12-06-2013 07:03 AM - edited 02-21-2020 07:22 PM
Hi everybody,
I have an issue configuring the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is successfully created between ASA and another non-CISCO router (hereinafter "Router"). I can send ping packets from Router to ASA, but ASA is NOT able to reply to those requests. Sending requests from ASA is also NOT possible.
I'm trying to interconnect to LANs 192.168.2.0/24 (CISCO, interface DMZ) and 192.168.3.0/24 (Router).
The CISCO ASA has a static public IP. The Router has a dynamic IP so I'm using dynamic-map option...
Here is the "show run" output:
---------------------------------------------------------------------------------------------------------------------------------------------
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password oBGOJTSctBcCGoTh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
host Y.Y.Y.Y
object network webserver
host 192.168.2.100
object network vpn-local-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
access-list dmz_acl extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network webserver
nat (DMZ,outside) static webserver-external-ip service tcp www www
access-group dmz_acl global
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des-midge
protocol esp encryption 3des
protocol esp integrity md5
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-midge
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev2 policy 1
encryption 3des
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - public ASA IP address
Y.Y.Y.Y - some web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
PING from ASA:
ciscoasa# ping DMZ 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PING from Router (debug on CISCO):
ciscoasa# nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected, outside
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
S* 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside
-------------------------------------------------------------------------------------------------------------------------------
Don't you have any idea what do I have wrong? Probably some wrong NAT/ACL I guess, but I could always find something only for 8.4 iOS and not 8.6... Maybe and probably I already messed the configuration with unwanted commands, but I was trying various things...
Please, if you have any idea, let me know! Thanks a lot!
Solved! Go to Solution.
12-06-2013 11:30 AM
Hi,
I never used 'global' option in ACL but looks like this is causing the issue. From Cisco doc-
"Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always for the In direction, never the Out direction.) "
You ACL: access-list dmz_acl extended permit icmp any any echo
So, when you initiate from ASA, there is an echo-reply from router on outside interface --> global may be blocking.
When initiate from Router, the ASA initiates echo-reply being blocked again.
Try adding permit echo-reply as well.
Also, you can as well use 'inspect icmp' in global policy than ACLs.
If none work, you can initiate further t-shoot with packet-tracer command on ASA.
Thx
MS
12-06-2013 11:30 AM
Hi,
I never used 'global' option in ACL but looks like this is causing the issue. From Cisco doc-
"Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always for the In direction, never the Out direction.) "
You ACL: access-list dmz_acl extended permit icmp any any echo
So, when you initiate from ASA, there is an echo-reply from router on outside interface --> global may be blocking.
When initiate from Router, the ASA initiates echo-reply being blocked again.
Try adding permit echo-reply as well.
Also, you can as well use 'inspect icmp' in global policy than ACLs.
If none work, you can initiate further t-shoot with packet-tracer command on ASA.
Thx
MS
12-09-2013 05:04 AM
Hi,
Thanks for the reply... I have now a functional configuration:
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
host Y.Y.Y.Y
object network webserver
host 192.168.2.100
object network vpn-local-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network webserver
nat (DMZ,outside) static webserver-external-ip service tcp www www
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
ikev1 pre-shared-key *****
!
(not all lines included)
------------------------------------------------------------------------
I removed almost everything unnecessary. I'm still UNABLE to ping DMZ interface, but I'm able to ping from the Router to the device connected via the DMZ interface (192.168.2.100).
I've tested whether I'm able to ping the device behind the DMZ interface even with the global ACL rule, and I was!
Resolution: I'm able to ping the device behind the DMZ interface, but I'm unable to ping the DMZ interface itself. Or from the DMZ interface to the router.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide