ASA basic configuration help

vincehgov
Level 1

I'm running into an issue where I cannot even access the internet from the inside network. I did a capture on the ASA. The inside interface shows pings from the internal host to the internet but nothing coming back. The same capture on the outside interface shows the host NATted to the outside interface's IP address. It shows the host sending the pings to the internet and it also shows the ping replies coming back to the outside interface's IP address. So, I know the pings are going from inside to outside and are NATted properly. But for some reason, the ASA is not allowing the traffic back in. Here's my configuration. Can someone enlighten me? This is for a client so I hid his IP address.

: Saved
:
ASA Version 8.2(5)
!
hostname ASA
domain-name x.org
names
!
interface Ethernet0/0
 switchport access vlan 98
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.148.2 255.255.255.0
!
interface Vlan98
 nameif outside
 security-level 0
 ip address <>
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name x
access-list CAP1 extended permit ip any host 8.8.8.8
access-list CAP1 extended permit ip host 8.8.8.8 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 51200
logging asdm-buffer-size 500
logging monitor informational
logging buffered errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 <> 1
route inside 192.168.150.0 255.255.255.0 192.168.148.1 1
route inside 192.168.151.0 255.255.255.0 192.168.148.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8443
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous


4 Replies

Jouni Forss
VIP Alumni

Hi,

Like in another thread, it would seem that you are missing the inspection configurations. Have you completely removed the "policy-map" configurations?

If you have, then you could try adding the following:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect icmp error
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rtsp
  inspect skinny
  inspect icmp
  inspect esmtp
service-policy global_policy global

- Jouni

Thank you. That was it.

Hi,

Basically, what was causing the ICMP not to go through completely was the missing "inspect icmp" configuration.

Without it, the ASA will let the ICMP Echo messages from behind the ASA pass to the Internet, provided of course the "security-level" or the "access-list" allows that.

However, the Echo Reply message would be blocked by default.

The solution to that is adding "inspect icmp" as above (although the above contains a lot more).

Another alternative would have been to allow "echo-reply" messages in an "outside" interface ACL.

- Jouni
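The two fixes Jouni describes, written out as ASA 8.2(5) configuration. This is an added example, not configuration from the thread; the names global_policy and inspection_default are the ones used in the answer above, while OUTSIDE_IN is an assumed ACL name.

```cisco
! Option A (stateful): ICMP inspection. The ASA tracks each echo-request
! leaving "inside" and admits exactly one matching echo-reply back through
! the PAT translation; unsolicited echo-replies are still dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! Option B (stateless): an inbound ACL on "outside". OUTSIDE_IN is an
! assumed name. On 8.2 the ACL is checked against the addresses as seen on
! the outside interface, i.e. the mapped (PAT) address, before translation.
! Everything not listed is still dropped by the implicit deny, which matches
! the default behaviour of a security-level 0 interface. Unlike option A,
! this admits any echo-reply to the outside address whether or not a request
! was sent, so prefer option A where inspection is available.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

After applying either option, a repeat of the CAP1 capture on "inside" should now show the echo-replies that were previously missing.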

Thanks for the explanation. I suspected it was something like this. I looked up as many ASA "basic" configurations for Internet connectivity as I could find, and all they had was dynamic PAT. Thanks!
