Assistance - Possible Router config Issue?

krillin21
Level 1

Hi Guys,

I need some assistance. We have a Cisco ASA as a perimeter firewall, and our ISP has put down their CE router. We have been given an IP block and the gateway.

The way I understand it, and have configured it previously, is that we have a static route on the firewall, 0.0.0.0/0.0.0.0 to the gateway IP, which sits on the CE. This is done at all our sites.


At a new site we have a different ISP; they use Mikrotik routers, and I have configured this the same way. Traffic out gets NATed on the FW, so that's OK. The problem that I have is with remote access to connect via SSH or ASDM: for testing remotely, I have allowed the outside interface of the ASA. The problem is that all outside traffic shows the source IP as the CE's public IP and not the actual source IP, meaning that if my public IP at home is 1.1.1.1, the ASA outside interface IP is 5.5.5.5, and the default route configured on the ASA is 8.8.8.8, then if I SSH to 5.5.5.5 and look at the log on the ASA, it gets denied because it sees traffic sourcing from 8.8.8.8 and not from 1.1.1.1. So now I have to allow 8.8.8.8 ASDM and SSH access, which essentially allows the whole Internet access to my FW as long as they have the password.

I don't know if that makes sense. On all the other ASAs it shows the actual source IP and not the ISP's public interface as the source.

I have an issue establishing an IPsec tunnel, and I have a feeling that this could be the culprit as well.

Any assistance would be appreciated.

4 Replies

Hello,

The problem is likely with your 'ssh inside' or 'ssh outside' configuration. Post the config of the ASA...


hostname Test
domain-name Test.CO.ZA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
 description Test_LAN
 nameif Test_LAN
 security-level 100
 ip address 172.23.2.1 255.255.255.0
!
interface GigabitEthernet1/2
 description VOIP
 nameif VOIP
 security-level 100
 ip address 172.23.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description Internet_Interface
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.248
!
interface Management1/1
 management-only
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!

ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
 domain-name Test.CO.ZA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Test_LAN
 subnet 172.23.2.0 255.255.255.0
 description Test_LAN
object network VOIP
 subnet 172.23.1.0 255.255.255.0
 description VOIP
object network Test_DHCP_Server
 host 172.23.62.10
 description Test_DHCP_Server
object network CPT
 host 41.164.114.69
object network HO_LAN
 subnet 172.23.137.0 255.255.255.0
 description Head Office
object network PAT
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.23.60.0_24
 subnet 172.23.60.0 255.255.255.0
object network NETWORK_OBJ_172.23.62.0_24
 subnet 172.23.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Test_LAN
 network-object object VOIP
object-group network DM_INLINE_NETWORK_2
 network-object 173.252.101.0 255.255.255.0
 network-object 173.252.112.0 255.255.255.0
 network-object 173.252.64.0 255.255.224.0
 network-object 173.252.70.0 255.255.255.0
 network-object 173.252.88.0 255.255.255.0
 network-object 204.15.20.0 255.255.252.0
 network-object host 216.58.223.46
 network-object 31.13.24.0 255.255.248.0
 network-object host 31.13.90.36
 network-object 66.220.144.0 255.255.248.0
 network-object 66.220.152.0 255.255.248.0
 network-object 69.171.224.0 255.255.240.0
 network-object host 69.171.230.68
 network-object 69.171.239.0 255.255.255.0
 network-object 69.171.240.0 255.255.240.0
 network-object 69.171.255.0 255.255.255.0
 network-object 69.63.176.0 255.255.248.0
 network-object 69.63.176.0 255.255.255.0
 network-object 69.63.184.0 255.255.248.0
 network-object 74.119.76.0 255.255.252.0
 network-object host 91.103.108.73
 network-object host 92.103.108.73
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list Data_Vlan_access_in extended permit ip any any
access-list Voice__Vlan_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list LAN_access_in extended permit ip object DHCP_Server object VOIP
access-list VOIP_access_in extended permit ip object VOIP object Test_DHCP_Server
access-list VOIP_access_in_1 extended permit ip object VOIP object Test_DHCP_Server
access-list Test_LAN_access_in remark Block Facebook
access-list Test_LAN_access_in extended deny object-group DM_INLINE_SERVICE_1 object Test_LAN object-group DM_INLINE_NETWORK_2 inactive
access-list Test_LAN_access_in extended permit ip object Test_LAN any
access-list Test_LAN_access_in extended permit ip object Test_DHCP_Server object-group DM_INLINE_NETWORK_1
access-list Test_LAN_access_in extended permit ip object Test_LAN object HO_LAN
access-list outside_cryptomap_1 extended permit ip object Test_LAN 172.23.60.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Test_LAN 1500
mtu VOIP 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Test_LAN,outside) source dynamic Test_LAN interface
nat (Test_LAN,outside) source static Test_LAN Test_LAN destination static NETWORK_OBJ_172.23.60.0_24 NETWORK_OBJ_172.23.60.0_24 no-proxy-arp route-lookup
!
object network PAT
 nat (any,outside) dynamic interface
access-group Test_LAN_access_in in interface Test_LAN
access-group VOIP_access_in_1 in interface VOIP
route outside 0.0.0.0 0.0.0.0 8.8.8.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
http 172.23.2.0 255.255.255.0 Test_LAN
http 5.5.5.5 255.255.255.255 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set pfs group5
crypto map outside_map0 1 set peer 6.6.6.6
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=172.23.2.1,CN=Test-FW
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 748d7558
    308202ca 308201b2 a0030201 02020474 8d755830 0d06092a 864886f7 0d010105
    05003027 310f300d 06035504 0313064a 48422d46 57311430 12060355 0403130b
    3137322e 32332e36 322e3130 1e170d31 37303131 31313635 3232315a 170d3237
    30313039 31363532 32315a30 27310f30 0d060355 04031306 4a48422d 46573114
    30120603 55040313 0b313732 2e32332e 36322e31 30820122 300d0609 2a864886
    f70d0101 01050003 82010f00 3082010a 02820101 00b4435c 162cb627 5662a6dd
    cce9a743 8c0acec1 980f0769 81ddcadc ee1d3eb9 43e22115 7123bead aae46874
    86896fc6 b417b6c5 7bba7b72 1c5e45a9 4c19cd5e d906d2fb ad174fa1 e7e871b0
    0a2ea52e 33b020ad c61092dd 7254ca54 29c78219 dfc8c41a b8e47d2c 9943b3ba
    2a0c2d5d f74b5802 bdf7bb14 f0645e26 55519fcb 9dc00f7d f9c47f18 75794bad
    6d0b242e d8665549 63a97f86 8a3e9b0e f461b7cc 17cfe3fa 770057d5 801269c5
    53223380 61917ee8 7f07af39 aa05d69f 4f7a2efb 1abf4d7f dfaaaa9e 17b5db72
    1325d028 4ed8443c 957e48c5 7bf3af4f 9391afa3 1282e864 8cb64c59 f03e25ef
    f8e3a044 3fc5cbdb fb2ad5eb dfb7dc9c 22204566 d3020301 0001300d 06092a86
    4886f70d 01010505 00038201 01004ea8 8d5fc196 452f86c3 0e3a6f6e cff494cd
    391d2f1d 59a4566d 5c7cc7ca 76acf577 709f2414 935c333c 507c5333 3ac48cb8
    ae11e201 839a7f86 714cd68d f421f695 839b0d10 25f3301d 7b3a260d fbc510ad
    db7ebc66 79c0938e 374e0188 e0d8d57e 39958a24 5965e252 2fde9131 569fba8e
    937ba57d ea672e3c 9e74c4a1 56ea9a50 1c2e2327 46f6630f 19b3173e dee84c0a
    da10ffc2 1b78798b ff5f9d89 6c47c4a8 611b9328 5cc01a63 fec18588 3ec355d6
    06455d8d 3e3fed13 daa5bd7b a3c41f23 6ed81dea a8bc8066 8e873532 1df10d86
    32d220f5 48c99e71 e404047b 23d023aa 90067d12 b0e244ad b663eb4c c773e289
    ec93cc28 8aa64261 a241d255 25ff
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 172.23.2.0 255.255.255.0 Test_LAN
ssh 5.5.5.5 255.255.255.255 outside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay server 172.23.2.10 Test_LAN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp
  inspect pptp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 4
  subscribe-to-alert-group configuration periodic monthly 4
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0377dab1c8365d6c2bfd1163366a341b
: end
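The symptom described in the thread (every inbound management connection arriving from the default-gateway address, so the `ssh`/`http` allow lists can only be satisfied by admitting that one address) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the `route`, `ssh` and `http` lines of an ASA running-config like the one above together with ASA syslog messages 710003 ("access denied by ACL") and 605005 ("Login permitted"), reports interfaces on which every management source equals the next hop (the signature of an upstream device source-NATing inbound traffic), and flags allow entries that are therefore effectively open to the whole Internet. The config fragment and log lines are constructed for the example using the thread's placeholder addresses (5.5.5.5 outside, 8.8.8.8 next hop); the message formats are the documented ASA ones, and the three-sample threshold is an assumption.

```python
"""Audit ASA management-plane exposure when an upstream router source-NATs inbound traffic.

Added example, not from the original thread. It parses the route/ssh/http lines of an
ASA running-config plus a handful of ASA syslog messages (710003 "access denied by ACL"
and 605005 "Login permitted") and reports:
  * interfaces where every management connection arrives from the next-hop address,
    which is what an upstream masquerade / src-nat looks like from the ASA; and
  * ssh/http allow entries that are therefore effectively "any" (they admit the
    next-hop address on such an interface, or are 0.0.0.0/0 outright).
The config and log lines below are constructed from the addresses used in the thread.
"""
import ipaddress
import re
from collections import defaultdict

MGMT_SERVICES = {"ssh", "22", "https", "443"}  # services the ssh/http commands expose

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)")
ALLOW_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
# %ASA-3-710003: TCP access denied by ACL from SRC/PORT to IFC:DST/SERVICE
# %ASA-6-605005: Login permitted from SRC/PORT to IFC:DST/SERVICE for user "NAME"
LOG_RE = re.compile(
    r"%ASA-\d-(?:710003|605005): .*?from (\d+\.\d+\.\d+\.\d+)/\d+ "
    r"to (\w+):(\d+\.\d+\.\d+\.\d+)/(\w+)"
)

# Constructed config fragment mirroring the thread's situation (assumed, not the real box).
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 management
http 8.8.8.8 255.255.255.255 outside
route outside 0.0.0.0 0.0.0.0 8.8.8.8 1
ssh 172.23.2.0 255.255.255.0 Test_LAN
ssh 8.8.8.8 255.255.255.255 outside
ssh timeout 5
"""

# Constructed syslog lines: three outside connections, all from the next hop, plus one
# inside connection that still shows its real source address.
SAMPLE_LOGS = [
    '%ASA-3-710003: TCP access denied by ACL from 8.8.8.8/51234 to outside:5.5.5.5/ssh',
    '%ASA-3-710003: TCP access denied by ACL from 8.8.8.8/51240 to outside:5.5.5.5/https',
    '%ASA-6-605005: Login permitted from 8.8.8.8/51302 to outside:5.5.5.5/ssh for user "admin"',
    '%ASA-6-605005: Login permitted from 172.23.2.50/50112 to Test_LAN:172.23.2.1/ssh for user "admin"',
]


def parse_config(text):
    """Return ({interface: default next hop}, [(service, network, interface), ...])."""
    gateways, allows = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ROUTE_RE.match(line):
            gateways[m.group(1)] = m.group(2)
        elif m := ALLOW_RE.match(line):
            svc, ip, mask, ifc = m.groups()
            allows.append((svc, ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifc))
    return gateways, allows


def management_sources(log_lines):
    """Map interface -> list of source addresses that reached a management service."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(4) in MGMT_SERVICES:
            seen[m.group(2)].append(m.group(1))
    return seen


def upstream_nat_suspected(gateways, seen, min_samples=3):
    """Interfaces on which every observed management source is the default next hop.

    Real admins come from assorted addresses; if after min_samples connections the only
    source ever seen is the gateway itself, the upstream device is rewriting the source
    and the ASA never sees the real one, so source-based ssh/http restrictions cannot work.
    """
    return sorted(
        ifc for ifc, srcs in seen.items()
        if len(srcs) >= min_samples and ifc in gateways and set(srcs) == {gateways[ifc]}
    )


def effectively_open(allows, gateways, suspected):
    """Allow entries that admit the whole Internet in practice."""
    return [
        (svc, str(net), ifc) for svc, net, ifc in allows
        if net.prefixlen == 0
        or (ifc in suspected and ipaddress.ip_address(gateways[ifc]) in net)
    ]


def audit(config_text, log_lines, min_samples=3):
    """Run the full check and return the findings as a dict."""
    gateways, allows = parse_config(config_text)
    suspected = upstream_nat_suspected(gateways, management_sources(log_lines), min_samples)
    return {
        "nat_suspected": suspected,
        "effectively_open": effectively_open(allows, gateways, suspected),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, SAMPLE_LOGS)
    for ifc in report["nat_suspected"]:
        print(f"{ifc}: every management source equals the next hop; upstream source NAT suspected")
    for svc, net, ifc in report["effectively_open"]:
        print(f"'{svc} {net} {ifc}' is effectively open to the Internet")
```

Run against the constructed data it reports `outside` as NAT-suspected and flags both the `http 8.8.8.8` and `ssh 8.8.8.8` entries; an `ssh 0.0.0.0 0.0.0.0 outside` line is flagged regardless of what the logs show. Feed it `show running-config` output and a syslog export to reproduce the check on a real box.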

Hello,

Tricky indeed. Unless you can get your ISP to restrict SSH access directed at your ASA on their Mikrotik, your only other option would be to allow SSH access through the VPN to an interface other than your outside interface.

That said, with ssh 0.0.0.0 0.0.0.0 outside configured, does any public Internet user actually get to your ASA login prompt? Usually ISPs have some security configured on their equipment, if only because they don't want everybody to access their routers...

I can get the ISP to only allow specific sources, but that doesn't really help the situation. I can't seem to establish the IPsec tunnel either, and I think it's related.

Currently any outside source is able to get to the login prompt, which is not ideal.
