Cisco ASA 5520 traffic between interfaces

cosmin.cucu
Level 1

Hello,

I am new to the Cisco world, learning how everything goes. I have a Cisco ASA 5520 firewall that I am trying to configure, but I am stumped. Traffic does not pass through interfaces (I tried ping), although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The IPs I am using in the tracer are actual hosts.

ciscoasa# ping esx_management 192.168.10.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping home_network 192.168.10.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Thank you in advance.

Accepted Solution

Ah sorry, so stupid of me. Actually I posted the wrong command myself.

I guess we should try Packet Capture next. Essentially what we would do is configure the ASA to capture all packets between 2 hosts on a certain ASA interface. In this case I guess we would be most interested in what is coming or not coming back from the "esx_management" interface.

access-list CAPTURE permit ip host 192.168.5.5 host 192.168.10.100

access-list CAPTURE permit ip host 192.168.10.100 host 192.168.5.5

capture CAPTURE type raw-data access-list CAPTURE interface esx_management buffer 1000000 circular-buffer

Then try ICMP from the actual LAN host to the ESX host.

Then you can issue the following command to view if anything has been captured

show capture

Then you can issue the following command to view the actual capture contents on the CLI

show capture CAPTURE

If you wanted to copy these contents to a TFTP server and open the capture with Wireshark you can use this command

copy /pcap capture:CAPTURE tftp://x.x.x.x/CAPTURE.pcap

For captures other than simply capturing ICMP traffic I tend to copy the capture to my computer so it can be gone through more easily with Wireshark.

- Jouni

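The point of the capture above is to see whether echo requests leave the ASA on esx_management and whether the server answers them. The following Python script is an added example (not part of the original thread or Cisco's tooling): it parses the tcpdump-style lines that "show capture CAPTURE" prints and turns the request/reply counts into a verdict. The capture text embedded in it is constructed for the example, as are the host roles (192.168.5.5 as the LAN host, 192.168.10.100 as the storage server, following the thread).

```python
import re

# Constructed sample of what "show capture CAPTURE" prints on an ASA
# (tcpdump-style lines made up for this example, not from the original
# post). The LAN host 192.168.5.5 sends echo requests to the storage
# server 192.168.10.100; only the first one gets a reply.
SAMPLE_CAPTURE = """\
6 packets captured

   1: 10:12:01.100001 192.168.5.5 > 192.168.10.100: icmp: echo request
   2: 10:12:01.100512 192.168.10.100 > 192.168.5.5: icmp: echo reply
   3: 10:12:02.100001 192.168.5.5 > 192.168.10.100: icmp: echo request
   4: 10:12:03.100001 192.168.5.5 > 192.168.10.100: icmp: echo request
   5: 10:12:04.100001 192.168.5.5 > 192.168.10.100: icmp: echo request
   6: 10:12:05.100001 192.168.5.5 > 192.168.10.100: icmp: echo request
6 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_icmp_echo(text):
    """Return (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], m["dst"], m["kind"]))
    return pkts


def echo_verdict(text, client, server):
    """Count echo requests client->server and replies server->client on the
    captured interface and say what that implies about where traffic stops."""
    pkts = parse_icmp_echo(text)
    requests = sum(1 for s, d, k in pkts if (s, d, k) == (client, server, "request"))
    replies = sum(1 for s, d, k in pkts if (s, d, k) == (server, client, "reply"))
    if requests == 0:
        verdict = ("no echo requests reached this interface: the ASA dropped them "
                   "earlier or they never arrived from the client network")
    elif replies == 0:
        verdict = ("requests left the ASA but the server never answered: check "
                   "the host firewall or the server's default gateway")
    elif replies < requests:
        verdict = "some replies missing: intermittent loss between the ASA and the server"
    else:
        verdict = "every request was answered on this interface: the problem is elsewhere"
    return {"requests": requests, "replies": replies, "verdict": verdict}


if __name__ == "__main__":
    print(echo_verdict(SAMPLE_CAPTURE, "192.168.5.5", "192.168.10.100"))
```

Run it against the real output pasted from the ASA (or, after the copy /pcap step, against the pcap in Wireshark with the filter icmp); the "requests but no replies" case is the one that points at the host firewall Ron mentions below rather than at the ASA.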

8 Replies

Jouni Forss
VIP Alumni

Hi,

Is this just a testing setup? I would suggest changing the "internet" interface to "security-level 0" (just for the sake of identifying that it's an external interface) and not allowing all traffic from there.

I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be

packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100

I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would at least allow communication between all interfaces with their real IP addresses.

I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.

Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?

Have you confirmed that there is no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?

Naturally, if you wanted to try some NAT configurations, you could try either of these for example, just for the sake of testing

Static Identity NAT

static (home_network,esx_management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

static (home_network,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

static (home_network,management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

OR

NAT0

access-list HOMENETWORK-NAT0 remark NAT0 to all local networks

access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (home_network) 0 access-list HOMENETWORK-NAT0

Hope this helps

- Jouni

Hello,

This is a virtualisation environment that I am setting up for testing purposes for myself. The 192.168.10.100 is actually the storage server. I ran the packet tracer you suggested, with or without the first set of NAT rules you suggested (I changed mask to netmask). The result is at the end of this post; it says that it is allowed.

Pings from each of the firewall's network interfaces to the host work, so the local software firewall is out of the question.

ciscoasa# ping esx_management 192.168.10.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping home_network 192.168.5.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa#

Default gateway is set to the firewall's interface (e.g. 192.168.5.1)

Thank you for your response.

Hi,

You are using some 10-network in the "packet-tracer" command as the source now? I don't see any route for it configured on the ASA.

If you are only testing ICMP from the ASA, I would also suggest doing the same from the actual hosts.

If you really want to confirm whether the ASA is stopping the ICMP then you can take a capture on the ASA for the traffic, and this should tell us if the PINGed / ICMPed host is even sending anything back.

I have very limited knowledge of the IT side but I have seen situations where ICMP from connected network works just fine for servers but get blocked from any remote network. And the situation with these has very often been a firewall configuration on the actual host/server.

- Jouni

Oh, I just pasted your initial command. I use a lot of 10.192.0.0 networks at work, so it didn't seem anything unusual.

I tried the correct command and attached the response here. Basically it allows it, so it should work. From the hosts to the default gateway (firewall interface) pings work. But when I ping something from the other network it does not work.

Are you trying to ping the server? If it is a Windows server or has a software firewall installed, this could be preventing the ICMP reply. Try disabling the firewall on the server and see if ping works then.

--
Please remember to select a correct answer and rate helpful posts


Thanks for taking the time to explain how to debug; it turns out there was an access point on my home network that was acting funny. Now all I have to do is configure the internet access throughout the interfaces, which is with NAT rules, correct?

Hi,

Yes, you will need a NAT configuration for all the interfaces for outbound connections to the Internet.

The most typical solution is of course Dynamic PAT, since there's rarely enough Public IP addresses to make a pool.

Your configuration would most likely be

global (internet) 1 interface

nat (home_network) 1 192.168.5.0 255.255.255.0

nat (esx_management) 1 192.168.10.0 255.255.255.0

nat (DMZ) 1 192.168.20.0 255.255.255.0

nat (management) 1 192.168.1.0 255.255.255.0

This is of course presuming you want to have Dynamic PAT for all of the mentioned interfaces.

Since you have allowed all traffic with the interface ACLs, those networks should be able to access Internet. I would suggest either blocking all traffic in the "internet" interface inbound ACL or removing the whole ACL while making sure you change the "security-level" to value of "0" so that no connections will be allowed from that direction.

Then again, you don't have any Static NAT/PAT configurations for inbound traffic at the moment. Though there might always be a risk with an active Dynamic PAT translation that something might get through, if I am not totally mistaken.

- Jouni
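Jouni's last post raises three things to check in a pre-8.3 running config: the "internet" interface should be security-level 0, its inbound ACL should not permit everything, and every inside interface needs a nat statement tied to the global on "internet". The script below is an added example, not from the thread or from Cisco; it runs those three checks over two constructed config excerpts (a weak one with the problems, and a corrected one). The interface names follow the thread; the outside address 203.0.113.2, the ACL name internet_in and the GigabitEthernet slot numbers are assumptions made up for the example.

```python
import re

# Constructed running-config excerpts in pre-8.3 ASA syntax, made up for
# this example (not the poster's real config). The first has the three
# problems named in the thread; the second has them corrected.
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 nameif internet
 security-level 100
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif home_network
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif esx_management
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
access-list internet_in extended permit ip any any
access-group internet_in in interface internet
global (internet) 1 interface
nat (home_network) 1 192.168.5.0 255.255.255.0
"""

FIXED_CONFIG = """\
interface GigabitEthernet0/0
 nameif internet
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif home_network
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif esx_management
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
global (internet) 1 interface
nat (home_network) 1 192.168.5.0 255.255.255.0
nat (esx_management) 1 192.168.10.0 255.255.255.0
"""


def parse_interfaces(cfg):
    """Map nameif -> security-level for every 'interface' block in the config."""
    levels, nameif, level = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            if nameif is not None:
                levels[nameif] = level
            nameif, level = None, None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
    if nameif is not None:
        levels[nameif] = level
    return levels


def audit(cfg, outside="internet"):
    """Return a list of findings for the three points raised in the thread."""
    findings = []
    levels = parse_interfaces(cfg)

    # 1. The outside interface should be security-level 0.
    if levels.get(outside) != 0:
        findings.append(f"{outside}: security-level is {levels.get(outside)}, expected 0")

    # 2. No inbound ACL on the outside interface may permit ip any any.
    acl_lines = [l for l in cfg.splitlines() if l.startswith("access-list ")]
    for m in re.finditer(rf"^access-group (\S+) in interface {outside}$", cfg, re.M):
        acl = m.group(1)
        if any(l.startswith(f"access-list {acl} ") and "permit ip any any" in l
               for l in acl_lines):
            findings.append(f"{outside}: inbound ACL {acl} permits ip any any")

    # 3. Every inside interface needs a nat statement whose id matches a
    #    global on the outside interface (dynamic PAT for Internet access).
    global_ids = set(re.findall(rf"^global \({outside}\) (\d+) ", cfg, re.M))
    nats = {(m.group(1), m.group(2))
            for m in re.finditer(r"^nat \((\S+)\) (\d+) ", cfg, re.M)}
    for name in levels:
        if name == outside:
            continue
        if not any(ifc == name and gid in global_ids for ifc, gid in nats):
            findings.append(f"{name}: no nat statement matching a global on {outside}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

The checks are deliberately syntactic: they only recognise the pre-8.3 global/nat form used in this thread, not the object-based NAT of 8.3 and later, and "permit ip any any" is matched literally, so a broader ACL written with objects would need its own rule.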
