
Outside to Inside traffic flow

CliveAllen
Level 1

Quick overview:

 

To overcome current issues in a new Data Network we have installed an ASA5525.

 

I can get the VPN up with no problem but I cannot get traffic to flow from outside to inside with the most basic of configurations. 

VPN = Anyconnect

Outside interface config:

nameif outside
security-level 0
ip address 195.80.10.149 255.255.255.252

 

Inside Interface Config:

nameif inside
security-level 100
ip address 195.80.10.157 255.255.255.252

 

Access lists:

access-list outside_to_inside extended permit ip any any
access-list inside_to_outside extended permit ip any any

access-group outside_to_inside in interface outside
access-group inside_to_outside in interface inside

 

Static routes:

route outside 0.0.0.0 0.0.0.0 195.80.10.150 1
route inside 195.80.10.0 255.255.255.0 195.80.10.158 1

 

I was sure this would just let all traffic flow through, but it seems not. Any help would be appreciated to get the inside interfaces pinging....

 

Thanks

1 Accepted Solution

Hi there,
I assume the AnyConnect client is connecting ok, it's just you cannot ping anything on the inside network, is that correct?
Do you have NAT configured at all?
What is the IP address is given to the AnyConnect client?
Is there a route on next-hop connected to the ASA to route that AnyConnect subnet to the ASA?
If you run packet trace what is the output from that?

If you want to post the full config, we can have a look

5 Replies

CliveAllen
Level 1

As an add-on, I may have found out why.

 

ICMP is denied by default across the firewall and needs the following configured:

 

class inspection_default

inspect icmp

 

However, I don't have "inspect" as an option on this ASA. I am running software version:

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

 

Do I need to upgrade?

Yes, I'd upgrade the firmware; there have been a lot of bug fixes since 8.6.

Hi,

 

Yes, the VPN Anyconnect is connected and working. We are, unfortunately, in an environment where normal traffic cannot be passed over the VPN so I need to be able to verify with "ping".

 

We have a slightly unusual topology here but suffice to say that both interfaces are public addresses so no NAT is required.

 

Here is the route being taken (as this is a test environment currently):

 

Laptop --> Core Router --> (outside) ASA (Inside) --> (ge-0/0/10) SRX


So, the next-hop address is the SRX. The ge-0/0/10 interface on the SRX is placed within a routing-instance and also instance zone. The zone is any any any permit as is the other end which leads to the internal network. I have entered a route on the SRX as follows:

 

set routing-options static route 192.168.200.0/24 next-hop ge-0/0/10

 

I can ping the "inside" address from the SRX so there is no problem with connectivity there. However, and I will look into this, when using the following command on the SRX I get the following:

 

run show route 192.168.200.100

 

0.0.0.0/0

 

So, it is going to the default in every routing-instance. This means it will traverse the wrong direction and go to the iBGP speakers for Internet access through the PE routers. 

 

On the Internal network we are running ISIS so I will see if I can get the route to propagate through the IGP.

 

I will also look at the upgrade path.
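The two checks the accepted answer asks for (is ICMP tracked through the ASA, and does the next hop know how to get the VPN pool back to the ASA) can be written down as config. The fragment below is an added example, not configuration from the original post or from Cisco/Juniper documentation: it uses the interface addresses given in the thread (ASA inside 195.80.10.157, SRX ge-0/0/10 assumed to be 195.80.10.158 from the /30), assumes the AnyConnect pool is 192.168.200.0/24 because that is the prefix the poster looked up on the SRX, and invents the routing-instance name VPN-RI because the thread does not give one. The ASA part is the policy-map context in which "inspect icmp" is accepted; the Junos part places the return route inside the routing-instance that owns ge-0/0/10, which is one reason a route entered under the global routing-options would fall through to 0.0.0.0/0 in every instance.

```text
! ---- ASA side (ASA 8.x syntax) ----
! "inspect icmp" is only accepted inside a policy-map class. On a factory
! config the global_policy / inspection_default objects already exist; these
! lines add ICMP to them. Without inspection, ICMP is not stateful: an
! echo-reply coming back from the inside is only allowed if the ACL on the
! inside interface permits it. With inspection, replies are matched to the
! request and the ACL can be tightened.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! Approximate a ping from the AnyConnect client (pool address assumed to be
! 192.168.200.100) to the SRX ge-0/0/10 address (assumed 195.80.10.158).
! AnyConnect traffic is decapsulated on the outside interface, so that is the
! input interface for the trace; note that decrypted VPN traffic normally
! bypasses the outside ACL (sysopt connection permit-vpn), so the ACL phase
! of the trace is indicative only.
packet-tracer input outside icmp 192.168.200.100 8 0 195.80.10.158 detailed
!
! Confirm the client really holds an address from the pool and that the ASA
! has a host route for it (AnyConnect sessions add one automatically).
show vpn-sessiondb anyconnect
show route

# ---- SRX side (Junos) ----
# ge-0/0/10 is in a routing-instance, so a static route configured under the
# global [edit routing-options] is not consulted for traffic that arrives in
# that instance. Configure the return route for the pool inside the instance
# (VPN-RI is an assumed name) and point it at the ASA's inside address rather
# than at the interface.
set routing-instances VPN-RI routing-options static route 192.168.200.0/24 next-hop 195.80.10.157
# Verify the lookup from the instance's own table instead of the master table.
run show route 192.168.200.100 table VPN-RI.inet.0
```

Once the echo-reply returns, the "permit ip any any" ACL applied inbound on the outside interface should be narrowed: with public addresses on both sides and no NAT, that ACL is the only filtering the ASA applies, and any-any means the box is forwarding everything that reaches it, not just the VPN pool.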

I think I have found the answer.

 

Ping test to another SRX shows the ICMP packet hitting the interface and then a TTL expiry. This is because the response does not know how to get back because of it sending it to the default. The version of ASA software I have does not support ISIS. I am upgrading to a working ISIS version and will then be able to propagate the routes.

 

Thank you for your help.