1092 Views, 0 Helpful, 4 Replies

Routed network cannot go through ASA 5508

gcn66
Level 1

Hello,

I have read a lot on here, and as I was not able to understand what I am doing wrong... I am opening this discussion.

We have an ISR4331 and an ASA5508 and this is what we are trying to achieve:

[Screen Shot 2017-12-04 at 10.18.21.png]

The outside interface of the ASA is - for now - connected to a private network (192.168.0.0/24), but this is obviously for testing purposes; the ultimate goal is that the outside interface will have our public IP so the ASA is doing the NAT.

Again, as this is the "setup" phase, we tried to set up the ASA as "quite open" as we are debugging our issue.

The issue being that:

- when in the LAN, I can ping the inside interface of the ASA (172.23.0.1), but nothing else: neither the internet gateway (192.168.0.254) nor any outside IP like 8.8.8.8.

- when connected to the router-to-firewall network (172.23.0.0/24) I can ping both (192.168.0.254 and 8.8.8.8) just fine.

On the ASA, I declared the proper routing for the LAN (10.46.0.0/16 with next hop being 172.123.0.2).

Do you see any obvious thing I am missing? :(

Thanks for your help!

4 Replies

Marvin Rhoads
Hall of Fame

If you could share your ASA configuration it would help.

You can also check the configuration logic using the ASA's built-in packet-tracer. From the CLI, type:

packet-tracer input inside icmp 10.46.0.1 8 0 8.8.8.8

Here is the config of the ASA (wide open on the outside interface, but that won't stay like this, as you can imagine ;o).

!
interface GigabitEthernet1/1
 description to WAN
 nameif outside
 security-level 0
 ip address 192.168.0.46 255.255.255.0 
!
interface GigabitEthernet1/2
 description to LAN
 nameif inside
 security-level 100
 ip address 172.23.0.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 description OOB Management
 management-only
 nameif mgmt
 security-level 100
 ip address 192.168.66.1 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_lan
 subnet 10.46.0.0 255.255.0.0
 description Internal LAN
object network obj_fw-router
 subnet 172.23.0.0 255.255.255.0
 description router-firewall link
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip any any 
access-list name extended permit icmp any any 
access-list global_access extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
route inside 10.0.0.0 255.0.0.0 172.23.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.66.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5 
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable

and the packet-tracer:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.254 using egress ifc  outside

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.46.0.1/0 to 192.168.0.46/7731

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
              
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW 
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 8, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Thanks!

It seems that the way back is the issue if I read that correctly:

# packet-tracer input inside icmp 172.23.0.1 8 0 10.46.0.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.23.0.2 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Per the first packet-tracer output, your ping from the inside 10.46.x.x addresses should work, assuming they are reaching the ASA properly and that the return packets are being forwarded back by the router.

The second packet-tracer you used was incorrectly formed, as it specified the source as the ASA inside interface and the destination is downstream from that same interface, so it would not be allowed by default.

I would check the router configuration and/or do a packet capture on the ASA while pinging the Internet from a 10.46.x.x host and watching for the outbound and return traffic.
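The two packet-tracer runs above were read by eye; when you are comparing many of them it helps to extract the verdict, the phase that dropped, and whether ingress and egress are the same interface (the condition behind the second trace's implicit-rule drop). The parser below is an added example, not code from the thread or from Cisco; it embeds the dropping phase of the second trace as sample input, and the `same-security-traffic permit intra-interface` setting named in a comment is the standard ASA knob for that case, not something the thread itself mentions.

```python
import re

# Labels packet-tracer prints inside a phase; any other line there is free text.
PHASE_KEYS = ("Type", "Subtype", "Result", "Config", "Additional Information")

def parse_packet_tracer(text):
    """Return (phases, result): one dict per phase plus the trailing 'Result:' block."""
    phases, result, cur, in_result = [], {}, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"Phase:\s*(\d+)$", line):
            cur, in_result = {"number": int(m[1]), "detail": []}, False
            phases.append(cur)
        elif line == "Result:":
            cur, in_result = None, True
        else:
            key, sep, value = line.partition(":")
            if in_result and sep:
                result[key.lower()] = value.strip()
            elif cur is not None and sep and key in PHASE_KEYS:
                cur[key.lower()] = value.strip()  # Config/Additional Information are empty
            elif cur is not None:
                cur["detail"].append(line)  # matched config or 'Additional Information' text
    return phases, result

def summarise(text):
    phases, result = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    return {
        "action": result.get("action"),
        "drop_phase": f"{drop['type']} ({drop.get('subtype') or 'n/a'})" if drop else None,
        "drop_detail": " ".join(drop["detail"]) if drop else None,
        "drop_reason": result.get("drop-reason"),
        # Same ingress and egress interface: the ASA denies this by default unless 'same-security-traffic permit intra-interface' is configured.
        "hairpin": result.get("input-interface") == result.get("output-interface"),
    }

# Sample input: the dropping phase and result block of the thread's second trace (Phase 1 omitted).
SAMPLE_DROP = """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `summarise(SAMPLE_DROP)` reports the drop in the ACCESS-LIST phase with detail "Implicit Rule" and `hairpin` set, which is exactly the condition Marvin points out for that run.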
