ASA won't pass outside traffic

Unanswered Question
Sep 21st, 2009

Background: We are in the process of migrating to a new high speed internet connection. I have attached an ASA to the new connection as follows:

ISP <==> Outside3750 <==> ASA

I have been over this a hundred times, but I cannot figure out why I cannot pass traffic to the outside. Here is the config from the ASA:

ASA# sh run int gig0/0
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address aaa.bbb.ccc.10 255.255.255.248

ASA# sh int gig0/0 stats
Interface GigabitEthernet0/0 "OUTSIDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address <privateMAC>, MTU 1500
        IP address aaa.bbb.ccc.10, subnet mask 255.255.255.248
        8252 packets input, 639464 bytes, 0 no buffer
        Received 5173 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        26210 packets output, 1702124 bytes, 0 underruns
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (1/11) software (0/0)
        output queue (curr/max packets): hardware (0/2) software (0/0)
  Traffic Statistics for "OUTSIDE":
        8257 packets input, 490436 bytes
        26210 packets output, 774728 bytes
        2465 packets dropped
      1 minute input rate 0 pkts/sec,  4 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  5 bytes/sec
      5 minute output rate 0 pkts/sec,  1 bytes/sec
      5 minute drop rate, 0 pkts/sec

route OUTSIDE 0.0.0.0 0.0.0.0 aaa.bbb.ccc.9

ASA# sh route
S*   0.0.0.0 0.0.0.0 [1/0] via aaa.bbb.ccc.9, OUTSIDE
C    aaa.bbb.ccc.8 255.255.255.248 is directly connected, OUTSIDE

From the Outside3750, I can see both the ISP and the ASA at layer 2:

Outside3750# sh mac address-table dynamic vlan 413
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 111    <ISP MAC>         DYNAMIC     Gi1/0/14
 111    <privateMAC>      DYNAMIC     Gi1/0/13

I have gone so far as to remove any ACL on the Outside interface, but still cannot pass traffic out. I can ping the ISP from the Outside3750, but I cannot ping the ASA Outside interface from the Outside3750.

Experts, your insight and expertise would be greatly appreciated. Thank you.

Patrick

Sharkey13 Mon, 09/21/2009 - 13:31

Thanks for the reply Collin. Would the NAT policy affect an ICMP reply from the ASA itself? This same exact config seems to work on another ASA. Here is the config:

nat (INSIDE) 0 access-list NAT-LIST
global (OUTSIDE) 0 interface
access-list NAT-LIST extended permit ip 192.168.0.0 255.255.128.0 any
access-list NAT-LIST extended permit ip 192.168.130.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.140.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.151.0 255.255.255.0 any

Here is an excerpt from the log after I removed the ACL:

5|Sep 21 2009 13:55:42|111008: User 'enable_15' executed the 'no access-group OUTSIDE_ACL in interface OUTSIDE' command.
5|Sep 21 2009 13:55:46|111005: 192.168.21.240 end configuration: OK
6|Sep 21 2009 13:55:51|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE

Thanks, Patrick

Collin Clark Mon, 09/21/2009 - 13:34

I've found when you ping from the ASA itself, you need to add an ACE to the outside access list permitting echo-replies. You have NAT 0 above, which means do NOT NAT, and there is no config for NATing your internal clients.

Collin Clark Mon, 09/21/2009 - 13:42

You will need something like-

global (outside) 1 12.aa.bb.ccc
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 1 192.168.53.0 255.255.255.0
nat (inside) 1 192.168.54.0 255.255.255.0
nat (inside) 1 192.168.55.0 255.255.255.0

Sharkey13 Mon, 09/21/2009 - 14:16

Collin - sorry, there was a typo:

nat (INSIDE) 1 access-list NAT-LIST
global (OUTSIDE) 1 interface

Collin Clark Tue, 09/22/2009 - 05:48

3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE shows that the OUTSIDE ACL is blocking ICMP. Add something like this-

access-list outside_access extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10

Sharkey13 Tue, 09/22/2009 - 06:59

Collin - here is the latest output from the log. First, I added the ACE:

5|Sep 22 2009 08:41:05|111008: User 'enable_15' executed the 'access-list OUTSIDE_ACL line 1 extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10' command.

Next, I tried to ping from the ASA:

6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE
6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388

I have also added a host on the inside interface, confirmed my NAT, and I am getting similar results from there:

6|Sep 22 2009 08:32:27|305011: Built dynamic ICMP translation from INSIDE:10.90.90.100/512 to OUTSIDE(NAT-LIST):aaa.bbb.ccc.10/1
6|Sep 22 2009 08:32:27|302020: Built outbound ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
6|Sep 22 2009 08:32:29|302021: Teardown ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512

Sharkey13 Tue, 09/22/2009 - 09:34

Collin - issue resolved. The issue was that icmp inspect was not turned on in AIP. Thanks for the assist.
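Added example, not from the thread or from Cisco: a small Python check that walks ASA syslog lines in the pipe-delimited format quoted above and explains each 313001 ICMP deny. A denied echo-reply whose source still has an open outbound ICMP connection (302020 seen, no 302021 yet) is the pattern this thread traced to ICMP inspection being off; a deny with no matching connection is the interface ACL doing its job. The sample lines are constructed to match the thread's format, and 198.51.100.7 is a made-up unsolicited source.

```python
import re

# Constructed sample log, modelled on the ASA syslog lines quoted in the thread.
# The 198.51.100.7 line is added to show an unsolicited probe being dropped.
SAMPLE_LOG = """\
6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE
6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
6|Sep 22 2009 08:32:27|302020: Built outbound ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
6|Sep 22 2009 08:32:29|302021: Teardown ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
3|Sep 22 2009 08:50:00|313001: Denied ICMP type=8, code=0 from 198.51.100.7 on interface OUTSIDE
"""

# severity|timestamp|msgid: text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
FADDR_RE = re.compile(r"faddr (?P<faddr>\S+)/\d+")
DENIED_RE = re.compile(r"Denied ICMP type=(?P<type>\d+), code=\d+ from (?P<src>\S+) on interface (?P<ifc>\S+)")
ECHO_REPLY = 0


def classify_icmp_denies(log_text):
    """Return a list of (source, verdict) for every 313001 line, in log order.

    'reply-to-open-connection': an echo-reply from a peer for which the ASA
    built an outbound ICMP connection that has not been torn down yet, i.e.
    the firewall expected this reply but still dropped it.
    'unsolicited': no matching open connection, the ACL is working as intended.
    """
    open_conns = set()   # foreign addresses with a live outbound ICMP connection
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an ASA syslog line in this format
        msgid, text = m.group("msgid"), m.group("text")
        if msgid in ("302020", "302021"):
            f = FADDR_RE.search(text)
            if f is None:
                continue
            (open_conns.add if msgid == "302020" else open_conns.discard)(f.group("faddr"))
        elif msgid == "313001":
            d = DENIED_RE.search(text)
            if d is None:
                continue
            src, icmp_type = d.group("src"), int(d.group("type"))
            if icmp_type == ECHO_REPLY and src in open_conns:
                findings.append((src, "reply-to-open-connection"))
            else:
                findings.append((src, "unsolicited"))
    return findings


if __name__ == "__main__":
    for src, verdict in classify_icmp_denies(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```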
