Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Problem in ASA 5515 no traffic (information) passing through

Hello Guys i need a little help

I have configured several ASA 5505 some years ago, now it has fall into my lap an ASA 5515 with the the version 9.1

 Bellow you can find my current setup, can any one check if there is something wrong with it. From the firewall i am able to ping to machines in the outside and inside interfaces. But i am unable to ping from the machine in the inside to the outside and vice-versa. In the rules page i am able to see the hits count when i am pinging and in the output
I can see the icmp connection being started and soon after i see the connection teardown message. And no pings are passing throw. I tried any any rule but still no success, maybe is the NAT or this asa unit is faulty. Any help is appreciated.

 

I really dont know what is wrong in my configuration

 

:
ASA Version 9.1(2)
!
hostname XPTOFW
domain-name XPTO.local
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.7.0.5 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.195.151.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name XPTO.local
same-security-traffic permit intra-interface
object network D4K
 host 190.50.100.76
object network DOC01
 host 10.6.2.29
 description D4K SERVER
object network DOC01_NAT
 host 10.195.151.15
object-group service SQLPorts tcp-udp
 port-object eq 1433
 port-object eq 1434
object-group icmp-type PingGroup
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01_NAT object-group SQLPorts
access-list inside_access_in extended permit icmp object DOC01 object D4K object-group PingGroup
access-list inside_access_in extended permit object-group TCPUDP object DOC01 object D4K object-group SQLPorts
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network DOC01
 nat (inside,outside) static DOC01_NAT
access-group inside_access_in in interface inside
access-group outside_access in interface outside
route inside 10.6.0.0 255.255.0.0 10.7.0.3 1
route outside 190.50.0.0 255.255.0.0 10.195.151.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 20
  subscribe-to-alert-group configuration periodic monthly 20
  subscribe-to-alert-group telemetry periodic daily
: end
no asdm history enable

_______________________________________

Thanks and Regards

2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

First, try adding "inspect

First, try adding "inspect icmp" to the class inspection_default in the global_policy. That should allow ICMP through. Your NAT config looks OK to me.

New Member

If everything works as you

If everything works as you want with no acls then that means your nat and routing is spot on.  The only thing left is your ACLs.  I want to just make sure I'm not assuming anything and verify that when you are running your tests from the Inside network you are only using a client with the ip 10.6.2.29.  Next I'd setup your logging to debug.

logging monitor debugging

terminal monitor

logging buffer debugging

Also, when you create your access-list end them with the log command so they will create an entry on match.  Make sure you see the hits when you are generating traffic.  As for the ACLs, I think this one is incorrect

access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01_NAT object-group SQLPorts

ACLs map to the real IP not the mapped IP so it should be

access-list outside_access extended permit icmp object D4K object DOC01 object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01 object-group SQLPorts

16 REPLIES
New Member

First, try adding "inspect

First, try adding "inspect icmp" to the class inspection_default in the global_policy. That should allow ICMP through. Your NAT config looks OK to me.

New Member

Yes with that ping might go

Yes with that ping might go through, but what about the rest of the ports in this case the SQL ports group that i have, i just add the ping rule i could see if it was communicating, when the firewall goes to production all the ping rules will be disable

There must me something else wrong. Or i should add in the inspection_defaul all the ports/protocols i will use

 

Thanks

 

Best Regards

New Member

You won't have to add all

You won't have to add all ports and protocols to inspection_default, only ICMP.  TCP and UDP should go through anyway, as long as the interfaces and NAT are set up correctly. ICMP behaves a little differently through the ASA which is why you need the ASA to inspect it, to know that it needs to let the return traffic through. SQL should not be a problem.

So please clarify, have you tested and traffic is not flowing? For example, can you telnet through the ASA to something else (router or switch) on the outside, or HTTP through to a web server on the outside? I'm not seeing anything in your config that looks wrong -- NAT, routes, access lists, etc.

New Member

That is the main issue no

That is the main issue no information is passing through. I tried web server in the outside but no luck same as sql and http or rdp.

I had this same configuration working in the same place but in an old asa 5510. The only thing that changes i think is the nat, that is wahy i thought that the problem could be in the nat,  but from what i have see and read in foruns the nat looks ok. Nothing changed no ip addresses no new routes, just a new firewall.

 

regards

New Member

I would suggest opening your

I would suggest opening your inside-in ACL for testing purposes and see if traffic succeeds. Most of my customers don't configure inbound ACLs on the inside (although some do) but right now you're only allowing ICMP and SQL, so of course HTTP and telnet are going to be blocked. Also check "show xlate" to see what NATs are in the table.   

New Member

When o made the test i made

When o made the test i made it with the correct rules in the inside and not using the current rules.

Even if all the rules are in place, in the syslog messages from the ASDM i am only see the teardown of the icmp packages.

But i will try what you said.

 

Thanks

New Member

Is your destination in the

Is your destination in the subnet for which you have the static route pointing outside? I noticed you don't have a default route, only specific routes. 

Definitely check "show xlate" for translations. Also verify "inspect icmp" is in the class inspection_default. Maybe try NATing to the interface instead of the NAT address. That shouldn't make a difference as long as the DOC01_NAT address is reachable, but I'm running out of ideas.

You say ASDM logs are showing ICMP is being torn down, meaning it's not even being allowed through? Maybe check the inside-in ACL to see if you're getting hits on that (show access-list....). If I think of anything else I'll let you know.

New Member

One thing I see is the object

One thing I see is the object-group TCPUDP that you use in the access-lists is not defined above.  When I look at my existing asa deployments I have an object-group protocol TCPUDP that shows up in the config.  Maybe in the 9.0 it is a default config that doesn't show up in the running config but worth looking into.  Also, for simple troubleshooting like this I'd run the packet-tracer on the command line.

packet-tracer input inside icmp host 10.6.2.29 8 0 190.50.100.76 detailed

New Member

jmattbullen With that packet

 
With that packet tracer command this is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a639130, priority=1, domain=permit, deny=false
    hits=53, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   190.50.0.0      255.255.0.0     outside

Phase: 3
Type: ACCESS-LIST

Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp object PGDOC01 object D4K_BUSINESS object-group PingGroup
object-group icmp-type PingGroup
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29d6eb60, priority=13, domain=permit, deny=false
    hits=2, user_data=0x7fff23768380, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=10.6.2.29, mask=255.255.255.255, icmp-type=8, tag=0
    dst ip/id=190.50.100.76, mask=255.255.255.255, icmp-code=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PGDOC01
 nat (inside,outside) static PGDOC01_NAT

Additional Information:
Static translate 10.6.2.29/0 to 10.195.151.15/0
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a65ebc0, priority=6, domain=nat, deny=false
    hits=2, user_data=0x7fff2a38f1a0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.6.2.29, mask=255.255.255.255, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b81660, priority=0, domain=nat-per-session, deny=true
    hits=18, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS

Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a60ada0, priority=0, domain=inspect-ip-options, deny=true
    hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a303de0, priority=70, domain=inspect-icmp, deny=false
    hits=3, user_data=0x7fff2a6a8a70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a60abc0, priority=66, domain=inspect-icmp-error, deny=false
    hits=3, user_data=0x7fff2a63c130, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:

Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff29b81660, priority=0, domain=nat-per-session, deny=true
    hits=20, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2a616420, priority=0, domain=inspect-ip-options, deny=true
    hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:

Result: ALLOW
Config:
Additional Information:
New flow created with id 432, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside

input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 
I am back to basic now, i erased all the rules, just leave the object group, nat and routes in place, rules are any any and every thing is ok, but when i put any rule for ping or ip or whatever doesn´t work.
 
There must be something that i am missing...
 
Best Regards
 
 
New Member

If everything works as you

If everything works as you want with no acls then that means your nat and routing is spot on.  The only thing left is your ACLs.  I want to just make sure I'm not assuming anything and verify that when you are running your tests from the Inside network you are only using a client with the ip 10.6.2.29.  Next I'd setup your logging to debug.

logging monitor debugging

terminal monitor

logging buffer debugging

Also, when you create your access-list end them with the log command so they will create an entry on match.  Make sure you see the hits when you are generating traffic.  As for the ACLs, I think this one is incorrect

access-list outside_access extended permit icmp object D4K object DOC01_NAT object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01_NAT object-group SQLPorts

ACLs map to the real IP not the mapped IP so it should be

access-list outside_access extended permit icmp object D4K object DOC01 object-group PingGroup
access-list outside_access extended permit object-group TCPUDP object D4K object DOC01 object-group SQLPorts

New Member

Hey guys sorry for the late

Hey guys sorry for the late response. jmattbullen  the problem was that i was using the nat ip instead of the real ip my bad.

And also i had to clear the ARP table from the swtiches connected to the outside and inside interfaces because they still had the mac address from the old firewall. One of my initial mistakes was that i just copy paste the config from the old firewall to the new one and the IOS version was older then 8.3.

when i contacted this cisco center in my region they said migrating to a new next generation firewall should be easy and with zero down time, this is not really true. In this case my costumer believes in this mambo jambo zero down time sh....t and was always demanding for a quick and fast response.

Lesson learned: Always prepare a firewall migration days before the job is done,

Thanks for the help guys.

 

Best Regards

New Member

I am having a similar issue

I am having a similar issue with asa5515. I can get to my cameras from outside with the old firewall(ASA5510)but i migrated the config to a ASA5515 IOS 9.2 and i cannot get to the cameras anymore. I had the Service provider(NTS) clear the mac address associations on their end,called cisco TAC to check the config and they it was perfect.Still i cannot access my camera from outside. Please any help will be appreciated. I ended up plugging the old firewall back in(ASA5510). Please help. I uploaded my config

New Member

Did you ever get this to work

Did you ever get this to work? I am having the same issue...

New Member

Yes mfernan91It did work

Yes mfernan91

It did work

 

Regards

New Member

If you don't mind can you

If you don't mind can you send me you config? I have been struggling with an ASA for the last two weeks. I cant get a ping reply from my NAT public IP from outside..Mask your PUBLIC IP's if you have to..

New Member

Above you can find a sample

Above you can find a sample of my current config, the only difference is that the real one has 100 times more rules, and of course the NAT was changed according to jmattbullen example

1705
Views
10
Helpful
16
Replies
CreatePlease to create content