Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1852
Views
10
Helpful
0
Comments

Troubleshooting OS 9.1 on ASA installations.

Anim Saxena
Level 1
Level 1

‎10-31-2014 12:00 AM - edited ‎03-08-2019 06:57 PM

 

Introduction

This document describes scenarios where user is facing basic problems with OS 9.1

Prerequisites

  1. ASA 
  2. OS 9.1
  3. ASDM 7.1

Scenario 1

Problem:

User have an ASA as default gateway in a DMZ and need let it act as router - redirecting back out of the same interface to another gw (which also is a ASA). User expected it to send an icmp redirect but as far as he can't see it.
User have defined "enabled traffic between two or mores interfaces with same sec level" and "enabled traffic between two or more hosts connected to the same interface" which must be the case here.

def gw (ASA1) = 192.168.1.1
second gw (ASA2) = 192.168.1.254

when he run trace on a client on 192.168.1.22 which is going to a nework behind ASA2 he don't find ICMP redirect - which gives him the problem that for eg. ping works fine but the tcp session he need to establish is not established. User would really prefer to avoid a router in front - and also he don't want to disable the tcp state handling trough MPF. 

Solution:

ICMP redirect would not be sent by the ASA device.
For U Turn of the Traffic from your Default GW ASA 1 , you might have to disable the TCP state check to get this traffic working in the current setup.
ASA's running 8.3 and higher have nat-control turned off and thus, no specific NATs are required to get the hairpinning/u-turning to work. There is one exception to this though:
If NAT rules such as the one below are present, then we would require some specific NAT'ing to be done on the ASA to allow the u-turning to occur.
 
object network obj-all-network
subnet 0.0.0.0 0.0.0.0.0
nat (inside,any) dynamic <ip address>
 
In the NAT statement above, the 'any' keyword will cause an issue due to which the u-turned traffic will fail the reverse-path check (RPF-Drop). To avoid this, one can issue a NAT statement 
 
For example:
nat (inside,inside) 1 source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
 
where obj-192.168.1.0 and obj-192.168.2.0 are the network objects that contain the subnets 192.168.1.0/24 and 192.168.2.0/24 respectively.
 
This NAT rule is more specific and instructs the ASA as follows:
When a packet sourced from 192.168.1.0/24 and destined to 192.168.2.0/24 reaches the inside interface of the ASA, then statically NAT the source ip of the packet from 192.168.1.X to 192.168.1.X and statically NAT the destination ip of the packet from 192.168.2.X to 192.168.2.X. This rule can be used for the return traffic from 192.168.2.X to 192.168.1.X as well i.e. it is a bi-directional NAT rule. With the above configurations in place, the ASA will permit traffic to be hairpinned/u-turned off its interface.
 
Scenario 2
Problem:

User  recently purchased a new Cisco ASA 5515 running version 9.1 with ASDM 7.1. He was able to configure the firewall for internal access to the outside, and have  remote site-to-site VPN tunnels working. However, when he try to configure static PAT and ACL for access to Web Server and SSH server, incoming traffic is being dropped by an implicit rule.  Both hosts are on  inside interface as he wasn't able to put them in a DMZ at that time.  The hit counts stay at zero on his acl and no nat translations.  He has attached a running config as well as sh access-list and sh nat. 

 

 

 

 

Solution:

According to your present config traffic will be dropped,  you need to modify NAT config as shown below:

no nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface

outside IP x.x.x.x = 1.1.1.1
SEC(config)#   packet-tracer input outside tcp 4.2.2.2 5656 1.1.1.1 443 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.1         255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe55690630, priority=0, domain=nat-per-session, deny=false
        hits=21, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe56d6d520, priority=0, domain=permit, deny=true
        hits=4, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

 

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Confirmation

SEC(config)#   packet-tracer input outside tcp 4.2.2.2 5656 1.1.1.1 443 det

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network as400_https
 nat (Inside,Outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface Inside
Untranslate 1.1.1.1/443 to 192.168.10.3/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-IN in interface Outside
access-list OUTSIDE-IN extended permit tcp any object As400_host object-group SvcGrpAS400
object-group service SvcGrpAS400 tcp
 description: AS400 Services Group
 port-object eq 350
 port-object eq www
 port-object eq https
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe56db6fb0, priority=13, domain=permit, deny=false
        hits=1, user_data=0x7ffe4d6413c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.10.3, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffe56db9ea0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7ffe55f48b60, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=Outside, output_ifc=Inside

 

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Source Discussion

Labels:
Preview file
35 KB
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents