Cisco ASA 5505 not passing traffic (Possible NAT or ACL issue)

Answered Question
Jul 26th, 2010
I have an ASA 5505 in front of (7) devices.  Each device is statically NAT'd to an external IP address with ACLs restricting the specific ports.  This setup works perfectly on ASAs with a single host behind the ASA.  Below is a sample config of the ASA.  Any help would be greatly appreciated!

interface Vlan10
nameif inside
security-level 100
ip address 10.200.3.161 255.255.255.240
!
interface Vlan300
nameif outside
security-level 0
allow-ssc-mgmt
ip address 172.21.3.74 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 300
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Poll tcp
description External Poller
port-object eq 2101
object-group service Poll2 tcp
description Poll 20000
port-object eq 20000
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq 20000
object-group network New_Hosts
description New Hosts
network-object 192.168.95.0 255.255.255.0
network-object 192.168.96.0 255.255.255.0
network-object 192.168.97.0 255.255.255.0
network-object 192.168.98.0 255.255.255.0
object-group network Old_Hosts
description Old Hosts (Subnets)
network-object 192.168.89.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
group-object New_Hosts
group-object Old_Hosts
network-object 192.168.79.0 255.255.255.0
network-object 192.168.201.0 255.255.255.248
object-group network DM_INLINE_NETWORK_4
network-object 192.168.201.0 255.255.255.248
network-object 192.168.79.0 255.255.255.0
group-object New_Hosts
group-object Old_Hosts
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 20000
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.66 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.67 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.71 log debugging inactive
access-list inside_access_in extended permit ip any any log debugging
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.66 10.200.3.168 netmask 255.255.255.255
static (inside,outside) 172.21.3.67 10.200.3.169 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.71 10.200.3.172 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global

manish arora Mon, 07/26/2010 - 16:03

OK, can you elaborate on the issue you are experiencing a little more, as I can't understand what you are trying to do and where you are seeing issues?

thanks

Manish

BEHowardGRDA Mon, 07/26/2010 - 17:41
The devices I am trying to place behind the firewall are currently running on the network using the addresses defined in the NAT rules.  The internal devices can ping out just fine, but the external hosts are unable to ping through the firewall or poll the internal devices as required.  I am beginning to think it may be an ARP issue, but I want to rule out the NAT/ACL rules first.


Thank you for the reply!

Correct Answer
Nagaraja Thanthry (Cisco Employee) Mon, 07/26/2010 - 18:03

Hello,

All your access-lists that allow ICMP connections from outside to inside are inactive. I would suggest either reactivating the access-lists or trying a specific ACL for ICMP and seeing if that helps.

access-list outside_access_in line 1 permit icmp any any echo

Hope this helps.

Regards,

NT
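The trap the accepted answer points at is easy to miss on a long config: an ACE ending in `inactive` is printed in the running config but is not evaluated in the packet path, so the traffic falls through to the ACL's implicit deny even though the line reads "permit". The following script is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `static` / `access-list ... extended` syntax used in the question, resolves nested network object-groups, and reports, for every static NAT, whether any active permit on the outside inbound ACL actually covers the mapped address; it also flags any `permit ip any any` ACE. `SAMPLE_CONFIG` is a constructed, abbreviated copy of the posted lines (with valid `network-object` syntax), and the function names are this example's own.

```python
"""Added example (this example's own code, not Cisco tooling or the thread's):
audit a pre-8.3 ASA config for static NATs whose only covering inbound permits
are 'inactive' ACEs, and for 'permit ip any any' ACEs.  Resolves nested network
object-groups; does not evaluate ACE ordering or deny ACEs."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "acl action proto src dst active line")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens a port spec uses

# Constructed sample: an abbreviated copy of the question's NAT/ACL lines plus the
# network object-groups they reference (written with valid network-object syntax).
SAMPLE_CONFIG = """\
object-group network Old_Hosts
 network-object 192.168.89.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 group-object Old_Hosts
 network-object 192.168.79.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 eq 2101 log debugging
access-list inside_access_in extended permit ip any any log debugging
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

def _take_addr(tok):
    """Consume one address spec: any | host A | object-group G | A MASK."""
    if tok[0] == "any":
        return ("any",), tok[1:]
    if tok[0] in ("host", "object-group"):
        return (tok[0], tok[1]), tok[2:]
    return ("net", tok[0], tok[1]), tok[2:]

def _parse_ace(tok, groups):
    # access-list NAME extended ACTION PROTO SRC [SPORT] DST [DPORT] [log ...] [inactive]
    rest = tok[4:]
    proto, rest = (rest[1], rest[2:]) if rest[0] == "object-group" else (rest[0], rest[1:])
    src, rest = _take_addr(rest)
    if rest[0] in PORT_OPS:                                    # source-port operator
        rest = rest[PORT_OPS[rest[0]]:]
    elif rest[0] == "object-group" and rest[1] not in groups:  # service group as port spec
        rest = rest[2:]
    dst, rest = _take_addr(rest)
    return Ace(tok[1], tok[3], proto, src, dst, "inactive" not in rest, " ".join(tok))

def parse_config(text):
    """Return (network groups, ACEs, static NATs mapped->real, outside inbound ACL name)."""
    groups, aces, statics, outside_acl, cur = {}, [], {}, None, None
    for tok in (ln.split() for ln in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "object-group":            # object-group network|service|... NAME
            cur = groups.setdefault(tok[2], []) if tok[1] == "network" else None
        elif tok[0] in ("network-object", "group-object") and cur is not None:
            cur.append(tok)
        elif tok[0] == "access-list" and tok[2] == "extended":
            aces.append(_parse_ace(tok, groups))
        elif tok[0] == "static":                # static (in,out) MAPPED REAL netmask MASK
            statics[tok[2]] = tok[3]
        elif tok[0] == "access-group" and tok[-1] == "outside":
            outside_acl = tok[1]
    return groups, aces, statics, outside_acl

def _covers(spec, ip, groups):
    """Does this address spec (resolving nested object-groups) contain ip?"""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ipaddress.ip_address(spec[1]) == ip
    if spec[0] == "net":
        return ip in ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    for m in groups.get(spec[1], []):           # object-group: walk its members
        sub = (("object-group", m[1]) if m[0] == "group-object"
               else ("host", m[2]) if m[1] == "host" else ("net", m[1], m[2]))
        if _covers(sub, ip, groups):
            return True
    return False

def audit(text):
    """Per static NAT: active and inactive outside-inbound permit ACEs covering the mapped IP."""
    groups, aces, statics, outside_acl = parse_config(text)
    report = {}
    for mapped, real in statics.items():
        ip = ipaddress.ip_address(mapped)
        hits = [a for a in aces if a.acl == outside_acl and a.action == "permit"
                and _covers(a.dst, ip, groups)]
        report[mapped] = {"real": real, "active": [a.line for a in hits if a.active],
                          "inactive": [a.line for a in hits if not a.active]}
    return report

def silently_unreachable(text):
    """Mapped addresses with no active covering permit: NAT'd but blocked by the implicit deny."""
    return sorted(m for m, r in audit(text).items() if not r["active"])

def permit_ip_any_any(text):
    """ACLs carrying an active 'permit ip any any' ACE (no least privilege on that interface)."""
    return sorted({a.acl for a in parse_config(text)[1] if a.active and a.action == "permit"
                   and a.proto == "ip" and a.src == ("any",) and a.dst == ("any",)})
```

Feed it the text of `show running-config` (for example `silently_unreachable(open("running-config.txt").read())`). On the posted config it lists every mapped address except 172.21.3.69, which is exactly the one host with active ACEs, and it flags `inside_access_in` for `permit ip any any`. Two caveats: a hit only means the address is not silently blocked by an inactive ACE, since the script ignores first-match ordering and deny ACEs, so confirm with the hit counters in `show access-list` once the ACEs are active; and if the hosts become reachable as soon as the ACEs are reactivated, ARP was never the problem, because a pre-8.3 ASA answers ARP on the outside interface for static-NAT mapped addresses by default.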

manish arora Mon, 07/26/2010 - 18:18

Yeah, it should work the way NT mentioned.

Or you can do this:

object-group icmp-type icmp
icmp-object echo
icmp-object echo-reply

and then add an access-list statement:

access-list outside_access_in extended permit icmp object-group xxx (your whitelisted IPs) a.b.c.d 255.255.255.0 object-group icmp

thanks

Manish
