Using ASA without NAT

ronald.nutter

The way I have usually deployed an ASA is with NAT.  I am working on a situation with an ASA where it is an interior firewall and NAT isn't needed.

At the same time, due to some organizational issues, I have brought up this ASA in multi-context mode so I can have the firewall for each group function in the way they need it.  From my workstation on the inside interface, I can ping the inside interface of the firewall without a problem.  From a console screen, I can ping from the firewall to anywhere on the outside or on the internet.  From my workstation, I can't ping the outside interface of the ASA or anything external to the firewall.

I have put a static route on the router that the interior ASA plugs into to point back to the public interface of the interior ASA for the subnet that is on the private side of the interface.  My suspicion is that the problem is something on the ASA configuration that I have missed.  Here is a snippet of the config to see if anyone can see what I have missed.

Thanks in advance for your help.

interface Outside
 nameif Outside
 security-level 0
 ip address 10.34.50.101 255.255.255.0
!
interface NSG_Data
 nameif NSG_Data
 security-level 100
 ip address 10.34.150.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NSG_Data remark Access List for NSG Context
access-list NSG_Data extended permit ip any any
!
icmp permit any NSG_Data
!
access-group NSG_Data in interface NSG_Data
!
route Outside 0.0.0.0 0.0.0.0 10.34.50.1 1
!
dhcpd dns 8.8.8.8
!
dhcpd address 10.34.150.10-10.34.150.100 NSG_Data
dhcpd enable NSG_Data
!

I am using the 8.2.5 version of code.  I have stayed away from 8.3 at TAC's suggestion and was thinking about 8.4 when I saw v9 released.  Since 8.2.5 doesn't support dynamic routing protocols, I will have to use static routes until I can get v9 downloaded and evaluated.

This is a bare minimum config at this point and will be properly hardened once I have it up and running.  I have looked at the system context but don't see anything there, since it is little more than assigning the physical interfaces or sub-interfaces to a specific context.

Thanks in advance for your help,

Ron


4 Replies

Jouni Forss

Hi,

Well, the most common problem related to testing connectivity with ICMP through the ASA is lacking ICMP inspection, which is NOT enabled by default.

You can enable it inside each security context with the commands

fixup protocol icmp
fixup protocol icmp error

Or you can configure it under the global "policy-map" currently on the ASA (the above commands are old-format commands that the ASA converts to the below format automatically; I would imagine that they will eventually remove any support for the above commands):

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

The above should allow the ICMP messages through in both directions.

Otherwise you have to configure an ACL on the external interface:

access-list OUTSIDE-IN remark ICMP
access-list OUTSIDE-IN permit icmp any any echo-reply
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside

Or something in that direction.

Also, even though you said you had configured a route on the external router, I am not sure whether you have more routers in the network and whether you are running dynamic routing, so that the route to the internal network (of the ASA) is reachable from everywhere else.

Hope this helps

- Jouni

I tried the inspect commands you gave (should have remembered that one).  Still no joy on being able to ping the Outside interface from the inside in the context (NSG) that I am working on.

Wouldn't think this should be that hard to do.

Not running any dynamic routing on the network.  I have a 3560 switch in layer 3 mode that is sitting between the inside ASA and what I will refer to as the Outside ASA.  The outside interface of the Inside ASA and the inside interface of the Outside ASA are in the same VLAN.  When plugged into the console port of the Inside ASA, I can ping the inside interface of the Outside ASA.  That says the path is good between the two.

Ron

Hi,

You said that you configured route on the L3 switch for the networks behind the INSIDE ASA. Does the OUTSIDE ASA have the route for those networks aswell?

I guess you can always configure an ICMP capture on the INSIDE ASA as well:

access-list ICMP-CAP permit icmp any any
capture ICMP-CAP type raw-data access-list ICMP-CAP interface outside buffer 1000000 circular-buffer

Then you can test ICMP and issue the command

show capture ICMP-CAP

and determine if any Echo Reply messages are coming back to the INSIDE ASA "outside" interface when a host behind the INSIDE ASA sends ICMP Echos

- Jouni
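The kind of reading the capture above calls for, as an added example that is not part of the thread: a small Python parser for ASA "show capture" output that pairs echo requests leaving the inside ASA's outside interface with the echo replies coming back, and says which side of the ASA to look at next (it also covers the earlier advice about ICMP inspection: replies that reach the outside interface but never the host point at the inside ASA dropping them). The capture text is constructed for the example in the tcpdump-like format the ASA prints; the external target 198.51.100.10 is an assumption, and the inside network 10.34.150.0/24 comes from Ron's config.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The part of an ASA "show capture" line this example cares about; the packet
# number, timestamp and any 802.1Q tag in front of it are ignored.
ECHO_LINE = re.compile(r"(\S+) > (\S+): icmp: echo (request|reply)")

# Constructed sample output (not from the thread) for a capture on the inside
# ASA's outside interface. 198.51.100.10 is an assumed external target.
BEFORE_FIX = """\
3 packets captured
   1: 10:15:02.136341 10.34.150.10 > 198.51.100.10: icmp: echo request
   2: 10:15:03.140001 10.34.150.10 > 198.51.100.10: icmp: echo request
   3: 10:15:04.144122 10.34.150.10 > 198.51.100.10: icmp: echo request
3 packets shown
"""

AFTER_FIX = """\
4 packets captured
   1: 10:21:40.001210 10.34.150.10 > 198.51.100.10: icmp: echo request
   2: 10:21:40.002955 198.51.100.10 > 10.34.150.10: icmp: echo reply
   3: 10:21:41.003102 10.34.150.10 > 198.51.100.10: icmp: echo request
   4: 10:21:41.004870 198.51.100.10 > 10.34.150.10: icmp: echo reply
4 packets shown
"""

VERDICTS = {
    "no-requests": "nothing left the outside interface: the inside ASA dropped it "
                   "(inside ACL, routing, or a ping aimed at the ASA's far-side interface)",
    "return-path": "requests left but no replies came back: a device on the return path "
                   "has no route to the inside network (outside ASA, L3 switch)",
    "partial": "some flows get replies and some do not: check routes per destination",
    "replies-returning": "replies reach the outside interface: if the host still times out, "
                         "the inside ASA is dropping them (enable icmp inspection or "
                         "permit echo-reply inbound on the outside ACL)",
}


def parse_capture(text):
    """Return (src, dst, kind) for every echo request/reply line in the capture."""
    out = []
    for line in text.splitlines():
        m = ECHO_LINE.search(line)
        if m:
            out.append(m.groups())
    return out


def diagnose(text, inside_net):
    """Pair echo requests sourced from inside_net with replies addressed back to it."""
    inside = ip_network(inside_net)
    requests, replies = Counter(), Counter()
    for src, dst, kind in parse_capture(text):
        if kind == "request" and ip_address(src) in inside:
            requests[(src, dst)] += 1
        elif kind == "reply" and ip_address(dst) in inside:
            replies[(dst, src)] += 1      # keyed (inside host, remote) to line up with requests
    unanswered = {flow: n - replies[flow] for flow, n in requests.items() if n > replies[flow]}
    if not requests:
        code = "no-requests"
    elif not replies:
        code = "return-path"
    elif unanswered:
        code = "partial"
    else:
        code = "replies-returning"
    return {"requests": sum(requests.values()), "replies": sum(replies.values()),
            "unanswered": unanswered, "verdict": code, "explanation": VERDICTS[code]}


if __name__ == "__main__":
    for name, text in [("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)]:
        r = diagnose(text, "10.34.150.0/24")
        print(f"{name}: {r['requests']} requests, {r['replies']} replies -> {r['explanation']}")
```

Paste the output of `show capture ICMP-CAP` into the text argument; the capture is on the outside interface, so a request that never appears there was stopped by the inside ASA itself, and a request with no reply was lost somewhere beyond it.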

Jouni:

Got it up and running.  This is my first journey into running an ASA without NAT.  Should have thought about putting a static route at the OUTSIDE ASA's end.  That fixed the problem.

Thanks,

Ron
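Why a missing route on the outside ASA breaks a no-NAT design but not a NAT one, as an added example that is not taken from the thread: a Python model of the topology Ron describes (host, inside ASA, 3560 in layer 3 mode, outside ASA, an external target) with longest-prefix lookups, tracing the echo request out and the reply back. The host, inside-ASA and switch addresses come from Ron's config; the switch's default gateway (10.34.50.2 on the outside ASA), the outside ASA's outer interface (198.51.100.1) and the target (198.51.100.10) are assumptions. One caveat the model does not cover: an ASA does not answer pings to its far-side interface (the Outside address from a host on NSG_Data), so that test fails by design even when routing is correct; test against something beyond the ASA.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Node:
    """A host, L3 switch or ASA context: connected interfaces plus static routes.
    interfaces maps an interface IP to its connected network; static_routes holds
    (network, next_hop) pairs in the spirit of the ASA 'route' command."""
    name: str
    interfaces: dict
    static_routes: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns (network, next_hop); next_hop is None for a connected network.
        Returns None when the node has no route at all for dst."""
        dst, best = ip_address(dst), None
        candidates = [(ip_network(net), None) for net in self.interfaces.values()]
        candidates += [(ip_network(net), nh) for net, nh in self.static_routes]
        for net, nh in candidates:          # connected listed first, so it wins ties
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes, src, dst, max_hops=16):
    """Follow a packet from the node owning src toward dst, hop by hop.
    Returns (list of node names visited, outcome string)."""
    owner = {ip: node for node in nodes.values() for ip in node.interfaces}
    node = owner[src]
    path = [node.name]
    for _ in range(max_hops):
        if dst in node.interfaces:
            return path, "delivered"
        match = node.lookup(dst)
        if match is None:
            return path, f"no route to {dst} on {node.name}"
        next_hop = match[1] or dst          # connected network: hand it to dst itself
        if next_hop not in owner:
            return path, f"next hop {next_hop} is not on any node"
        node = owner[next_hop]
        path.append(node.name)
    return path, "hop limit exceeded"


def build(outside_asa_has_return_route):
    """The thread's topology. 10.34.150.0/24, 10.34.150.1, 10.34.50.101 and
    10.34.50.1 come from Ron's config; the other addresses are assumed."""
    nodes = {n.name: n for n in [
        Node("host", {"10.34.150.10": "10.34.150.0/24"},
             [("0.0.0.0/0", "10.34.150.1")]),
        Node("inside_asa", {"10.34.150.1": "10.34.150.0/24",
                            "10.34.50.101": "10.34.50.0/24"},
             [("0.0.0.0/0", "10.34.50.1")]),            # route Outside 0 0 10.34.50.1
        Node("l3_switch", {"10.34.50.1": "10.34.50.0/24"},
             [("10.34.150.0/24", "10.34.50.101"),       # Ron's static route on the 3560
              ("0.0.0.0/0", "10.34.50.2")]),            # assumed default toward outside ASA
        Node("outside_asa", {"10.34.50.2": "10.34.50.0/24",
                             "198.51.100.1": "198.51.100.0/24"}),
        Node("target", {"198.51.100.10": "198.51.100.0/24"},
             [("0.0.0.0/0", "198.51.100.1")]),
    ]}
    if outside_asa_has_return_route:                     # the fix from the thread
        nodes["outside_asa"].static_routes.append(("10.34.150.0/24", "10.34.50.1"))
    return nodes


def round_trip(nodes, src, dst, nat_src=None):
    """Echo request src -> dst, then the reply back to nat_src (inside ASA
    translating to its Outside address) or to src (no NAT)."""
    fwd_path, fwd = trace(nodes, src, dst)
    if fwd != "delivered":
        return {"forward": fwd, "return": "not attempted", "return_path": []}
    ret_path, ret = trace(nodes, dst, nat_src or src)
    return {"forward": fwd, "return": ret, "return_path": ret_path}


if __name__ == "__main__":
    cases = [("no NAT, no return route on outside ASA", build(False), None),
             ("no NAT, return route on outside ASA", build(True), None),
             ("NAT to 10.34.50.101, no return route", build(False), "10.34.50.101")]
    for label, nodes, nat in cases:
        print(f"{label}: {round_trip(nodes, '10.34.150.10', '198.51.100.10', nat)}")
```

The forward path succeeds in every case, which is why console pings from the inside ASA looked fine; only the reply exposes the gap. With NAT the reply is addressed to 10.34.50.101, a connected address for the outside ASA, so the inside subnet never has to be routable beyond the inside ASA. Without NAT every hop on the return path needs a route for 10.34.150.0/24, and the outside ASA was the hop that lacked one.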
