Solved: ASA 5510 traffic from inside to outside

haidar_alm · ‎10-22-2014

Hello,

I'm working on a basic configuration of a 5510 ASA.

inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24

config is as follows:

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any

global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1

In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.

I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.

So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.

Any ideas please?

Karsten Iwen · ‎10-22-2014

The output in Phase7 still looks very strange. Please upgrade your ASA before testing any further. 8.2(1) was a horrible release.

View solution in original post

Karsten Iwen · ‎10-22-2014

Can you ping from the ASA to an internet-IP like 8.8.8.8?
Can you ping the IP .44.57 from an inside system?

And:

The line "access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https" is probably not needed in your setup as there is no static NAT for an internal server.

haidar_alm · ‎10-22-2014

Hi Karsten,

1. From ASA outside interface I can ping 8.8.8.8

2. From inside interface I cannot ping x.57

However, in the lab when I have a laptop plugged into the outside interface with the x.57, i can ping it. I've statically assigned the laptop with x.57, correct subnet, and a default GW of the ASA outside interface of 58.

Do I need to setup a static NAT?

This setup is for public internet where I will have devices on the inside interface pick up a dhcp address of 192.168.23.x accessing the internet (ISP's Juniper 1x.0.x.57)

Karsten Iwen · ‎10-22-2014

That shows that your external setup is fine. But it's strange that you can ping your external PC but not the provider-device.

Make sure that you have the icmp-inspection active:

policy-map global_policy class inspection_default inspect icmp

Please show the output of the following command:

packet-tracer input INSIDE 192.168.23.10 8 0 144.0.44.47

haidar_alm · ‎10-22-2014

Version of FW:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)

Output of Packet-Trace Command is:

SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
    translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
    identity NAT translation, pool 0
    translate_hits = 107, untranslate_hits = 0
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Karsten Iwen · ‎10-22-2014

obviously you didn't show us the complete NAT-config:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255

You have to correct you NAT-Exemption (nat 0).

And you really should upgrade your ASA to at least 8.2.(5).

haidar_alm · ‎10-22-2014

That was the complete NAT in the OP. Since then I rebooted the FW and it picket up the original config with a different NAT.

I have run the command with the same NAT config now on the OP.

Apologies for the confusion..

haidar_alm · ‎10-22-2014

Sorry, I've made the following change to Nat

global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0

And here is the result of the same packet-trace command:

SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
translate_hits = 66, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 1 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 1 (141.0.x.58 [Interface PAT])
translate_hits = 66, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 286, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Karsten Iwen · ‎10-22-2014

The output in Phase7 still looks very strange. Please upgrade your ASA before testing any further. 8.2(1) was a horrible release.

haidar_alm · ‎10-22-2014

Hi Karsten,

Many thanks for your help mate.

I've upgraded both the image and ASDM and it's flying.

:)

Tagir Temirgaliyev · ‎10-22-2014

config looks like good

problem can be like mac filtering from provider side

Karsten Iwen · ‎10-22-2014

> problem can be like mac filtering from provider side

That seems very unlikely to me. With this NAT-config, the pings from internal PC and the ASA should look completely the same on L2/L3 for the provider-router.

If the ASA is not running the latest 8.2 code, an update should also be done. There have been far too many strange bugs in the ASA.

haidar_alm · ‎10-22-2014

Hi Tagir,

Thought of this and used another laptop to connect straight into ISP's 44.57 and was able to access the internet. If it was MAC filtering, then laptop test should've failed.