03-12-2015 06:14 AM - edited 03-07-2019 11:03 PM
Hello everyone,
I am having a little trouble with routing and looking for some help or guidance. My setup is: my ISP (cable) comes into my Motorola SB modem --> goes to my Cisco 871 FastEthernet4 --> out of the FastEthernet1 (plans to eventually move to FastEthernet0) of the 871 --> into the ASA 5505 Ethernet 0 (outside interface) --> out of the ASA 5505 Ethernet 1 --> into my LAN (DHCP configured for the 10.10.10.0 network).
The problem that I am running into is that I am unable to ping through my ASA while connected to my inside interface. I am, however, able to ping from the console of the ASA to the outside, just not from an inside-connected PC. Likewise, I am unable to browse or reach the Internet in any way (I wanted to rule out ICMP as being the only protocol blocked).
I currently have a DHCP pool (10.10.10.0) set up on my 871, because the ASA5505 was added after the fact. Eventually I would like to hand out most if not all DHCP addresses from the ASA, but I left the conflicting DHCP pool in place on the router until I get routing through the ASA figured out (I have an access point and some other devices hanging off of that which are Internet-accessible).
My outside interface (FA4) on the 871 is set up for DHCP. Inside (FA1) is set up for VLAN5, which is configured with another internal address of 192.168.1.1. On the ASA, my outside (Ethernet0) interface is set up with an IP address of 192.168.1.2 and my inside (Ethernet 1) interface (I plan to have the remaining Ethernet ports hand out DHCP addresses as well if possible) is set up for the DHCP network 10.10.10.0.
I know I could eliminate the 871 and do all of the routing on the ASA, but that would take the fun out of learning :) Plus, I would like to eventually do some ingress/egress filtering on the edge router. You'll notice I'm forwarding 32400 for my Plex server as well on the 871, plus I will have to open a few other ports for other applications that require access to the web.
Below is my 871 config:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
enable secret 5 $1$l6em$U/xDm4Ls6932u5AVPvbYU/
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.101 10.10.10.255
!
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 208.67.222.222 208.67.220.220
!
!
ip cef
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username cisco privilege 15 secret 5 $1$eFJE$P3EoqEUbHIAqH5vXe.bFZ/
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 5
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan5
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.10 32400 interface FastEthernet4 32400
ip nat inside source static udp 10.10.10.10 32400 interface FastEthernet4 32400
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 30 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
And this is my ASA5505 config:
asa# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname asa
enable password aaM6CM7NHIUNxhXl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 5
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.10.10.11-10.10.10.42 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 2Y5LXjCiT.j9NH6j encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2a74d4bee8105a6f33d77afe97d03c7
: end
Any help or guidance with my config would be greatly appreciated.
I think my problems lie within the ASA config, but maybe I am overlooking something on the 871 too?
Thank you everyone,
Mike T.
03-16-2015 05:33 AM
Mike
No problem.
Glad to hear it's all working now and thanks for getting back to me and letting me know.
By all means come back if you need any more help.
Jon
03-13-2015 06:14 AM
Mike
So, relatively briefly, the ASA is stateful, which means it keeps track of connections going through it.
When it first sees a packet for a new connection it records the source and destination IP addresses and port numbers, and with TCP it also records the SYN, SYN-ACK, ACK, FIN flags in the packets.
The important thing to bear in mind is where the connection was initiated from, i.e. from a client on the inside or from a device on the outside.
Each interface on the ASA has a security level and the rules are -
1) traffic that is initiated from a higher security level to a lower security level is allowed by default, e.g. from inside to outside on your ASA.
2) traffic that is initiated from a lower security level to a higher security level is denied, e.g. from outside to inside on your ASA.
NAT also comes into it, as you have seen, but with no nat-control your inside clients are by default allowed to access any device on the outside of the ASA, e.g. the internet in your example.
The stateful part is that once the ASA has allowed the original packet through, because it has recorded it in the state table, the return traffic is allowed back in.
This happens whether you have no acl on the outside interface applied inbound or whether you do. If you do, the acl is not applied to the return traffic.
Outside to inside is different. With no acl applied, any traffic initiated from the outside to the inside is denied. So in order to allow outside devices to connect to inside devices you need an acl, which is what you have added for your Plex server.
And once you have allowed it the stateful part still applies, i.e. it records the information and so return traffic is allowed with no checks on acls etc.
In terms of NAT, and where I misled you before, if you enable "no nat-control" this is for inside to outside but not outside to inside, i.e. you still need a NAT statement for that traffic.
Again there are general rules with NAT, but put simply, to go from inside to outside you can use dynamic NAT/PAT (if you use nat-control), which means the translations are set up dynamically as needed.
For outside to inside you cannot use dynamic translations; you need a permanent translation, and this is why you have to use a static NAT translation on your ASA (you can also use a NAT exemption but I don't want to complicate the issue).
So it all depends on where the traffic was initiated from in relation to the ASA's interfaces as to what you need or don't need, both in terms of acls and NAT.
One final point. The ASA is a stateful firewall but it can also do more than just record IPs, ports etc. for a certain number of applications, e.g. http. Here it can look a bit deeper into the packet to check certain things, but only for a limited set of applications, not all TCP/UDP.
Hope some of that has helped and if you have any queries etc. please feel free to come back.
Jon
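The security-level, state-table and NAT rules Jon describes above, modelled as an added Python example (not code from this thread or from Cisco): the security levels and the identity static come from the ASA config posted earlier, while the Plex ACL entries and the sample flows are assumed.

```python
import ipaddress
from collections import namedtuple

# Interface security levels from the ASA config posted in the thread.
SECURITY_LEVEL = {"inside": 100, "outside": 0}
# Real addresses covered by the thread's identity static (inside,outside) 10.10.10.0/24.
STATIC_NAT_REAL = [ipaddress.ip_network("10.10.10.0/24")]
# Assumed outside-in ACL for the Plex server: the thread says one was added but does not show it.
OUTSIDE_ACL = {("tcp", "10.10.10.10", 32400), ("udp", "10.10.10.10", 32400)}

Flow = namedtuple("Flow", "proto src sport dst dport")

def reverse(f):
    """The 5-tuple of reply packets for flow f."""
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)

class StatefulFirewall:
    """Toy model of the rules in Jon's reply, not the ASA's real pipeline."""
    def __init__(self):
        self.state = set()  # initiator 5-tuples of connections already allowed

    def permit(self, flow, ingress, egress):
        # Return traffic for a recorded connection: allowed, no ACL or NAT check.
        if reverse(flow) in self.state:
            return True
        # New connection from higher to lower level: allowed by default (no nat-control).
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            self.state.add(flow)
            return True
        # Lower to higher: needs a permanent (static) translation AND an ACL entry.
        dst = ipaddress.ip_address(flow.dst)
        translated = any(dst in net for net in STATIC_NAT_REAL)
        if translated and (flow.proto, flow.dst, flow.dport) in OUTSIDE_ACL:
            self.state.add(flow)
            return True
        return False

def demo():
    # Constructed flows: inside client to a web server, outside clients to Plex and SSH.
    fw = StatefulFirewall()
    web = Flow("tcp", "10.10.10.20", 51000, "203.0.113.10", 443)
    plex = Flow("tcp", "198.51.100.7", 40000, "10.10.10.10", 32400)
    ssh = Flow("tcp", "198.51.100.7", 40001, "10.10.10.10", 22)
    return (fw.permit(web, "inside", "outside"),            # True: higher -> lower
            fw.permit(reverse(web), "outside", "inside"),   # True: return traffic
            fw.permit(plex, "outside", "inside"),           # True: static + ACL
            fw.permit(reverse(plex), "inside", "outside"),  # True: return traffic
            fw.permit(ssh, "outside", "inside"))            # False: no ACL entry
```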