We are configuring an ASA5510 for the first time. However, we seem to have hit a wall. There seems to be no communication between the interfaces at all. We have played with the static routes and access rules to no avail; it just seems like nothing can get in or out. At the moment, we have it opened up to pretty much anything, to try to get anything to work, but still nothing. (read: any interface, any source, any destination) Does anyone have any idea of what crucial step we might be missing? We are mostly using the ASDM, but have had to do a little with the CLI since that seems to be what everyone knows in any help docs.
I will assume the interfaces are set for different security levels. If that is true, then you will most likely need to have static or nat statements.
Please see here:
It sounds like you have the acls and the routing in place. Let me know what you have set up for the natting/static side.
Well, we've tried several different options. Right now, just to try to get ANYTHING to work, we've created really open rules that would essentially allow anything in either direction. We've tried with and without NAT rules in place, but it doesn't seem to make a difference one way or another. I'm not sure if the "any interface, any source, any destination" type of NAT would do anything anyway. NAT control is no longer available in 8.3, so it seems that NAT is less likely to be holding us up, but we're so new to this that we couldn't be sure of that.
We've done the global ACL allows to open it up, and with our static routes we've tried a myriad of ideas on how to communicate its direction. It seems that the interfaces are just not passing information to one another. We have routes from 0.0.0.0 to the external interface, we've tried from the internal to external interfaces, and pretty much any combination you can think of, and to no effect.
Any ideas what to look at?
Can you post a running config for us to review? That will help determine the areas of the config that need to be focused on.
Is there a route back for internal ip addresses when they are hitting the outside since you are not natting?
Does your inside interface have higher security level than your outside?
If you are testing with pings, make sure you have icmp inspection enabled.
Let me know if they helped. And like mirober2 suggested, if not please provide your config.
Here is our config file. It's a bit of a mess now because we've been trying so many different things (none of which have worked).
ASA Version 8.3(2)
ip address 10.0.204.65 255.255.255.0
description INTERNAL INTERFACE
ip address 192.168.2.1 255.255.255.0
description DMZ INTERFACE
ip address STORAGECONTROLLERA 255.255.255.192
description LAN/STATE Failover Interface
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa823-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
access-list INSIDE_access_in extended permit tcp any any eq www
access-list OUTSIDE_access_in remark ALLOW SLO TESTERS TO COMMUNICATE WITH XWD.
access-list OUTSIDE_access_in extended permit object-group HTTPHTTPS 10.0.204.64 255.255.255.192 host 10.2.204.55
access-list INSIDE_nat0_outbound extended permit ip any 192.168.204.240 255.255.255.240
access-list global_access extended permit tcp any any eq www log errors
pager lines 24
logging console emergencies
logging asdm informational
logging class auth console errors
logging class sys console errors
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPBNIPPOOL 192.168.204.240-192.168.204.250 mask 255.255.255.0
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static X_LAN X_LAN destination static mapped_public_pool mapped_public_pool
access-group INSIDE_access_in in interface INSIDE
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.204.65 1
route INSIDE 192.168.2.137 255.255.255.255 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface INSIDE
crypto isakmp policy 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh 192.168.1.2 255.255.255.255 INSIDE
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
policy-map type inspect dns migrated_dns_map_1
message-length maximum client auto
message-length maximum 512
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email firstname.lastname@example.org
destination transport-method http
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Whoops, I hadn't noticed that my co-worker deleted most of the NAT and Route rules that were in place yesterday.
There would have been a few "any, any, any" commands for the NAT and allow all services in the ACL.
I would suggest taking on one issue at a time to make it easier to troubleshoot. Try removing your NAT rules and then configuring this:
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
You may also need this if your DNS server is not in the 192.168.2.0 subnet:
access-list INSIDE_access_in extended permit udp any any eq 53
access-list global_access extended permit udp any any eq 53
Once those commands are configured, try to access the Internet from a host in the 192.168.2.0 subnet. If that works, let us know what other traffic is failing.
Hope that helps.
Thanks!! Your dynamic NAT statement is the key that we were looking for! As I understand it, it is the statement that allows the internal and external interfaces to communicate with one another, and that is the piece we were missing.
Now we need to start redoing our actual ACLs and see if they work.
Glad that worked for you. Keep in mind that in 8.3 you need to use the real IP (i.e. before NAT takes place) when you setup your access-lists. This is a significant change from the way it was done in pre-8.3 configurations.
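As an added example (not from the original thread or the poster's config), the 8.3 object NAT and "real IP in the ACL" point from the two replies above, side by side with the pre-8.3 form. It assumes a web server at 192.168.2.10 behind the posted DMZ interface (nameif DMZ) published on the constructed public address 203.0.113.10; the object names, the public addresses and the test source 198.51.100.7 are all made up for illustration.

```cisco
! Pre-8.3 form: the mapped (public) address is what the ACL must match
static (DMZ,OUTSIDE) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_access_in in interface OUTSIDE
!
! 8.3 and later: NAT hangs off a network object, and the inbound ACL
! references the real (pre-NAT) address 192.168.2.10, never 203.0.113.10
object network DMZ_WEB
 host 192.168.2.10
 nat (DMZ,OUTSIDE) static 203.0.113.10
!
! Outbound PAT for the whole 192.168.2.0/24 subnet (the dynamic NAT from
! the reply), attached here to the DMZ interface where the posted config
! places that subnet
object network DMZ_NET
 subnet 192.168.2.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic interface
!
! Inbound rule written against the object, i.e. the real IP
access-list OUTSIDE_access_in extended permit tcp any object DMZ_WEB eq www
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification: packet-tracer walks the route lookup, NAT and ACL phases
! and names the line that permits or drops the flow; show nat reports
! per-rule hit counts so an untranslated subnet is visible immediately
packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.10 80
show nat detail
```

If packet-tracer reports a drop in the NAT or ACL phase, the listed rule is the one to fix; a DROP in the route-lookup phase points back at the static routes rather than at NAT.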