ASA 5505 Loss of Connectivity

Austin Rivet
Level 1

Hello,

I have an ASA 5505 Sec Plus with ASA 9.1. This firewall has been set up with a static WAN IP, basic NAT/PAT, ACLs to allow web connectivity, and access to SSH and ASDM enabled. A management PC has been set up with Teamviewer and is directly connected to the firewall and is used for ASDM access. I also have SSH temporarily enabled on the outside for ease of access while I am getting this firewall initially configured.

The day that I configured this device I was able to Teamviewer into the management PC from a different network. I was also able to SSH into the firewall from a different network. I tested this multiple times that day from various networks, and it worked just fine.

A couple of days later I tried to login to the management PC but it appeared to be offline. I then attempted to SSH into the firewall, but I was not able to establish a connection via SSH either. I was not able to go on-site in person to check the firewall, but I had someone at that location confirm that the device was still connected and powered on.

Based on the configs below, does anyone have an idea as to why the connection would suddenly go dead after that first day? Does this sound like a hardware failure? What can I do to further troubleshoot?

Thanks!

asa5505# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname asa5505
domain-name default.domain.invalid
enable password eDNDD7lBLzSPpYwe encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan2
 description Outside interface
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 208.67.222.222
 name-server 75.75.75.75
 domain-name default.domain.invalid
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-subnet
 subnet 10.10.10.0 255.255.255.0
object-group service Internet-udp udp
 description Standard UDP Internet services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description Standard TCP Internet services
 port-object eq www
 port-object eq https
 port-object eq domain
access-list inside-in remark -=[Access lists to allow Internet TCP/UDP outgoing packets from inside interface]=-
access-list inside-in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-subnet
 nat (inside,outside) dynamic interface
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.10.1 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username xxxxxxx password wwmM/Ms2vq88kRD4 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:56f0ee6b06aef749dc1dda4197bbd2cc
: end


7 Replies

Julio Carvajal
VIP Alumni

Hello Austin,

Well you have SSH enabled on the outside

ssh 0.0.0.0 0.0.0.0 outside

My recommendation is to take a capture while trying to connect:

capture capout interface outside match tcp any host x.x.x.x (ASA IP Address) eq 22

For access to the Inside host from the internet you will need to have a static NAT configured or a port-forwarding that allows access from Out to In to a public IP address.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks for the suggestions.

My understanding is that Teamviewer runs over http (port 80). As you can see in the "Internet-tcp" object group, http is being allowed. In my initial tests I was able to connect to the internet just fine from the Teamviewer host, and I was also able to remote in to the Teamviewer host from a different network. Since Teamviewer runs over http, do I really need a static NAT?

Thanks!

After re-visiting the configs again I am thinking that there is an issue with my NAT statement. Currently I have nat (inside,outside) dynamic interface. Since my outside interface has a static IP assigned I am thinking that this command should be replaced with nat (inside,outside) static interface.

Can anyone confirm whether this is the case?

Thanks!


No,

That's not the case.

You have an internal address range of 10.10.10.x

This is a private range.

In order for you to access your PC from the internet, your PC should look like a public IP address.

Do the following

object network Team-Viewer
 host 10.10.10.x (team viewer PC IP)
exit
object service TCP_80
 service tcp source eq 80
exit
nat (inside,outside) source static Team-Viewer interface service TCP_80 TCP_80
access-list outside_in permit tcp any host 10.10.10.x (Team Viewer PC IP address) eq 80
access-group outside_in in interface outside

With this anyone will be able to open a TCP connection to that Team Viewer PC over port 80

Cheers,

Julio Carvajal Segura

Julio,

Thanks again for the help.

That would work, but isn't this a static NAT? I wouldn't want to use a static NAT to the Teamviewer host because then all of my web traffic would be directed towards that single host. That's not going to work.

Do I need to open up port 80 to any inside destination?

Thanks!

Hello,

All web traffic from the outside to the inside. Not from the inside to the outside.

I do not see any HTTP server configuration on your ASA so it would not affect.

That being said, only opening the port will not work. You already have the solution; let me know if you need something else.

Cheers,

Julio Carvajal Segura

Julio,

Thanks for the simple explanation. Instead of using Teamviewer, I switched to UltraVNC, so I replaced port 80 with 5900. Your commands worked great - VNC from remote is working just fine. Here is what I ended up applying to the firewall:

object network VNC
 host 10.10.10.x
exit
object service TCP_5900
 service tcp source eq 5900
exit
nat (inside,outside) source static VNC interface service TCP_5900 TCP_5900
access-list outside_in permit tcp any host 10.10.10.x eq 5900
access-group outside_in in interface outside

Thanks again!
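A small config audit in the defender's direction, added here as an example and not part of the thread or of Cisco's tooling: it scans the kinds of lines the original post and the accepted solution contain and reports what the outside interface exposes to arbitrary sources (management access from 0.0.0.0/0, the legacy dh-group1-sha1 key exchange, and port forwards whose ACL permits from `any`). The sample config and the placeholder addresses are constructed from this thread; on ASA 8.3+ the inbound ACL references the real (pre-NAT) address, which is why the forwarded host appears as 10.10.10.x.

```python
"""Audit an ASA running-config excerpt for outside-facing exposure.

Added example; it parses only the line shapes seen in this thread
(ssh/http/telnet access lines, access-list/access-group, key-exchange).
"""
import re

# Constructed sample built from the thread's configs; addresses are placeholders.
SAMPLE_CONFIG = """
ssh 10.10.10.1 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh key-exchange group dh-group1-sha1
http 10.10.10.0 255.255.255.0 inside
access-list inside-in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
access-list outside_in permit tcp any host 10.10.10.x eq 5900
access-group inside-in in interface inside
access-group outside_in in interface outside
"""

# "ssh|http|telnet <ip> <mask> <nameif>": who may reach the management plane.
MGMT_RE = re.compile(r"^(ssh|http|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")
# "access-list <name> [extended] permit <proto> <src...> host <dst> eq <port>"
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.+?)\s+host\s+(\S+)\s+eq\s+(\S+)$"
)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit(config: str) -> list[str]:
    """Return one finding per exposure found in the config text, in config order."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # First pass: which ACLs are applied inbound on the outside interface.
    outside_acls = {m.group(1) for ln in lines
                    if (m := GROUP_RE.match(ln)) and m.group(2) == "outside"}
    findings = []
    for ln in lines:
        m = MGMT_RE.match(ln)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            findings.append(f"{m.group(1)} management open to any source on {m.group(4)}")
        if ln == "ssh key-exchange group dh-group1-sha1":
            findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit DH with SHA-1)")
        m = ACL_RE.match(ln)
        if m and m.group(1) in outside_acls and m.group(3) == "any":
            findings.append(f"{m.group(1)}: {m.group(2)}/{m.group(5)} forwarded to "
                            f"{m.group(4)} from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Narrowing the `ssh ... outside` line and the `outside_in` source to a single management address, and moving to dh-group14-sha1, clears all three findings.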
