ASA 5512 internet connection

Hi,

I'm new to networking and I have a problem setting up an ASA 5512 firewall. The problem is that I can't set up an internet connection inside my network.

I've created two interfaces: WAN with the public IP address (security level 0), and LAN with the IP 192.168.35.4 (security level 100). Actually, we are replacing the old router, and this one should take its address. I've added a static route 0/0 to my default gateway, and I'm able to ping Google's DNS server from the router, but I can't from a computer on the network. The network switch is also present on 192.168.35.254.

For testing purposes I've changed the WAN IP address to 192.168.99.1 and attached a computer to it with IP 192.168.99.2, and when I try to ping it from the LAN interface, I get no ping reply.

I would appreciate any help.

29 Replies

How could I do that?

Well if you temporarily want to disable it -

"no access-group global_access global"

the above won't remove the acl from the configuration but it will stop it being used.

I don't know your company security rules so I don't know whether it needs to be there or not.

If it does, try adding this line -

access-list global_access permit icmp host 192.168.35.11 host 192.168.99.2 echo

this will allow you from inside to out and ICMP inspection should allow it back in.

However you won't be able to start the ping from the outside host. For that you would need another line in the above acl.

Jon

That will solve pinging, but what about the Internet connection? Will my LAN users be able to access the Internet, because that's actually the main problem? And disabling the acl represents a security issue.

No they wouldn't.

You could try adding -

access-list global_access permit ip 192.168.35.0 255.255.255.0 any

to that acl and that should work, or you can be more specific if you know the ports are just http/https etc., e.g.

access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 80
access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 443
etc

but that would apply it to all interfaces and I can't see the logic of doing that.

Or perhaps you can have an acl on the inside interface to allow that specific traffic rather than on all interfaces.

To be honest I haven't used global acls and I'm not sure what the best practice is in terms of how you use them.

I'm assuming the global acl merges with any acl applied to the interface but I can't say for sure.

Looking at the existing rules in that acl I can't see why you would want to apply some of the lines in the acl to all interfaces but perhaps I am misunderstanding something.

Jon


Just had a quick read of the docs.

If you have an acl applied inbound to an interface and a global acl then the rules in the acl applied to the interface are processed first and then the global ones.

So you could have an inside acl allowing that traffic.

As to which to use I can't say because I don't know what your company's security policies are.

Jon
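The evaluation order Jon describes (the ACL applied inbound to the interface first, then the global ACL, then the implicit deny) can be checked offline with a small model. The following Python is an added example, not part of this thread and not Cisco software; it assumes the simplified ACE syntax used in the posts (any / host A / network mask, `eq PORT`, an ICMP type keyword) and models only destination ports, not source-port `eq`, object groups or the ICMP inspection return path.

```python
"""Model of ASA access-rule evaluation order (added example, not Cisco code):
the ACL bound inbound to the ingress interface is checked first, then the
global ACL, first match wins, and the implicit deny applies only after both.
Source-port "eq", object-groups and ICMP inspection are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    acl: str                          # name of the ACL the entry belongs to
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # destination port from "eq PORT"
    icmp_type: Optional[int] = None   # e.g. echo = 8


def _addr_spec(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec from the token list: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC DST [eq P | ICMPTYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    name = tokens[1]
    tokens = tokens[3:] if tokens[2] == "extended" else tokens[2:]
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr_spec(tokens), _addr_spec(tokens)
    ace = Ace(name, action, proto, src, dst)
    if tokens and tokens[0] == "eq":          # destination port (name or number)
        ace.dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    elif tokens and proto == "icmp":          # ICMP type keyword such as "echo"
        ace.icmp_type = ICMP_TYPES[tokens[0]]
    return ace


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines if line.strip()]


def ace_matches(ace: Ace, proto: str, src, dst, dport=None, icmp_type=None) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != icmp_type:
        return False
    return True


def evaluate(interface_acl, global_acl, proto, src, dst,
             dport=None, icmp_type=None) -> Tuple[str, str]:
    """Return (action, acl-name) of the first matching ACE. The interface ACL
    is consulted before the global ACL; the implicit deny comes after both."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in list(interface_acl) + list(global_acl):
        if ace_matches(ace, proto, src, dst, dport, icmp_type):
            return ace.action, ace.acl
    return "deny", "implicit"


# Constructed ACL text with the same entries the posts above discuss.
LAN_ACL = parse_acl(["access-list LAN_access_in extended permit ip any any"])
GLOBAL_ACL = parse_acl([
    "access-list global_access permit icmp host 192.168.35.11 host 192.168.99.2 echo",
    "access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 80",
    "access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 443",
])

if __name__ == "__main__":
    # Inside host to outside web: the interface ACL permits before global is read.
    print(evaluate(LAN_ACL, GLOBAL_ACL, "tcp", "192.168.45.2", "192.168.99.2", dport=80))
    # Ping started from the outside host: nothing matches, implicit deny.
    print(evaluate([], GLOBAL_ACL, "icmp", "192.168.99.2", "192.168.35.11", icmp_type=8))
```

Running the two queries in the `__main__` block reproduces Jon's two points: with `permit ip any any` on the inside interface the global ACL is never reached for that traffic, and a ping started from the outside host falls through to the implicit deny because the `echo` entry only covers the inside-to-outside direction.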

I'll test and let you know. I think that I've tried to allow ip from any to any, but internet did not work.

If it's still not working after modifying the acl then run the "packet-tracer ..." command again to see what is happening and post back here if you need more help.

Jon

Hi Jon,


still no progress. I've made some changes to the configuration, added another interface and connected the PC directly to it, but still no luck. Here is the output:

Result of the command: "packet-tracer input LAN tcp 192.168.45.2 80 192.168.99.2 80 detailed"
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   WAN
 
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa033ca70, priority=13, domain=permit, deny=false
hits=1, user_data=0x7fff9b795140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=LAN, output_ifc=any
 
Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.45.2/80 to 192.168.99.1/80
 Forward Flow based lookup yields rule:
 in  id=0x7fff9fdfa6a0, priority=6, domain=nat, deny=false
hits=6, user_data=0x7fff9fb4e6a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=LAN, output_ifc=WAN
 
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
hits=19194, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9ff06120, priority=0, domain=inspect-ip-options, deny=true
hits=7932, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=LAN, output_ifc=any
 
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff9f52e430, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7fffa05f92b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=LAN, output_ifc=WAN
 
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
hits=19196, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9e391890, priority=0, domain=inspect-ip-options, deny=true
hits=16734, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=WAN, output_ifc=any
 
Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 17528, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
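A trace this long is easier to read with a parser that pulls out each phase's result, the NAT translation and the final action, and for a dropped packet names the first phase that said DROP. The following Python is an added example, not from this thread and not Cisco software; the ALLOW sample is a trimmed copy of the output above, and the DROP sample is constructed to show what a denied packet looks like (its `Drop-reason` line follows the ASA's format).

```python
"""Parser for ASA 'packet-tracer ... detailed' output (added example, not
Cisco code). Splits the trace into phases, reports the final action, the
NAT translation and, for a dropped packet, the first phase that said DROP."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str                    # "allow" or "drop" from the final block
    drop_reason: Optional[str]
    summary: Dict[str, str]        # input-interface, output-interface, ...


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section: Optional[List[str]] = None
    summary: Dict[str, str] = {}
    action, drop_reason, in_final = "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif line == "Result:":                 # bare "Result:" opens the final block
            in_final, cur = True, None
        elif in_final:
            key, _, val = line.partition(":")
            if key == "Action":
                action = val.strip()
            elif key == "Drop-reason":
                drop_reason = val.strip()
            else:
                summary[key] = val.strip()
        elif cur is None:
            continue                            # text before the first phase
        elif line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = cur.config
        elif line == "Additional Information:":
            section = cur.info
        elif section is not None:
            section.append(line)
    return Trace(phases, action, drop_reason, summary)


def first_drop(trace: Trace) -> Optional[Phase]:
    return next((p for p in trace.phases if p.result == "DROP"), None)


def nat_translations(trace: Trace) -> List[str]:
    return [l for p in trace.phases if p.type == "NAT"
            for l in p.info if l.startswith("Dynamic translate")]


def summarize(trace: Trace) -> str:
    path = f"{trace.summary.get('input-interface')} -> {trace.summary.get('output-interface')}"
    if trace.action == "allow":
        return f"ALLOW {path}; NAT: {', '.join(nat_translations(trace)) or 'none'}"
    d = first_drop(trace)
    where = f"phase {d.number} {d.type}" if d else "unknown phase"
    return f"DROP at {where} ({trace.drop_reason}); config: {'; '.join(d.config) if d else ''}"


# Trimmed copy of the trace posted above (phases 2 and 3 plus the final block).
ALLOW_SAMPLE = """
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.45.2/80 to 192.168.99.1/80

Result:
input-interface: LAN
output-interface: WAN
Action: allow
"""

# Constructed sample of a packet denied by the ACL's implicit rule.
DROP_SAMPLE = """
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN
output-interface: WAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(parse_packet_tracer(ALLOW_SAMPLE)))
    print(summarize(parse_packet_tracer(DROP_SAMPLE)))
```

Paste a real trace in place of the samples; the first `Result: DROP` phase and its `Config:` lines tell you which feature (ACL, NAT, route lookup) rejected the packet, which is the question the thread keeps coming back to.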

Okay, that packet-tracer output is showing you that the packet was allowed out and had matching NAT rules.

So as far as the ASA is concerned that traffic is allowed through.

Because TCP is stateful the return traffic should also be allowed back to the client.

So can you check your client and the server you are connecting to, i.e. that they have the right default gateways, that the web server is actually up and running, etc.

Jon

When you say you have added another interface and connected the PC to it, what is the interface name?

That is the name you need to use in your packet-tracer test.

Can you clarify?

Jon

I've got it to work. I can ping, access shared folders and http. Like you said, the access rules were causing the problems. Now I just need to modify the settings and permit http and https.

Good news.

Glad you got it working.

Jon

Thank you so much for your help!

No problem, happy to do it.

Jon

Roberto,

can you check the configs below and tell me what needs to be done? I would appreciate your help a lot!
