ASA won't pass outside traffic

Sep 21st, 2009
Background: We are in the process of migrating to a new high speed internet connection. I have attached an ASA to the new connection as follows:


ISP <==> Outside3750 <==> ASA


I have been over this a hundred times, but I cannot figure out why I cannot pass traffic to the outside. Here is the config from the ASA:

ASA# sh run int gig0/0
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address aaa.bbb.ccc.10 255.255.255.248

ASA# sh int gig0/0 stats
Interface GigabitEthernet0/0 "OUTSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address <privateMAC>, MTU 1500
IP address aaa.bbb.ccc.10, subnet mask 255.255.255.248
8252 packets input, 639464 bytes, 0 no buffer
Received 5173 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
26210 packets output, 1702124 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/11) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Traffic Statistics for "OUTSIDE":
8257 packets input, 490436 bytes
26210 packets output, 774728 bytes
2465 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 5 bytes/sec
5 minute output rate 0 pkts/sec, 1 bytes/sec
5 minute drop rate, 0 pkts/sec

route OUTSIDE 0.0.0.0 0.0.0.0 aaa.bbb.ccc.9

ASA# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via aaa.bbb.ccc.9, OUTSIDE
C aaa.bbb.ccc.8 255.255.255.248 is directly connected, OUTSIDE



From the Outside3750, I can see both the ISP and the ASA at layer 2:


Outside3750# sh mac address-table dynamic vlan 413
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
111     <ISP MAC>         DYNAMIC     Gi1/0/14
111     <privateMAC>      DYNAMIC     Gi1/0/13


I have gone so far as to remove any ACL on the Outside interface, but still cannot pass traffic out. I can ping the ISP from the Outside3750, but I cannot ping the ASA Outside interface from the Outside3750.


Experts, your insight and expertise would be greatly appreciated. Thank you.


Patrick


Collin Clark Mon, 09/21/2009 - 12:34

What does your NAT/Globals look like? Please check the log too.

Sharkey13 Mon, 09/21/2009 - 13:31

Thanks for the reply Collin. Would the NAT policy affect an ICMP reply from the ASA itself? This same exact config seems to work on another ASA. Here is the config:


nat (INSIDE) 0 access-list NAT-LIST
global (OUTSIDE) 0 interface

access-list NAT-LIST extended permit ip 192.168.0.0 255.255.128.0 any
access-list NAT-LIST extended permit ip 192.168.130.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.140.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.151.0 255.255.255.0 any


Here is an excerpt from the log after I removed the ACL:

5|Sep 21 2009 13:55:42|111008: User 'enable_15' executed the 'no access-group OUTSIDE_ACL in interface OUTSIDE' command.
5|Sep 21 2009 13:55:46|111005: 192.168.21.240 end configuration: OK
6|Sep 21 2009 13:55:51|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE


Thanks, Patrick


Collin Clark Mon, 09/21/2009 - 13:34

I've found that when you ping from the ASA itself, you need to add an ACE to the outside access list permitting echo-replies. You have NAT 0 above, which means do NOT NAT, and there is no config for NATing your internal clients.

Collin Clark Mon, 09/21/2009 - 13:42

You will need something like:

global (outside) 1 12.aa.bb.ccc
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 1 192.168.53.0 255.255.255.0
nat (inside) 1 192.168.54.0 255.255.255.0
nat (inside) 1 192.168.55.0 255.255.255.0

Sharkey13 Mon, 09/21/2009 - 14:16

Collin - sorry, there was a typo:

nat (INSIDE) 1 access-list NAT-LIST
global (OUTSIDE) 1 interface

Collin Clark Tue, 09/22/2009 - 05:48

"3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE" shows that the OUTSIDE ACL is blocking ICMP. Add something like this:

access-list outside_access extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10

Sharkey13 Tue, 09/22/2009 - 06:59

Collin - here is the latest output from the log. First, I added the ACE:

5|Sep 22 2009 08:41:05|111008: User 'enable_15' executed the 'access-list OUTSIDE_ACL line 1 extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10' command.

Next, I tried to ping from the ASA:

6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE
6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388

I have also added a host on the inside interface, confirmed my NAT, and I am getting similar results from there:

6|Sep 22 2009 08:32:27|305011: Built dynamic ICMP translation from INSIDE:10.90.90.100/512 to OUTSIDE(NAT-LIST):aaa.bbb.ccc.10/1
6|Sep 22 2009 08:32:27|302020: Built outbound ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
6|Sep 22 2009 08:32:29|302021: Teardown ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512

Sharkey13 Tue, 09/22/2009 - 09:34

Collin - issue resolved. The issue was that icmp inspect was not turned on in AIP. Thanks for the assist.
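As an added example (not from the thread or from any Cisco tool), a small Python correlator that picks out the exact log signature Collin reads above: a 313001 denied echo-reply arriving right after a 302020 outbound ICMP connection to the same foreign host. That pairing is what an ASA logs when the return ICMP is not being inspected or permitted, so it is worth alerting on from a syslog collector. The input lines are the ones quoted in the thread, with the same anonymised addresses.

```python
"""Correlate ASA syslog 302020 (built outbound ICMP connection) with
313001 (denied ICMP) to spot echo replies dropped on the return path."""
import re
from datetime import datetime

# Syslog shape used in the thread: <severity>|<timestamp>|<msgid>: <text>
LINE_RE = re.compile(r"^(\d)\|(.+?)\|(\d{6}): (.*)$")
BUILT_RE = re.compile(r"Built outbound ICMP connection for faddr (\S+)/\d+ "
                      r"gaddr (\S+)/\d+ laddr (\S+)/\d+")
DENIED_RE = re.compile(r"Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")

def parse(line):
    """Return (severity, timestamp, msgid, text), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sev, ts, msgid, text = m.groups()
    return int(sev), datetime.strptime(ts, "%b %d %Y %H:%M:%S"), msgid, text

def find_dropped_replies(lines, window_s=5):
    """Return one finding per echo-reply (type 0) denied on an interface within
    window_s seconds of a 302020 that built an outbound ICMP connection to the
    same foreign address: the signature of missing ICMP inspection or ACE."""
    built = {}      # faddr -> (time, gaddr, laddr) of the most recent 302020
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        _, ts, msgid, text = rec
        if msgid == "302020":
            m = BUILT_RE.search(text)
            if m:
                built[m.group(1)] = (ts, m.group(2), m.group(3))
        elif msgid == "313001":
            m = DENIED_RE.search(text)
            if not m or m.group(1) != "0":
                continue
            src, iface = m.group(3), m.group(4)
            if src in built and 0 <= (ts - built[src][0]).total_seconds() <= window_s:
                findings.append({"faddr": src, "interface": iface,
                                 "gaddr": built[src][1], "laddr": built[src][2]})
    return findings

# Sample input: the log lines quoted in the thread above
SAMPLE = [
    "5|Sep 22 2009 08:41:05|111008: User 'enable_15' executed the 'access-list OUTSIDE_ACL line 1 extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10' command.",
    "6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388",
    "3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE",
    "6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388",
]

if __name__ == "__main__":
    for finding in find_dropped_replies(SAMPLE):
        print(finding)
```

A 313001 with no preceding 302020 for that host (an unsolicited reply from the internet) is ignored, so the correlator only flags the case the thread is about.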
