HI Jouni

first thanks for your reply and i am new to ASA's.

and i am sorry if i am unbale to explain correctly what i am try to do here

i am trying to move away from vpn concentrator and bring everything to ASA

i try to ping the gateway through ASA which fails. so i add the icmp inspection in global policy but still fails

so first i try to ping the internal address of VPN concentrator  which works and then try to ping the outside address which fails.

then i try the following command to do packet trace

packet-tracer input outside icmp 3.3.3.1 8 3.3.3.2

get error

% Invalid input detected at '^' marker

so i try it

packet-tracer input outside icmp 0 0 8  3.3.3.3

got the previous output  and following is like my topology

thanks

Hi,

Where is your default route pointing towards? (On the LAN I mean) And where are you sending the actual ICMP? From the LAN network behind the ASA and the VPN Concentrator?

I am not that familiar with the old Cisco VPN concentrators as we didnt have many of them when I started my current job.

The ASA firewalls atleast wont let you PING/ICMP an interface IP address other than the interfaces behind which the user doing the PING/ICMP is. So if the user is on the LAN network it can only ping the LAN interface IP address of the ASA.

If your default route is pointing towards the ASA I would imagine that the ICMP to the public IP address of the VPN concentrator should be ok provided that the ICMP is allowed.

I am not quite sure what you are trying to simulate with your "packet-tracer" command now that I can see the actual topology of the network.

If the ICMP was coming from the public network it would never reach the ASA as the ICMP would be forwarded directly from the Internet gateway to the VPN concentrator.

If you are sending ICMP from the LAN however then you would have to use the "inside" interface as the "input" interface in the command and the LAN IP address as the source IP address. Though this would only tell us if the ICMP Echo goes through the ASA

Please use the following format when using the "packet-tracer" command

packet-tracer input icmp 8 0

- Jouni

thanks again for your reply

on my ASA i create a default route pointing to the gateway

0.0.0.0 0.0.0.0 3.3.3.3

when i try to move the trafiic awayf rom vpn concentrator by creating a route towards the ASA on 3750,

network goes down. that's why i am trying to do packet trace to see where it get drops

and i follow your instructed command and found that acl is denying the flow.

i did a packet trace on ASDM as well and fins out that global implicit rule is blocking it .

and ASA is 5520 running on IOS 9.1.2

the NAT and PAT i configured on 8.3 then did gradual upgrade to 8.4 then to 9.1 and to 9.1.2

if you need config to see, i can post that as well

Any suggestion please

thanks

Hi,

The thing is,

If you are replacing a VPN concentrator with an ASA firewall then when you change the default route on the LAN router to point towards the ASA then you will naturally have to make sure that you still have routes on the LAN router for any VPN network that is located behind the VPN concentrator.

Since if there are active VPN Client connections and L2L VPN connections through the VPN concentrator then you naturally have to have specific routes for those remote network on the LAN router otherwise the traffic gets forwarded to the ASA.

Its impossible to say what the problem on the ASA side without seeing any "packet-tracer" output or some configurations.

Correct if I am wrong but to my understanding the Cisco VPN Concentrator were never used as your default Internet edge device. They were purely VPN devices? If so, what was acting as your Internet edge device for your LAN users before the ASA?

- Jouni

Thanks again Jouni

i do understand that VPN concentrators should not be a edge device but the vpn concentrator is there before i start this job and there was not even a L3 switch that time when i start this job few months ago.

i did configure everything on ASA as well  using the ASDM and i already have a routes for those networks on LAN router which sit behinds the L3 swicth. i just have to point the default route on L3 switch towards the ASA.

but the ASA wont let me ping the default gateway so i try to do packet trace to see where did that packets get dropped

and asked for help

thanks

Hi,

I guess we would need to see some configurations of the ASA to spot the problem.

If the problem is simply passing normal outbound connections to Internet then there shouldnt really be many things that could be wrong.

- Jouni

now we are having /29 addressing provided by the internet provider and first address is the address of outside interface of ASA, 2nd address is outside address of VPN concentrator and last one is inetrnet gateway

i also add the icmp inspection in the global inspection policy

and here is the config

ASA Version 9.1(2)

!

hostname rhino-yyc-fw1

domain-name Rhino.Local

enable password b97DQvkoEwlV.atc encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPN-Pool 172.30.255.1-172.30.255.255 mask 255.255.255.0

!

interface GigabitEthernet0/0

nameif outside

security-level 10

ip address 3.3.3.1 255.255.255.248

!

interface GigabitEthernet0/1

nameif DMZ  

security-level 0

ip address 172.30.254.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

nameif Wireless_Guest

security-level 100

no ip address

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 172.30.0.3 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name Rhino.Local

same-security-traffic permit intra-interface

object network obj-3.3.3.1

host 3.3.3.1

object network obj-172.30.0.0

subnet 172.30.0.0 255.255.0.0

object network obj-3.3.3.2-3.3.3.6

range 3.3.3.2-3.3.3.6

object network obj-172.30.0.0-01

subnet 172.30.0.0 255.255.0.0

object network NETWORK_OBJ_172.30.255.0_24

subnet 172.30.255.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq smtp

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq https

access-list inside_access_in extended permit object-group TCPUDP any 172.30.10.0 255.255.255.0 eq sip

access-list DMZ_access_in extended permit tcp any host 172.30.254.10 eq ftp

access-list DMZ_access_in extended permit tcp any host 172.30.254.10 eq ftp-data

access-list inside_access_out extended permit ip 172.30.30.0 255.255.255.0 any

access-list inside_access_out extended permit ip 172.30.10.0 255.255.255.0 any

access-list inside_access_out extended permit ip 172.30.100.0 255.255.255.0 any

access-list inside_access_out extended permit icmp 172.30.0.0 255.255.255.0 any

access-list outside_access_in extended permit icmp any any

access-list outside_access_out extended permit icmp any4 any4

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu DMZ 1500

mtu inside 1500

mtu Wireless_Guest 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 172.30.0.0 255.255.0.0 inside

icmp permit any inside

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.30.255.0_24 NETWORK_OBJ_172.30.255.0_24 no-proxy-arp route-lookup

!

object network obj-3.3.3.1

nat (DMZ,outside) static 172.30.254.10

object network obj-172.30.0.0

nat (inside,outside) dynamic obj-3.3.3.2-3.3.3.6

object network obj-172.30.0.0-01

nat (inside,DMZ) dynamic obj-3.3.3.2-3.3.3.6

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group DMZ_access_in in interface DMZ

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 3.3.3.6 1

route inside 172.30.0.0 255.255.0.0 172.30.0.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

http server enable

http 172.30.100.9 255.255.255.255 inside

http 172.30.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 172.30.0.0 255.255.0.0 inside

telnet timeout 5

ssh 172.30.0.0 255.255.0.0 inside

ssh timeout 10

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

webvpn

enable inside

group-policy VPNTunnel internal

group-policy VPNTunnel attributes

dns-server value 172.30.30.5 172.30.30.5

vpn-tunnel-protocol ikev1

default-domain value Rhino.Local

username PPayette password DDrFX7KNlKNcw.b/ encrypted privilege 0

username PPayette attributes

vpn-group-policy VPNTunnel

username SCook password HOLBBoSs8CUb/u8H encrypted privilege 0

username SCook attributes

vpn-group-policy VPNTunnel

username CSchley password iO08v/EJ11FIj9z7 encrypted privilege 0

username CSchley attributes

vpn-group-policy VPNTunnel

username JJacobsen password Jlv6yjc1sl822LaW encrypted privilege 0

username JJacobsen attributes

vpn-group-policy VPNTunnel

username CBabbitt password aA86hfET6JOwiJIw encrypted privilege 0

username CBabbitt attributes

vpn-group-policy VPNTunnel

username CReaburn password pMLqBxzKqJguWqCs encrypted privilege 0

username CReaburn attributes

vpn-group-policy VPNTunnel

username BCampbell password KIPXHtz.2xH17A2t encrypted privilege 0

username BCampbell attributes

vpn-group-policy VPNTunnel

username JKosior password thHn8vMyTVlmiVh4 encrypted privilege 0

username JKosior attributes

vpn-group-policy VPNTunnel

username JKoehler password 3QbbnSJocpOZT5G5 encrypted privilege 0

username JKoehler attributes

vpn-group-policy VPNTunnel

username GDesrosiers password iUQFn78RdocfF1rD encrypted privilege 0

username GDesrosiers attributes

vpn-group-policy VPNTunnel

username KHagley password N7bOCR2baHZVa3I4 encrypted privilege 0

username KHagley attributes

vpn-group-policy VPNTunnel

username DGlasier password ZahEQ6WnIh1AfVQN encrypted privilege 0

username DGlasier attributes

vpn-group-policy VPNTunnel

username ADeMont password DO.tLRxCWmR4Et0E encrypted privilege 0

username ADeMont attributes

vpn-group-policy VPNTunnel

username JoNeill password zA.WYYJK1xxRWQZ0 encrypted privilege 0

username JoNeill attributes

vpn-group-policy VPNTunnel

username admin password rqI1kZGuZ9MdeRsq encrypted

username RGibson password HBrM3ZVNaklmWciY encrypted privilege 0

username RGibson attributes

vpn-group-policy VPNTunnel

username RGlasier password XzJXeOkgrar.OHtN encrypted privilege 0

username RGlasier attributes

vpn-group-policy VPNTunnel

username MKrukowski password XpJsR2Ytu69jFVap encrypted privilege 0

username MKrukowski attributes

vpn-group-policy VPNTunnel

username TBuhay password fKbgv93sW/6pQcY9 encrypted privilege 0

username TBuhay attributes

vpn-group-policy VPNTunnel

username GParmar password NMDCU09PRq4y/AhW encrypted privilege 0

username GParmar attributes

vpn-group-policy VPNTunnel

username VAppunni password BNNDiLTc5JCoCZUW encrypted privilege 0

username VAppunni attributes

vpn-group-policy VPNTunnel

username EBell password PNwNfv2I3f0Mc.n2 encrypted privilege 0

username EBell attributes

vpn-group-policy VPNTunnel

username JSanders password hWZnuuxsuL2I7wor encrypted privilege 0

username JSanders attributes

vpn-group-policy VPNTunnel

username MTharp password 7zGs3yYOSvLFYQbP encrypted privilege 0

username MTharp attributes

vpn-group-policy VPNTunnel

username RKrukowski password OdZUEcOb.lk25cqO encrypted privilege 0

username RKrukowski attributes

vpn-group-policy VPNTunnel

username SJackson password wpfwjl0q2Zv8Np6z encrypted privilege 0

username SJackson attributes

vpn-group-policy VPNTunnel

username CoNeill password U9hGb.vI5/L.w80D encrypted privilege 0

username CoNeill attributes

vpn-group-policy VPNTunnel

username JVanderstar password qdJRyxclKVQvFOke encrypted privilege 0

username JVanderstar attributes

vpn-group-policy VPNTunnel

username SMesiatowsky password .5IZxbI/Ef/dMFTp encrypted privilege 0

username SMesiatowsky attributes

vpn-group-policy VPNTunnel

username LCroker password tsGUhroR3Zml/OTc encrypted privilege 0

username LCroker attributes

vpn-group-policy VPNTunnel

username TKochanowicz password 3A2RxqBfSbUA5gHJ encrypted privilege 0

username TKochanowicz attributes

vpn-group-policy VPNTunnel

tunnel-group VPNTunnel type remote-access

tunnel-group VPNTunnel general-attributes

address-pool VPN-Pool

default-group-policy VPNTunnel

tunnel-group VPNTunnel ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

thanks again for your reply

Hi,

I would suggest only configuring ACLs that are attached to your interface in the direction "in". This means traffic coming towards your "inside" interface and therefore leaving your network.

It seems to me that you might have mixed up the directions with your ACLs.

So I would suggest trying to following

no access-group inside_access_in in interface inside

no access-group inside_access_out out interface inside

access-list INSIDE-IN extended permit ip 172.30.30.0 255.255.255.0 any

access-list INSIDE-IN extended permit ip 172.30.10.0 255.255.255.0 any

access-list INSIDE-IN extended permit ip 172.30.100.0 255.255.255.0 any

access-list INSIDE-IN extended permit icmp 172.30.0.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

I would also suggest removing the "access-group" command for "outside" interface that is configured in the direction "out"

If you want to allow some traffic to some server from the Internet then use an ACL attached in the direction "in" in the interface "outside".

- Jouni

thanks again  Jouni

i will follow your intruction later today because now network is working and when everybody left the buliding then i will try to move away from VPN concentrator and see hows the network goes and post back agian to let you know

and just to make sure and confirm, in end of your lastpost you are taking about these two accesslist to move to outside interface inbound

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq smtp

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq https

if i am wrong please let me know

thanks

Hi,

To me the following ACL

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq smtp

access-list inside_access_in extended permit tcp any host 172.30.30.5 eq https

Seems like its meant to allow traffic from the "outside" to the "inside". And naturally to allow that kind of traffic you would need to have Static NAT configured for the host 172.30.30.5 but I cant see any Static NAT for this host on the ASA.

If you had a Static NAT configured for the host 172.30.30.5 then you would usually use an ACL on the "outside" interface to allow traffic from the Internet to that server

access-list OUTSIDE-IN extended permit tcp any host 172.30.30.5 eq smtp

access-list OUTSIDE-IN extended permit tcp any host 172.30.30.5 eq https

access-group OUTSIDE-IN in interface outside

But as I said, I dont see any Static NAT for the host 172.30.30.5 so I am not sure what the ACL you have configured is supposed to achieve.

- Jouni

i am totally lost now

this new IOS configuration is very hard for me since i never worked on ASA's before this job.

you are saying that i should configurred a static NAT for that 172.30.30.5 server and then configure ACLs and use that ACls on outside interface inbound

like following

object network MAILSERVER

host 172.30.30.5

nat (inside,outside) static 3.3.3.1

access-list OUTSIDE-IN permit tcp any object MAILSERVER eq https

access-list OUTSIDE-IN permit tcp any object MAILSERVER eq smtp

access-group OUTSIDE-IN in interface outside

i took this exmple from one of your answers in somebody else post

and correct me if i am wrong

thanks

Hi,

Yes, the above configuration is correct if the following are true

• Local IP address of the server is 172.30.30.5
• Public IP address of the server is 3.3.3.1
• Public IP address of 3.3.3.1 is NOT the interface IP address of the ASA
• You want to allow SMTP and HTTPS traffic to the server from the Internet

All but the third comment above might be clear to you.

The reason why you CAN NOT use the "outside" interface IP address as the Static NAT IP address of the server is the fact that the server would start using the public IP address of the "outside" interface alone for its Static NAT purposes and any other host trying to use it as the Dynamic PAT address would fail.

So since you have a /28 subnet at your disposal, I would suggest reserving a public IP address for the server from that range.

Or you could use Static PAT to do Port Forwarding

object network MAILSERVER-SMTP

host 172.30.30.5

nat (inside,outside) static interface service tcp 25 25

object network MAILSERVER-HTTPS

host 172.30.30.5

nat (inside,outside) static interface service 443 443

access-list OUTSIDE-IN permit tcp any object MAILSERVER-SMTP eq smtp

access-list OUTSIDE-IN permit tcp any object MAILSERVER-HTTPS eq https

The above would enable you to use the "outside" interface public IP address for both Dynamic PAT for all the hosts behind the ASA and also for the Static PAT purposes for your Mail Server.

- Jouni

thanks for explanation Jouni

i am understadnig what you are trying  to say

3.3.3.1 is the ip add of outsid einterface of ASA so instead of that i can use any other address from the subnet which comes with /29 subnet mask

3.3.3.1 is outside address of ASA, 3.3.3.2 is outside interface of VPN concentrator and 3.3.3.6 is gateway

which means i can use either 3.3.3.3 or .4 or .5 for the server public ip address

and use it as following

object network MAILSERVER

host 172.30.30.5

nat (inside,outside) static 3.3.3.3 or .4 or .5 (any one of these three)

access-list OUTSIDE-IN permit tcp any object MAILSERVER eq https

access-list OUTSIDE-IN permit tcp any object MAILSERVER eq smtp

access-group OUTSIDE-IN in interface outside

and then it wil be good

hope i am going in right direction

please correct me if i am wrong

thanks

Again