Solved: ASA 5520 cannot access Internet

stavroskalamat · ‎08-07-2013

A few months ago I wasn't able to spell Cisco's name and here I am trying to configure an ASA 5520 on a small network I was tasked to put together. I saw this as a great learning opportunity, especially becoming familiar with Cisco's networking philosophy, so I went for it. I'm at a point though I need an expert's eye to give me a lead on the following issue:

Have VLANs 201, 202 and 203 physical and virtual machines on inside and dmz access the internet.

The guest network router has already configured with static routes to go from the non-routable 192.168.132.y to a public ip address. The laptop on the guest network (please see network.jpg) has internet access to confirm the aforementioned.

Also, the ASA 5520, with its config as shown on the log attached, can ping the laptop on 192.168.132.32, all 10.0.x.y interfaces (10.0.201.1, 10.0.202.1 and the 10.0.200.1), the outside FW interface (currently at 192.168.132.105) and the guest network router's public ip address. That, and a lot of packet tracing, led me to believe I'm missing something on my ACLs or my config is wrong somewhere I can't see.

Although the CLI is more convenient to me I attached a few screen-shots for clarification purposes.

The files attached carry self-explanatory names, however, if they miss pieces of info that'll expedite your assistance comments I'll be glad to follow up.

By the way, can somebody recommend a book (or books) on switching & routing that gradually introduce the concepts, (it's more than intutive that design exercises and hands-on experience are an absolute MUST to gain further knowledge) so a novice in the field will work slowly on building a theoretical foundation as a start?

Appreciate your help.

sk

Jouni Forss · ‎08-09-2013

Hi,

You have tested with the "packet-tracer" connection from network 192.168.132.0/24 to one of the 10-networks.

This is not possible with teh current configurations are you are doing Dynamic PAT from the LAN/DMZ interfaces to the "outside" interface.

To be able to access the 10-network from the 192.168.132.0/24 network directly you would need NAT0 configuration.

Notice that you CANT test return traffic with "packet-tracer". The "packet-tracer" always tests a incoming first packet for some connection. So if no Dynamic PAT translation is active at the moment on the firewall then you wont be able to test any return traffic for a non existing connection.

I can't see anything wrong with the firewall configuration at the moment.

I guess you can try the "packet-tracer" command from the CLI to simulate outbound Internet connection

packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80

packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80

Use the exact above commands and post the output from CLI

- Jouni

View solution in original post

Jouni Forss · ‎08-09-2013

Hi,

You dont have ACL on the INS_SRV interface allowing that traffic. To allow all traffic from INS_SRV you would need the following ACL rule

access-list ins_srv_access_in extended permit ip 10.0.201.0 255.255.255.0 any

- Jouni

View solution in original post

Jouni Forss · ‎08-07-2013

Hi,

So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?

Whit what are you trying to test Internet connectivity?

Incase you are trying to test with ICMP try adding these configurations

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Then try ICMP again.

I would suggest doing the following changes.

Remove all the interface ACLs that are attached in the Outbound direction (out)

no access-group outout out interface outside

no access-group ins_srv_access_out out interface ins_srv

Its usually best to control the traffic entering an interface of the ASA and not the traffic leaving it.

To clarify

access-group out interface
- This would attach an ACL to an interface in the outbound direction. It would control traffic heading out from this interface. In other words, the traffic has already come from behind some other ASA interface and is now heading out of this interface.
access-group in interface
- This would attach an ACL to an inteface in the inbound direction. It would control traffic heading towards this interface. In other words, the traffic would just be entering the ASA through this interface

This is why using Inbound interface ACL would make the most sense. You very rarely need to apply Outbound ACLs. Most of the time they cause more problems and add complexity to the setup.

With regards to the NAT configurations, you seem to have a basic Dynamic PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address seems to be from the network 192.168.132.0/24 which is directly connected to the Internet router also. This should already mean that there should be no problem with routing between the ASA and the Internet router. I would presume also that the Internet router is doing NAT for the ASAs "outside" interface IP address.

Can you clarify a bit what the situation is at the moment?

Hope this helps

- Jouni

stavroskalamat · ‎08-09-2013

Hello Jouni,

First of all I appreciate your prompt resourceful response.

Answers to your Qs follow:

Q>

So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?

Answer: That is correct. In other words all machines (phys. & virtual) in 10.0.0.0/16 (covering 10.0.201.0, 10.0.202.0, and 10.0.200.0) can NOT access the internet.

Q>

what are you trying to test Internet connectivity?

Incase you are trying to test with ICMP try adding these configurations

Answer: My attempt to go out was by using icmp packets (ping), if I'm using the right terms. So, I go to various machines in 10.0.0.0/16 and try to ping beyond the gateway. For example, from machine with ip 10.0.201.215 I ping 10.0.201.1 successfully BUT when i try to ping 192.168.132.105 (outside interf. on the ASA5520) I get a "request timed out".

Also, from 10.0.201.215 machine, after a changing the ACL Rules (see latest copy of ASA5520 config) based upon the advice of your response, I can successfully ping the following in the guest network.

192.168.132.32 (laptop)

192.168.132.1 (gateway)

192.168.132.11 (switch)

From an ssh session on ASA5520 I can successfully ping all the above and more:

10.0.201.1

192.168.132.105 (outside interf. of ASA5520)

192.168.132.1

192.168.132.32

192.168.132.11

and the routable ip address on the outside interf. of the guest network router

Q>

Trying

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Answer: the above 4 icmp lines and the ACL Rule changes you recommended together, I presume, changed the response from the machines in the 10.0.0.0/16, in other words I can ping IP address in the 192.168.132.0/24 from 10.0.201.215 for example, as mentioned up above.

Still can NOT ping ASA's outside interf. from a machine located in a inside VLAN but according to the following thread

http://www.sadikhov.com/forum/index.php?/topic/150887-cant-ping-from-inside-to-outside-interface-with-asa5505/

I am not supposed to.

Q>

Remove all the interface ACLs that are attached in the Outbound direction (out)

no access-group outout out interface outside

no access-group ins_srv_access_out out interface ins_srv

Answer:

This comment makes absolute sense.

This is why using Inbound interface ACL would make the most sense. You very rarely need to apply Outbound ACLs. Most of the time they cause more problems and add complexity to the setup.

I should have thought of that.

Q>

With regards to the NAT configurations, you seem to have a basic Dynamic PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address seems to be from the network 192.168.132.0/24 which is directly connected to the Internet router also.

Answer: the above statement is correct

Q>

This should already mean that there should be no problem with routing between the ASA and the Internet router. I would presume also that the Internet router is doing NAT for the ASAs "outside" interface IP address.

Answer: You are correct there's no problem routing between the ASA and the guest network router since I can ping the outside routable IP on the router from an ssh session on the ASA.

Indeed, the internet route is doing NAT for the ASAs outside interf. IP address.

I'm attaching the latest & greatest ASA5520 config.

Please ask me more Qs that'll clarify the env'nt and will expedite troubleshooting. Meanwhile, I'm thinking about this day and night and I am reading about Staic.Dynamic NAT/PAT, etc on cisco's web site continuously to educate myself so I figure out I'm doing wrong.

Thanks in advance,

Stavros

I cannot attach a doc so I'm copying & pasting the latest (Aug. 9th) ASA's config down below

ASA Version 8.2(1)

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.132.105 255.255.255.0

!

interface GigabitEthernet0/1

nameif ins_srv

security-level 100

ip address 10.0.201.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif ins_cli

security-level 100

ip address 10.0.202.1 255.255.255.0

!

interface GigabitEthernet0/3

nameif dmz

security-level 50

ip address 10.0.200.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 90

ip address 10.0.203.10 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup ins_srv

dns domain-lookup ins_cli

dns domain-lookup dmz

dns domain-lookup management

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service IBM_TivoliEndPointMngr tcp-udp

description Patch Mngt SW

port-object eq 52311

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service KiwiSyslog

description Solarwinds Kiwi

service-object udp eq syslog

object-group service TeredoPackets udp

description Blocks UDP port 3544 traffic inbound and outbound

port-object eq 3544

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object tcp eq echo

service-object tcp eq www

service-object udp eq www

service-object icmp

service-object icmp6

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_5

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

access-list ins_srv_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 any

access-list ins_srv_nat0_outbound extended permit ip 10.0.200.0 255.255.255.0 any

access-list outside_nat_outbound extended permit tcp 192.168.132.0 255.255.255.0 eq www 10.0.201.0 255.255.255.0 eq www

access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any

access-list dmz_access_in extended permit ip any any

access-list ins_cli_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.202.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.200.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 192.168.132.0 255.255.255.0

access-list dmz extended permit object-group KiwiSyslog host 10.0.200.100 host 10.0.201.215

access-list dmz extended permit object-group TCPUDP host 10.0.200.100 host 10.0.201.215 object-group IBM_TivoliEndPointMngr

access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.202.0 255.255.255.0

access-list dmz extended permit ip 10.0.200.0 255.255.255.0 any

access-list ins_srv_mpc extended permit ip any any

access-list outside_mpc extended permit ip any any

access-list ins_cli_mpc extended permit ip any any

access-list dmz_mpc extended permit ip any any

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.132.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list ins_srvnat0_outbound extended permit ip 10.0.201.0 255.255.255.0 10.0.201.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap debugging

logging asdm informational

logging mail emergencies

logging host ins_srv 10.0.201.215

mtu outside 1500

mtu ins_srv 1500

mtu ins_cli 1500

mtu dmz 1500

mtu management 1500

no failover

icmp unreachable rate-limit 10 burst-size 5

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (ins_srv) 0 access-list ins_srv_nat0_outbound

nat (ins_srv) 1 10.0.201.0 255.255.255.0

nat (ins_cli) 0 access-list ins_cli_nat0_outbound

nat (ins_cli) 1 10.0.202.0 255.255.255.0

nat (dmz) 1 10.0.200.0 255.255.255.0

access-group outside_access_in in interface outside

access-group ins_srv_access_in in interface ins_srv

access-group ins_cli_access_in in interface ins_cli

access-group dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.132.105 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa local authentication attempts max-fail 3

aaa authorization exec authentication-server

filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

http server enable

http 0.0.0.0 0.0.0.0 management

http 10.0.201.0 255.255.255.0 ins_srv

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 10.0.201.0 255.255.255.0 ins_srv

ssh timeout 30

ssh version 2

console timeout 5

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp authentication-key 1 md5 *

ntp authenticate

ntp trusted-key 1

ntp server 64.90.182.55 key 1 source outside

ntp server 96.47.67.105 key 1 source outside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

vpn-tunnel-protocol svc webvpn

webvpn

url-list value OtherLinks

svc ask enable default webvpn

class-map ins_cli-class

match access-list ins_cli_mpc

class-map ins_srv-class

match access-list ins_srv_mpc

class-map inspection_default

match default-inspection-traffic

class-map dmz-class

match access-list dmz_mpc

class-map outside-class

match access-list outside_mpc

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

policy-map outside-policy

class outside-class

ips inline fail-open

policy-map dmz-policy

class dmz-class

ips inline fail-open

policy-map ins_cli-policy

class ins_cli-class

ips inline fail-open

policy-map ins_srv-policy

class ins_srv-class

ips inline fail-open

!

service-policy global_policy global

service-policy outside-policy interface outside

service-policy ins_srv-policy interface ins_srv

service-policy ins_cli-policy interface ins_cli

service-policy dmz-policy interface dmz

smtp-server 173.194.76.108

prompt hostname context

Jouni Forss · ‎08-09-2013

Hi,

Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?

As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.

Only hosts located behind an interface can ICMP that interface and receive a reply. Sending ICMP from a host to an ASA interface IP address that is NOT where the host is located at will always fail.

- Jouni

stavroskalamat · ‎08-09-2013

Hello Jouni,

Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?

Answer: I cannot ICMP from the LAN/DMZ networks to the Internet. The way I try to do that is by opening a command prompt on

Windows of an internal host (10.0.201.215 in this case) and try to ping the outside IP address of the guest network router or ping yahoo.com for example. The response I get is "Request timed out".

As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.

Answer: You're correct. I cannot ping 192.168.132.105 (ASA outside interf. IP address) from a windows prompt of an internal host, such as 10.0.201.215

Only hosts located behind an interface can ICMP that interface and receive a reply. Sending ICMP from a host to an ASA interface IP address that is NOT where the host is located at will always fail.

Answer: That's correct.

I also attached 3 images that show an ASA packet tracer image for IP packets travelling from 10.0.201.215 to 192.168.132.32 (guest network laptop) and back. The forward traffic stops at a NAT Rule and the reverse traffic stops at the impicit Deny any any Rule of the incoming ACL rules of the ins_srv internal.

However, a packet tracer monitoring TCP packets from the same source (10.0.201.215) to the same destination (192.168.132.32) goes all the way w/o a problem. The reverse traffic of TCP packets stops also at the impicit Deny any any Rule of the incoming ACL rules of the ins_srv internal.

I hope I answered your Qs.

Thanks in advance for your time and consultation.

Jouni Forss · ‎08-09-2013