Cisco Support Community

New Member

Issue with ASA 5510

Hello Everyone,

I want to first say that this is my first time ever working on an ASA, so I apologize for the elementary questions. My task today is to allow incoming HTTP and HTTPS traffic to my internal IP address.

Currently this firewall is up and working great. There are several internal servers, and every service they are presenting to the internet is working fine. I'm using the graphic interface. I added my server under "Public Servers" like all of the other objects. I can see it created the appropriate NAT statement and access rule. I applied my change and saved the settings to flash.

The problem I'm having is the internal server is now essentially cut off from the internet. I obviously can't access HTTP or HTTPS from the internet, but that server can't get from the LAN to the internet either. Every other server is working fine though. I checked the order in which the NAT rule and access rule are being applied, and I think they're fine.

The only thing I can think of is I need to restart the ASA, but that really surprises me.  I would think that adding a statement in an ASA would just work without a reboot.

Any thoughts?  I can provide screen shots of my Access Rules, NAT rules, and Public Servers list if it helps.

Thank you in advance.  I need to get this fixed asap.

20 REPLIES
New Member

Re: Issue with ASA 5510

To add to my confusion, I just ran a ping from the ASA. It can ping both the internal and external IP of the device I added.

If I try the same with a working server, I can ping the internal address, but not the external address.

Re: Issue with ASA 5510

Hello John,

I think the problem is that you have just port-forwarding enabled for that server, and that works only for inbound connections, not for outbound connections.

Please share the following:

-sh run nat

-sh run global

-sh run static

-sh run access-group

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Re: Issue with ASA 5510

I guess I don't know the enable password, so I can't run the above commands. I do get what you're saying though. From what I can see, side by side with other working services, I don't see any discrepancies. Can I send you the screenshots for your analysis?

Re: Issue with ASA 5510

Hello John,

Sure, but let's try this first.

On the ASDM go to Tools and then to Command Line Interface.

Once you are there try to get the following outputs:

-sh run nat

-sh run global

-sh run static

-sh run access-group

If that does not work please attach the screenshots.

Julio

Do rate all the helpful posts!!

New Member

Re: Issue with ASA 5510

Got it. I can do it from the graphic interface. The server I'm trying to get to work is 10.130.1.68 (internal) and 65.208.141.68 (external).

Result of the command: "sh run nat"

nat (outside) 3 192.168.60.0 255.255.255.0

nat (outside) 3 192.168.70.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 10 172.31.10.0 255.255.255.0

nat (inside) 10 10.10.0.0 255.255.0.0

nat (inside) 10 10.130.0.0 255.255.0.0

nat (inside) 10 10.0.0.0 255.0.0.0

Result of the command: "sh run global"

global (outside) 10 65.208.141.66

global (outside) 3 interface

Result of the command: "sh run static"

static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (dmz96,outside) 65.208.141.85 192.168.96.165 netmask 255.255.255.255

static (dmz96,outside) 65.208.141.83 192.168.96.161 netmask 255.255.255.255

static (dmz96,outside) 65.208.141.80 192.168.96.150 netmask 255.255.255.255

static (dmz96,outside) 65.208.141.81 192.168.96.151 netmask 255.255.255.255

static (dmz96,outside) 65.208.141.82 192.168.96.152 netmask 255.255.255.255

static (inside,dmz96) 10.160.10.0 10.160.10.0 netmask 255.255.255.0

static (dmz96,outside) 65.208.141.84 192.168.96.84 netmask 255.255.255.255

static (dmz96,outside) 65.208.141.87 192.168.96.87 netmask 255.255.255.255

static (inside,outside) 65.208.141.120 10.133.1.20 netmask 255.255.255.255

static (inside,outside) 65.208.141.121 10.134.1.21 netmask 255.255.255.255

static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255

Result of the command: "sh run access-group"

access-group outside in interface outside

access-group inside in interface inside

access-group DMZ96 in interface dmz96

access-group management in interface management
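Added example, not part of the thread and not Cisco's code: a small Python script that reads the pre-8.3 `nat` / `global` / `static` lines John posted and answers the question Julio is working through for any inside host, namely whether a translation toward `outside` exists at all, and whether it is a `static` entry or a dynamic `nat`/`global` pair. The hosts other than 10.130.1.68 and the function names are assumptions made for the example; the `nat 0 access-list nonat` exemption is recorded but cannot be evaluated because the ACL itself is not on the page.

```python
import ipaddress
import re

# Constructed sample: a subset of the "sh run nat" / "sh run global" /
# "sh run static" lines posted in the thread, reproduced verbatim.
ASA_NAT_CONFIG = """
nat (outside) 3 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 10 172.31.10.0 255.255.255.0
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 10 10.130.0.0 255.255.0.0
nat (inside) 10 10.0.0.0 255.0.0.0
global (outside) 10 65.208.141.66
global (outside) 3 interface
static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz96,outside) 65.208.141.85 192.168.96.165 netmask 255.255.255.255
static (inside,outside) 65.208.141.120 10.133.1.20 netmask 255.255.255.255
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
"""

# static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
# nat (real_if) ID REAL MASK      or      nat (real_if) 0 access-list NAME
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")
# global (mapped_if) ID POOL|interface
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def parse_nat_config(text):
    """Split the config into static, dynamic-nat and global entries, in order."""
    statics, nats, globals_ = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{real}/{mask}", strict=False),
                            ipaddress.ip_network(f"{mapped}/{mask}", strict=False)))
        elif m := NAT_RE.match(line):
            real_if, nat_id, net, mask = m.groups()
            if net == "access-list":
                # nat 0 access-list is NAT exemption; the ACL body is not on
                # the page, so it is kept but never matched here (assumption).
                nats.append((real_if, int(nat_id), None))
            else:
                nats.append((real_if, int(nat_id),
                             ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, pool = m.groups()
            globals_.append((mapped_if, int(nat_id), pool))
    return statics, nats, globals_


def resolve_outbound(host, real_if, mapped_if, config=ASA_NAT_CONFIG):
    """Return the translation that carries `host` from real_if to mapped_if.

    Static entries are consulted before regular dynamic nat/global pairs,
    matching the ASA's documented precedence. Among dynamic entries the first
    configured match is taken; all inside entries here share NAT ID 10, so
    that choice does not change the answer for this config.
    """
    ip = ipaddress.ip_address(host)
    statics, nats, globals_ = parse_nat_config(config)

    for s_real_if, s_mapped_if, real_net, mapped_net in statics:
        if (s_real_if, s_mapped_if) == (real_if, mapped_if) and ip in real_net:
            # Net-to-net statics keep the host offset; a /32 is a plain 1:1 map.
            offset = int(ip) - int(real_net.network_address)
            return {"type": "static", "mapped": str(mapped_net.network_address + offset)}

    for n_real_if, nat_id, net in nats:
        if n_real_if != real_if or net is None or ip not in net:
            continue
        for g_mapped_if, g_id, pool in globals_:
            if g_mapped_if == mapped_if and g_id == nat_id:
                return {"type": "dynamic", "nat_id": nat_id, "pool": pool}

    # With nat-control enabled, no matching translation means the outbound
    # packet is dropped rather than sent untranslated.
    return None


if __name__ == "__main__":
    for h in ("10.130.1.68", "10.10.5.5", "192.168.50.5"):
        print(h, "inside->outside:", resolve_outbound(h, "inside", "outside"))
```

Run against the posted lines, 10.130.1.68 resolves to the static 65.208.141.68, a host in 10.10.0.0/16 falls through to NAT ID 10 and the global pool 65.208.141.66, and an address covered by no entry returns `None`. That matches Julio's reading that the config itself was sound: the static for 10.130.1.68 is bidirectional, so the "port-forwarding only" theory from earlier in the thread is ruled out by the config rather than by guesswork.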

Re: Issue with ASA 5510

Hello John,

The configuration seems to be fine; the only thing we are missing is the output of the ACL.

Can you provide the output of :

-show run access-list inside

-packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80

Regards,

Julio

New Member

Re: Issue with ASA 5510

Here is what I get from those two commands:

Result of the command: "show run access-list inside"

access-list inside extended permit ip any 192.168.96.0 255.255.255.0

access-list inside extended permit icmp any any

access-list inside extended permit ip any 192.168.60.0 255.255.255.0

access-list inside extended permit ip any 192.168.70.0 255.255.255.0

access-list inside extended deny ip any object-group RFC1918

access-list inside extended permit ip any any

Result of the command: "packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside in interface inside

access-list inside extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FILTER

Subtype: filter-url

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: NAT

Subtype:

Result: ALLOW

Config:

static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255

  match ip inside host 10.130.1.68 outside any

    static translation to 65.208.141.68

    translate_hits = 130, untranslate_hits = 0

Additional Information:

Static translate 10.130.1.68/0 to 65.208.141.68/0 using netmask 255.255.255.255

Phase: 10

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

  match ip inside 10.0.0.0 255.0.0.0 dmz96 any

    static translation to 10.0.0.0

    translate_hits = 2706448, untranslate_hits = 17797187

Additional Information:

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 202578141, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow
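Added example, not from the thread and not a Cisco tool: a Python parser for `packet-tracer` output of the shape posted above. It splits the trace into phases, pulls out the NAT line the ASA applied, and reports the first phase that did not return ALLOW together with the final `Action` and any `Drop-reason`, which is the fast way to read a long trace. The abridged ALLOW sample is taken from the post; the DROP sample, with its `(acl-drop)` reason text, is constructed to show what a denied flow looks like, and the function names are assumptions.

```python
# Constructed sample: an abridged version of the packet-tracer output posted
# above (Phase 8, which printed an empty Type, is kept on purpose).
TRACE_ALLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
  match ip inside host 10.130.1.68 outside any
    static translation to 65.208.141.68
    translate_hits = 130, untranslate_hits = 0
Additional Information:
Static translate 10.130.1.68/0 to 65.208.141.68/0 using netmask 255.255.255.255

Result:
input-interface: inside
input-status: up
output-interface: outside
output-status: up
Action: allow
"""

# Constructed variant (not from the thread): the same flow denied by the
# inside ACL, in the format the ASA uses for a dropped packet.
TRACE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny ip any object-group RFC1918
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, final): phases is a list of dicts, one per 'Phase:'
    block; final holds the key/value lines of the trailing 'Result:' block."""
    phases, final, cur, bucket = [], {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue                              # blank separators carry nothing
        if s == "Result:":                        # bare 'Result:' opens the summary
            cur, bucket = None, None
            continue
        if s.startswith("Phase:"):
            cur = {"phase": int(s.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            bucket = None
            continue
        if cur is None:                           # inside the summary block
            key, val = s.split(":", 1)
            final[key.strip().lower()] = val.strip()
        elif s == "Config:":
            bucket = "config"
        elif s == "Additional Information:":
            bucket = "info"
        elif bucket is None:                      # Type:/Subtype:/Result: lines
            key, val = s.split(":", 1)
            cur[key.lower()] = val.strip()
        else:
            cur[bucket].append(s)
    return phases, final


def summarize(text):
    """Condense a trace to what a reviewer checks first."""
    phases, final = parse_packet_tracer(text)
    blocked = next((p for p in phases if p["result"] != "ALLOW"), None)
    nat_lines = [l for p in phases if p["type"] == "NAT"
                 for l in p["config"] if l.startswith(("static (", "nat ("))]
    return {
        "action": final.get("action"),
        "egress": final.get("output-interface"),
        "phase_types": [p["type"] for p in phases],
        "blocked_at": (blocked["phase"], blocked["type"], blocked["config"]) if blocked else None,
        "nat_lines": nat_lines,
        "drop_reason": final.get("drop-reason"),
    }
```

For the posted trace this yields `action == "allow"`, egress `outside`, no blocking phase and exactly the `static (inside,outside) 65.208.141.68 10.130.1.68 ...` line, i.e. the ASA itself would forward the packet, which is the point Julio draws from it before moving on to captures.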

Re: Issue with ASA 5510

Hello John,

As we could see on the last output, the configuration on the ASA is the one required.

Now, it seems like something else is blocking it.

So I want you to create a capture, and then we will be 100% sure of what is going on (I think I already know what is happening):

access-list capin permit tcp host 10.130.1.68 any eq 80

access-list capin permit tcp any eq 80 host 10.130.1.68

access-list capout permit tcp host 65.208.141.68 any eq 80

access-list capout permit tcp any eq 80 host 65.208.141.68

capture capin access-list capin interface inside

capture capout access-list capout interface outside

http 0 0 inside

Then try to access a web-site like google from that inside host.

Afterwards go to a browser on one of your computers on your network and do the following:

https://x.x.x.x/capture/capin/pcap (where x.x.x.x is the inside IP of the ASA)

https://x.x.x.x/capture/capout/pcap

Then you can upload the captures to this discussion and I will analyze them using Wireshark.

Regards,

Julio

Hope I was clear enough with the captures

New Member

Re: Issue with ASA 5510

Forgive my ignorance. How do I run the above capture? I'm assuming I need to turn it on, then turn it off? Once it's run, how do I retrieve it?

Thank you so much Julio. You've been extremely helpful.

New Member

Re: Issue with ASA 5510

Never mind, I figured it out. Although I assume I do need to turn it off.

Captures are below

Re: Issue with ASA 5510

Hello John,

You do not need to turn it off.

We can erase it after we use it.

So you already downloaded them; you can attach them to this discussion or, if you want, send them to me via email.

It's all up to you.

Regards,

Julio

New Member

Re: Issue with ASA 5510

Files are attached in the above post. I had edited it. I'll email them to you too though.

New Member

Re: Issue with ASA 5510

Actually I can't find your email. This is my first time using this forum.

Re: Issue with ASA 5510

Hello,

Just reviewed both captures...

On the captures we can see that the ASA is doing the right NAT translation; the packets are being seen on the outside interface, so the packets are not being dropped.

Please contact your ISP ASAP and let them know that you are not getting any traffic to 65.208.141.68; as soon as they start sending the traffic to you, all will be working.

Please keep me posted!

Julio

Do rate helpful posts!!

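Added example, not part of the thread: the check Julio did by eye in Wireshark, written as a Python function over packet summaries from the two captures. It compares the inside and outside captures for one outbound connection and classifies the failure: SYNs seen on `inside` but never on `outside` point at the ASA (NAT or ACL); translated SYNs on `outside` with no packet ever coming back from the server point upstream, which is the "contact your ISP" case here. The packet tuples are constructed to mirror the thread's situation, not read from the real pcaps, and the function names are assumptions.

```python
from collections import Counter

# Constructed packet summaries standing in for the capin / capout pcaps.
# Each tuple is (seconds, src, sport, dst, dport, tcp_flags). The three SYNs
# per capture with no SYN/ACK are invented to mirror the thread: the client
# retries, the ASA translates and forwards, nothing returns.
CAPIN = [
    (0.00, "10.130.1.68", 1025, "4.2.2.2", 80, "S"),
    (3.01, "10.130.1.68", 1025, "4.2.2.2", 80, "S"),
    (9.02, "10.130.1.68", 1025, "4.2.2.2", 80, "S"),
]
CAPOUT = [
    (0.00, "65.208.141.68", 1025, "4.2.2.2", 80, "S"),
    (3.01, "65.208.141.68", 1025, "4.2.2.2", 80, "S"),
    (9.02, "65.208.141.68", 1025, "4.2.2.2", 80, "S"),
]


def _is_syn(p):
    return "S" in p[5] and "A" not in p[5]


def classify_flow(capin, capout, real_ip, mapped_ip, dport=80):
    """Locate where an outbound TCP connection from real_ip is failing.

    Returns one of:
      "no_client_traffic"  - nothing from real_ip toward dport on the inside capture
      "asa_not_forwarding" - SYNs hit the inside interface but never left outside
                             (translation or ACL problem on the ASA itself)
      "no_return_traffic"  - translated SYNs left the outside interface and no
                             packet from the server came back: look upstream
      "ok"                 - SYN forwarded and a reply from the server was seen
    """
    syn_in = [p for p in capin if p[1] == real_ip and p[4] == dport and _is_syn(p)]
    syn_out = [p for p in capout if p[1] == mapped_ip and p[4] == dport and _is_syn(p)]
    replies = [p for p in capout if p[3] == mapped_ip and p[2] == dport]
    if not syn_in:
        return "no_client_traffic"
    if not syn_out:
        return "asa_not_forwarding"
    if not replies:
        return "no_return_traffic"
    return "ok"


def syn_retries(capout, mapped_ip):
    """Count outbound SYNs per (server, source port). Several SYNs for the same
    pair with no SYN/ACK is the visible signature of an unanswered connection."""
    return dict(Counter((p[3], p[2]) for p in capout if p[1] == mapped_ip and _is_syn(p)))


if __name__ == "__main__":
    print(classify_flow(CAPIN, CAPOUT, "10.130.1.68", "65.208.141.68"))  # no_return_traffic
    print(syn_retries(CAPOUT, "65.208.141.68"))
```

Adding a single SYN/ACK from 4.2.2.2 to 65.208.141.68 to the outside capture flips the verdict to `ok`; emptying the outside capture flips it to `asa_not_forwarding`, the outcome that would have sent the investigation back to the NAT and ACL output earlier in the thread instead of to the ISP.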
New Member

Re: Issue with ASA 5510

Weird, so everything appears to be fine then?

Alright, I'll contact my ISP. Do I need to turn off that capture?

Re: Issue with ASA 5510

Hello John.

If you want, yes.

no capture capin

no capture capout

That should do it!

New Member

Re: Issue with ASA 5510

Thanks very much for your help

Re: Issue with ASA 5510

Hello John,

My pleasure, let me know if you have any problem with the ISP.

Regards,

Julio

New Member

Re: Issue with ASA 5510

You've been very, very helpful. Rather than reinventing the wheel, I chose a different IP address I had available. Everything is working perfectly.

Re: Issue with ASA 5510

Hello John,

Sure, It was a pleasure to work on this with you.

Please mark the question as answered so future users can learn from this.

Regards,

Julio!!
