ASA 8.4 - Configuration Help

nevilleleo · ‎05-15-2012

So, we've been trying to get our network ipv6 compatible and had to upgrade the IOS on our ASA 5510 to 8.4

Little did we know that upgrade to 8.4 would need me to change all out NATs and Access-lists. We have a 1-1 NAT configuration that I need to keep with a bunch of regular rules to different servers (http, ftp, rdp, etc..)

I've been able to change all of that and was able to test it out successfully in our test environment. But, when I moved this to our prod env, the servers aren't able to connect to the internet. I haven't changed any routes - no changes in IP's - just changing the ASA.

Any ideas why ?

Here is the "reduced" config file - Let me know what you guys think

: Saved

:

ASA Version 8.4(1)

!

hostname asafw01

enable password

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 20.x.x.250 255.255.255.0

ipv6 address 2400:8800:5f01:12::2/64

ipv6 enable

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

description LAN Failover Interface

!

interface Management0/0

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa841-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network 20.x.x.115

host 20.x.x.115

description vcenter server

object network 20.x.x.10

host 20.x.x.10

object network ang-ipv6

host 2400:8800:5f01:12::40:40

object network 20.x.x.222

host 20.x.x.222

object network 20.x.x.54

host 20.x.x.54

object network 192.168.1.10

host 192.168.1.10

object network 192.168.1.115

host 192.168.1.115

object network 192.168.1.210

host 192.168.1.210

object network 20.x.x.210

host 20.x.x.210

object network 192.168.1.222

host 192.168.1.222

object network 192.168.1.54

host 192.168.1.54

object network 192.168.1.235

host 192.168.1.235

object network 192.168.1.237

host 192.168.1.237

object network 20.x.x.235

host 20.x.x.235

object network 20.x.x.237

host 20.x.x.237

object network 192.168.1.100

host 192.168.1.100

object network 192.168.1.101

host 192.168.1.101

object network 192.168.1.102

host 192.168.1.102

object network 192.168.1.103

host 192.168.1.103

object network 192.168.1.104

host 192.168.1.104

object network 192.168.1.105

host 192.168.1.105

object network 192.168.1.106

host 192.168.1.106

object network 20.x.x.100

host 20.x.x.100

object network 20.x.x.101

host 20.x.x.101

object network 20.x.x.102

host 20.x.x.102

object network 20.x.x.103

host 20.x.x.103

object network 20.x.x.104

host 20.x.x.104

object network 20.x.x.105

host 20.x.x.105

object network 20.x.x.107

host 20.x.x.107

object network 20.x.x.110

host 20.x.x.110

object network 20.x.x.114

host 20.x.x.114

object network 20.x.x.116

host 20.x.x.116

object network 20.x.x.118

host 20.x.x.118

object network 192.168.1.107

host 192.168.1.107

object network 192.168.1.110

host 192.168.1.110

object network 192.168.1.114

host 192.168.1.114

object network 192.168.1.116

host 192.168.1.116

object network 192.168.1.118

host 192.168.1.118

object network 192.168.1.12

host 192.168.1.12

object network 192.168.1.120

host 192.168.1.120

object network 192.168.1.121

host 192.168.1.121

object network 192.168.1.122

host 192.168.1.122

object network 20.x.x.12

host 20.x.x.12

object network 20.x.x.120

host 20.x.x.120

object network 20.x.x.121

host 20.x.x.121

object network 20.x.x.122

host 20.x.x.122

object network 192.168.1.130

host 192.168.1.130

object network 192.168.1.131

host 192.168.1.131

object network 192.168.1.132

host 192.168.1.132

object network 20.x.x.130

host 20.x.x.130

object network 20.x.x.131

host 20.x.x.131

object network 20.x.x.132

host 20.x.x.132

object network 192.168.1.133

host 192.168.1.133

object network 192.168.1.135

host 192.168.1.135

object network 192.168.1.136

host 192.168.1.136

object network 20.x.x.133

host 20.x.x.133

object network 20.x.x.135

host 20.x.x.135

object network 192.168.1.140

host 192.168.1.140

object network 20.x.x.136

host 20.x.x.136

object network 20.x.x.140

host 20.x.x.140

object network 192.168.1.149

host 192.168.1.149

object network 192.168.1.150

host 192.168.1.150

object network 20.x.x.149

host 20.x.x.149

object network 20.x.x.150

host 20.x.x.150

object network 192.168.1.151

host 192.168.1.151

object network 20.x.x.151

host 20.x.x.151

object network 192.168.1.152

host 192.168.1.152

object network 192.168.1.153

host 192.168.1.153

object network 192.168.1.154

host 192.168.1.154

object network 192.168.1.155

host 192.168.1.155

object network 192.168.1.156

host 192.168.1.156

object network 192.168.1.157

host 192.168.1.157

object network 192.168.1.158

host 192.168.1.158

object network 192.168.1.159

host 192.168.1.159

object network 20.x.x.152

host 20.x.x.152

object network 20.x.x.153

host 20.x.x.153

object network 20.x.x.154

host 20.x.x.154

object network 20.x.x.155

host 20.x.x.155

object network 20.x.x.156

host 20.x.x.156

object network 20.x.x.157

host 20.x.x.157

object network 20.x.x.158

host 20.x.x.158

object network 20.x.x.159

host 20.x.x.159

object network 192.168.1.160

host 192.168.1.160

object network 20.x.x.160

host 20.x.x.160

object network 192.168.1.201

host 192.168.1.201

object network 192.168.1.206

host 192.168.1.206

object network 192.168.1.207

host 192.168.1.207

object network 20.x.x.201

host 20.x.x.201

object network 20.x.x.206

host 20.x.x.206

object network 20.x.x.207

host 20.x.x.207

object network 192.168.1.22

host 192.168.1.22

object network 192.168.1.23

host 192.168.1.23

object network 20.x.x.22

host 20.x.x.22

object network 20.x.x.23

host 20.x.x.23

object network 192.168.1.24

host 192.168.1.24

object network 192.168.1.25

host 192.168.1.25

object network 192.168.1.30

host 192.168.1.30

object network 192.168.1.31

host 192.168.1.31

object network 192.168.1.32

host 192.168.1.32

object network 192.168.1.33

host 192.168.1.33

object network 20.x.x.24

host 20.x.x.24

object network 20.x.x.25

host 20.x.x.25

object network 20.x.x.30

host 20.x.x.30

object network 20.x.x.31

host 20.x.x.31

object network 20.x.x.32

host 20.x.x.32

object network 20.x.x.33

host 20.x.x.33

object network 192.168.1.40

host 192.168.1.40

object network 192.168.1.41

host 192.168.1.41

object network 192.168.1.42

host 192.168.1.42

object network 192.168.1.43

host 192.168.1.43

object network 192.168.1.45

host 192.168.1.45

object network 192.168.1.47

host 192.168.1.47

object network 20.x.x.40

host 20.x.x.40

object network 20.x.x.41

host 20.x.x.41

object network 20.x.x.42

host 20.x.x.42

object network 20.x.x.43

host 20.x.x.43

object network 20.x.x.45

host 20.x.x.45

object network 20.x.x.47

host 20.x.x.47

object network 20.x.x.55

host 20.x.x.55

object network 20.x.x.57

host 20.x.x.57

object network 192.168.1.55

host 192.168.1.55

object network 192.168.1.57

host 192.168.1.57

object network 192.168.1.71

host 192.168.1.71

object network 192.168.1.73

host 192.168.1.73

object network 192.168.1.74

host 192.168.1.74

object network 192.168.1.75

host 192.168.1.75

object network 192.168.1.76

host 192.168.1.76

object network 20.x.x.71

host 20.x.x.71

object network 20.x.x.73

host 20.x.x.73

object network 192.168.1.77

host 192.168.1.77

object network 192.168.1.78

host 192.168.1.78

object network 192.168.1.79

host 192.168.1.79

object network 192.168.1.80

host 192.168.1.80

object network 20.x.x.74

host 20.x.x.74

object network 20.x.x.75

host 20.x.x.75

object network 20.x.x.76

host 20.x.x.76

object network 20.x.x.77

host 20.x.x.77

object network 20.x.x.78

host 20.x.x.78

object network 20.x.x.79

host 20.x.x.79

object network 20.x.x.80

host 20.x.x.80

object network 192.168.1.145

host 192.168.1.145

object network 192.168.1.16

host 192.168.1.16

object network 192.168.1.165

host 192.168.1.165

object network 192.168.1.183

host 192.168.1.183

object network 20.x.x.145

host 20.x.x.145

object network 20.x.x.16

host 20.x.x.16

object network 20.x.x.165

host 20.x.x.165

object network 20.x.x.183

host 20.x.x.183

object network 192.168.1.170

host 192.168.1.170

object network 192.168.1.171

host 192.168.1.171

object network 192.168.1.175

host 192.168.1.175

object network 192.168.1.181

host 192.168.1.181

object network 20.x.x.170

host 20.x.x.170

object network 20.x.x.171

host 20.x.x.171

object network 20.x.x.175

host 20.x.x.175

object network 20.x.x.181

host 20.x.x.181

object network 192.168.1.21

host 192.168.1.21

object network 20.x.x.21

host 20.x.x.21

object network 172.16.0.12

host 172.16.0.12

object network obj-192.168.1.12

host 192.168.1.12

object network obj-192.168.1.80

host 192.168.1.80

object network obj-192.168.1.79

host 192.168.1.79

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.100

host 192.168.1.100

object network obj-192.168.1.101

host 192.168.1.101

object network obj-192.168.1.102

host 192.168.1.102

object network obj-192.168.1.103

host 192.168.1.103

object network obj-192.168.1.104

host 192.168.1.104

object network obj-192.168.1.105

host 192.168.1.105

object network obj-192.168.1.107

host 192.168.1.107

object network obj-192.168.1.110

host 192.168.1.110

object network obj-192.168.1.114

host 192.168.1.114

object network obj-192.168.1.116

host 192.168.1.116

object network obj-192.168.1.118

host 192.168.1.118

object network obj-192.168.1.120

host 192.168.1.120

object network obj-192.168.1.121

host 192.168.1.121

object network obj-192.168.1.122

host 192.168.1.122

object network obj-192.168.1.130

host 192.168.1.130

object network obj-192.168.1.131

host 192.168.1.131

object network obj-192.168.1.132

host 192.168.1.132

object network obj-192.168.1.133

host 192.168.1.133

object network obj-192.168.1.135

host 192.168.1.135

object network obj-192.168.1.136

host 192.168.1.136

object network obj-192.168.1.155

host 192.168.1.155

object network obj-192.168.1.156

host 192.168.1.156

object network obj-192.168.1.157

host 192.168.1.157

object network obj-192.168.1.158

host 192.168.1.158

object network obj-192.168.1.159

host 192.168.1.159

object network obj-192.168.1.160

host 192.168.1.160

object network obj-192.168.1.16

host 192.168.1.16

object network obj-192.168.1.165

host 192.168.1.165

object network obj-192.168.1.170

host 192.168.1.170

object network obj-192.168.1.171

host 192.168.1.171

object network obj-192.168.1.175

host 192.168.1.175

object network obj-192.168.1.181

host 192.168.1.181

object network obj-192.168.1.183

host 192.168.1.183

object network obj-192.168.1.206

host 192.168.1.206

object network obj-192.168.1.207

host 192.168.1.207

object network obj-192.168.1.21

host 192.168.1.21

object network obj-192.168.1.210

host 192.168.1.210

object network obj-192.168.1.22

host 192.168.1.22

object network obj-192.168.1.23

host 192.168.1.23

object network obj-192.168.1.222

host 192.168.1.222

object network obj-192.168.1.235

host 192.168.1.235

object network obj-192.168.1.237

host 192.168.1.237

object network obj-192.168.1.24

host 192.168.1.24

object network obj-192.168.1.25

host 192.168.1.25

object network obj-192.168.1.30

host 192.168.1.30

object network obj-192.168.1.31

host 192.168.1.31

object network obj-192.168.1.32

host 192.168.1.32

object network obj-192.168.1.33

host 192.168.1.33

object network obj-192.168.1.40

host 192.168.1.40

object network obj-192.168.1.41

host 192.168.1.41

object network obj-192.168.1.42

host 192.168.1.42

object network obj-192.168.1.43

host 192.168.1.43

object network obj-192.168.1.45

host 192.168.1.45

object network obj-192.168.1.47

host 192.168.1.47

object network obj-192.168.1.54

host 192.168.1.54

object network obj-192.168.1.55

host 192.168.1.55

object network obj-192.168.1.57

host 192.168.1.57

object network obj-192.168.1.71

host 192.168.1.71

object network obj-192.168.1.73

host 192.168.1.73

object network obj-192.168.1.74

host 192.168.1.74

object network obj-192.168.1.75

host 192.168.1.75

object network obj-192.168.1.76

host 192.168.1.76

object network obj-192.168.1.77

host 192.168.1.77

object network obj-192.168.1.78

host 192.168.1.78

object-group network DM_INLINE_NETWORK_2

network-object object 20.x.x.31

network-object object 20.x.x.32

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

object-group network DM_INLINE_NETWORK_3

network-object object 20.x.x.76

network-object object 20.x.x.80

object-group network DM_INLINE_NETWORK_4

network-object object 192.168.1.40

network-object object 192.168.1.43

network-object 0.0.0.0 0.0.0.0

object-group service DM_INLINE_TCP_15 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_10

network-object object 20.x.x.155

network-object object 20.x.x.156

network-object object 20.x.x.157

object-group service DM_INLINE_TCP_16 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_17 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_18 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_19 tcp

port-object eq www

port-object eq ssh

object-group service DM_INLINE_TCP_20 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_12

network-object object 192.168.1.210

network-object object 192.168.1.23

object-group network DM_INLINE_NETWORK_13

network-object object 192.168.1.149

network-object object 192.168.1.150

network-object object 192.168.1.151

network-object object 192.168.1.152

network-object object 192.168.1.153

network-object object 192.168.1.154

object-group service DM_INLINE_TCP_21 tcp

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_14

network-object object 192.168.1.155

network-object object 192.168.1.156

network-object object 192.168.1.157

access-list outside_access_in remark DNS

access-list outside_access_in extended permit object-group TCPUDP any any eq domain

access-list outside_access_in remark DNS

access-list outside_access_in extended permit udp any any eq ntp

access-list outside_access_in extended deny tcp object-group DM_INLINE_NETWORK_1 object 192.168.1.75 eq www

access-list outside_access_in extended permit tcp any object 192.168.1.57 eq ssh

access-list outside_access_in extended permit tcp any object 192.168.1.140 eq www

access-list outside_access_in extended permit tcp any object 192.168.1.107 eq www

access-list outside_access_in extended permit tcp any object 192.168.1.114 eq ssh

access-list outside_access_in extended permit tcp any object 192.168.1.115 eq 3389

access-list outside_access_in extended permit tcp any object 192.168.1.165 eq www

access-list outside_access_in remark Webtrends

access-list outside_access_in extended permit tcp any object 192.168.1.16 eq www

access-list outside_access_in extended permit tcp any object 192.168.1.10 eq www

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ipv6 route outside ::/0 2400:80:aaa:12::1

ipv6 access-list outside_access_ipv6_in permit tcp any host 2400:80:aaa:12:0:2:40:40 eq www

no failover

failover lan unit primary

failover lan interface failover Ethernet0/3

failover key *****

failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

!

object network 192.168.1.115

nat (inside,outside) static 20.x.x.115 dns

object network obj-192.168.1.12

nat (inside,outside) static 20.x.x.12 dns

object network obj-192.168.1.80

nat (inside,outside) static 20.x.x.80 dns

object network obj-192.168.1.79

nat (inside,outside) static 20.x.x.79 dns

object network obj-192.168.1.10

nat (inside,outside) static 20.x.x.10 dns

object network obj-192.168.1.78

nat (inside,outside) static 20.x.x.78 dns

access-group outside_access_in in interface outside

access-group outside_access_ipv6_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 20.x.x.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt noproxyarp inside

sysopt noproxyarp management

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

: end

asdm image disk0:/asdm-641.bin

no asdm history enable

Julio Carvajal · ‎05-15-2012

Hello Nevile,

1-Are you able to get to the internet from the ASA? ( Pinf 4.2.2.2 from the ASA)

2-Can you share the following packet tracer:

packet-tracer input inside tcp 192.168.1.115 1025 4.2.2.2 80

3-Is there any specific server unable to go to the internet or all the servers are unable to go to the outside

4- Is there any host behind the ASA being able to go to the internet.

Based on that we will do captures?

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nevilleleo · ‎05-15-2012

Hey Julio,

When I had the ASA hooked up to the prod network,:

1) I could ping out from the ASA to 8.8.8.8

2) I could ping the gateway 20.x.x.1

3) None of the servers behind the firewall could ping 8.8.8.8

4) servers could ping inside 192.168.1.1

So to answer your questions:

1) Yes- can ping out.

2) cannot current do packet-tracer as not connected to prod network.

3) All servers are disconnected from internet - no traffic coming in, and all traffic going out fails with a SYN timeout.

4) No host can go out.

Julio Carvajal · ‎05-15-2012

Hello Nevile,

We will need to determine via captures if the ASA is sending the traffic out to the outside ISP router and if he is getting any replay becauase it looks like that is the problem.

Is there a way you can reload the ISP router as soon as you have it connected to the Pro ASA the next time! It could be an ARP issue.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nevilleleo · ‎05-15-2012

Ok Julio,

I will try the packet tracer when I bring it back to prod (its a physically different location).

In the meantime - is my Static NAT configuration correct ?

I'm trying to setup a 1-1 NAT for a Class C network.

object network obj-192.168.1.78

nat (inside,outside) static 20.x.x.78 dns

Julio Carvajal · ‎05-15-2012

Hello Neville,

That would be great please share the packet tracer as soon as you have it, Yes the static one to one looks right.

With the capture we will determine if the ISP router is routing back to us.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nevilleleo · ‎05-15-2012

Julio,

Here is the output of the packet trace command from my test environment:

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network 192.168.1.12

nat (inside,outside) static 172.16.0.12 dns

Additional Information:

Static translate 192.168.1.12/1025 to 172.16.0.12/1025

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 161, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

nevilleleo · ‎05-15-2012

Also, No way that I can reload the ISP router.

I have the ISP connection come in to a Cisco 2900xl Switch on a seperate vlan, and from there it goes to the outside interface of the firewall.

lcambron · ‎05-15-2012

Neville,

Packet flow on the ASA looks good, it's been nat'ed to a private IP though (172.16.0.12) instead of

20.x.x.x, maybe you change it on the output for security reasons.

When you use NAT with IP different from the IP on the outside interface, it is a common issue to see that there is no reply from the ISP device like Julio said.

This is because the ISP does not have an arp entry on its arp table.

Other the reloading it, you can change the IP on the outside interface to the IP used on the NAT to force an arp entry, and then change it back.

example:

interface Ethernet0/0

nameif outside

ip address 20.x.x.250 255.255.255.0

object network obj-192.168.1.78

nat (inside,outside) static 20.x.x.78

interface Ethernet0/0

ip address 20.x.x.78 255.255.255.0

interface Ethernet0/0

ip address 20.x.x.250 255.255.255.0

You would need to have the ASA inline to take some captures and confirm if this is the issue.

Julio Carvajal · ‎05-15-2012

Hello Nevile,

Just to add to what Luis said. As soon as you change the outside interface of the ASA to the one used on the nat send a ICMP request to the ISP router so this updates its ARP table.

Afterwards change the outside ip address to the previously defined and then try to access the server one more time.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nevilleleo · ‎05-16-2012

Julio and Luis,

Are my access-lists correct ?

I noticed that in ASA 8.4+ we have to use the private IP address in the Outside-coming-In. Is that correct ?

I will be trying to install the ASA again later on today. This time I will be using another Switch for the outside interface. Hopefully it should work.

Julio Carvajal · ‎05-16-2012

Hello Nevile,

Yes, you are doing it right as you are using the Private ip address insted of the natted Ip.

Regards,

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC