[Config] Asa 5505 possible NAT issue

Hi, probably best to explain what I'm trying to achieve, my situation and my level of knowledge. If someone could offer some advice please I would be extremely grateful. Thank you.
I've taken a career break to finally complete my Cisco exams. I passed ICND 1 over 3 years ago and it expired; I never had the time to finish it due to work constraints etc. I've basically spent my payout from work on a LAB. I want to start again, get my CCNA, CCNA Security and then move onto my CCNP, then back to work. I've given myself 6 months to do this. I come from a Sys Admin background and the last 3 years a network background....
I want to sit my Cisco network behind a Asa 5505 that sits behind my internal LAN connected to UK ISP.
(UK ISP)
   |
Netgear router (static route pointing traffic to Cisco network)
   |
192.168.0.x /24 (private internal network 1)
   |
192.168.0.10 /24 (outside interface ASA 5505)
   |
10.0.0.1 /24 (inside interface ASA 5505), network 2
   |
Cisco LAB sits behind inside interface
The ACL rules I have created are wide open for now just so I can get used to the feel of how everything works.... I will lock down once I know what I am doing 
I have created a basic outbound rule on the ASA to allow from Inside to Outside IP. I can ping from Inside to any device on the outside interface. NAT is in place and also policy match for outbound traffic. I've checked the logs and all looks ok and matches showing.
I've created a 2nd policy match from outside to inside IP any any, and also created the ACL to allow from Outside to Inside IP. If I ping from the outside network to inside it gets dropped. If I create a NAT rule to allow ICMP from outside to inside it still doesn't work, and then it stops my outbound ping from inside to outside working. I am only comfortable with using the GUI at the moment, but I am really struggling.
I know interfaces with a lesser security rating are not allowed to pass traffic through to a higher security rating. But I would like to be able to ping from outside to an inside interface. Once I have this working I can then start building my rule base and lock everything down.
Running config of Asa as follows...
ASA5505# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password .4lg4Gn1SwM3un/v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group icmp-type ICMP_all
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 102 interface
nat (inside) 102 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match any
class-map outside-class
 match any
!
!
policy-map outside-policy
 class outside-class
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect icmp
!
service-policy inside-policy interface inside
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:f28f04275bb7e37719d8e502bd81be1f
: end
ASA5505#

ASA5505# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group icmp-type ICMP_all
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 103 10.0.0.2-10.0.0.254 netmask 255.255.255.0
global (outside) 102 interface
nat (inside) 102 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match any
class-map outside-class
 match any
!
!
policy-map outside-policy
 class outside-class
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect icmp
!
service-policy inside-policy interface inside
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:9e8f53ab38d881567af5d0c02b5606ed
: end
ASA5505#
Many Thanks

nocguy join:2010-07-05 Renton, WA: Hello ciscoffc, please check this link, hope it will help you achieve your goal. »cisco.com/en/US/products/hw/vpnd···8a.shtml
elnino join:2006-08-27 Akron, OH, reply to ciscoffc: There are a few things I notice just at first glance.
1) Remove "no forward interface Vlan1" from VLAN2. Having this in the config would block anything sourced from VLAN2 to get to VLAN1.
2) If you're trying to get out to the internet from the 10.0.0.0/24 network, you'll need a default route on the ASA to your Netgear router.
3) You have NATing set up on the ASA to NAT 'any' inside network to your ASA's outside interface IP. So, you won't be able to ping any 10.0.0.0/24 from 192.168.0.0/24
reply to ciscoffc: Thanks for the replies.
I removed the no forward from Vlan 2 to Vlan 1. I'm seeing matches on the rule base now from 192.168.0.2 to 10.0.0.2 for icmp. But it's still not getting through.
How do I resolve the NAT issue please?
I also tried adding a default route from 10.0.0.0 /24 to 192.168.0.0 /24 - ASA told me route already in place. Wouldn't the fact that I can ping outbound to 192.168.0.0/24 confirm that routing is working?
Thanks
elnino join:2006-08-27 Akron, OH (1 edit)
said by ciscoffc: Thanks for the replies. I removed the no forward from Vlan 2 to Vlan 1. I'm seeing matches on the rule base now from 192.168.0.2 to 10.0.0.2 for icmp. But it's still not getting through. How do I resolve the NAT issue please? I also tried adding a default route from 10.0.0.0 /24 to 192.168.0.0 /24 - ASA told me route already in place. Wouldn't the fact that I can ping outbound to 192.168.0.0/24 confirm that routing is working? Thanks

ciscoffc, you won't be able to ping the 10.0.0.x network until you disable NATing. Removing the following line should be enough: "global (outside) 102 interface". You may also need to add the following line if it still doesn't work: "no nat-control"
Yes, you have a route for the 10.0.0.0/24 and 192.168.0.0/24 because they're connected routes. If you want to ping out to the internet, you'll need to add a default route (0.0.0.0) to your Netgear. Chances are, you'll only be able to access it while you have NATing enabled on your ASA.
Good luck!
Thanks, Brandon

reply to ciscoffc: Hi Brandon, you beat me to it. I removed the Dynamic NAT rule in the GUI and can ping both ways now. I also added a NAT exempt rule inbound from outside. Not sure why I did this, but the moment I did everything worked icmp wise.
I already have a default route on Netgear pointing 10.0.0.0/24 via Asa outside int 192.168.0.10
Trying to get outbound http working now from the 10.0.0.0/24 network. I ran a packet trace on the asa and 53/80/443 match and allow through just not getting a response back from the 192.168.0.1 netgear router.
Thanks Toby

elnino join:2006-08-27 Akron, OH: Toby, post the new config from the ASA. Also, see if you can ping a public IP like 4.2.2.2 from your ASA and also from something on the 10.0.0.0/24 network.
Brandon, I've tried pinging a public IP and hostname from the Asa and it fails. I have specified primary DNS on the Asa as the Netgear router. Also confirmed that the Netgear has a default route of 0.0.0.0 0.0.0.0 to the ISP gateway.
Thanks
Toby
Running config of Asa:
ASA5505# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password .4lg4Gn1SwM3un/v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group icmp-type ICMP_all
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 10.0.0.2 netmask 255.255.255.0
global (outside) 102 interface
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match any
class-map outside-class
 match any
!
!
policy-map outside-policy
 class outside-class
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect icmp
!
service-policy inside-policy interface inside
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:db4ad0b2ec9796323f53a6e91f701ef1
: end
ASA5505#

ASA5505# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.1
object-group icmp-type ICMP_all
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 10.0.0.2 netmask 255.255.255.0
global (outside) 102 interface
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match any
class-map outside-class
 match any
!
!
policy-map outside-policy
 class outside-class
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect icmp
!
service-policy inside-policy interface inside
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:db4ad0b2ec9796323f53a6e91f701ef1
: end
ASA5505#
reply to ciscoffc: Brandon, if I ping 88.221.176.170 (www.cisco.com) from my server on the Inside network (10.0.0.2) I get the following error message in the firewall logs....
The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.
If I run a ping from the ASA via the outside interface, does this bypass access rules as it is direct from the box?

(1 edit) I configured my 1130ag with WPA on the 10.0.0.0 /24 network. DHCP/DNS coming from a 2003 server also on the 10.0.0.0 /24 network. Everything was working fine with the exception of no outbound connectivity. Decided to give the Asa a reboot......
And wait for it.... I can now punch through the ASA onto the 192.168.0.0 /24 Network and then punch through again onto the WWW 
All I added was a static route on the ASA 0.0.0.0 0.0.0.0 via 192.168.0.1 (Netgear router) and configured Primary and Secondary DNS on the ASA.
Why it has decided to work all of a sudden I don't know? Did a simple reboot after added the config above solve it? I simply don't know.
Next steps.....
1. Remove open-ended ACL for any any IP outbound and define rule base
2. Remove open-ended ACL for any any IP inbound and define rule base
3. Setup NAT on Netgear router for inbound Cisco VPN client to ASA and define encryption domain access
4. Setup NAT on Netgear for SSH via Asa onto Terminal Server router (2620xm with NM-32a/s module) for access to my lab.
I feel like I achieved something as I have never worked on an Asa firewall before, I'm at the beginning stage and will be for a while. But having fun all the same. Thanks for all the help and advice everyone and I'm sure I will be back again the next time I get stuck 
Toby
Footnote: How embarrassing.... Sort of a red herring. My Airport on my Mac picked up the wireless network on the 192.168.0.0 network - that's why I had outbound connectivity. I didn't check until I ran some pings from my laptop to the 10.0.0.0 network and it was redirected back from 192.168.0.1 (Netgear router). Put myself back onto the Cisco AP and I am back to square one. So a valuable lesson learnt. The elation of seeing it working has been short-lived! So I am back with my begging bowl for help please - while I rescue my sanity from the Asa

elnino join:2006-08-27 Akron, OH (2 edits): Toby, glancing real quick at your config I picked up on two things:
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
should be
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
because 192.168.0.1 is on your 'outside' interface.
Also, add this back into your config:
nat (inside) 102 0.0.0.0 0.0.0.0
This specifies the IP addresses that will be NAT'd from inside => outside.
Edit: Also, I've always used the following class-map/policy-map globally instead of specifying them for inside and outside like you have. This should have been the "default" on the ASA
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Feel free to add icmp back in there if you need to.
-Brandon
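The four things Brandon's replies check by eye (the "no forward interface" line, a next hop that is not on the interface the route names, a "global" with no matching "nat" id, and a missing default route) as an added example, not code from the thread: a small Python linter for ASA 8.2-style running configs. It runs on a constructed, cut-down config that reproduces those states rather than on Toby's full dump; the message wording and the parsing rules are my own.

```python
import ipaddress
import re

# Constructed sample (not the thread's dump), ASA 8.2 syntax: the states the replies call out.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 ip address 192.168.0.10 255.255.255.0
!
global (outside) 102 interface
nat (outside) 0 access-list outside_nat0_outbound outside
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""
ROUTE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")
NAT_OR_GLOBAL = re.compile(r"(global|nat) \((\S+)\) (\d+)")

def parse(config):
    """Collect interface blocks (indented sub-commands), static routes, global/nat ids."""
    ifaces, routes, nat_ids, globals_, cur = [], [], set(), [], None
    for line in config.splitlines():
        parts = line.split()
        if line.startswith("interface "):
            ifaces.append(cur := {"name": parts[1], "nameif": None, "net": None, "noforward": []})
        elif line.startswith(" ") and cur and parts:  # sub-command of the open block
            if parts[0] == "nameif":
                cur["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            elif parts[:3] == ["no", "forward", "interface"]:
                cur["noforward"].append(parts[3])
        else:  # '!' or any global command closes the interface block
            cur = None
            if m := ROUTE.match(line):
                routes.append(m.groups())
            elif m := NAT_OR_GLOBAL.match(line):
                if m[1] == "global":
                    globals_.append((m[2], m[3]))
                else:
                    nat_ids.add(m[3])
    return ifaces, routes, nat_ids, globals_

def lint(config):
    """Return the misconfigurations the replies in the thread point at, as strings."""
    ifaces, routes, nat_ids, globals_ = parse(config)
    nets = {i["nameif"]: i["net"] for i in ifaces if i["nameif"] and i["net"]}
    findings = []
    for i in ifaces:
        for vlan in i["noforward"]:
            findings.append(f"{i['name']}: 'no forward interface {vlan}' blocks {i['nameif']}-sourced traffic to {vlan}")
    for ifname, dest, mask, gw in routes:
        gw_ip = ipaddress.ip_address(gw)
        if ifname in nets and gw_ip not in nets[ifname]:
            owner = next((n for n, net in nets.items() if gw_ip in net), "no interface")
            findings.append(f"route {ifname}: next hop {gw} is not in {nets[ifname]}, it is on '{owner}'")
    if not any(d == m == "0.0.0.0" for _, d, m, _ in routes):
        findings.append("no default route: hosts behind the ASA cannot reach beyond connected networks")
    for ifname, gid in globals_:
        if gid not in nat_ids:
            findings.append(f"global ({ifname}) {gid} has no 'nat (...) {gid}' statement, so nothing is translated")
    return findings
```

Applying Brandon's three changes to the sample (drop the no-forward line, bind the route to outside, add nat (inside) 102 0.0.0.0 0.0.0.0) makes lint() return an empty list.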