ASA issue with either routing or ACL or NAT...

dovla091

Hi,

I am configuring an ASA for the first time. Usually I was playing with Cisco switches, HP switches and Cisco routers, but eventually the time came for me to play with an ASA. The network goes like this.

On the HP switch there are two networks:

- admin (192.168.1.0/24 VLAN1)  (ports untagged 13-23)

- guestWifi (192.168.10.0/24 VLAN10) (ports untagged 1-12)

Tagged trk port (24) to pass VLAN 1 and VLAN 10 to the ASA, and this is done just fine.

HP Configuration:

show running-config

Running configuration:

; J9773A Configuration Editor; Created on release #YA.15.16.0006
; Ver #06:04.9c.63.ff.37.27:12
hostname "MDF-XXXX"
trunk 24 trk1 lacp
timesync sntp
sntp unicast
sntp 30
sntp server priority 1 194.239.123.230
snmp-server community "public" unrestricted
vlan 1
   name "XXXX-ADMINISTRATION"
   no untagged 1-12
   untagged 13-23,25-28
   tagged Trk1
   ip address 192.168.1.254 255.255.255.0
   ip helper-address 192.168.1.1
   exit
vlan 10
   name "XXXX-GUEST-WIFI"
   untagged 1-12
   tagged Trk1
   ip address 192.168.10.254 255.255.255.0
   ip helper-address 192.168.10.1
   exit
spanning-tree
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
no dhcp image-file-update
password manager

I have set up the ASA configuration with interface 1/1 as outside with a static IP of 93.164.15.50/30 and interface 1/2 with two subinterfaces, one per VLAN (so gi1/2.1 - VLAN1 and gi1/2.10 - VLAN10), and ping from the switch to the ASA works flawlessly.

I have set up one default route as 0.0.0.0 0.0.0.0 93.164.15.49 1, which is the link between the ASA and the ISP box. When I try to ping from the PC that simulates the "gateway" to the ASA, everything works as it should, but when I try to ping from the switch to the outside interface of the ASA on IP 93.164.15.50/30 I get no reply. Even though we are speaking of the ICMP protocol, I presume that this also applies to all other TCP/UDP traffic.

ASA configuration:

 show running-config
: Saved

:
: Serial Number: JAD20230482
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxxxx
enable password ciqYWBUSFqxNA58M encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
 description Outside interface for connecting to ISP box
 nameif outside
 security-level 0
 ip address 93.164.15.50 255.255.255.252
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.1
 description administration office network
 vlan 1
 nameif administration
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.10
 description guest wifi network
 vlan 10
 nameif guestWifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 description Management of the ASA via ASDM
 management-only
 nameif Management
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network administration
 subnet 192.168.1.0 255.255.255.0
 description administration network
object network guestwifi
 subnet 192.168.10.0 255.255.255.0
 description guest wifi zone
object network defaultRoute
 subnet 0.0.0.0 0.0.0.0
 description Default route
object-group network Inside_Networks
 description All Inside xxxxxx Networks
 network-object object administration
 network-object object guestwifi
pager lines 24
logging enable
mtu Management 1500
mtu administration 1500
mtu guestWifi 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 administration
icmp permit 192.168.1.0 255.255.255.0 guestWifi
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic Inside_Networks interface description Nat translation for xxxxx for all networks
route outside 0.0.0.0 0.0.0.0 93.164.15.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxx.xx
 keypair tokaicert.key
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.1,CN=xxxxxASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7fd59157
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 80d59157
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 administration
ssh 192.168.10.0 255.255.255.0 guestWifi
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.2-192.168.1.253 administration
dhcpd dns 8.8.8.8 208.67.222.222 interface administration
dhcpd enable administration
!
dhcpd address 192.168.10.2-192.168.10.253 guestWifi
dhcpd dns 8.8.8.8 208.67.222.222 interface guestWifi
dhcpd enable guestWifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
dynamic-access-policy-record DfltAccessPolicy
username fellow password xxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end

Can anyone explain where the problem is, because I cannot see it. Also, if someone has some emulator or similar, can you give me the correct answer as to what is missing in the ASA? The reason for that is I am running a production machine and I cannot do "try this, or try that". I hope you understand that.

Thank you in advance and have a great weekend :)


Replies


Hi Luke,

not sure what you mean by "it is not truncated"? The configuration on the switch is trunked via port 24. It passes both vlan1 and vlan10 (if I am not wrong...?). Also, what I have learned is that on the ASA you don't have "switchport trunk"; instead you create a subinterface and you add that to a specific VLAN. In my case I could ping the inside interface without any issues, but when I wanted to ping the outside interface, I could not do it. There is no ACL on the outside interface, and honestly I don't know how the ASA is working. I had the pleasure to work with switches and routers, and access lists are the thing that I used least (simply because there are other security protections on higher layers, so I didn't bother myself with that, plus in case of troubleshooting network issues I would make my life even harder...). Anyway, the goal is that I need to configure the ASA to pass all the traffic from the inside network and restrict access from outside to the inside network. From inside to outside there is no need for an ACL, since traffic should be able to freely pass from a higher security value, e.g. 100, to a lower security value of 0 (outside), so I am not sure if the ACL is needed. By my logic, a fw that passes traffic from the inside network should automatically allow the same traffic to go inside (a reply from other servers...).

What caught my attention is the NAT. In many examples people were using (inside, outside), and in my case I was using object (any)...? Technically speaking it should allow NAT to function correctly, but again, I don't know how the ASA behaves in a specific situation under a specific rule.

So to answer your question:

1. Are you able to ping the ISP next hop at 93.164.15.49 from your PC which sits behind the ASA?

NO, unfortunately, the ping is not passing through... and honestly I am not sure why.

2. Can you please amend your only NAT statement to read the following:

nat (inside,outside) source dynamic Inside_Networks interface

This is not correct in my case; the difference is the nat (any, outside), and I am not sure if there is any difference in ASA behaviour...?


3. We need ICMP stateful inspection enabled since you have an implicit deny on the outside. Please can you add ICMP to your policy map?

Actually, I don't need ICMP. This was only used for testing. My only concern is that all the network traffic from inside can travel to outside and that the fw should allow the "reply" back to the inside network. All other requests from outside should be banned (such as scans or penetration attempts).

I will try tomorrow to change NAT rule, and hopefully I don't need to use ACL for outside to inside. 

Hey [@dovla091@gmail.com],

To 'truncate' something means to shorten it; it has nothing to do with trunking VLANs. Your ASA configuration looked a little short, so I was just making sure we had the full configuration so I can get the best understanding of your setup. I feel your pain brother, when I made the move from working with Cisco LAN technologies into ASAs and security it was a lot to learn, but the fundamental behaviour is the same and you will pick it up fast.

I have had some spare time today to recreate your setup in my lab environment to see what is missing. I managed to get it to work almost immediately, so please read and consider the below points carefully and we will be able to get this working for you. I understand that you may not need ICMP, but if we can get ICMP working as a test then we can begin to allow other protocols through to get this fully working for you as per your design.

1. In my last post to you I made a typing error, your NAT statement should read the below example. You are correct that you should eventually be able to use "(any,outside)" instead of "(administration,outside)" in the statement and it'll work the same - I am just trying to simplify things to get this working from VLAN1 (administration) to prove connectivity. Please amend your statement to the following.

nat (administration,outside) source dynamic 192.168.1.0 255.255.255.0 interface
2. You are correct that traffic can flow from higher security level interfaces to lower security levels successfully, so in your case traffic is allowed to flow from the inside interface (nameif administration) to the outside interface (nameif outside). However, the traffic will not be able to flow back unless we use one of the following methods to allow it back through. This is part of your issue.
  1. Stateful inspection on the protocol of the traffic on its way out, this way when it needs to come back through to the inside it can bypass the security of the outside interface as it is deemed as inspected/safe. Currently, your firewall is not inspecting any traffic.
  2. An access control list permitting that particular protocol to come back through. Currently you have no access control list on your outside interface permitting this which explains why echo-replies are being DROPPED.
To remedy this, I can walk you through getting inspection working, but for the moment, to prove end-to-end connectivity, please apply the following commands to your ASA; this will allow the ICMP echo-reply back through.
1. Create an access control list permitting ICMP from ANYWHERE to ANYWHERE and include logging to help with future diagnosis.
access-list OUTSIDE_ACCESS_IN extended permit icmp any any log
2. Apply the newly created access control list as an ingress direction to your outside interface.
access-group OUTSIDE_ACCESS_IN in interface outside

Now you should be able to ping through the firewall to the ISP router on 93.164.15.49 and receive a reply. Note that you will still be unable to ping the outside address of the ASA; this is fairly standard practice - we can remedy this too if required. Please action my suggestion above and test... I look forward to hearing how you get along.

Luke

* Things to bear in mind:

- You will not be able to ping the outside interface of your ASA directly as traffic cannot flow from security level 0 to security level 100 without an ACL. Not being able to ping the outside address is fairly standard practice. You will be able to ping out on the WAN through the firewall however.
- ICMP is not natively a stateful protocol.
- If there is no ACL on the outside interface, it will block all traffic by default unless it is inspected, otherwise known as an implicit deny rule.


Please rate helpful posts and mark correct answers.

Hi Luke,

sorry for not replying sooner. My boss has used the power adapter from the ASA5506X at another site, so I am not able to do it right now. I will try this as soon as possible. I see the point where you need to allow traffic from outside to inside, and that is what I was a bit curious about. I didn't know if the ASA does it dynamically when it sends the traffic (it automatically sees the outside IP address and appends the rule to allow the traffic) or I need to do it manually. Second thing that I need to ask you: since there are two VLANs involved (or should I say two subinterfaces on GigabitEthernet 1/2 - 1/2.1 and 1/2.10),

by your NAT rule - last keyword interface:

nat (administration,outside) source dynamic 192.168.1.0 255.255.255.0 interface

I presume that I need to set name of the interface like "administration" or "guestWifi" correct?

The same question applies to the access list:

access-group OUTSIDE_ACCESS_IN in interface outside

Last and not least,

I found that I am missing a static route for network 93.164.15.48/30 

correct me if I am wrong, but is this also needed or not? I know that you will probably have a record in the routing table where it says C - "directly connected", but I am not sure if this would be enough for the router to know the path to the gateway IP address or not?

P.S. I don't know if I need to mention, I am running ASA5506X with firepower. Is there a difference between ASA5506X with workflow from standard firewall where you use only fw rules and firewall with firepower services which is basically additional layer of security with IDS/IPS on board...?

Best regards

Hi [@dovla091@gmail.com],
No problem. Yes, correct, the ASA will not dynamically allow the traffic to flow back from security level 0 without either an ACL permitting it or stateful inspection. Please see my answer to your questions below.
A) In answer to your NAT question, yes, the word "administration" refers to the nameif of the sub-interface. As I mentioned, I was keen just to get VLAN1 up and running for now to prove connectivity and routing. After we've fixed this, we can then change the NAT statement to "any" to start NAT'ing the guest traffic too.
B) In answer to your ACL question, yes, that rule is telling the ASA to apply the ACL "OUTSIDE_ACCESS_IN" to the outside interface in an ingress direction. The word "outside" at the end of the rule is matched to the nameif of the interface.
C) In answer to your routing question, no, you are not missing a route as the 93.164.15.48/30 network is a directly connected route so will already be in your routing table. Also, the traffic already knows how to break out by using your default route under the command "route outside 0.0.0.0 0.0.0.0 93.164.15.49 1" which will send it to the ISP router or gateway of last resort.
D) In answer to your FirePower question, it is irrelevant. Think of FirePower (the function of IDS/IPS) as a separate module. The firewall side of things is what we are dealing with in this post and this will have the same behaviour with or without the FirePower module installed.
As per my last post, please action the needed changes when you get a chance and let me know how you get on. Look forward to hearing back.

Cheers,
Luke


Please rate helpful posts and mark correct answers.

Hi Luke, you will probably go nuts with all my questions. Regarding C) I was not too sure, but thanks for confirming this :) Regarding your answer D), I believe that this would only apply if the traffic is not redirected to the FirePower module. As I understood, if you do a redirection of the traffic to the SFR module, then this might not apply. Any additional rule might cause it to drop packets and not forward them on, correct?

If so, then I need to make sure not to use the SFR module (for now), until I have chewed through all the ASA documentation and books regarding the additional SFR module :)

[@dovla091@gmail.com],

No problem brother. Yes potentially this could happen depending on what your policy states of course. Perhaps it is best to leave the SFR un-configured until we get the basics working first.
Let me know when you've had a chance to test those changes and we will go from there.

Cheers,
Luke


Please rate helpful posts and mark correct answers.

Hi Luke,

Unfortunately, no. The last few days I was pretty busy. :( We got a new power adapter today, and I was mostly on site, so I haven't had a chance. Even though I was reading some articles regarding configuring the ASA, the more I read, the more confusing it is. For example, you've mentioned that I am probably missing an access-list, but in all examples, even in the video tutorial ASA 101, they configure: interfaces, IP addresses, VLANs, default route and NAT. They haven't mentioned access-lists, nor have they set one up, and the traffic was passing through and getting back without any problem. How come that in their case it is going through and in mine it is not working?

Example:

https://www.youtube.com/watch?v=F6qvKRFn-xc

They are using ASA 5505 and my model is ASA5506X.

Is there a difference?

[@dovla091@gmail.com],

No problem mate - it is confusing stuff, ASA is a complicated bit of code.
The most likely reason their traffic was flowing is because of stateful inspection as part of their basic setup. So if a computer behind the NAT on the LAN tries to access Google, the firewall will inspect the packet on the way out, so that when the return traffic comes back from Google it will not need an access control list to allow it back through or it will bypass the access control lists if there is one applied. As the return traffic is inspected it will see it as "safe".
The reasons I have suggested for you to create an access control list are:
  1. It is best practice to, else, what is the point of having a firewall over a standard router?
  2. As we are connecting directly to the firewall from the outside, the traffic will not have the chance to be inspected, so we must specify this in an access control list and allow it.
I hope that makes sense and good luck with the testing :-)

Thanks,
Luke


Please rate helpful posts and mark correct answers.
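As an added example that is not part of the thread or of Cisco's software, the following Python check models the rule Luke describes in the accepted answer and again above (a reply entering the level-0 outside interface is allowed only if the protocol is inspected or an inbound ACL permits it) and runs it over a sample cut from the configuration quoted in this thread, before and after the two-line ACL fix. The parser, the function names and the sample config text are constructed for the example.

```python
# Added example (not Cisco's code): check an ASA running-config for the
# return-traffic problem in this thread: an ICMP echo leaves a level-100
# interface and is NAT'ed, but its echo-reply is dropped on the level-0 outside
# interface unless ICMP is inspected in the global policy or an inbound ACL on
# outside permits it. The config below is a constructed sample built from the
# statements quoted in the thread.
import re
from dataclasses import dataclass, field

ORIGINAL_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2.1
 nameif administration
 security-level 100
interface GigabitEthernet1/2.10
 nameif guestWifi
 security-level 100
nat (any,outside) source dynamic Inside_Networks interface
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""
# The two lines from the accepted answer.
ACL_FIX = """\
access-list OUTSIDE_ACCESS_IN extended permit icmp any any log
access-group OUTSIDE_ACCESS_IN in interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
NAT_RE = re.compile(r"nat \(([^,]+),([^)]+)\) source dynamic")
SVC_RE = re.compile(r"service-policy (\S+) global$")


@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)           # nameif -> security-level
    acl_rules: dict = field(default_factory=dict)        # acl name -> [(action, proto)]
    access_groups: dict = field(default_factory=dict)    # (nameif, direction) -> acl
    policy_inspects: dict = field(default_factory=dict)  # policy-map -> {protocols}
    nat_real_ifaces: set = field(default_factory=set)    # real side of dynamic NAT
    global_policy: str = ""                              # policy-map applied "global"


def parse_asa(text: str) -> AsaConfig:
    """Pull out only the statements the return-traffic check needs."""
    cfg = AsaConfig()
    nameif = policy = None   # interface / policy-map block currently being read
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("!", ":")):
            continue
        if not line.startswith(" "):               # top-level statement
            nameif = policy = None
            if s.startswith("policy-map ") and " type " not in s:
                policy = s.split()[1]
            elif m := ACL_RE.match(s):
                cfg.acl_rules.setdefault(m[1], []).append((m[2], m[3]))
            elif m := GROUP_RE.match(s):
                cfg.access_groups[(m[3], m[2])] = m[1]
            elif m := NAT_RE.match(s):
                cfg.nat_real_ifaces.add(m[1])
            elif m := SVC_RE.match(s):
                cfg.global_policy = m[1]
            continue
        # indented sub-commands of an interface or policy-map block
        if s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            cfg.levels[nameif] = int(s.split()[1])
        elif s.startswith("inspect ") and policy:
            cfg.policy_inspects.setdefault(policy, set()).add(s.split()[1])
    return cfg


def icmp_reply_problems(cfg: AsaConfig, inside: str, outside: str = "outside") -> list:
    """Reasons an echo from `inside` gets no reply back; empty means the ping works."""
    problems = []
    if cfg.levels.get(inside, -1) <= cfg.levels.get(outside, 101):
        problems.append(f"{inside} is not at a higher security level than {outside}")
    if not cfg.nat_real_ifaces & {inside, "any"}:
        problems.append(f"no dynamic NAT rule covers traffic from {inside}")
    inspected = cfg.policy_inspects.get(cfg.global_policy, set())
    acl = cfg.access_groups.get((outside, "in"))
    acl_permits = any(act == "permit" and proto in ("icmp", "ip")
                      for act, proto in cfg.acl_rules.get(acl, []))
    if "icmp" not in inspected and not acl_permits:
        problems.append("echo-reply dropped on outside: ICMP is neither inspected "
                        "nor permitted by an inbound ACL on outside")
    return problems
```

Running `icmp_reply_problems(parse_asa(ORIGINAL_CONFIG), "administration")` reports the dropped echo-reply; appending `ACL_FIX` to the config, or adding `inspect icmp` to the global policy, clears it for both inside interfaces.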

Hi Luke,

"B. As we are connecting directly to the firewall from the outside, the traffic will not have the chance to be inspected, so we must specify this in an access control list and allow it."

With the second line, you've lost me. Perhaps I might not have understood you correctly: I am not trying to connect from outside (like accessing a server via some port or whatever - even though this will probably come in future...). I am just planning to do this (for now):

- To allow users from inside to go where ever they please, and deny attacker from outside to access the internal network.

- Set VPN Anyconnect to allow me from outside to get into internal network (If I need to fix something by remote)...

This is why I am a bit confused. If you are trying to get outside, the firewall should inspect packets and say: "this is from a higher priority - safe network, I will allow packets, and on return it should in theory look for the destination IP address and connect the dots that this traffic was initiated by a user from the inside network, and let it through". I know that an ACL is a great layer of security if you wish to "ban or allow" people from outside to go in, but it is quite strange that I need to implement an ACL for internal network users just so they can go out and browse webpages on the internet...

Please correct me if I am wrong.

P.S. I bought 3 books with value of 150€. I hope they will help me understand, what is happening in the background on that device :) 

[@dovla091@gmail.com],

You are absolutely correct that you do not need an access control list on the outside just to pass through inside traffic to Google for example because as the traffic is inspected on the way out (providing inspection is configured correctly) it will allow it back through as it is considered "safe". However, if you wish to use AnyConnect as you say, you'll need an access control list for that because as the traffic is being initiated from the outside (AnyConnect VPN Client) and thus it will not be pre-inspected. Not to mention, it's as per Cisco best practice to have an access control list anyway, even if it is not explicitly needed it isn't going to harm your configuration and traffic flow and it will be needed later on for static PAT'ing to servers and running your AnyConnect service as you say. I hope that helps :-)

Any of the Cisco certified books are expensive, but in my opinion good value for money. Good luck with your studies and testing when you get around to it!

Thanks,
Luke

Please rate helpful posts and mark correct answers. 

Hi Luke.

I will quote:

You are absolutely correct that you do not need an access control list on the outside just to pass through inside traffic to Google for example because as the traffic is inspected on the way out (providing inspection is configured correctly) it will allow it back through as it is considered "safe".

Yes, this is where it starts to be weird. It doesn't allow traffic to go outside from inside. Last time I placed Wireshark to pick up anything that is going from the external IP address, and I caught nothing. It is like no traffic was sent from the firewall to another (outside) machine...

On Monday I will try to simulate once again, and I will paste my current configuration. I never worked with an ASA but I know how in theory it should work (by simply applying logic), and this device is behaving quite oddly... :(

[@dovla091@gmail.com],
Provided you follow my command sets that I suggested up above, this should get you working. As I say, have a test and let me know how you get along. 
Thanks,
Luke


Please rate helpful posts and mark correct answers. 

Hi Luke,

I will try it on Monday when I come to the office and I will let you know.

thank you once again for the help and have a great weekend
