
ASA 5510 - Outbound traffic doesn't come back in

interknox
Level 1

Greetings friends.

I've got a 5510 set up for internet (static). The appliance builds the connection, tears it down, no errors.

Problem I'm having is, no one can get access. I can ping and traceroute fine from the ASA to the 'net. I have a rule allowing anyone to the net from the network.

What I don't see, though, is an ACL allowing traffic in (this seems to be different behavior than my 5505). Do I need to add an ACL to allow some traffic back? I think I'm getting confused with the "outside_in" being deny any...

Any help would be greatly appreciated!

CH

14 Replies

a.alekseev
Level 7

Hi, Chris

Could you show the configurations?

Sure...sorry about that:

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
 description Internet
 speed 100
 nameif Outside
 security-level 0
 ip address 70.x.x.201 255.255.255.252
!
interface Ethernet0/1
 speed 100
 nameif Inside_1
 security-level 100
 ip address 10.170.50.50 255.255.0.0
!
interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside_1
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
object-group network Outgoing_Allowed
 description Internal users allowed to have internet access
 network-object 10.170.0.0 255.255.0.0
 network-object 10.190.0.0 255.255.0.0
object-group network Datalink_Internet
 description Datalink internet users
 network-object host 10.183.64.10
 network-object host 10.183.64.104
 network-object host 10.183.64.105
 network-object host 10.183.64.106
object-group network DM_INLINE_NETWORK_1
 network-object 10.180.0.0 255.255.0.0
 group-object Datalink_Internet
 group-object Outgoing_Allowed
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside_1 1500
mtu management 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
icmp permit any Inside_1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group Inside_access_in in interface Inside_1
route Outside 0.0.0.0 0.0.0.0 70.88.41.202 1
route Inside_1 10.160.0.0 255.255.0.0 10.170.0.1 1
route Inside_1 10.160.0.0 255.255.255.240 10.170.0.1 1
route Inside_1 10.183.64.0 255.255.252.0 10.170.4.249 1
route Inside_1 10.190.3.0 255.255.255.0 10.170.4.249 1
route Inside_1 10.190.4.0 255.255.255.0 10.170.0.1 1
route Inside_1 128.8.0.0 255.255.0.0 10.170.0.1 1
route Inside_1 172.16.29.0 255.255.255.0 10.170.0.1 1
route Inside_1 192.168.69.0 255.255.255.0 10.170.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.x.x.222 208.67.220.220
dhcpd wins 128.8.242.240 128.8.242.241
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
username chaynes password xxxencrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end


Hello Chris,

Your inside interface IP is 10.170.50.50 255.255.0.0. The object-group DM_INLINE_NETWORK_1 that you permit is 10.180.0.0 255.255.0.0. If your hosts that have to connect to the internet reside in the 10.170.0.0/16 network, then you should correct your object-group accordingly. If not, let's say that this network is routed via an L3 device to the inside interface; the issue is that you do not have any route back to that L3 device for this network. The statement should be something like

route Inside_1 10.180.0.0 255.255.0.0 10.170.x.x

Regards

One of my issues here is, my 10.170.x.x people cannot get to the internet either.

Being that my inside_1 interface resides on the 10.170 net, shouldn't a default route automatically exist for these users?

Sorry if I'm confusing...

nat (Inside_1) 1 10.170.50.50 255.255.0.0
nat (Inside_1) 1 10.190.0.0 255.255.0.0
global (Outside) 1 interface

"Being that my inside_1 interface resides on the 10.170 net, shouldn't a default route automatically exist for these users"

A connected route exists for them to be able to connect. That's OK. Then you need a NAT and a global statement. Since you have too many networks inside, use a single command that covers multiple entries:

nat (Inside_1) 1 0 0
global (Outside) 1 interface

This will immediately solve the internet connectivity of all networks that are permitted in the ACL, except the ones which do not have a route back to the source.

Regards

Greetings!

I've tried both of your ideas. Either one gives me the following errors now within the ASA logs (still no internet):

1. "UDP Request discarded from 10.170.x.x/138 to Inside_1:10.170.255.255/138"

I get hundreds of these (above).

2. "Teardown TCP connection 13334 for outside:69.x.x.193/80 to inside_1:10.170.x.x/3974 duration 0:00:30 bytes 0 SYN Timeout"

There are a lot of those entries as well.

What do you guys think?

What actual configuration do you have?

In regards to the network setup or the ASA?

both :)

nat (Inside_1) 1 0 0
global (Outside) 1 interface
no access-group Inside_access_in in interface Inside_1

and try again.

Assign 4.2.2.2 as the DNS server on the client from which you test internet connectivity.

The error "Teardown TCP connection 13334 for outside:69.x.x.193/80 to inside_1:10.170.x.x/3974 duration 0:00:30 bytes 0 SYN Timeout" means that the ASA is forwarding the traffic out to the Internet, but because the SYN packet didn't receive any reply, it times out to prevent SYN floods.

To verify if you are able to go out to the Internet through the ASA, try the following:

1. From a host behind the ASA, ping the gateway of the ASA (not the host).

2. If you are not even able to ping the gateway of the ASA, make sure that you have created a NAT and global rule so the ASA NATs the host to a routable IP.
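The NAT fix proposed earlier in the thread (nat/global) and the two-step check in the reply above, written out as one added example against the poster's own interface names and ASA 8.0(3) pre-8.3 NAT syntax. This is not from the thread or from Cisco documentation; the client address 10.170.1.10, the destination 198.51.100.10 and the capture/ACL names are constructed for the example.

```text
! Added example, not the poster's configuration.
!
! 1. Dynamic PAT for every Inside_1 source to the Outside interface address.
!    Without a nat/global pair the ASA forwards 10.170.x.x packets with their
!    private source address; the ISP has no route back, the SYN gets no SYN-ACK,
!    and the connection is torn down with "bytes 0 SYN Timeout".
nat (Inside_1) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
!
! 2. The ACL bound "in" on Inside_1 governs only which inside hosts may START a
!    connection. Replies are matched against the connection table (show conn),
!    so no Outside ACL is needed for return traffic. The posted ACL already
!    covers 10.170.0.0/16 through DM_INLINE_NETWORK_1 -> Outgoing_Allowed.
!
!    The "UDP request discarded ... to Inside_1:10.170.255.255/138" messages are
!    NetBIOS datagram broadcasts hitting the /16 broadcast address; the ASA drops
!    them and they have nothing to do with outbound internet access.
!
! 3. Simulate a client flow from the ASA before touching a host (constructed
!    addresses; use a real destination when running this):
packet-tracer input Inside_1 tcp 10.170.1.10 40000 198.51.100.10 80 detailed
!    Every phase must report ALLOW; a DROP names the phase (access-list, route
!    lookup, NAT) that still needs fixing.
!
! 4. After a real client test, confirm the translation exists and watch both
!    directions on Outside:
show xlate
show conn address 10.170.1.10
access-list cap_acl extended permit tcp any host 198.51.100.10
access-list cap_acl extended permit tcp host 198.51.100.10 any
capture capout interface Outside access-list cap_acl
show capture capout
!    The capture should show the SYN leaving from 70.x.x.201 and the SYN-ACK
!    coming back. A SYN with no answer while the xlate is present points upstream
!    (ISP routing for 70.x.x.201), not at the ASA's NAT or ACLs.
```

The sequence is deliberately ordered from configuration to simulation to capture: packet-tracer tells you whether the ASA would build the connection at all, and the capture tells you whether anything on the far side ever answers, which is the distinction the SYN Timeout teardown alone cannot make.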

I had a similar issue with the error message SYN Timeout when accessing a web server in a DMZ from the outside; I had no return from the outside.

(http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc15cb0).

I had a problem with a static route on my outside interface (I was using DHCP instead of a static IP on that interface).

Hope it helps.
