unable to configure static nat

Allan Choo
Level 1

Hi, I am totally new to ASA. Can someone help me out with static NAT translation? What I am trying to do here is translate an inside address to an outside address to allow our video conference equipment to be accessed from the outside. I thought I had all the settings correct, but I keep hitting the "Implicit deny rule" when tracing from packet-tracer. I have even tried to add allow any any and it would still be denied.

The red highlight is what I have entered. After what I have entered, I am still unable to ping the global address (external address) from the internet. Am I missing something in the global statement?

Here is my config, along with the packet-tracer trace:

bvvpn# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname bvvpn
domain-name printronix.com
enable password Q1.OQcJ/6fqsxv3R encrypted
names
dns-guard
!
interface Ethernet0/0
description DMZ
nameif DMZ
security-level 50
ip address 10.254.88.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.254.32.250 255.255.224.0
ospf cost 10
!
interface Ethernet0/2
description 50mbit fiber optic line
nameif Outside10
security-level 0
ip address 87.213.234.130 255.255.255.248
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd GtIZCFM9KgO1EscB encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Inside
dns domain-lookup Outside10
dns server-group DefaultDNS
name-server 10.254.41.28
name-server 194.151.228.18
name-server 194.151.228.34
domain-name printronix.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MAILDMZ
description Ports for OWA DMZ
//omited//
object-group network DowloadSiteFTP
//omited//
object-group network BVMonitoring
//omited//

object-group service video_conference tcp-udp
description tcp-udp ports for Lifesize video conference
port-object eq 1720
port-object range 60000 64999
port-object range 3230 3235
port-object eq www
object-group service video_conference_tcp tcp
description tcp ports used for Lifesize video conference
port-object range 60000 64999
port-object eq h323
port-object eq 1503
port-object eq 1731
port-object range 3230 3235
port-object range 1718 1719
port-object eq 1002
port-object range sip 5061
port-object eq www
object-group network video_conference_endpoints
network-object host 87.213.234.132
object-group service video_conference_udp udp
description udp ports used for Lifesize video conference
port-object eq sip
port-object range 3230 3235
port-object range 1718 1719
port-object range 60000 64999
port-object eq www


access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list Inside_nat0_outbound extended permit ip host 172.31.255.33 host 172.31.255.1
access-list Inside_nat0_outbound remark Midl_3PL
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.60.0 255.255.255.0
access-list Inside_pnat_outbound_V1 extended permit ip 10.0.0.0 255.0.0.0 any
access-list BV standard permit 10.0.0.0 255.0.0.0
access-list Outside10_access_in extended permit icmp any any echo-reply
access-list Outside10_access_in extended permit icmp any any echo
access-list Outside10_access_in extended permit icmp any any unreachable
access-list Outside10_access_in extended permit icmp any any time-exceeded
access-list Outside10_access_in extended permit tcp any interface Outside10 eq https
access-list Outside10_access_in extended permit tcp any interface Outside10 eq www
access-list Outside10_access_in extended permit ip 10.254.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Outside10_access_in extended permit ip 10.254.96.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Outside10_access_in extended permit tcp any object-group video_conference_tcp object-group video_conference_endpoints object-group video_conference_tcp
access-list Outside10_access_in extended permit udp any object-group video_conference_udp object-group video_conference_endpoints object-group video_conference_udp
access-list Outside10_access_in extended permit icmp any object-group video_conference_endpoints
access-list Inside_access_out extended permit icmp any any echo
access-list Inside_access_out extended permit icmp any any
access-list Inside_access_out extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list DMZ_nat_outbound extended permit ip 10.254.88.0 255.255.255.0 interface Inside
access-list DMZ_access_in remark To BVSQL
access-list DMZ_access_in extended permit tcp host 10.254.88.10 host 10.254.41.32 eq 1433
access-list DMZ_access_in extended permit icmp host 10.254.88.10 object-group MAILDMZ echo-reply
access-list DMZ_access_in remark DFS?
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group DowloadSiteFTP eq 4958
access-list DMZ_access_in remark SQL 2005 Express 2
access-list DMZ_access_in extended permit udp host 10.254.88.10 host 10.1.3.13 eq 1434
access-list DMZ_access_in remark Allow for DFSR Traffic
access-list DMZ_access_in extended permit tcp host 10.254.88.10 gt 1024 object-group DowloadSiteFTP gt 1024
access-list DMZ_access_in remark LDAP Traffic
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group DowloadSiteFTP eq ldap
access-list DMZ_access_in extended permit icmp host 10.254.88.10 object-group DowloadSiteFTP echo
access-list DMZ_access_in remark DFS Traffic
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group DowloadSiteFTP eq 135
access-list DMZ_access_in extended permit udp host 10.254.88.10 eq ntp host 10.254.41.30 eq ntp
access-list DMZ_access_in remark Alle echo ICMP
access-list DMZ_access_in extended permit icmp host 10.254.88.10 object-group MAILDMZ echo
access-list DMZ_access_in remark Allow ping from BVMIS to monitor
access-list DMZ_access_in extended permit icmp host 10.254.88.10 object-group BVMonitoring echo-reply
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq https
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq 691
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq ldap
access-list DMZ_access_in extended permit udp host 10.254.88.10 object-group MAILDMZ eq 389
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq 3268
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq 88
access-list DMZ_access_in extended permit udp host 10.254.88.10 object-group MAILDMZ eq 88
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq domain
access-list DMZ_access_in extended permit udp host 10.254.88.10 object-group MAILDMZ eq domain
access-list DMZ_access_in extended permit ip host 10.254.88.10 interface Outside10
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq 135
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ range 1024 1050
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq netbios-ssn
access-list DMZ_access_in extended permit udp host 10.254.88.10 object-group MAILDMZ eq netbios-ns
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq 445
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq www
access-list DMZ_access_in remark AutomaticUpdates
access-list DMZ_access_in extended permit tcp host 10.254.88.10 host 10.254.41.3 eq www
access-list DMZ_access_in remark SQL
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group DowloadSiteFTP eq 1433
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq smtp
access-list DMZ_access_in extended permit ip 10.0.0.0 255.0.0.0 host 10.254.88.10 inactive
access-list DMZ_access_in extended permit tcp host 10.254.88.10 eq telnet object-group MAILDMZ
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group DowloadSiteFTP eq ftp
access-list DMZ_access_in extended permit tcp host 10.254.88.10 object-group MAILDMZ eq nntp
access-list DMZ_access_in extended permit tcp host 10.254.88.10 eq smtp object-group MAILDMZ
access-list DMZ_nat_outbound_1 extended permit ip host 10.254.88.10 interface Outside10
access-list DMZ_access_out extended permit udp host 10.254.41.30 eq netbios-ns host 10.254.88.10 eq netbios-ns
access-list DMZ_access_out extended permit tcp object-group MAILDMZ eq ldap host 10.254.88.10
access-list DMZ_access_out extended permit icmp object-group MAILDMZ host 10.254.88.10 echo
access-list DMZ_access_out remark Allow for DFSR Traffic
access-list DMZ_access_out extended permit tcp object-group DowloadSiteFTP gt 1024 host 10.254.88.10 eq 4900
access-list DMZ_access_out extended permit tcp object-group DowloadSiteFTP eq 4584 host 10.254.88.10 gt 1024
access-list DMZ_access_out extended permit tcp object-group DowloadSiteFTP host 10.254.88.10 eq 135
access-list DMZ_access_out remark Allow retieving of event logs from BVMIS
access-list DMZ_access_out extended permit tcp object-group BVMonitoring host 10.254.88.10
access-list DMZ_access_out remark Allow Echo reply
access-list DMZ_access_out extended permit icmp object-group MAILDMZ host 10.254.88.10 echo-reply
access-list DMZ_access_out remark Allow ping from BVMIS to monitor
access-list DMZ_access_out extended permit icmp object-group BVMonitoring host 10.254.88.10 echo
access-list DMZ_access_out remark DFS for downloadsystem
access-list DMZ_access_out extended permit udp object-group DowloadSiteFTP eq netbios-ns host 10.254.88.10 eq netbios-ns
access-list DMZ_access_out remark DFS for downloadsystem
access-list DMZ_access_out extended permit tcp object-group DowloadSiteFTP host 10.254.88.10 eq netbios-ssn
access-list DMZ_access_out remark DFS for downloadsystem
access-list DMZ_access_out extended permit tcp object-group DowloadSiteFTP host 10.254.88.10 eq 445
access-list DMZ_access_out extended permit tcp object-group MAILDMZ host 10.254.88.10 eq smtp
access-list DMZ_access_out extended permit tcp any host 10.254.88.10 eq www
access-list DMZ_access_out extended permit tcp any host 10.254.88.10 eq https
access-list DMZ_access_out remark Allow all trafic
access-list DMZ_access_out extended permit ip host 10.254.33.1 host 10.254.88.10
access-list DMZ_nat0_outbound extended permit ip 10.254.88.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_mpc remark Outgoing HTTP Traffic
access-list DMZ_mpc extended permit tcp host 10.254.88.10 eq www any
access-list HOLVPN extended deny ip 10.254.32.0 255.255.224.0 10.254.96.0 255.255.255.0
access-list HOLVPN extended deny ip 10.254.96.0 255.255.255.0 10.254.32.0 255.255.224.0
access-list HOLVPN extended deny ip 10.254.64.0 255.255.224.0 10.254.96.0 255.255.255.0
access-list HOLVPN extended deny ip 10.254.96.0 255.255.255.0 10.254.64.0 255.255.224.0
access-list HOLVPN extended deny ip 10.254.97.0 255.255.255.0 10.254.96.0 255.255.255.0
access-list HOLVPN extended deny ip 10.254.96.0 255.255.255.0 10.254.97.0 255.255.255.0
access-list HOLVPN extended permit ip 10.254.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list HOLVPN extended permit gre host 172.31.255.33 host 172.31.255.1
access-list Default webtype permit tcp host 10.252.41.1 log default
pager lines 40
//omited//
mtu DMZ 1500
mtu Inside 1500
mtu Outside10 1500
mtu management 1500
ip local pool Roaming 10.254.96.2-10.254.96.254 mask 255.255.255.0
ip verify reverse-path interface DMZ
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400

nat-control

global (Inside) 1 interface
global (Outside10) 5 interface
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 5 access-list DMZ_nat_outbound_1
nat (DMZ) 1 access-list DMZ_nat_outbound outside
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 5 access-list Inside_pnat_outbound_V1
nat (Inside) 1 0.0.0.0 0.0.0.0

static (DMZ,Outside10) tcp interface https 10.254.88.10 https netmask 255.255.255.255
static (DMZ,Outside10) tcp interface www 10.254.88.10 www netmask 255.255.255.255
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255

access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Inside_access_out out interface Inside
access-group Outside10_access_in in interface Outside10

route Inside 10.224.0.0 255.224.0.0 10.254.32.254 1
route Inside 10.254.0.0 255.255.0.0 10.254.32.254 1
route Inside 172.31.255.33 255.255.255.255 10.254.32.254 1
route Inside 10.0.0.0 255.0.0.0 10.254.32.254 1
route Outside10 0.0.0.0 0.0.0.0 87.213.234.129 1
route Outside10 10.249.0.0 255.255.0.0 87.213.234.129 1
route Outside10 10.250.0.0 255.255.0.0 87.213.234.129 1
route Outside10 10.252.0.0 255.255.0.0 87.213.234.129 1
route Outside10 10.251.0.0 255.255.0.0 87.213.234.129 1
route Outside10 10.254.96.0 255.255.255.0 87.213.234.129 1
route Outside10 172.31.255.1 255.255.255.255 87.213.234.129 1
////omited////
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
class-map OutgoingHTTP
match access-list DMZ_mpc
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map DMZ-policy
class OutgoingHTTP
  police input 6000000 100000
!
service-policy global_policy global
service-policy DMZ-policy interface DMZ
ntp server 10.254.41.30

ssl trust-point BV Outside10

smtp-server 10.254.41.24
prompt hostname context
Cryptochecksum:adc66f358665cdffc56d24e15b03444c
: end
bvvpn#
bvvpn#

from Packet-tracer:

bvvpn# pac i o tcp 4.2.2.2 80 87.213.234.132 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255
nat-control
  match ip Inside host 10.254.97.240 Outside10 any
    static translation to 87.213.234.132
    translate_hits = 0, untranslate_hits = 12178
Additional Information:
NAT divert to egress interface Inside
Untranslate 87.213.234.132/0 to 10.254.97.240/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside10_access_in in interface Outside10
access-list Outside10_access_in extended permit tcp any object-group video_conference_tcp object-group video_conference_endpoints object-group video_conference_tcp
object-group service video_conference_tcp tcp
description: tcp ports used for Lifesize video conference
port-object range 60000 64999
port-object eq h323
port-object eq 1503
port-object eq 1731
port-object range 3230 3235
port-object range 1718 1719
port-object eq 1002
port-object range sip 5061
port-object eq www
object-group network video_conference_endpoints
network-object host 87.213.234.132
object-group service video_conference_tcp tcp
description: tcp ports used for Lifesize video conference
port-object range 60000 64999
port-object eq h323
port-object eq 1503
port-object eq 1731
port-object range 3230 3235
port-object range 1718 1719
port-object eq 1002
port-object range sip 5061
port-object eq www
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x926ff58, priority=12, domain=permit, deny=false
        hits=14, user_data=0x926ff18, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=80
        dst ip=87.213.234.132, mask=255.255.255.255, port=80

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3bfcea8, priority=0, domain=permit-ip-option, deny=true
        hits=43497450, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3d9b050, priority=11, domain=permit, deny=true
        hits=265, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: Outside10
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

bvvpn#
bvvpn#

13 Replies

Jouni Forss
VIP Alumni

Hi,

This ACL is blocking the traffic

access-list Inside_access_out extended permit icmp any any echo
access-list Inside_access_out extended permit icmp any any
access-list Inside_access_out extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group Inside_access_out out interface Inside

As you can see it has no rule that would allow the traffic. The traffic in the "packet-tracer" first hits the WAN interface ACL and then hits this ACL and gets blocked.

You either have to remove the ACL from the interface or add rules to this ACL to allow the traffic you are attempting.

Personally I don't use ACLs that are attached in the direction "out" at all.

- Jouni

Hi Jouni,

I have tried adding:

access-list Inside_access_out extended permit ip host 10.254.97.240 host 87.213.234.132

but it is still getting blocked when tracing from packet-tracer.

Any other suggestions?

Hi,

That ACL statement doesn't match what you are attempting with the "packet-tracer".

The ACL that I mentioned above will prevent connections coming from any public IP address to reach any internal resource because you have only allowed ICMP and some traffic between private networks.

I am not sure what the purpose of this ACL is altogether.

You would basically need to add the same ACL rules to this ACL that you added on the external interface ACL or you would have to remove the ACL from the "inside" interface.

Or you could simply add

access-list Inside_access_out extended permit ip any host 10.254.97.240

- Jouni

So because I am using an ACL, I would need a matching one for the inside interface? OK, it seems I am a bit further along now.

By adding what you suggested, packet-tracer now completes successfully. But how come I am still not able to ping that external address from the internet? Wouldn't the permit icmp any any and the permit icmp any any echo allow me to ping that address if I have it statically NATed?

Hi,

You seem to already have an ICMP rule that allows ICMP Echo from any source address to any destination address in the above configuration, in both of the ACLs in question.

You could perhaps add this

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error

You could also try the ICMP with the "packet-tracer":

packet-tracer input Outside10 icmp 1.1.1.1 8 0 87.213.234.132

The ICMP not going through can also be because of the server itself. It might be blocking ICMP Echo and not replying to them at all.

- Jouni

Hi Jouni,

Running packet-tracer shows that it is allowing ICMP. I am able to ping the equipment from the inside address and connect to it via HTTP from the inside, but when trying the external address I am not getting a response. If I try a ping from the internet router box to 87.213.234.132, my reply is from 10.254.97.240, which doesn't seem right. Shouldn't the reply be from 87.213.234.132?

superuser@lan
-> ping 87.213.234.132
ping: reply from 10.254.97.240: bytes=56 (data), icmp_seq=1, time=1 ms
ping: reply from 10.254.97.240: bytes=56 (data), icmp_seq=2, time=1 ms
ping: reply from 10.254.97.240: bytes=56 (data), icmp_seq=3, time=1 ms
ping: reply from 10.254.97.240: bytes=56 (data), icmp_seq=4, time=1 ms
ping: reply from 10.254.97.240: bytes=56 (data), icmp_seq=5, time=1 ms
ping: packets sent 5, packets received 5, packets lost 0 (0% loss)
Minimum = 1 msecs Maximum = 1 msecs Average = 1 msecs

bvvpn# pac i o i 1.1.1.1 8 0 87.213.234.132 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255
nat-control
  match ip Inside host 10.254.97.240 Outside10 any
    static translation to 87.213.234.132
    translate_hits = 0, untranslate_hits = 14275
Additional Information:
NAT divert to egress interface Inside
Untranslate 87.213.234.132/0 to 10.254.97.240/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside10_access_in in interface Outside10
access-list Outside10_access_in extended permit icmp any any echo
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3d9d8b0, priority=12, domain=permit, deny=false
        hits=19940, user_data=0x3d9b2e8, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=2048

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3bfcea8, priority=0, domain=permit-ip-option, deny=true
        hits=43519042, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3d55e48, priority=70, domain=inspect-icmp, deny=false
        hits=39, user_data=0x9a16410, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x9266ab8, priority=70, domain=inspect-icmp-error, deny=false
        hits=33, user_data=0x45a6088, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_out out interface Inside
access-list Inside_access_out extended permit icmp any any echo
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3d9ac00, priority=12, domain=permit, deny=false
        hits=25757, user_data=0x3d9abc0, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=2048

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255
nat-control
  match ip Inside host 10.254.97.240 Outside10 any
    static translation to 87.213.234.132
    translate_hits = 0, untranslate_hits = 14283
Additional Information:
Forward Flow based lookup yields rule:
out id=0x9957be0, priority=5, domain=nat-reverse, deny=false
        hits=14113, user_data=0x91ccdf8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.254.97.240, mask=255.255.255.255, port=0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255
nat-control
  match ip Inside host 10.254.97.240 Outside10 any
    static translation to 87.213.234.132
    translate_hits = 0, untranslate_hits = 14283
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x91cce68, priority=5, domain=host, deny=false
        hits=14128, user_data=0x91ccdf8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.254.97.240, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3bc78b8, priority=0, domain=permit-ip-option, deny=true
        hits=8988672, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 47517186, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.254.32.254 using egress ifc Inside
adjacency Active
next-hop mac address 001d.a29c.747a hits 1309

Result:
input-interface: Outside10
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

bvvpn#

Hi,

I think you should probably configure a traffic capture on the ASA

access-list SERVER-CAP permit ip any host 10.254.97.240
access-list SERVER-CAP permit ip host 10.254.97.240 any
capture SERVER-CAP type raw-data access-list SERVER-CAP interface Inside buffer 1000000 circular-buffer

Then try ICMP from the Internet router once, then issue the following command and share the output:

show capture SERVER-CAP

- Jouni

Here is the result:

bvvpn(config)# sh cap SERVER-CAP

13 packets captured

   1: 22:32:38.052594 65.60.104.194 > 10.254.97.240: icmp: echo request
   2: 22:32:43.053219 65.60.104.194 > 10.254.97.240: icmp: echo request
   3: 22:32:48.053113 65.60.104.194 > 10.254.97.240: icmp: echo request
   4: 22:32:53.057110 65.60.104.194 > 10.254.97.240: icmp: echo request
   5: 22:32:58.077983 65.60.104.194 > 10.254.97.240: icmp: echo request
   6: 22:32:58.648724 87.213.234.129 > 10.254.97.240: icmp: echo request
   7: 22:32:59.648617 87.213.234.129 > 10.254.97.240: icmp: echo request
   8: 22:33:00.648617 87.213.234.129 > 10.254.97.240: icmp: echo request
   9: 22:33:01.648648 87.213.234.129 > 10.254.97.240: icmp: echo request
  10: 22:33:02.648663 87.213.234.129 > 10.254.97.240: icmp: echo request
  11: 22:33:03.058270 65.60.104.194 > 10.254.97.240: icmp: echo request
  12: 22:33:08.053418 65.60.104.194 > 10.254.97.240: icmp: echo request
  13: 22:33:13.052762 65.60.104.194 > 10.254.97.240: icmp: echo request

13 packets shown

Jouni, thank you for taking your time to help me out on this..

Hi,

Well, we can see that ICMP Echoes are coming from the WAN / Internet through the ASA towards the server. Somewhere along the way the ICMP Echo is either blocked or the ICMP Echo Replies are forwarded to the wrong place.

I would make sure that the LAN host in question has the correct default gateway configurations and that otherwise the routing back towards the ASA "Inside" interface is fine.

It might be that the traffic from the server is forwarded somewhere else BUT NOT the ASA "Inside" interface?

- Jouni
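Reading the SERVER-CAP output the way Jouni does, as an added example that is not part of the thread: it pairs echo requests reaching the server with echo replies leaving it, per external peer, so a one-way flow stands out. The capture lines are abridged from the thread; the peer 198.51.100.7 and its reply are constructed to show what an answering host looks like.

```python
"""Read ASA 'show capture' output and pair ICMP echo requests to a server with
the echo replies it sends back, per external peer.  Requests with no reply point
at the host or its return routing rather than the ASA policy."""
import re
from collections import defaultdict

# tcpdump-style lines the ASA prints, e.g.
#    1: 22:32:38.052594 65.60.104.194 > 10.254.97.240: icmp: echo request
LINE = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)"
)


def summarise_icmp(capture_text, server_ip):
    """Return {peer: {"requests": n, "replies": n}} for echo traffic to/from server_ip."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # '13 packets captured' / '13 packets shown' and similar
        src, dst, kind = m.group("src", "dst", "kind")
        if kind == "request" and dst == server_ip:
            stats[src]["requests"] += 1
        elif kind == "reply" and src == server_ip:
            stats[dst]["replies"] += 1
    return dict(stats)


def unanswered_peers(stats):
    """Peers whose echo requests reached the server but never got an echo reply."""
    return sorted(p for p, s in stats.items() if s["requests"] and not s["replies"])


# Abridged from the SERVER-CAP output in the thread: requests only, no replies.
THREAD_CAPTURE = """\
13 packets captured
   1: 22:32:38.052594 65.60.104.194 > 10.254.97.240: icmp: echo request
   2: 22:32:43.053219 65.60.104.194 > 10.254.97.240: icmp: echo request
   6: 22:32:58.648724 87.213.234.129 > 10.254.97.240: icmp: echo request
   7: 22:32:59.648617 87.213.234.129 > 10.254.97.240: icmp: echo request
  11: 22:33:03.058270 65.60.104.194 > 10.254.97.240: icmp: echo request
13 packets shown
"""
# Constructed (not from the thread): what a host that does answer looks like.
HEALTHY_CAPTURE = """\
   1: 22:40:00.000000 198.51.100.7 > 10.254.97.240: icmp: echo request
   2: 22:40:00.000412 10.254.97.240 > 198.51.100.7: icmp: echo reply
"""

if __name__ == "__main__":
    stats = summarise_icmp(THREAD_CAPTURE + HEALTHY_CAPTURE, "10.254.97.240")
    print(stats)
    print("no reply from server for:", unanswered_peers(stats))
```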

Thank you for all your help, I will look into the default gateway on the video equipment. I will let you know what I find out.

Regards,

Allan

turbo_engine26
Level 4

Hi Allan,

You should not use the "out" keyword in your ACL that is applied to the Inside interface. This ACL is equivalent to an ACL applied to the Outside interface in the inbound direction. So, by using this ACL, you are actually allowing traffic coming from Outside to Inside that leaves the Inside interface and goes toward an Inside host. Do not think that this ACL is used to allow outbound traffic from inside to outside. Because you are new to ASA as you said, you seem to have some issues with ACL directions. I will be glad to explain further at any time the difference between Traffic Directions and ACL Directions.

As Jouni said, you should either remove this Inside ACL and take advantage of the implicit ALLOW rule from inside to outside or keep it as it is and add "access-list Inside_access_out extended permit ip any host 10.254.97.240".


AM
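A small model of the phase ordering Jouni and turbo_engine26 describe, added here as an example (not code from the thread or from Cisco): un-NAT first, then the ingress ACL on the mapped address, then the ACL bound "out" on the egress interface on the real address. It replays the thread's first packet-tracer against the posted ACLs, then with Allan's ACE and with Jouni's, to show why only the latter permits the flow. Assumptions: first-match ACLs with an implicit deny, no object-groups (the Outside10 TCP rule is expanded to one host/port ACE), no ICMP types, and an interface without an ACL bound is treated as permit.

```python
"""Model of the pre-8.3 ASA phases that decided this thread's packet-tracer:
UN-NAT by 'static', the ACL bound 'in' on the ingress interface (checked on
the MAPPED address, as Phase 3 shows) and the ACL bound 'out' on the egress
interface (checked on the REAL address after un-NAT).  Assumptions: first-match
ACLs with an implicit deny; no object-groups or ICMP types; an interface with
no ACL bound is treated as permit (the real box then uses security levels)."""
import ipaddress
import re


def parse_addr(tokens):
    """Consume one ACL address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(lines):
    """Collect ACEs per ACL name, access-group bindings and one-to-one statics."""
    acls, groups, statics = {}, {}, []
    for line in lines:
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2] == "extended":
            src, rest = parse_addr(t[5:])      # t[3] = permit|deny, t[4] = protocol
            dst, rest = parse_addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, dport))
        elif t and t[0] == "access-group":     # access-group NAME in|out interface IFC
            groups[(t[4], t[2])] = t[1]
        elif t and t[0] == "static":           # static (real,mapped) MAPPED REAL netmask M
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line)
            if m:
                statics.append(m.groups())
    return acls, groups, statics


def acl_lookup(aces, proto, src, dst, dport):
    """First matching ACE wins; no match is the implicit deny at the end of the ACL."""
    for action, aproto, asrc, adst, adport in aces:
        if aproto in ("ip", proto) and src in asrc and dst in adst \
                and (adport is None or adport == dport):
            return action
    return "deny"


def trace(cfg, in_ifc, proto, src_ip, dst_ip, dport=None):
    """Return (action, reason) the way packet-tracer summarises the flow."""
    acls, groups, statics = cfg
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Phase UN-NAT: the static whose mapped side is the ingress interface selects
    # the egress interface and the real address (no static: no divert, drop here).
    real_dst, out_ifc = dst, None
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        if mapped_ifc == in_ifc and str(dst) == mapped_ip:
            real_dst, out_ifc = ipaddress.ip_address(real_ip), real_ifc
    if out_ifc is None:
        return "drop", "no static translation for destination"
    # Ingress ACL ('in'): evaluated on the mapped destination the packet carries.
    name = groups.get((in_ifc, "in"))
    if name and acl_lookup(acls[name], proto, src, dst, dport) != "permit":
        return "drop", f"implicit deny in {name} (in, {in_ifc})"
    # Egress ACL ('out'): evaluated on the REAL destination after un-NAT, with the
    # untouched Internet source; this is where the thread's first trace died.
    name = groups.get((out_ifc, "out"))
    if name and acl_lookup(acls[name], proto, src, real_dst, dport) != "permit":
        return "drop", f"implicit deny in {name} (out, {out_ifc})"
    return "allow", f"un-NAT {dst} -> {real_dst}, egress {out_ifc}"


# Constructed from the thread's configuration; the object-group TCP rule on
# Outside10 is written here as one host/port ACE (www = 80) for the model.
BASE_CONFIG = """\
access-list Outside10_access_in extended permit icmp any any echo
access-list Outside10_access_in extended permit tcp any host 87.213.234.132 eq 80
access-list Inside_access_out extended permit icmp any any echo
access-list Inside_access_out extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
static (Inside,Outside10) 87.213.234.132 10.254.97.240 netmask 255.255.255.255
access-group Outside10_access_in in interface Outside10
access-group Inside_access_out out interface Inside
""".splitlines()
ALLAN_ACE = "access-list Inside_access_out extended permit ip host 10.254.97.240 host 87.213.234.132"
JOUNI_ACE = "access-list Inside_access_out extended permit ip any host 10.254.97.240"


def web_from_internet(extra=()):
    """The thread's first packet-tracer: TCP 4.2.2.2:80 -> 87.213.234.132:80 on Outside10."""
    return trace(parse_config(BASE_CONFIG + list(extra)),
                 "Outside10", "tcp", "4.2.2.2", "87.213.234.132", 80)


if __name__ == "__main__":
    for extra in ((), (ALLAN_ACE,), (JOUNI_ACE,)):
        print(web_from_internet(extra))
```

Allan's ACE fails because the egress ACL sees the Internet source and the real destination, which his host-to-host rule never matches.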

Yes, there is a lot I still do not understand on the ASA, but I am learning slowly. I guess I can test this weekend by removing "out" from the inside interface and see what I break. I need to be very careful since this is in production.

With jouni's help I am now able to use packet-tracer to trace a packet from the outside to inside successfully. Now the issue I am looking into is why my host device is not sending the ping back, even though I can ping from the internal network perfectly fine, pinging from the external address is not working yet.

Can you try to apply a new ACL on the inside interface but this time in the inbound direction and add an icmp type echo reply?

For example,

access-list IN_Inside permit icmp any any echo-reply
access-group IN_Inside in interface inside

Actually, this ACL is just for testing, to know if the server can reply at all. If there is still no reply, then it is definitely a server connectivity problem.

Normally, the ASA's behavior is to automatically allow any traffic coming from a higher interface (sec-level 100) to a lower interface (sec-level 0) using an implicit ALLOW ACL. So in this case, the server should respond without any ACL applied on the inside interface. But let's knock on all doors.

AM
