b81660, priority=0, domain=nat-per-session, deny=true
hits=20, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a616420, priority=0, domain=inspect-ip-options, deny=true
hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 432, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
04-07-2014 06:15 PM
If everything works as you want with no ACLs, then that means your NAT and routing are spot on. The only thing left is your ACLs. I want to make sure I'm not assuming anything and verify that when you are running your tests from the inside network you are only using a client with the IP 10.6.2.29. Next I'd set your logging to debug.
logging monitor debugging
terminal monitor
logging buffer debugging
Also, when you create your access-list entries, end them with the log keyword so they create an entry on match. Make sure you see the hits when you are generating traffic. As for the ACLs, I think this one is incorrect:
access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01_NAT object-group SQLPorts
ACLs match on the real IP, not the mapped IP, so it should be:
access-list outside_access extended permit icmp object D4K object DOC01 object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01 object-group SQLPorts
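A small lint for the two faults diagnosed in this thread: an ACL entry that names the NAT mapped object (DOC01_NAT) where the real object (DOC01) is required on ASA 8.3 and later, and a global_policy with no "inspect icmp". This is an added example, not code from the thread or from Cisco; SAMPLE_CONFIG is a constructed excerpt modelled on the posted configuration.

```python
"""Lint an ASA 8.3+ config for the two faults this thread found: ACL entries naming
the NAT *mapped* object instead of the real host, and a global_policy without
'inspect icmp'.  Added example, not from the thread; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
object network D4K
 host 190.50.100.76
object network DOC01
 host 10.6.2.29
object network DOC01_NAT
 host 10.195.151.15
access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list inside_access_in extended permit icmp object DOC01 object D4K object-group PingGroup
object network DOC01
 nat (inside,outside) static DOC01_NAT
access-group outside_access in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def mapped_objects(config):
    """Return {mapped_object: real_object} from 'nat (...) static <mapped>' lines,
    which sit under the 'object network <real>' block they translate."""
    mapped, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and (m := re.match(r"^\s*nat \([^)]*\) static (\S+)", line)):
            mapped[m.group(1)] = current
    return mapped

def acl_mapped_refs(config):
    """List (acl_name, mapped_obj, real_obj) for each ACL entry that references
    a mapped object; since ASA 8.3, ACLs are evaluated against the real IP."""
    mapped, hits = mapped_objects(config), []
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) extended (.*)", line)
        if m:
            for obj in re.findall(r"\bobject (\S+)", m.group(2)):
                if obj in mapped:
                    hits.append((m.group(1), obj, mapped[obj]))
    return hits

def icmp_inspected(config):
    """True if 'inspect icmp' appears inside policy-map global_policy."""
    in_policy = False
    for line in config.splitlines():
        if line.startswith("policy-map"):
            in_policy = line.split()[-1] == "global_policy"
        elif in_policy and line.strip() == "inspect icmp":
            return True
    return False
```

Each finding from acl_mapped_refs names the ACL, the mapped object it wrongly references and the real object to substitute; a False from icmp_inspected matches the "connection teardown" symptom described earlier in the thread.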
04-10-2014 04:21 PM
Hey guys, sorry for the late response. jmattbullen, the problem was that I was using the NAT IP instead of the real IP, my bad.
I also had to clear the ARP table on the switches connected to the outside and inside interfaces because they still had the MAC address of the old firewall. One of my initial mistakes was that I just copy-pasted the config from the old firewall to the new one, and the IOS version was older than 8.3.
When I contacted the Cisco center in my region they said migrating to a new next-generation firewall should be easy and with zero downtime; this is not really true. In this case my customer believed in this mumbo jumbo zero downtime sh....t and was always demanding a quick response.
Lesson learned: always prepare a firewall migration days before the job is done.
Thanks for the help guys.
Best Regards
06-03-2015 03:00 PM
I am having a similar issue with an ASA 5515. I can get to my cameras from outside with the old firewall (ASA 5510), but I migrated the config to an ASA 5515 running IOS 9.2 and I cannot get to the cameras anymore. I had the service provider (NTS) clear the MAC address associations on their end and called Cisco TAC to check the config, and they said it was perfect. Still I cannot access my cameras from outside. Any help will be appreciated. I ended up plugging the old firewall (ASA 5510) back in. Please help. I uploaded my config.
04-09-2014 08:05 PM
Did you ever get this to work? I am having the same issue...
04-10-2014 04:23 PM