Please help ASA 8.6 version

Rohit Mangotra
Level 1

Hi,

I am using an ASA 5525 with version 8.6, and I am trying to ping through the different interfaces; however, I am not able to. My test results are:

    - can PING between the outside interface and the next hop (same subnet)
    - cannot PING between the inside interface and the next hop (same subnet)
    - cannot PING between the DMZ interface and the next hop (same subnet)

Please see the firewall configuration below for reference.

--------------------------------------------------------------------------------

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 16.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 17.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 18.x.x.x 255.255.255.0

2.  access-list o_inside extended permit icmp any any
    access-list o_inside extended permit icmp any any echo
    access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
    access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
    access-list o_dmz extended permit icmp any any
    access-list outside extended permit icmp any any
    access-list outside extended permit icmp any any echo-reply
    icmp permit any outside
    icmp permit any dmz
    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

3.  route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
    route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
    route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1

If possible, could anyone please tell me what is wrong with the configuration, and what I need to add to achieve the desired result above?

Thank You,

Kind Regards

Rohit Mangotra.

19 Replies

Jouni Forss
VIP Alumni

Hi,

The ASA should, by default and without any configuration, accept ICMP on its interfaces, to my understanding.

Check the output of "show arp" and see if you can see the IP address (and the MAC address) of the host/router you are trying to ping.

- Jouni

Hi Jouni,

I cannot see any entry in the ARP table on the firewall. From the ASA I can only ping the outside interface, and only that entry is in the firewall's table. Any ideas what I am doing wrong?

Thank You,

Kind Regards

Rohit Mangotra.

Hi,

If you are saying that after you ping the internal gateway/next-hop IP address there is no ARP entry for it in the "show arp" output on the ASA, then it would seem you have a problem with the connection between the ASA and the next-hop device/router.

Even if nothing else worked, you should see the next-hop IP address/MAC address in the ARP table of the ASA.

- Jouni

Hi Jouni,

Thanks a lot for all your help! I am a bit confused about the static NAT for ASA 8.6. I would really appreciate it if you could please show how I can convert it for the new ASA 5525-X, version 8.6.

static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

Thank You,

Kind Regards

Rohit Mangotra.

Hi,

Were you able to solve the original problems that you posted about? It seemed there were some problems with the ASA's connectivity to the rest of the network.

The 4 "static" configurations you have above are pretty basic, but 2 of them are Static Identity NAT configurations that you probably won't need in the new software.

The 2 configurations below probably won't need any corresponding configuration in the new ASA/software, since the traffic should go through without NAT configurations.

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

The Static NAT configurations below you can easily convert using Auto NAT / Network Object NAT. Use "object" names that describe the setup better; I will use generic "object" names.

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

object network STATIC-1
 host 192.168.1.56
 nat (dmz,outside) static 200.190.70.87

object network STATIC-2
 host 192.168.1.85
 nat (dmz,outside) static 200.190.70.85

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

Thanks a lot for all your help. Yes, the previous connection issue was resolved. Currently we have an issue accessing the DMZ server via web (HTTP port 80) from the inside network; however, I am able to ping the DMZ server successfully.

If possible, could you please have a look at my firewall code (NAT), which I changed according to your recommendation? Once again, I am really thankful for all your help.

Hi Jouni,

One more question, if it's ok.

How can we test that the outside network can access the DMZ server, in order to verify that NAT actually works?

Thank you,

Kind Regards

Rohit Mangotra.

Hi,

On a quick glance, it would seem to me that the converted configurations are correct.

It's harder to say without really looking into the original configurations, compared to, for example, situations where I know the environment beforehand.

I guess your best bet to find possible problems with the ASA configurations is to use the "packet-tracer" command.

This would tell you if some traffic is getting blocked by an ACL or if the traffic is failing because of NAT.

For a connection coming from behind "outside" you can use this format of the command:

packet-tracer input outside tcp 12345

To test anything else you naturally just switch the "input" interface to the one where the traffic is sourced from. You will naturally also have to check whether you need to use "tcp" or "udp", and also select a source/destination IP/port.

Taking the output of the following commands should help you troubleshoot possible problems.

You could take "packet-tracer" command output for both of the above-mentioned cases: for example, testing connectivity from "outside" to the "dmz" server, and the previous problem with testing the connection from "inside" to the "dmz" server.

- Jouni

Hi Jouni,

If possible, could you please confirm that the following configuration does not need to be added to the new ASA 8.6? Sorry for asking too much.

static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255
static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255
static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255
static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255
static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240

--------------------------------------------------------------------------------------

nat (management) 0 0.0.0.0 0.0.0.0

Any suggestion with this one?

Thank You,

Kind Regards

Rohit.


Hi,

Well, your original NAT configuration is not quite how I would configure the NAT to begin with, so it might be that you would need some of the above configurations.

Mainly because you were doing Dynamic PAT from "inside" to "dmz"?

If this is true and you removed the above "static" commands that refer to "(inside,dmz)", then you wouldn't be able to connect from "dmz" to those "inside" IP addresses (of those static commands). This is the main reason why I never configure Dynamic PAT between local interfaces. It causes complexity for the NAT configurations when you have to add extra NAT configurations to override the possible problems caused by the Dynamic PAT.

For the "management" interface you probably need any new NAT configuration.

To be honest, it's a bit hard to say exactly which configurations are needed and which are not, but I think the Dynamic PAT from "inside" to "dmz" means that you would need some of the Static Identity NAT configurations mentioned above in the new software as well; otherwise the ASA would drop the connection attempts.

- Jouni

Hi Jouni,

Thanks for the reply. If we change the current static NAT (version 7.1) to the new NAT (version 8.6), will it work? Is there any potential problem in this new configuration? Could you please check the code for the VPN at the end.

------ static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255
object network obj-192.168.1.73-dmz-inside
 host 192.168.1.73
 nat (dmz,inside) static 192.168.1.73

----- static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255
object network obj-192.168.1.84-dmz-inside
 host 192.168.1.84
 nat (dmz,inside) static 192.168.1.84

---- static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
object network obj-192.168.1.85-dmz-inside
 host 192.168.1.85
 nat (dmz,inside) static 192.168.1.85

---- static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
object network obj-192.168.1.86-dmz-inside
 host 192.168.1.86
 nat (dmz,inside) static 192.168.1.86

---- static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255
object network obj-192.168.1.89-dmz-inside
 host 192.168.1.89
 nat (dmz,inside) static 192.168.1.89

---- static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255
object network obj-192.168.1.91-dmz-inside
 host 192.168.1.91
 nat (dmz,inside) static 192.168.1.91

--- static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255
object network obj-192.168.1.140-dmz-inside
 host 192.168.1.140
 nat (dmz,inside) static 192.168.1.140

--- static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-dmz
 subnet 172.16.0.0 255.255.0.0
 nat (inside,dmz) static 172.16.0.0

--- static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255
object network obj-172.16.5.131-inside-dmz
 host 172.16.5.131
 nat (inside,dmz) static 172.16.5.131

--- static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
object network obj-192.168.1.0-dmz-vpn-pri
 subnet 192.168.1.0 255.255.255.0
 nat (dmz,vpn_private) static 192.168.1.0

--- static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
object network obj-192.168.1.0-dmz-vpn-pub
 subnet 192.168.1.0 255.255.255.0
 nat (dmz,vpn_public) static 192.168.1.0

--- static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
object network obj-172.31.0.0-vpn-pri-inside
 subnet 172.31.0.0 255.255.255.0
 nat (vpn_private,inside) static 172.31.0.0

--- static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-vpn-pri
 subnet 172.16.0.0 255.255.0.0
 nat (inside,vpn_private) static 172.16.0.0

--- static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
object network obj-200.161.67.176-vpn-pub-outside
 subnet 200.161.67.176 255.255.255.240
 nat (vpn_public,outside) static 200.161.67.176

--- static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-vpn-pub
 subnet 172.16.0.0 255.255.0.0
 nat (inside,vpn_public) static 172.16.0.0

--- static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
object network obj-200.161.67.176-vpn-pub-inside
 subnet 200.161.67.176 255.255.255.240
 nat (vpn_public,inside) static 200.161.67.176

Notes:
    VPN private subnet = 172.31.0.0/24
    VPN public subnet  = 200.161.67.176/28
    inside subnet      = 172.16.0.0/16
    dmz subnet         = 192.168.1.0/24

Thanks a lot for all your help

Kind Regards

Rohit.

Hi,

I think you might be fine with any of those Static Identity NAT configurations if you wouldn't use this Dynamic PAT configuration between the "inside" and "dmz" interfaces:

nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global

Is there a particular reason that you want all traffic from "inside" to the "dmz" to be visible with an IP address belonging to "dmz"?

In general when I migrate 8.2 (or lower) firewall configurations to a newer platform and software I only have to migrate the Dynamic PAT, Static NAT, NAT0 and possible Policy NAT configurations while leaving all Static Identity NAT configurations off the new configurations.

As I have said before in this discussion, I think if you were to remove the Dynamic PAT from "inside" to "dmz", then you should be safe to remove all the Static Identity NAT configurations from the new configuration.

Even if you left the Dynamic PAT between "inside" and "dmz", I think you could still leave out the Static Identity NAT configurations regarding other interfaces (Static Identity NAT configurations that have interfaces OTHER THAN the "inside" and "dmz" interfaces mentioned).

- Jouni
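The migration recipe Jouni gives in this thread (legacy "static" lines with a real mapped address become Network Object NAT; Static Identity NAT lines, where mapped equals real, are left off the 8.3+ configuration) as an added Python script. This is not code from the thread or from Cisco; the legacy lines it parses are constructed from the ones quoted above, and the "obj-<real>-<real_if>-<mapped_if>" object naming is an assumed convention.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed sample input: legacy (pre-8.3) static lines as quoted in the thread.
LEGACY_STATICS = """
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
"""

# Legacy syntax: static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str

    @property
    def identity(self) -> bool:
        # Static Identity NAT: the address is not translated at all.
        return self.mapped == self.real


def parse_statics(text: str) -> list[Static]:
    statics = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised static line: {line}")
        statics.append(Static(**m.groupdict()))
    return statics


def to_object_nat(s: Static) -> list[str]:
    # IPv4Network also rejects a real address that does not fit its netmask.
    net = IPv4Network(f"{s.real}/{s.mask}")
    name = f"obj-{s.real}-{s.real_if}-{s.mapped_if}"  # assumed naming convention
    member = f" host {s.real}" if net.prefixlen == 32 else f" subnet {net.network_address} {net.netmask}"
    return [f"object network {name}", member, f" nat ({s.real_if},{s.mapped_if}) static {s.mapped}"]


def convert(text: str) -> tuple[list[str], list[Static]]:
    """Return (object NAT config lines, identity statics dropped per the thread's advice)."""
    config, dropped = [], []
    for s in parse_statics(text):
        (dropped.append(s) if s.identity else config.extend(to_object_nat(s)))
    return config, dropped
```

Identity statics are returned separately rather than silently discarded, so the ones touching an interface pair that still has Dynamic PAT configured (Jouni's caveat above) can be reviewed before being left out.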

Thanks a lot, Jouni. Really appreciate your help. The code is working fine now.

Hi,

Glad to hear it's working.

Did you end up using all the converted configurations or did you leave out any of the old configurations?

- Jouni
