08-02-2018 03:29 AM
Hi,
I have a configuration I have previously used on ASA 5506 firewalls, which now no longer works (version 9.6).
I am trying to make one single host accessible to 7 other networks.
Therefore, I configure all 8 interfaces with an IP, and create and add access-lists.
Like so:
interface GigabitEthernet1/7
 nameif AAAAAA
 security-level 100
 ip address 172.31.0.1 255.255.0.0
 no shutdown
!
interface GigabitEthernet1/8
 nameif ZZZZZZ
 security-level 0
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
access-list AAAAAA-in extended permit ip 172.31.0.0 255.255.0.0 host 192.168.0.2
access-list AAAAAA-out extended permit ip host 192.168.0.2 172.31.0.0 255.255.0.0
access-list ZZZZZZ-in extended permit ip host 192.168.0.2 any
access-list ZZZZZZ-out extended permit ip any host 192.168.0.2
access-group AAAAAA-in in interface AAAAAA
access-group AAAAAA-out out interface AAAAAA
access-group ZZZZZZ-in in interface ZZZZZZ
access-group ZZZZZZ-out out interface ZZZZZZ
Interface 1 to 6 are configured like 7, but with different subnets.
Now my problem. This only works when I have a NAT entry, like so:
object network obj_any
 nat (any,ZZZZZZ) dynamic interface
When I remove this entry, I am not able to have any traffic from AAAAAA to ZZZZZZ or the other way around.
Strangely, packet-tracer shows that everything should be fine. Traffic can pass from and to both interfaces, according to packet-tracer.
I have checked the settings on the hosts connected to the interfaces, and double checked for a default gateway to be configured.
What am I doing wrong, or what am I missing here?
08-02-2018 04:38 AM
Hello,
post the full running configuration of your ASA...
08-02-2018 05:20 AM
: Saved
:
: Serial Number: ***********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ciscoasa
enable password **************** encrypted
names
!
interface GigabitEthernet1/1
 nameif AAA
 security-level 100
 ip address 172.16.0.1 255.255.0.0
!
interface GigabitEthernet1/2
 nameif BBB
 security-level 100
 ip address 172.17.0.1 255.255.0.0
!
interface GigabitEthernet1/3
 nameif CCC
 security-level 100
 ip address 172.18.0.1 255.255.0.0
!
interface GigabitEthernet1/4
 nameif DDD
 security-level 100
 ip address 172.19.0.1 255.255.0.0
!
interface GigabitEthernet1/5
 nameif EEE
 security-level 100
 ip address 172.20.0.1 255.255.0.0
!
interface GigabitEthernet1/6
 nameif FFF
 security-level 100
 ip address 172.22.0.1 255.255.0.0
!
interface GigabitEthernet1/7
 nameif GGG
 security-level 100
 ip address 172.31.0.1 255.255.0.0
!
interface GigabitEthernet1/8
 nameif ZZZ
 security-level 0
 ip address 192.168.0.1 255.255.255.0
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list AAA-in extended permit ip 172.16.0.0 255.255.0.0 host 192.168.0.2
access-list AAA-out extended permit ip host 192.168.0.2 172.16.0.0 255.255.0.0
access-list BBB-in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.0.2
access-list BBB-out extended permit ip host 192.168.0.2 172.17.0.0 255.255.0.0
access-list CCC-in extended permit ip 172.18.0.0 255.255.0.0 host 192.168.0.2
access-list CCC-out extended permit ip host 192.168.0.2 172.18.0.0 255.255.0.0
access-list DDD-in extended permit ip 172.19.0.0 255.255.0.0 host 192.168.0.2
access-list DDD-out extended permit ip host 192.168.0.2 172.19.0.0 255.255.0.0
access-list EEE-in extended permit ip 172.20.0.0 255.255.0.0 host 192.168.0.2
access-list EEE-out extended permit ip host 192.168.0.2 172.20.0.0 255.255.0.0
access-list FFF-in extended permit ip 172.22.0.0 255.255.0.0 host 192.168.0.2
access-list FFF-out extended permit ip host 192.168.0.2 172.22.0.0 255.255.0.0
access-list GGG-in extended permit ip 172.31.0.0 255.255.0.0 host 192.168.0.2
access-list GGG-out extended permit ip host 192.168.0.2 172.31.0.0 255.255.0.0
access-list ZZZ-in extended permit ip host 192.168.0.2 any
access-list ZZZ-out extended permit ip any host 192.168.0.2
pager lines 24
logging asdm informational
mtu AAA 1500
mtu BBB 1500
mtu CCC 1500
mtu DDD 1500
mtu EEE 1500
mtu FFF 1500
mtu GGG 1500
mtu ZZZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group AAA-in in interface AAA
access-group AAA-out out interface AAA
access-group BBB-in in interface BBB
access-group BBB-out out interface BBB
access-group CCC-in in interface CCC
access-group CCC-out out interface CCC
access-group DDD-in in interface DDD
access-group DDD-out out interface DDD
access-group EEE-in in interface EEE
access-group EEE-out out interface EEE
access-group FFF-in in interface FFF
access-group FFF-out out interface FFF
access-group GGG-in in interface GGG
access-group GGG-out out interface GGG
access-group ZZZ-in in interface ZZZ
access-group ZZZ-out out interface ZZZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 BBB
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config AAA
!
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:********************************
: end
08-02-2018 05:48 AM
Hello,
the config looks good; in fact, I recreated it in GNS3 with hosts directly connected to the interfaces, and they have full connectivity.
How are your hosts connected to the ASA, any intermediate devices? Can the hosts ping their respective default gateways?
08-02-2018 06:35 AM
No intermediate devices, just two Windows laptops directly connected to the ASA interfaces.
Both can ping the ASA interface, but neither can reach the other device.
08-02-2018 06:44 AM
Hello,
odd indeed...
Can you post the output of:
ciscoasa# packet-tracer input AAA icmp 172.16.0.2 0 8 192.168.0.2
08-02-2018 06:52 AM
ciscoasa# packet-tracer input AAA icmp 172.16.128.1 0 8 192.168.0.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.2 using egress ifc ZZZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AAA-in in interface AAA
access-list AAA-in extended permit ip 172.16.0.0 255.255.0.0 host 192.168.0.2
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ZZZ-out out interface ZZZ
access-list ZZZ-out extended permit ip any host 192.168.0.2
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 995, packet dispatched to next module

Result:
output-interface: ZZZ
output-status: up
output-line-status: up
Action: allow
08-02-2018 07:01 AM
According to the output, both devices can ping each other.
What is the output of 'ipconfig /all' from both Windows machines? Try and disable the Windows firewalls to check if the problem is with the security settings on the clients...
08-02-2018 07:15 AM
08-02-2018 07:17 AM
Odd indeed, again...
Do you have the ASA config with NAT enabled?
08-02-2018 07:39 AM - edited 08-02-2018 07:39 AM
That would be the exact config I posted before, with the addition of:
object network obj_any
 nat (any,ZZZ) dynamic interface
08-02-2018 08:23 AM
So with the Windows firewalls enabled and NAT, the hosts can ping each other...
I guess you would need to look inside the packets... do you have something like Wireshark installed on one of your machines?
08-06-2018 02:59 AM
I checked using Wireshark.
When NAT is enabled, the source of the ping command is the interface of the firewall, i.e. 192.168.0.1 pings to 192.168.0.2.
When NAT is disabled, the source of the ping command is the other host, i.e. 172.16.128.1 to 192.168.0.2.
Windows Firewall has a rule which only allows ping from the local network.
That's why a ping using NAT works, but a ping without NAT fails.
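As an added illustration (not part of the thread), the Python model below replays the packet-tracer phases for the posted AAA/ZZZ configuration and then applies the host-side check that packet-tracer never sees: the Windows Firewall echo rule scoped to the local subnet. Interface names, addresses and ACL entries come from the posted config; restricting the model to AAA and ZZZ and applying the dynamic interface NAT only toward ZZZ are assumptions.

```python
import ipaddress

# Constructed from the posted config: interface name -> address/mask of the ASA interface.
INTERFACES = {
    "AAA": ipaddress.ip_interface("172.16.0.1/16"),
    "ZZZ": ipaddress.ip_interface("192.168.0.1/24"),
}
# The posted access lists as (source, destination) permit entries; "any" is 0.0.0.0/0.
ACLS = {
    "AAA-in":  [("172.16.0.0/255.255.0.0", "192.168.0.2/32")],
    "AAA-out": [("192.168.0.2/32", "172.16.0.0/255.255.0.0")],
    "ZZZ-in":  [("192.168.0.2/32", "0.0.0.0/0")],
    "ZZZ-out": [("0.0.0.0/0", "192.168.0.2/32")],
}

def acl_permits(acl, src, dst):
    """An ACL with no matching permit entry drops the packet (implicit deny)."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS.get(acl, []))

def asa_forward(ingress, src, dst, nat_dynamic_interface):
    """Replay the packet-tracer phases from the thread: ingress ACL, route lookup,
    optional 'nat (any,ZZZ) dynamic interface', egress ACL. Returns the source
    address the destination host sees, or None if the ASA drops the packet.
    Simplification (assumption): NAT is modelled only for traffic leaving via ZZZ."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = next((n for n, i in INTERFACES.items() if dst in i.network), None)
    if egress is None or not acl_permits(f"{ingress}-in", src, dst):
        return None
    if nat_dynamic_interface and egress == "ZZZ":
        src = INTERFACES[egress].ip  # source rewritten to the egress interface address
    if not acl_permits(f"{egress}-out", src, dst):
        return None
    return str(src)

def host_accepts_echo(seen_src, host_ifc):
    """Windows Firewall echo-request rule scoped to the local subnet, as the poster
    found with Wireshark: only sources inside the host's own subnet are answered."""
    return ipaddress.ip_address(seen_src) in ipaddress.ip_interface(host_ifc).network

def ping_reaches(ingress, src, dst, host_ifc, nat):
    """True only if the ASA forwards the echo AND the host firewall admits it;
    packet-tracer verifies the first condition only, which is why it showed ALLOW."""
    seen = asa_forward(ingress, src, dst, nat)
    return seen is not None and host_accepts_echo(seen, host_ifc)

if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT {'on' if nat else 'off'}: host sees source",
              asa_forward("AAA", "172.16.128.1", "192.168.0.2", nat), "-> answered:",
              ping_reaches("AAA", "172.16.128.1", "192.168.0.2", "192.168.0.2/24", nat))
```

Without NAT the host sees 172.16.128.1 and its local-subnet rule drops the echo; with NAT it sees 192.168.0.1 and replies, matching the Wireshark observation above.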