Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA 5512 Does no Packet Capture on an Inside VLAN interface definitely mean the packet has not gone?

LAN traffic is going through the ASA5512 fine, onto a single switch and then to servers.

We are trying to NAT some internet IPs to VLANs, and the connections are timing out. The connection is built as below but the only packets captured on the vlan-100 interface are from the Packet Tracer (which states packet allowed).

Built TCP state-bypass connection 7121 from outside:x.x.x.x/56120 (x.x.x.x/56120) to vlan-100:172.16.100.10/3389 (5.x.x.166 /3389)

We are unsure if the problem is with the ASA or the Switch (a Cisco SG300-20, at L2 just mapping the VLAN to specific ports). The VLAN is up on the switch, but I have not yet figured out a way to verify if the traffic is getting there.

I can find no relevant asp drops fpr the VLAN connection on the ASA, so I was wondering whether there were any circumstances where the traffic could be going from the ASA to the switch, but not showing on a packet capture?

5 REPLIES

Can you ping the Server from

Can you ping the Server from the ASA?

Why are u running TCP state bypass?

 

Can u provide show run?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Thanks for your response.No,

Thanks for your response.

No, I can't ping the server from the ASA, though I can ping the vlan-100 interface.

We are running TCP State Bypass as there will ultimately two ASAs from two separate internet feeds in a datacentre and we think response traffic could come via either ASA (Servers will be connected to both via separate switches).

 

show run below (complete but a bit anonymised).. I tried making the 5-Internet interface a VLAN, but I had the same problem with that (i.e could not get through, with no packet capture traffic on the VLAN interface). 5-Internet is working fine as a physical interface going through the same switch.

 

: Saved
:
ASA Version 9.1(1)
!
hostname xxx-xxx-00004
enable password e3TOrE7HjNBQm75. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif 5-Internet
 security-level 100
 ip address 5.x.x.161 255.255.255.240
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan-100
 security-level 100
 ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 ip address 213.x.x.220 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 5-Subnet
 subnet 5.x.x.160 255.255.255.240
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 5-subnet
object network 213-DefaultGateway
 host 213.x.x.217
object service mcgsql
 service tcp source eq 1167 destination eq 1167
object service drac-console
 service tcp destination eq 5900
object network 172-16-100-10-host
 host 172.16.100.10
object network 172-16-100-Subnet
 subnet 172.16.100.0 255.255.255.0
object network 5-102-189-166-host
 host 5.x.x.166
object network blocked-85-195-114-0-24
 subnet 85.195.114.0 255.255.255.0
 description Lot of traffic 28/03/2014
object network blocked-85-195-109-0-24
 subnet 85.195.109.0 255.255.255.0
 description Lot of traffic 28/03/2014
object network blocked-193-8-246-25
 host 193.8.246.25
 description Lot of traffic 28/03/2014
object network blocked-192-168-1-0-24
 subnet 192.168.1.0 255.255.255.0
 description Traffic 28/03/2014
object network blocked-77-68-44-42
 host 77.68.44.42
 description Traffic to 3389 on 28/03/2014
object network blocked-98-158-100-0-24
 subnet 98.158.100.0 255.255.255.0
object network 213-133-135-221-host
 host 213.x.x.221
object-group service rdp tcp
 description Remote Desktop
 port-object eq 3389
object-group network blocked
 description Blocked IP Addresses
 network-object object blocked-85-195-109-0-24
 network-object object blocked-193-8-246-25
 network-object object blocked-192-168-1-0-24
 network-object object blocked-77-68-44-42
 network-object object blocked-85-195-114-0-24
 network-object object blocked-98-158-100-0-24
access-list ACCESS-IN extended permit ip any any
access-list ACCESS-5 extended deny ip object-group blocked any4 log disable
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq https
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq www
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 eq ftp
access-list ACCESS-5 extended permit tcp any4 5.x.x.160 255.255.255.240 object-group rdp
access-list ACCESS-5 extended permit object drac-console any4 5.x.x.160 255.255.255.240
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 echo-reply
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 source-quench
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 unreachable
access-list ACCESS-5 extended deny icmp any4 5.x.x.160 255.255.255.240 time-exceeded
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq https
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq www
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 eq ftp
access-list ACCESS-5 extended permit tcp any4 172.16.100.0 255.255.255.0 object-group rdp
access-list ACCESS-5 extended permit object drac-console any4 172.16.100.0 255.255.255.0
access-list ACCESS-5 extended permit ip 5.x.x.160 255.255.255.240 any4
access-list ACCESS-5 extended permit ip 172.16.100.0 255.255.255.0 any4
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 213.x.x.222 / gds-00004 *****
mtu 5-Internet 1500
mtu vlan-100 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network 172-16-100-10-host
 nat (vlan-100,outside) static 5-102-189-166-host
!
nat (outside,5-Internet) after-auto source static any any destination static 5-Subnet 5-Subnet no-proxy-arp
access-group ACCESS-5 in interface 5-Internet
access-group ACCESS-5 in interface vlan-100
access-group ACCESS-5 in interface outside
route outside 0.0.0.0 0.0.0.0 213.x.x.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
http 213.x.x.180 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp 5-Internet
sysopt noproxyarp vlan-100
sysopt noproxyarp outside
sysopt noproxyarp management
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 213.x.x.180 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.29 source outside prefer
webvpn
 anyconnect-essentials
username xxxxxxxxx password yQYwRFnycPq37kzA encrypted
!
class-map inspection_default
 match default-inspection-traffic
class-map tcp_bypass
 match access-list ACCESS-5
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map 5-policy
 class tcp_bypass
  set connection timeout idle 0:15:00
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy 5-policy interface 5-Internet
service-policy 5-policy interface vlan-100
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69aa7a13a6048cccb567f65f0fc785f2
: end
asdm image disk0:/asdm-711.bin
no asdm history enable

 

 

 

Community Member

object network 172-16-100-10

object network 172-16-100-10-host
 nat (vlan-100,outside) static 5-102-189-166-host

Community Member

The nat to the outside

The nat to the outside interface is correct. We want to use some 5.x.x.x addresses directly, in which case 5-Internet is used, but when the VLAN is in use, we want to NAT the 5.x.x.x address directly to the 172.16.100.x address, which it seems to be doing, except the traffic is never getting there.

Community Member

I figured this out in the end

I figured this out in the end. The ASA was OK, it was the switch that was wrong. I had not included the port that the ASA was connected to in VLAN 100.

Therefore the traffic was presumably leaving the ASA, but then was getting bounced by the switch.

323
Views
0
Helpful
5
Replies
CreatePlease to create content