07-22-2016 05:53 AM - edited 03-08-2019 06:44 AM
Hi,
I am configuring an ASA for the first time. Usually I was playing with Cisco switches, HP switches and Cisco routers, but eventually the time came for me to play with an ASA. The network goes like this.
On the HP switch there are two networks:
- admin (192.168.1.0/24 VLAN1) (ports untagged 13-23)
- guestWifi (192.168.10.0/24 VLAN10) (ports untagged 1-12)
Tagged trk port (24) to pass VLAN 1 and VLAN 10 to ASA, and this is done just fine
HP Configuration:
show running-config
Running configuration:
; J9773A Configuration Editor; Created on release #YA.15.16.0006
; Ver #06:04.9c.63.ff.37.27:12
hostname "MDF-XXXX"
trunk 24 trk1 lacp
timesync sntp
sntp unicast
sntp 30
sntp server priority 1 194.239.123.230
snmp-server community "public" unrestricted
vlan 1
name "XXXX-ADMINISTRATION"
no untagged 1-12
untagged 13-23,25-28
tagged Trk1
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.1
exit
vlan 10
name "XXXX-GUEST-WIFI"
untagged 1-12
tagged Trk1
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.10.1
exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
password manager
I have set up the configuration for the ASA as interface 1/1 to be outside with a static IP of 93.164.15.50/30 and interface 1/2 to have two subinterfaces, one per VLAN (so, gi1/2.1 - VLAN1 and gi1/2.10 - VLAN10), and ping from the switch to the ASA works flawlessly.
I have set up one default route as 0.0.0.0 0.0.0.0 93.164.15.49 1, which is the link between the ASA and the ISP box. When I try to ping from a PC that simulates the "gateway" to the ASA, everything works as it should, but when I try to ping from the switch to the outside interface of the ASA on IP 93.164.15.50/30, I get no reply. Even though we are speaking of the ICMP protocol, I presume that this also applies to all other TCP/UDP traffic.
ASA configuration:
show running-config
: Saved
:
: Serial Number: JAD20230482
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxxxx
enable password ciqYWBUSFqxNA58M encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
description Outside interface for connecting to ISP box
nameif outside
security-level 0
ip address 93.164.15.50 255.255.255.252
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.1
description administration office network
vlan 1
nameif administration
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
description guest wifi network
vlan 10
nameif guestWifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
description Management of the ASA via ASDM
management-only
nameif Management
security-level 80
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network administration
subnet 192.168.1.0 255.255.255.0
description administration network
object network guestwifi
subnet 192.168.10.0 255.255.255.0
description guest wifi zone
object network defaultRoute
subnet 0.0.0.0 0.0.0.0
description Default route
object-group network Inside_Networks
description All Inside xxxxxx Networks
network-object object administration
network-object object guestwifi
pager lines 24
logging enable
mtu Management 1500
mtu administration 1500
mtu guestWifi 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 administration
icmp permit 192.168.1.0 255.255.255.0 guestWifi
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic Inside_Networks interface description Nat translation for xxxxx for all networks
route outside 0.0.0.0 0.0.0.0 93.164.15.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxxxxx.xx
keypair tokaicert.key
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.2.1,CN=xxxxxASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 7fd59157
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 80d59157
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 administration
ssh 192.168.10.0 255.255.255.0 guestWifi
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.253 administration
dhcpd dns 8.8.8.8 208.67.222.222 interface administration
dhcpd enable administration
!
dhcpd address 192.168.10.2-192.168.10.253 guestWifi
dhcpd dns 8.8.8.8 208.67.222.222 interface guestWifi
dhcpd enable guestWifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
dynamic-access-policy-record DfltAccessPolicy
username fellow password xxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
Can anyone explain where the problem is, because I cannot see it. Also, if someone has some emulator or similar, can you give me the correct answer as to what is missing in the ASA? The reason for that is I am running a production machine and I cannot do "try this, or try that". I hope you understand that.
Thank you in advance and have a great weekend :)
07-27-2016 10:55 AM
1. In my last post to you I made a typing error, your NAT statement should read the below example. You are correct that you should eventually be able to use "(any,outside)" instead of "(administration,outside)" in the statement and it'll work the same - I am just trying to simplify things to get this working from VLAN1 (administration) to prove connectivity. Please amend your statement to the following.
nat (administration,outside) source dynamic 192.168.1.0 255.255.255.0 interface
access-list OUTSIDE_ACCESS_IN extended permit icmp any any log
access-group OUTSIDE_ACCESS_IN in interface outside
Now you should be able to ping through the firewall to the ISP router on 93.164.15.49 and receive a reply. Note that you will still be unable to ping the outside address of the ASA; this is fairly standard practice - we can remedy this too if required. Please action my suggestion above and test... I look forward to hearing how you get along.
Luke
* Things to bear in mind:
- You will not be able to ping the outside interface of your ASA directly as traffic cannot flow from security level 0 to security level 100 without an ACL. Not being able to ping the outside address is fairly standard practice. You will be able to ping out on the WAN through the firewall however.
- ICMP is not natively a stateful protocol.
- If there is no ACL on the outside interface, it will block all traffic by default unless it is inspected, otherwise known as an implicit deny rule.
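The three checks Luke walks through (an inbound ACL on the outside interface, ICMP inspection in the global policy, and a real interface name in the NAT statement) can be run mechanically against a running-config before touching a production box. This is an added example, not code from the thread; the config excerpt is constructed from the one posted, and the fixed variant applies Luke's suggested lines.

```python
"""Audit an ASA running-config for the symptoms discussed in the thread.
Added example; parsing is by simple regex/stanza walking of ASA CLI text."""
import re

# Constructed excerpt, trimmed from the running-config posted in the thread.
POSTED_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2.1
 nameif administration
 security-level 100
nat (any,outside) source dynamic Inside_Networks interface
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns preset_dns_map
service-policy global_policy global
"""

# Same excerpt with Luke's suggested NAT statement and outside ACL applied.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "nat (any,outside) source dynamic Inside_Networks interface",
    "nat (administration,outside) source dynamic 192.168.1.0 255.255.255.0 interface",
) + ("access-list OUTSIDE_ACCESS_IN extended permit icmp any any log\n"
     "access-group OUTSIDE_ACCESS_IN in interface outside\n")

def parse_interfaces(cfg):
    """Map nameif -> security-level, walking each 'interface' stanza."""
    levels, name = {}, None
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def outside_inbound_acl(cfg):
    """Name of the ACL bound inbound on 'outside', or None (implicit deny only)."""
    m = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)
    return m.group(1) if m else None

def icmp_inspected(cfg):
    """True if global_policy carries 'inspect icmp', so echo replies are stateful."""
    in_policy = False
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith("policy-map global_policy"):
            in_policy = True
        elif s.startswith("policy-map "):
            in_policy = False
        elif in_policy and s == "inspect icmp":
            return True
    return False

def nat_real_interfaces(cfg):
    """Real (inside) interface names used in 'nat (real,outside)' statements."""
    return re.findall(r"^nat \((\S+),outside\)", cfg, re.M)

def audit(cfg):
    """Return findings; an empty list means the posted ping symptom should not occur."""
    findings = []
    if outside_inbound_acl(cfg) is None and not icmp_inspected(cfg):
        findings.append("no ACL on outside and no 'inspect icmp': echo replies are dropped")
    for real in nat_real_interfaces(cfg):
        if real != "any" and real not in parse_interfaces(cfg):
            findings.append(f"nat real interface '{real}' is not a configured nameif")
    return findings
```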
07-25-2016 11:44 AM
[@dovla091@gmail.com],
Thanks for your post. I've had a browse over your configuration - which I assume is not truncated. One thing I notice is that you have no ACL on your outside interface, so it'll be blocking everything via the implicit deny which is applied by default.
1. Are you able to ping the ISP next hop at 93.164.15.49 from your PC which sits behind the ASA?
2. Can you please amend your only NAT statement to read the following:
nat (administration,outside) source dynamic Inside_Networks interface
3. We need ICMP stateful inspection enabled since you have an implicit deny on the outside. Please can you add ICMP to your policy map?
Let me know how you get along. We will get this sorted for you.
Luke
Please rate helpful posts and mark correct answers.
07-25-2016 11:44 AM
Hi Luke,
not sure what you mean by "it is not truncated"? The configuration on the switch is trunked via port 24. It passes both VLAN1 and VLAN10 (if I am not wrong...?). Also, what I have learned is that on the ASA you don't have "switchport trunk"; instead you create a subinterface and you add that to a specific VLAN. In my case I could ping the inside interface without any issues, but when I wanted to ping the outside interface, I could not do it. There is no ACL on the outside interface, and honestly I don't know how the ASA is working. I had the pleasure to work with switches and routers, and access lists are the last thing that I used (simply because there are other security protections on higher layers, so I didn't bother myself with that, plus in case of troubleshooting network issues, I would make my life even harder...). Anyway, the goal is that I need to configure the ASA to pass all the traffic from the inside network, and restrict access from outside to the inside network. From inside to outside, there is no need for an ACL since traffic should be able to freely pass from a higher security value, e.g. 100, to a lower security value of 0 (outside), so I am not sure if the ACL is needed. By my logic, a fw that passes traffic from the inside network should automatically allow the same traffic to go inside (a reply from other servers...).
What caught my attention is the NAT. In many examples, people were using (inside, outside), and in my case I was using object (any)...? Technically speaking it should allow NAT to function correctly, but again, I don't know how the ASA behaves in a specific situation under a specific rule.
So to answer your question:
1. Are you able to ping the ISP next hop at 93.164.15.49 from your PC which sits behind the ASA?
NO, unfortunately, the ping is not passing through... and honestly I am not sure why.
2. Can you please amend your only NAT statement to read the following:
nat (inside,outside) source dynamic Inside_Networks interface
This is not correct in my case; the difference is the nat (any, outside) and I am not sure if there is any difference in ASA behavior...?
3. We need ICMP stateful inspection enabled since you have an implicit deny on the outside. Please can you add ICMP to your policy map?
Actually I don't need ICMP. This was only used for testing. My only concern is that all the network traffic from inside can travel to outside and that fw should allow "reply" back to inside network. All other requests from outside should be banned (such as scans, or penetration attempts).
I will try tomorrow to change NAT rule, and hopefully I don't need to use ACL for outside to inside.
07-27-2016 10:55 AM
Hi Luke,
sorry for not replying sooner. My boss has taken the power adapter from the ASA5506X to another site, so I am not able to do it right now. I will try this as soon as possible. I see the point where you need to allow traffic from outside to inside, and that is what I was a bit curious about. I didn't know if the ASA does it dynamically when it sends the traffic, automatically seeing the outside IP address and appending the rule to allow the traffic, or if I need to do it manually. Second thing that I need to ask you. Since there are two VLANs involved (or should I say two subinterfaces on GigabitEthernet 1/2 - 1/2.1 and 1/2.10)
by your NAT rule - last keyword interface:
nat (administration,outside) source dynamic 192.168.1.0 255.255.255.0 interface
I presume that I need to set name of the interface like "administration" or "guestWifi" correct?
The same question applies to the access list:
access-group OUTSIDE_ACCESS_IN in interface outside
Last and not least,
I found that I am missing a static route for network 93.164.15.48/30
correct me if I am wrong, but this is also needed or not? I know that you will probably have in the routing table record where it says C - "directly connected", but I am not sure if this would be enough for router to know the path to the gateway ip address or not?
P.S. I don't know if I need to mention, I am running ASA5506X with firepower. Is there a difference between ASA5506X with workflow from standard firewall where you use only fw rules and firewall with firepower services which is basically additional layer of security with IDS/IPS on board...?
Best regards
07-27-2016 01:07 PM
07-27-2016 01:16 PM
Hi Luke, you will probably go nuts with all my questions. Regarding C) I was not too sure, but thanks for confirming this :) Regarding your answer D) I believe that this would only apply if the traffic is not redirected to the Firepower module. As I understood, if you do a redirection of the traffic to the SFR module, then this might not apply. Any additional rule might cause it to drop packets and not to forward them on, correct?
If so, then I need to make sure not to use the SFR module (for now), until I have chewed through all the ASA documentation and books regarding the additional SFR module :)
07-27-2016 03:02 PM
07-29-2016 04:58 PM
Hi Luke,
Unfortunately, no. The last few days I was pretty busy. :( We've got a new power adapter today, and I was mostly on site, so I haven't had a chance. Even though I was reading some articles regarding configuring the ASA, the more I read, the more confusing it is. For example: you've mentioned that I am probably missing an access-list, but in all the examples, even in the video tutorials ASA 101, they configure: interfaces, IP addresses, VLANs, default route and NAT. They haven't mentioned access-lists, nor have they set one up, and the traffic was passing through and getting back without any problem. How come in their case it is going through and in mine it is not working?
Example:
https://www.youtube.com/watch?v=F6qvKRFn-xc
They are using ASA 5505 and my model is ASA5506X.
Is there a difference?
07-29-2016 05:06 PM
07-30-2016 12:53 AM
Hi Luke,
"B. As we are connecting directly to the firewall from the outside, the traffic will not have the chance to be inspected, so we must specify this in an access control list and allow it."
With the second line, you've lost me. Perhaps I might not have understood you correctly: I am not trying to connect from outside (like accessing a server via some port or whatever - even though this will probably come in the future...). I am just planning to do this (for now):
- To allow users from inside to go where ever they please, and deny attacker from outside to access the internal network.
- Set VPN Anyconnect to allow me from outside to get into internal network (If I need to fix something by remote)...
This is why I am a bit confused. If you are trying to get outside, the firewall should inspect packets and say: "this is from a higher priority - safe network, I will allow packets, and on return, it should in theory look for the destination IP address and connect the dots that this traffic was initiated by a user from the inside network, and let it through". I know that an ACL is a great layer of security if you wish to "ban or allow" people from outside to go in, but it is quite strange that I need to implement an ACL for internal network users just so they can go out and browse webpages on the internet...
Please correct me if I am wrong.
P.S. I bought 3 books with value of 150€. I hope they will help me understand, what is happening in the background on that device :)
07-30-2016 04:26 AM
Any of the Cisco certified books are expensive, but in my opinion good value for money. Good luck with your studies and testing when you get around to it!
07-30-2016 05:08 AM
Hi Luke.
I will quote:
You are absolutely correct that you do not need an access control list on the outside just to pass through inside traffic to Google for example because as the traffic is inspected on the way out (providing inspection is configured correctly) it will allow it back through as it is considered "safe".
Yes, this is where it starts to be weird. It doesn't allow traffic to go outside from inside. Last time I have placed wireshark to pickup anything that is going from external IP address, and I caught nothing. It is like no traffic were sent from firewall to another (outside) machine...
On Monday, I will try to simulate it once again, and I will paste my current configuration. I never worked with an ASA but I know how in theory it should work (by simply applying logic), and this device is behaving quite oddly... :(
07-30-2016 05:12 AM
07-30-2016 05:19 AM
Hi Luke,
I will try it on Monday when I come to the office and I will let you know.
thank you once again for the help and have a great weekend