ASA not letting me out

andrew-susag
Level 1

Hi, we're configuring this ASA and we're having trouble getting our server on the inside access to the world. I thought it was maybe a NAT issue, as is usually the case for me, but I just can't see anything wrong with it. We're not able to pass IP traffic out of the firewall. Can anyone help me out?

ASA Version 7.2(2)
!
hostname ASA5505
domain-name
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.58.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.x.x.x 255.255.255.0
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 description pippin
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name indianafiber.net
access-list inside_outbound_nat0_acl extended permit ip 10.16.58.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.21.11.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.16.58.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_access_in extended permit ip 10.27.11.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap emergencies
logging debug-trace
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.16.58.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 HQ_2611 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 64.x.x.x 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strongest esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_20
crypto map outside_map 10 set peer 12.x.x.x
crypto map outside_map 10 set transform-set strongest
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 20
tunnel-group 12.x.x.x type ipsec-l2l
tunnel-group 12.x.x.x ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 10.16.58.0 255.255.255.0 inside
ssh 64.x.x.x 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access outside
!
class-map inspection_default
 match default-inspection-traffic

Accepted Solution

Andrew,

Issue the following commands for getting ping to work first. (Inside policy-map configuration the class is referenced with `class`, not `class-map`, which creates a new class map at global level; the commands below use the correct nesting.)

policy-map global_policy
 class inspection_default
  inspect icmp

Then issue the following:

clear arp
clear xlate

If possible, clear the ARP table also.

In Windows Server, issue arp -d at the command line 4-5 times simultaneously.

Then try again.

Regards

8 Replies

husycisco
Level 7

Hi Andrew

Two settings look suspicious.

1) You have a description of "outside" on interface e0/0, and it is a member of VLAN 2, but you configured an interface called vlan2 as outside. Might the uplink be coming from a switch via trunk?

2) HQ_2611 is not specified. Are you sure it is the default gateway?

One last thing: make sure you don't set the ASA's interface IP as the preferred DNS for your server. Set 4.2.2.2 as the preferred DNS on a server inside temporarily for troubleshooting purposes.

Regards

abinjola
Cisco Employee

Configuration looks good.

If this is a new setup, did you clear the ARP cache on the upstream router?

Can you ping 4.2.2.2 from the firewall?

I can ping 4.2.2.2 from the firewall.

When I do a "ping in 4.2.2.2", however, I cannot. For some reason, ingress traffic on the inside interface isn't getting to the outside interface.

HQ_2611 should be OK. I deleted the named hosts from my config before I posted it on the netpro site. It does have a valid public IP.

Thanks

From an internal host, try to ping 4.2.2.2 and turn on logs at debug level.

Also, if possible, paste an output here for sh xlate det | inc

clear configure access-list inside_access_in

(that ACL is useless)

you just negated your firewall with:

access-list outside_access_in extended permit ip any any

Also, if you want to be able to ping from the inside to the outside, you need to explicitly allow echo-replies:

access-list outside_access_in permit icmp any any echo-reply

It wouldn't hurt to turn on nat-control.
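A small checker for the mistakes called out in this thread and in the accepted solution (the outside-inbound `permit ip any any`, the redundant inside ACL, no path for echo-replies unless `inspect icmp` is on, a `nat` id with no `global`, and management open on the outside). This is an added example, not code from the thread or from Cisco. The sample config is a constructed cut-down of the posted one with 203.0.113.0/24 standing in for the redacted public /24, and the issue codes are names chosen here, not ASA output.

```python
"""ASA 7.x running-config checks.  Added example, not from the thread or Cisco:
flags outside-inbound 'permit ip any any', an inside ACL that restates the
default, no path for echo-replies, a NAT id with no 'global', and management
services opened on the outside interface."""
import re
from collections import defaultdict

# Constructed sample cut down from the posted config; 203.0.113.0/24 stands in
# for the poster's redacted public /24 (an assumption, not the real address).
AS_POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.16.58.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
http 203.0.113.0 255.255.255.0 outside
ssh 10.16.58.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
"""

PATTERNS = [  # (kind, regex) tried in order against each stripped line
    ("acl", re.compile(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)")),
    ("group", re.compile(r"access-group (\S+) in interface (\S+)")),
    ("nat", re.compile(r"nat \(\S+\) (\d+) ")),
    ("global", re.compile(r"global \(\S+\) (\d+) ")),
    ("mgmt", re.compile(r"(ssh|http|telnet) \S+ \S+ (\S+)$")),
    ("nameif", re.compile(r"nameif (\S+)")),
    ("level", re.compile(r"security-level (\d+)")),
]
ANY_ANY = ("permit", "ip", "any any")
ECHO_REPLY = ("permit", "icmp", "any any echo-reply")


def parse(text):
    """Collect ACL entries, ACL bindings, NAT/global ids, management lines and
    per-interface security levels from the flat config text."""
    cfg = {"acl": defaultdict(list), "group": {}, "nat": set(), "global": set(),
           "mgmt": [], "level": {}, "inspect_icmp": False}
    iface = None                              # set by the most recent 'nameif'
    for raw in text.splitlines():
        line = raw.strip()
        if line == "inspect icmp":            # stateful ICMP, replies tracked
            cfg["inspect_icmp"] = True
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            if kind == "acl":
                cfg["acl"][m[1]].append((m[2], m[3], m[4]))
            elif kind == "group":
                cfg["group"][m[2]] = m[1]     # interface -> ACL name
            elif kind in ("nat", "global"):
                cfg[kind].add(int(m[1]))
            elif kind == "mgmt":
                cfg["mgmt"].append((m[1], m[2]))
            elif kind == "nameif":
                iface = m[1]
            elif iface:                       # kind == "level"
                cfg["level"][iface] = int(m[1])
            break
    return cfg


def find_issues(text):
    """Return (code, message) pairs; an empty list means nothing was flagged."""
    cfg, out = parse(text), []
    for iface, acl in cfg["group"].items():
        entries, level = cfg["acl"].get(acl, []), cfg["level"].get(iface)
        if level == 0 and ANY_ANY in entries:
            out.append(("OUTSIDE_ANY_ANY", f"{acl} on {iface}: 'permit ip any any' "
                        "inbound on a security-level 0 interface negates the firewall"))
        if level == 100 and entries and all(e == ANY_ANY for e in entries):
            out.append(("INSIDE_ACL_REDUNDANT", f"{acl} on {iface}: only 'permit ip "
                        "any any', which is already the default high-to-low behaviour"))
        if (level == 0 and not cfg["inspect_icmp"] and ANY_ANY not in entries
                and ECHO_REPLY not in entries):
            out.append(("NO_ECHO_REPLY", f"{acl} on {iface}: neither 'inspect icmp' nor "
                        "'permit icmp any any echo-reply', so inside pings get no replies"))
    for nat_id in sorted(cfg["nat"] - cfg["global"] - {0}):  # id 0 is NAT exemption
        out.append(("NAT_NO_GLOBAL", f"nat id {nat_id} has no matching 'global' pool"))
    for proto, iface in cfg["mgmt"]:
        if cfg["level"].get(iface) == 0:
            out.append(("MGMT_FROM_OUTSIDE", f"{proto} management open on {iface}"))
    return out


def codes(text):
    """Just the sorted issue codes, handy for comparing before/after configs."""
    return sorted(code for code, _ in find_issues(text))
```

Feed `find_issues()` a saved `show run` (or `AS_POSTED` to see the thread's config flagged). On the posted config it reports the outside any-any, the redundant inside ACL and SSH/HTTP open on the outside; once the any-any line is gone it starts reporting the missing echo-reply permit unless `inspect icmp` is present, which is why the echo-reply ACL reply and the accepted solution each fix the ping problem on their own. The checks are plain string matches on 7.x syntax (`nat`/`global` pairs), so they do not apply to 8.3+ object NAT.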

Thank you everyone, it is working now. I believe that NAT/PAT was the underlying issue. When I cleared xlate and arp it started working this morning. I wiped the config and rewrote it, then started removing lines until it stopped working.

I guess it's a good learning experience.

I did remove that any any statement from my outside_in acl btw...

Thanks Again.

Nice to see it works now.

You are welcome.
