Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
497
Views
0
Helpful
3
Replies

ASA FIREWALL ISSUE

pl.mailloux
Level 1
Level 1

‎10-11-2013 09:07 AM - edited ‎03-11-2019 07:51 PM

Hi

My setup is like this:

ASA-5505-SITE-A (1.1.1.1)

ASA-5510-SITE-B (1.1.2.1)

On this side the ASA inside interface gooing into a router as WAN.

My LAN outside my routeur is 192.168.1.x

There is a VPN UP between SITE-A and SITE-B

From SITE-B I can ping everything to SITE-A

From SITE-A to SITE-B, nothing works.

Please help me.

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎10-11-2013 09:13 AM

Hi,

I am not sure I understand the setup from the above.

If you could share the configurations of the ASA firewalls (without public IP addresses etc.) then could look through the configurations.

- Jouni

0 Helpful

pl.mailloux
Level 1
Level 1
In response to Jouni Forss

‎10-11-2013 09:39 AM

On SITE-A my PC's IP adress come directly from the ASA 1.1.1.x

On SITE-B we use a router behind the firewall so my PC's adress are : 192.168.1.x

I can ping from SITE-B to SITE-A without any problem.

I cannot ping from SITE-A to SITE-B.

There is my 2 firewalls config.

Thanks

SITE-A

Result of the command: "show run"

: Saved

:

ASA Version 9.1(3)

!

hostname ciscoasa

enable password *** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd *** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 1.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address SITE-A-PUBLIC-IP 255.255.255.240

!

boot system disk0:/asa913-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LAN-SITE-B

subnet 1.1.2.0 255.255.255.0

object network LAN-SITE-A

subnet 1.1.1.0 255.255.255.0

object network Firewall-SITE-B

host SITE-B-PUBLIC-IP

object network SERVER01

host 1.1.1.2

object-group service ALL-IP tcp-udp

description ALL-IP

port-object range 1 65535

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B

access-list OUTSIDE-IN extended permit ip any object SERVER01

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN-SITE-A LAN-SITE-A destination static LAN-SITE-B LAN-SITE-B no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network SERVER01

nat (inside,outside) static SERVER01-PUBLIC-IP

access-group OUTSIDE-IN in interface outside

route outside 0.0.0.0 0.0.0.0 SITE-A-PUBLIC-GATEWAY 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 1.1.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer SITE-B-PUBLIC-IP

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 1.1.1.100-1.1.1.125 inside

dhcpd dns 24.200.241.37 24.201.245.77 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_SITE-B-PUBLIC-IP internal

group-policy GroupPolicy_SITE-B-PUBLIC-IP attributes

vpn-tunnel-protocol ikev1 ikev2

username *** password *** encrypted privilege 15

tunnel-group SITE-B-PUBLIC-IP type ipsec-l2l

tunnel-group SITE-B-PUBLIC-IP general-attributes

default-group-policy GroupPolicy_SITE-B-PUBLIC-IP

tunnel-group SITE-B-PUBLIC-IP ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect sip 

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8306344f5f134526aa6df7293730742f

: end


SITE-B

Result of the command: "show run"

: Saved

:

ASA Version 9.1(3)

!

hostname ciscoasa

enable password *** encrypted

passwd *** encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 1.1.2.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network FireWall-SITE-A

host 1.1.1.1

object network LAN-SITE-B

subnet 1.1.2.0 255.255.255.0

object network LAN-SITE-A

subnet 1.1.1.0 255.255.255.0

access-list outside_cryptomap extended permit ip object LAN-SITE-B object LAN-SITE-A

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN-SITE-B LAN-SITE-B destination static LAN-SITE-A LAN-SITE-A no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer SITE-A-PUBLIC-IP

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcp-client client-id interface outside

dhcpd address 1.1.2.100-1.1.2.125 inside

dhcpd dns 142.169.1.16 199.84.242.22 interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_SITE-A-PUBLIC-IP internal

group-policy GroupPolicy_SITE-A-PUBLIC-IP attributes

vpn-tunnel-protocol ikev1 ikev2

username *** password *** encrypted

tunnel-group SITE-A-PUBLIC-IP type ipsec-l2l

tunnel-group SITE-A-PUBLIC-IP general-attributes

default-group-policy GroupPolicy_SITE-A-PUBLIC-IP

tunnel-group SITE-A-PUBLIC-IP ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:db8f53008f268da84e76bae3bb414bc3

: end

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to pl.mailloux

‎10-11-2013 10:13 AM

Hi,

Some observations,

  • You say that Site B has a router behind the LAN interface of the ASA
  • You say that Site B can ping Site A with no problem
  • You say that Site A cant ping Site B
  • On Site B there is no Route for the network 192.168.1.0/24
  • On Site B you have a Management interface which has the address range 192.168.1.0/24 also?

So I am beginning to think that the router behind the Site B ASA is doing Dynamic PAT for the network 192.168.1.0/24 behind it. This would mean that all traffic from the 192.168.1.0/24 would be PATed to some IP address from network 1.1.2.0/24. This again would enable traffic to flow from Site B to Site A normally. Considering the Dynamic PAT done by the Site B LAN router would mean though that no connection initiation would work from Site A to Site B since you cant form connections through Dynamic PAT from the external side.

So my guess would be that you would have to

  • Remove the Site B management interface configurations, atleast the IP address. If its in use change the network for the Management interface
  • Disable any type of NAT on the LAN Router at Site B so Site A can actually see the local network 192.168.1.0/24
  • Change the VPN and NAT configurations on the ASAs to reflect this change in the Site B network

The above would most likely affect your Site B Static NAT configuration you did just in the other discussion here on the forums.

One other alternative is that you configure Static NAT for the hosts you need on the Site B router from 192.168.0.x to 1.1.2.x so they can be connected from Site A

Hope I made sense

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card