ASA5510 not working properly from outside

tanpohmeng (Level 1)

Hi, I am not familiar with the ASA 5510 product. I have been having trouble for the last 24 hours and still can't find the root cause.

Here is my scenario; my network should be:

WAN --- ASA5510 (FW) --- SERVER (192.168.1.0/24)

Now I face this problem: all the static 1-to-1 NAT is working OK. All my public IPs can be pinged from the outside internet. But the problem happens when I try to telnet to port 80 on each server. I tried telnet from my PC to public IP 124.xxx.179 port 80, and it works fine, but it failed on 124.xxx.180 80, then on 124.xxx.181 80 it works fine.

Then I tried on my colleague's PC, in the same network as mine, and I faced another case where the public IP 124.xxx.179 80 cannot be telnetted, but it's OK for 124.xxx.180, then failed on 124.xxx.181 80.

FYI, all our PCs can ping the public IPs with no packet loss.

The scenario is very weird; I can't find any other solution, as I have reviewed my configuration a few times.

Please help me check whether my configuration is working perfectly or not.

Thanks. Any advice will do.

ASA Version 8.2(5)
!
hostname fw-asa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif untrust
 security-level 0
 ip address 124.xx.190 255.255.255.240
!
interface Ethernet0/1
 nameif trust
 security-level 100
 ip address 192.168.1.1 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.11.203 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST 8
access-list untrust_access_in extended permit icmp any 124.xxx.176 255.255.255.240
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq www
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq 8080
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq telnet
access-list trust_access_in extended permit ip any any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu untrust 1500
mtu trust 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (trust,untrust) 124.xxx.182 192.168.1.122 netmask 255.255.255.255
static (trust,untrust) 124.xxx.178 192.168.1.15 netmask 255.255.255.255
static (trust,untrust) 124.xxx.180 192.168.1.17 netmask 255.255.255.255
static (trust,untrust) 124.xxx.181 192.168.1.18 netmask 255.255.255.255
static (trust,untrust) 124.xxx.186 192.168.1.116 netmask 255.255.255.255
static (trust,untrust) 124.xxx.187 192.168.1.117 netmask 255.255.255.255
static (trust,untrust) 124.xxx.188 192.168.1.118 netmask 255.255.255.255
static (trust,untrust) 124.xxx.189 192.168.1.119 netmask 255.255.255.255
static (trust,untrust) 124.xxx.179 192.168.1.16 netmask 255.255.255.255
access-group untrust_access_in in interface untrust
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 124.xxx.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.11.122 255.255.255.255 management
snmp-server host management 192.168.11.254 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca xxx
  quit
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxx
: end


8 Replies

johuggin (Level 1)

Hello,

Perhaps some captures would shed some light on the issue. Let's consider the case that you cannot telnet to .180 port 80.

fw-asa(config)# access-list capout permit tcp any host 124.x.x.180 eq 80
fw-asa(config)# access-list capout permit tcp host 124.x.x.180 eq 80 any
fw-asa(config)# access-list capin permit tcp any host 192.168.1.17 eq 80
fw-asa(config)# access-list capin permit tcp host 192.168.1.17 eq 80 any
fw-asa(config)# end
fw-asa# cap capout access-list capout interface untrust
fw-asa# cap capin access-list capin interface trust

** Now try to telnet to .180 from your PC on the outside and post the following output: **

fw-asa# show cap capout
fw-asa# show cap capin

Note: You can replace the 'any' above with the IP of your PC. Also, remember to turn off the captures after grabbing the output. You can do this by doing a 'no cap capout' and 'no cap capin'. You can remove the access-lists by using the 'no' form of these as well.

I hope this makes sense to you.

Thanks!

Joey

Hi,

Sorry for the late reply.

I have successfully worked out the static NAT, which is working:

access-list untrust_access_in extended permit tcp any host 124.xxx.180 eq www
access-list untrust_access_in extended permit tcp any host 124.xxx.179 eq www
static (trust,untrust) tcp 124.xxx.180 www 192.168.1.17 www netmask 255.255.255.255
static (trust,untrust) tcp 124.xxx.179 www 192.168.1.16 www netmask 255.255.255.255

And it's working fine.

But in this way I could not solve the ping, as the NAT does not go through for ping.

Thanks

Hi,

try this:

policy-map global_policy
 class inspection_default
  inspect icmp

After you inspect icmp, you should get ping working.

Thanks!

Hi,

I tried this command and it seems not to work. I can only ping the interface 124.xx.190.

I also tried the command

   icmp permit any untrust

Still, luck is not with me. Ping does not work on 124.xxx.179 and the others.

Are the rest of the servers pingable? I mean ICMP could somehow be blocked by the Windows firewall. Did you try to ping these servers from internal?

Otherwise, try the below:

access-list untrust_access_in extended permit icmp any host 124.xxx.180

Thanks

The rest of the servers are not pingable from outside. If I ping from internal to the server's inside IP, then it works fine.

Yes, the access-list has been implemented as suggested, but it still failed.

I believe there is something missing in my static NAT, as what I set is

static (trust,untrust) tcp 124.xxx.180 www 192.168.1.17 www netmask 255.255.255.255
static (trust,untrust) tcp 124.xxx.179 www 192.168.1.16 www netmask 255.255.255.255

and not

static (trust,untrust) 124.xxx.180 192.168.1.17 netmask 255.255.255.255
static (trust,untrust) 124.xxx.179 192.168.1.16 netmask 255.255.255.255

I wonder whether there is a way to have static NAT that allows ICMP to go through?

Thanks

Actually, you are not deploying real NAT, because you defined the protocol argument "tcp".

You are just using the static NAT form to handle a PAT translation.

Yes, if you remove "tcp", just like you presented in the second CLI, ICMP will work properly; that's real NAT.

Thanks
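As an added illustration (not from the thread, and not Cisco's code), a small Python model of the difference the reply above describes: a plain static entry translates every protocol for that public IP, while a static entry with a protocol and port (static PAT) translates only that one TCP service, so ICMP to the same public IP has no translation even when the untrust ACL permits it. The config fragments are constructed, with 124.0.0.x standing in for the redacted prefix, and the ACL/xlate evaluation is a simplified model of ASA 8.2, not its real packet path.

```python
import ipaddress

# Constructed ASA 8.2-style fragments modelled on the thread's two configurations;
# the placeholder prefix 124.0.0.x stands in for the redacted 124.xxx.x.
ONE_TO_ONE = """
access-list untrust_access_in extended permit icmp any 124.0.0.176 255.255.255.240
access-list untrust_access_in extended permit tcp any 124.0.0.176 255.255.255.240 eq www
static (trust,untrust) 124.0.0.180 192.168.1.17 netmask 255.255.255.255
"""
STATIC_PAT = """
access-list untrust_access_in extended permit icmp any host 124.0.0.180
access-list untrust_access_in extended permit tcp any host 124.0.0.180 eq www
static (trust,untrust) tcp 124.0.0.180 www 192.168.1.17 www netmask 255.255.255.255
"""
NAMES = {"www": 80, "telnet": 23}   # service names the ASA accepts after 'eq' / in static PAT

def port(tok):
    return NAMES.get(tok, int(tok) if tok.isdigit() else None)

def parse(config):
    """Return (acl_entries, static_entries) from the two line types used in the thread."""
    acl, statics = [], []
    for t in (line.split() for line in config.strip().splitlines()):
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            proto, rest = t[4], t[6:]                       # source is 'any' in every entry here
            if rest[0] == "host":
                net, rest = ipaddress.ip_network(rest[1]), rest[2:]
            else:
                net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
            acl.append((proto, net, port(rest[1]) if rest[:1] == ["eq"] else None))
        elif t[0] == "static":
            if t[2] in ("tcp", "udp"):                      # static PAT: one protocol, one port
                statics.append((t[2], t[3], port(t[4]), t[5], port(t[6])))
            else:                                           # 1-to-1 static NAT: every protocol
                statics.append((None, t[2], None, t[3], None))
    return acl, statics

def inbound(config, proto, dst_ip, dst_port=None):
    """Simplified untrust->trust decision: ('ok', real_ip, real_port) or ('drop', reason).
    The real ASA order of xlate lookup, ACL check and conn setup is richer; the outcome is the same."""
    acl, statics = parse(config)
    ip = ipaddress.ip_address(dst_ip)
    if not any(p == proto and ip in net and pt in (None, dst_port) for p, net, pt in acl):
        return ("drop", "no permit in untrust_access_in")
    for sproto, gip, gport, lip, lport in statics:
        if gip == dst_ip and (sproto is None or (sproto == proto and gport == dst_port)):
            return ("ok", lip, lport if sproto else dst_port)
    return ("drop", "no static translation for this protocol/port")
```

Running inbound(STATIC_PAT, "icmp", "124.0.0.180") drops for lack of a translation even though the ACL permits ICMP, while the same probe against ONE_TO_ONE reaches 192.168.1.17.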

Thanks for the explanation.

Looks like I can close this topic for the moment.

Thanks for all the contributions.
