Help with basic ASA config with NAT issue

Andrew White
Level 2

Hello,

I'm just putting together a basic ASA config and there seems to be an issue with NAT.  I'm trying to ping a router past the outside interface 10.10.10.2 from an inside PC 10.101.61.10.

The ASA can ping it, can you see anything wrong with the below config?

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 90.174.83.202 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.101.61.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network internal-10.101.61.0
 subnet 10.101.61.0 255.255.255.0
object network Internal-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
!
object network Internal-0.0.0.0
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 90.174.83.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 10.101.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.61.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.101.61.10-10.101.61.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username *** password *** encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:4ce467cd868cc11bb408a997e3bf0fd2
: end
ciscoasa#

Thanks


5 Replies

Jouni Forss
VIP Alumni

Hi,

I would suggest adding a "permit ip any any" statement to the ACL, as now it's only allowing ICMP and nothing else. Or perhaps adding "permit ip 10.101.61.0 255.255.255.0 any".

You also seem to lack the default Policy Map configurations:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rtsp
  inspect skinny
  inspect pptp
  inspect esmtp
  inspect icmp
  inspect icmp error
  inspect ftp
!
service-policy global_policy global

You probably need the ICMP inspections configured (like above) for the Echo Reply to get back through the firewall.

That or allowing ICMP return messages like Echo Reply, Time Exceeded, Unreachable through the "outside" interface.

- Jouni

Adding the default policy map also fixed it, would you mind explaining what this does?

Julio Carvajal
VIP Alumni

Hello Andrew,

So the 10.10.10.2 is on the outside interface, is that what you are saying??

If that is correct, let's add "fixup protocol icmp" and try one more time.

If the PC is on the inside I do not see a route to that device, you will need that and also a static translation to the outside interface.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks that did it.

Do I need to add a default inspection policy too as I don't have one?  What does this do?

Thanks

Hello Andrew,

I would recommend adding it.

Use the command "clear configure fixup" to add the default policy map and then add the fixup protocol ICMP.

This will allow you to statefully inspect the specified traffic at a deep level (taking into consideration RFC standards, timeouts, packet-size, etc, etc, etc).

Now the thing with ICMP is that this protocol is not stateful as TCP is, so when we enable this we basically tell the ASA to save the ICMP sessions into its state table and monitor the returning traffic, so it gets allowed dynamically without the need for an ACL.

Then whenever we receive an ICMP echo reply for an echo request, the session will be removed from the state table of the ASA.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
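As an added illustration of the behaviour Julio and Jouni describe (this is a toy model written for this thread, not Cisco code or the ASA's actual algorithm): an inside host is PAT'd to the outside interface, and with ICMP inspection on, the echo request is recorded so the matching reply is let back in from the lower-security outside interface and the entry is dropped once used; with inspection off, the reply has no state and no outside ACL to match, so it is dropped. The state key (mapped source, destination, ICMP id, sequence) is an assumption of the model.

```python
from dataclasses import dataclass, replace

# Constructed values from the thread's topology: inside PC, ASA outside
# interface (the PAT address) and the router being pinged.
INSIDE_PC, OUTSIDE_IF, ROUTER = "10.101.61.10", "90.174.83.202", "10.10.10.2"
ECHO_REQUEST, ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int

class AsaIcmpPath:
    """Toy model: interface PAT plus optional ICMP inspection (not Cisco code)."""

    def __init__(self, inspect_icmp: bool):
        self.inspect_icmp = inspect_icmp
        self.state = {}  # (mapped src, dst, id, seq) -> real inside source

    def outbound(self, pkt):
        """inside -> outside: inside_access_in permits icmp, then PAT to the interface."""
        if pkt.icmp_type != ECHO_REQUEST:
            return None
        mapped = replace(pkt, src=OUTSIDE_IF)
        if self.inspect_icmp:
            # 'inspect icmp' records the request so the matching reply can return.
            self.state[(mapped.src, mapped.dst, mapped.ident, mapped.seq)] = pkt.src
        return mapped

    def inbound(self, pkt):
        """outside (level 0) -> inside (level 100): no ACL, so only a tracked reply passes."""
        if pkt.icmp_type != ECHO_REPLY:
            return None
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        real_src = self.state.pop(key, None)  # entry is removed once the reply arrives
        if real_src is None:
            return None  # without inspection every reply lands here and is dropped
        return replace(pkt, dst=real_src)  # un-PAT back to the inside host

def ping_succeeds(inspect_icmp: bool) -> bool:
    """One echo request/reply round trip through the model."""
    asa = AsaIcmpPath(inspect_icmp)
    wire = asa.outbound(Icmp(INSIDE_PC, ROUTER, ECHO_REQUEST, ident=0x1234, seq=1))
    reply = Icmp(wire.dst, wire.src, ECHO_REPLY, wire.ident, wire.seq)
    delivered = asa.inbound(reply)
    return delivered is not None and delivered.dst == INSIDE_PC
```

`ping_succeeds(True)` reproduces the working state after the inspection policy was added; `ping_succeeds(False)` reproduces the original symptom, where the ASA itself can ping (its own traffic is not subject to the through-traffic rules modelled here) but the inside PC cannot.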