1272 Views, 0 Helpful, 6 Replies

ASA 8.4, subnets unable to reach outside

benlemasurier
Level 1

I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.

From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues. Any thoughts?

Here's my config:

ASA Version 8.4(3)

!

hostname gw

domain-name internal.mycompany.com

enable password asdf encrypted

passwd asdf encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 216.x.x.x 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MST -7

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name internal.mycompany.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network public_dc

subnet 204.x.x.x 255.255.255.224

object network subnet_a

subnet 192.168.20.0 255.255.255.0

object network subnet_a_wireless

subnet 192.168.21.0 255.255.255.0

object network subnet_b

subnet 192.168.10.0 255.255.255.0

object network subnet_b_wireless

subnet 192.168.11.0 255.255.255.0

object network subnet_c

subnet 192.168.30.0 255.255.255.0

object network subnet_c_wireless

subnet 192.168.31.0 255.255.255.0

object network subnet_dc

subnet 10.10.10.0 255.255.255.192

object network subnet_server

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network subnet_primary

subnet 192.168.0.0 255.255.255.0

object network EXTERNAL_PAT

host 216.x.x.x

object-group network internal_lan_trusted

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_primary

object-group network internal_lan_wireless

network-object object subnet_b_wireless

network-object object subnet_c_wireless

network-object object subnet_a_wireless

object-group network mycompany_trusted_lan

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_dc

network-object object subnet_primary

object-group network mycompany_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

object-group network mycompany_lan_internal

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_primary

network-object object subnet_server

access-list inside_access_in extended permit ip any any log disable

access-list global_access extended permit icmp any any log disable

access-list global_access extended permit ip any any log disable

access-list outside_access_in extended permit ip any any log disable

access-list outside_access_in extended permit icmp any any log disable

access-list split_tunnel extended permit ip object-group mycompany_lan any log disable

access-list DC_VPN_TRAFFIC extended permit ip object-group mycompany_trusted_lan object subnet_dc log disable

access-list DC_VPN_TRAFFIC extended permit icmp object-group mycompany_trusted_lan object subnet_dc log disable

access-list inside_access extended permit ip any any

access-list inside_acl extended permit ip object-group mycompany_lan any

access-list inside_acl extended permit icmp object-group mycompany_lan any

access-list outside_access_out extended permit ip any any log disable

access-list outside_access_out extended permit icmp any any log disable

no pager

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu temporary 1500

ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

!

nat (inside,outside) source static mycompany_lan mycompany_lan destination static mycompany_lan mycompany_lan

nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface

!

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group inside_acl in interface inside

access-group inside_acl out interface inside

access-group global_access global

!

router eigrp 10

network 192.168.0.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 216.x.x.x 1

route inside 192.168.5.0 255.255.255.0 192.168.0.6 1

route inside 192.168.10.0 255.255.255.0 192.168.0.10 1

route inside 192.168.11.0 255.255.255.0 192.168.0.10 1

route inside 192.168.20.0 255.255.255.0 192.168.0.20 1

route inside 192.168.21.0 255.255.255.0 192.168.0.20 1

route inside 192.168.30.0 255.255.255.0 192.168.0.30 1

route inside 192.168.31.0 255.255.255.0 192.168.0.30 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server mycompany protocol radius

aaa-server mycompany (inside) host 192.168.5.29

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec fragmentation after-encryption outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC

crypto map DC_VPN_MAP 1 set pfs

crypto map DC_VPN_MAP 1 set peer 204.x.x.x

crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA

crypto map DC_VPN_MAP interface outside

crypto ca trustpoint anyconnect_trustpoint

enrollment self

subject-name CN=gw

crl configure

crypto ca certificate chain anyconnect_trustpoint

certificate 48733d4f

    308201e3 3082014c a0030201 02020448 733d4f30 0d06092a 864886f7 0d010105

    05003036 310b3009 06035504 03130267 77312730 2506092a 864886f7 0d010902

    16186777 2e696e74 65726e61 6c2e7370 61726b66 756e2e63 6f6d301e 170d3132

    30323136 32323331 30375a17 0d323230 32313332 32333130 375a3036 310b3009

    06035504 03130267 77312730 2506092a 864886f7 0d010902 16186777 2e696e74

    65726e61 6c2e7370 61726b66 756e2e63 6f6d3081 9f300d06 092a8648 86f70d01

    01010500 03818d00 30818902 818100dd c12be975 8e68594c 3d3f2e20 2deab59b

    5a584d62 f1dc0a2f 34bfbf7b a3cda514 c9b8cd7a 371920b4 20460ff8 0bc15eea

    8ce801d1 96745f83 c6218cee d87d0d47 8b1eb05a f2f65367 069a99ff 3af5bd3a

    4a1bbb79 b0229e81 1a507670 bb7aa46e 9224791c a9e353ec 60a262ea 7a262909

    56afa944 536864b5 4e93a19d b77df302 03010001 300d0609 2a864886 f70d0101

    05050003 81810078 7c5c652a 3f1b296d 72cca5f8 a8ba36f3 110a21bc 6c501c88

    22eed1db 086dac0a 90d1cecd e870c113 b1614445 fc0e3505 1b569c1a c196d1d1

    6af0efff f8c6e76a eb269b7f bae0cbf0 5cb4f010 f35496a3 504c8001 f81c3b7f

    e98a2cae 6610bdd7 2a25ccba ac5d735a 71c72069 53653a7a c0ef0121 0adfe7b6

    58798f08 0750d8

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint anyconnect_trustpoint

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 60

console timeout 0

dhcpd address 192.168.0.20-192.168.0.100 inside

dhcpd dns 192.168.5.47 interface inside

dhcpd wins 192.168.5.29 interface inside

dhcpd ping_timeout 20 interface inside

dhcpd domain internal.mycompany.com interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.189.94.4 source outside prefer

ssl trust-point anyconnect_trustpoint outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect image disk0:/anyconnect-linux-64-2.5.3054-k9.pkg 3

anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4

anyconnect profiles mycompany_anyconnect_client_profile disk0:/mycompany_anyconnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1 ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy mycompany internal

group-policy mycompany attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy GroupPolicy_mycompany_anyconnect internal

group-policy GroupPolicy_mycompany_anyconnect attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

webvpn

  anyconnect profiles value mycompany_anyconnect_client_profile type user

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group (temporary) mycompany LOCAL

tunnel-group mycompany_anyconnect type remote-access

tunnel-group mycompany_anyconnect general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy GroupPolicy_mycompany_anyconnect

tunnel-group mycompany_anyconnect webvpn-attributes

group-alias mycompany_anyconnect enable

tunnel-group mycompany type remote-access

tunnel-group mycompany general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy mycompany

tunnel-group mycompany ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DC_VPN type ipsec-l2l

tunnel-group 204.x.x.x type ipsec-l2l

tunnel-group 204.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:3a10facef4d0c6fe63bf34d5899274f9

: end
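To reason about which of the two nat statements a given flow hits, here is an added example (not code from the post) that walks the ASA 8.4 NAT sections in lookup order: manual NAT (section 1) in configuration order, then after-auto manual NAT (section 3); there is no object NAT (section 2) in this config, so it is not modelled. The sample input is the object, object-group and nat lines copied from the configuration above; the flow addresses 192.168.10.5, 10.10.10.5 and 8.8.8.8 are chosen for illustration.

```python
import ipaddress
import re

# Sample input: the object, object-group and nat lines copied from the ASA 8.4(3)
# configuration posted above; the rest of the configuration is omitted.
ASA_CONFIG = """\
object network subnet_a
 subnet 192.168.20.0 255.255.255.0
object network subnet_a_wireless
 subnet 192.168.21.0 255.255.255.0
object network subnet_b
 subnet 192.168.10.0 255.255.255.0
object network subnet_b_wireless
 subnet 192.168.11.0 255.255.255.0
object network subnet_c
 subnet 192.168.30.0 255.255.255.0
object network subnet_c_wireless
 subnet 192.168.31.0 255.255.255.0
object network subnet_dc
 subnet 10.10.10.0 255.255.255.192
object network subnet_server
 subnet 192.168.5.0 255.255.255.0
object network subnet_primary
 subnet 192.168.0.0 255.255.255.0
object-group network mycompany_lan
 network-object object subnet_a
 network-object object subnet_a_wireless
 network-object object subnet_b
 network-object object subnet_b_wireless
 network-object object subnet_c
 network-object object subnet_c_wireless
 network-object object subnet_dc
 network-object object subnet_primary
 network-object object subnet_server
object-group network mycompany_lan_internal
 network-object object subnet_a
 network-object object subnet_a_wireless
 network-object object subnet_b
 network-object object subnet_b_wireless
 network-object object subnet_c
 network-object object subnet_c_wireless
 network-object object subnet_primary
 network-object object subnet_server
nat (inside,outside) source static mycompany_lan mycompany_lan destination static mycompany_lan mycompany_lan
nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface
"""

NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) (?P<after>after-auto )?"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?$"
)


def parse_config(text):
    """Return (objects, groups, nat_rules) parsed from the config subset."""
    objects, groups, rules = {}, {}, []
    current = None  # ("object" | "group", name) whose body is being read
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            current = ("object", parts[2])
            objects[parts[2]] = []
        elif parts[:2] == ["object-group", "network"]:
            current = ("group", parts[2])
            groups[parts[2]] = []
        elif parts[0] in ("subnet", "host") and current and current[0] == "object":
            # ipaddress accepts "address/dotted-mask", the form the ASA prints
            objects[current[1]].append(ipaddress.ip_network("/".join(parts[1:])))
        elif parts[:2] == ["network-object", "object"] and current and current[0] == "group":
            groups[current[1]].append(parts[2])
        elif parts[0] == "nat":
            m = NAT_RE.match(line)
            if m is None:
                raise ValueError("unparsed nat line: " + line)
            rule = m.groupdict()
            rule["section"] = 3 if rule["after"] else 1  # manual NAT = 1, after-auto = 3
            rules.append(rule)
            current = None
    return objects, groups, rules


def expand(name, objects, groups):
    """Flatten an object or (possibly nested) object-group into a list of networks."""
    if name in objects:
        return list(objects[name])
    return [n for member in groups[name] for n in expand(member, objects, groups)]


def match_nat(src_ip, dst_ip, src_if, dst_if, objects, groups, rules):
    """First NAT rule hit for the flow in ASA lookup order, or None if untranslated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["section"]):  # stable sort keeps config order
        if (rule["src_if"], rule["dst_if"]) != (src_if, dst_if):
            continue
        if not any(src in n for n in expand(rule["real"], objects, groups)):
            continue
        # a rule with a destination clause only matches when the destination fits too
        if rule["dreal"] and not any(dst in n for n in expand(rule["dreal"], objects, groups)):
            continue
        return rule
    return None
```

Run against the posted config, 192.168.10.5 to 8.8.8.8 skips the identity rule (the destination is not in mycompany_lan) and lands on the after-auto dynamic PAT to the outside interface, which is what the packet-tracer in the thread also reports for 192.168.5.1; 192.168.10.5 to 10.10.10.5 hits the section 1 identity rule and stays untranslated, as intended for the DC_VPN traffic. Note that subnet_dc is a member of mycompany_lan but not of mycompany_lan_internal, so a flow sourced from 10.10.10.0/26 toward the internet matches neither rule and is forwarded with its private source address.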


6 Replies

Reza Sharifi
Hall of Fame

What is connected to ASA on the internal side?

Are you running EIGRP with that device?

Sent from Cisco Technical Support iPhone App

Routers on the 192.168.0.0/24 network are connected via a switch. All internal 192.168.0.0/16 hosts are able to communicate with each other.

EIGRP is running on all devices, though I was having some issues so I added static routes on the ASA.

Hi,

What is packet-tracer telling you?

Maybe you could do a packet capture on the inside and outside interfaces and post it here too.

Regards.

Alain

Don't forget to rate helpful posts.

Packet tracer output:

gw# packet-tracer input inside tcp 192.168.5.1 4900 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_acl in interface inside

access-list inside_acl extended permit ip object-group mycompany_lan any

object-group network mycompany_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface

Additional Information:

Dynamic translate 192.168.5.1/4900 to 216.x.x.x/4900

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_out out interface outside

access-list outside_access_out extended permit ip any any log disable

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 49776, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow
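When checking many flows the way Alain suggests, reading each packet-tracer run by hand gets tedious. The following added example (not code from the thread) parses packet-tracer output into its phases and reports the final action, the first phase that returned DROP, and the NAT translation line. Sample input 1 is the run posted above, abridged to four phases with the Config: sections shortened and the phases renumbered; sample input 2 is a constructed trace of a flow denied by the inside ACL, in the same format, so that the failure path is exercised too.

```python
import re

# Sample input 1: the packet-tracer run posted above, abridged to four of its
# phases with the Config: sections shortened (the phases are renumbered).
ALLOWED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface
Additional Information:
Dynamic translate 192.168.5.1/4900 to 216.x.x.x/4900

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49776, packet dispatched to next module

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Sample input 2: a constructed trace (not from the thread) of a flow that the
# inside ACL denies, in the same format, to exercise the failure path.
DROPPED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_acl in interface inside
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Summarise packet-tracer output: phases, final action, first DROP, NAT translation."""
    head, _, tail = text.partition("\nResult:\n")  # the bare "Result:" line starts the verdict
    phases = []
    for chunk in re.split(r"(?m)^Phase: ", head)[1:]:
        lines = chunk.strip().splitlines()
        fields = {}
        for ln in lines[1:]:
            key, sep, val = ln.partition(": ")
            if sep and key in ("Type", "Subtype", "Result"):
                fields[key] = val.strip()
        # whatever follows "Additional Information:" is the phase's free-form detail
        info = chunk.partition("Additional Information:")[2].strip().splitlines()
        phases.append({"phase": int(lines[0]), "type": fields.get("Type", ""),
                       "result": fields.get("Result", ""), "info": info})
    verdict = dict(ln.split(": ", 1) for ln in tail.splitlines() if ": " in ln)
    translation = next((ln for p in phases if p["type"] == "NAT"
                        for ln in p["info"] if "translate" in ln), None)
    return {"phases": phases, "action": verdict.get("Action"),
            "drop_reason": verdict.get("Drop-reason"),
            "first_drop": next((p for p in phases if p["result"] == "DROP"), None),
            "translation": translation}
```

The summary dict is what you would compare across runs: for the posted trace it reports action allow, no dropping phase, and the PAT line showing 192.168.5.1 translated to the outside address; for the constructed trace it points at phase 2 (ACCESS-LIST) and carries the Drop-reason text, which is the first thing to look at when a flow fails.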

ebarticel
Level 4

Did you try to change the network statement in eigrp to include other subnets too?

router eigrp 10

network 192.168.0.0 255.255.0.0

Also, can you post the output of "sh ip route"?

I did try setting the ASA's EIGRP network to /16, which didn't seem to make a difference.

gw# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 216.x.x.x to network 0.0.0.0

S    192.168.31.0 255.255.255.0 [1/0] via 192.168.0.30, inside

S    192.168.30.0 255.255.255.0 [1/0] via 192.168.0.30, inside

S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.10, inside

S    192.168.11.0 255.255.255.0 [1/0] via 192.168.0.10, inside

C    216.x.x.x 255.255.255.224 is directly connected, outside

S    192.168.21.0 255.255.255.0 [1/0] via 192.168.0.20, inside

S    192.168.20.0 255.255.255.0 [1/0] via 192.168.0.20, inside

S    192.168.5.0 255.255.255.0 [1/0] via 192.168.0.6, inside

S    192.168.0.104 255.255.255.255 [1/0] via 216.x.x.x, outside <--- Not sure why this is here..?

C    192.168.0.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via 216.x.x.x, outside
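The route the poster is unsure about, 192.168.0.104/32 via the outside interface, is more specific than the connected 192.168.0.0/24, so for that single host the ASA's route lookup picks the outside interface while every other 192.168.0.x address stays on inside. The following added example (not code from the thread) parses the "sh route" table above, does the longest-prefix match, and lists host or static routes that override a connected network onto a different interface. The redacted 216.x.x.x addresses are replaced with placeholders from the documentation range 203.0.113.0/27 (203.0.113.1 standing in for the upstream gateway); the example shows what the lookup does with this route, not why it exists. For context, 192.168.0.104 lies in the vpn_pool range (192.168.0.101-192.168.0.254) defined in the configuration.

```python
import ipaddress
import re

# Sample input: the "show route" table from the thread, with the redacted 216.x.x.x
# addresses replaced by placeholders from 203.0.113.0/27 (not the poster's real addresses).
SHOW_ROUTE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S    192.168.31.0 255.255.255.0 [1/0] via 192.168.0.30, inside
S    192.168.30.0 255.255.255.0 [1/0] via 192.168.0.30, inside
S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.10, inside
S    192.168.11.0 255.255.255.0 [1/0] via 192.168.0.10, inside
C    203.0.113.0 255.255.255.224 is directly connected, outside
S    192.168.21.0 255.255.255.0 [1/0] via 192.168.0.20, inside
S    192.168.20.0 255.255.255.0 [1/0] via 192.168.0.20, inside
S    192.168.5.0 255.255.255.0 [1/0] via 192.168.0.6, inside
S    192.168.0.104 255.255.255.255 [1/0] via 203.0.113.1, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),|is directly connected,)"
    r"\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Turn the show route lines into dicts; header and legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"], "net": ipaddress.ip_network(f"{m['net']}/{m['mask']}"),
                           "next_hop": m["nh"], "iface": m["iface"]})
    return routes


def lookup(dest, routes):
    """Longest-prefix match, the same choice the ASA's ROUTE-LOOKUP phase makes."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["net"]]
    return max(candidates, key=lambda r: r["net"].prefixlen) if candidates else None


def connected_overrides(routes):
    """Non-connected routes inside a connected network that point out a different interface."""
    findings = []
    connected = [r for r in routes if r["code"] == "C"]
    for r in routes:
        if r["code"] == "C":
            continue
        for c in connected:
            if r["net"].subnet_of(c["net"]) and r["iface"] != c["iface"]:
                findings.append((str(r["net"]), c["iface"], r["iface"]))
    return findings


if __name__ == "__main__":
    table = parse_routes(SHOW_ROUTE)
    for dest in ("192.168.0.104", "192.168.0.105", "192.168.10.7", "8.8.8.8"):
        hit = lookup(dest, table)
        print(dest, "->", hit["net"], "via", hit["next_hop"] or "connected", hit["iface"])
    print("overrides of connected networks:", connected_overrides(table))
```

Running it shows 192.168.0.104 resolving to the outside interface through the /32, 192.168.0.105 staying on the connected inside network, and 192.168.10.7 going to 192.168.0.10 on inside via the static route, with the /32 reported as the only route that overrides a connected network. That check is worth running on an ASA whenever a host on a directly connected subnet behaves differently from its neighbours.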
