ASA won't let anything through!

Discussion in 'Cisco' started by K.J. 44, Sep 8, 2006.

  1. K.J. 44

    K.J. 44 Guest

    I am having a tough time with my ASA. It will not let anything
    through. My ACLs are in place and there are no hits on most of them.
    I can ping the interfaces in the same segment but not across the ASA.
    When I bypass the ASA and go directly into the router everything is
    fine. My inside interface has a security level of 100 and the outside
    of 0. There are ACLs in place on the inside interface IN to let
    traffic through and the outside interface IN to let traffic back
    through from the outside world.

    From the command line in the console port of the ASA, I can ping
    everything on the interior network and the outside interface on my
    gateway router.

    Below is my running config and the routing table, with non-important
    critical data X'ed out and important critical data with an explanation
    in its place.

    Thank you very much in advance.

    ---------------------------------------------

    sh running:

    ASA Version XX
    !
    hostname XXXX
    domain-name XXXX
    enable password XXXXX
    names
    dns-guard
    !
    interface Ethernet0/0
    description INside interface. NAT to private IPs
    nameif inside
    security-level 100
    ip address PRIVATE IP POINT-TO-POINT TO MULTIHOMED SERVER
    !
    interface Ethernet0/1
    description Outside Interface. Private IP to router, NAT to public IP.
    nameif outside
    security-level 0
    ip address PRIVATE IP POINT-TO-POINT TO ROUTER
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address XXXX
    management-only
    !
    passwd XXXX
    banner exec You are logging into a corporate device. Unauthorized access is prohibited
    banner motd "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle
    ftp mode passive
    clock timezone XXX -5
    clock summer-time EDT recurring
    object-group service NecessaryServices tcp
    port-object eq echo
    port-object eq www
    port-object eq domain
    port-object eq ssh
    port-object eq smtp
    port-object eq ftp-data
    port-object eq pop3
    port-object eq aol
    port-object eq ftp
    port-object eq https
    object-group service UDPServices udp
    port-object eq nameserver
    port-object eq www
    port-object eq isakmp
    port-object eq domain
    object-group service TCP-UDPServices tcp-udp
    port-object eq echo
    port-object eq www
    port-object eq domain
    access-list inbound_on_outside remark This ACL filters traffic on the outside interface into the network
    access-list inside_access_in extended permit tcp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group NecessaryServices
    access-list inside_access_in extended permit icmp PRIVATE.NETWORK.0.0 255.255.0.0 any
    access-list inside_access_in extended permit udp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group TCP-UDPServices
    access-list inside_access_in remark log implicit deny
    access-list inside_access_in extended deny ip any any log
    access-list outside_access_in extended permit udp any object-group UDPServices host PUBLIC.IP
    access-list outside_access_in extended permit tcp any object-group NecessaryServices host PUBLIC.IP
    access-list outside_access_in extended permit udp any object-group TCP-UDPServices host PUBLIC.IP
    access-list outside_access_in extended permit icmp any host PUBLIC.IP echo-reply
    access-list outside_access_in remark log implicit deny
    access-list outside_access_in extended deny ip any any log
    access-list policy_PAT_SMTP extended permit tcp host PRIVATE.IP.OF.PROXY eq smtp any eq smtp
    pager lines 24
    logging enable
    logging monitor notifications
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp permit any inside
    asdm image disk0:/asdm505.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 PRIVATE.IP
    global (outside) 2 PRIVATE.IP
    nat (inside) 1 access-list policy_PAT_SMTP
    nat (inside) 2 PRIVATE.IP
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 ROUTER.IP
    !
    router ospf 1
    network XXXX
    network XXXX
    network XXXX
    network XXXX
    network XXXX
    area 0
    log-adj-changes
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http XXXX
    http XXXX
    http XXXX
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet XXXX
    telnet timeout 5
    ssh XXXX
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map global-class
    match default-inspection-traffic
    !
    !
    policy-map global-policy
    class global-class
    inspect icmp error
    inspect http
    inspect icmp
    inspect ftp
    inspect dns
    !
    service-policy global-policy global
    smtp-server XXXX
    Cryptochecksum:e726e8ffd29f3efb9af2c6b4bd07dfbd
    : end

    ---------------------------

    sh route

    O PUBLIC IP NETWORK [110/11] via ROUTER'S INSIDE INTERFACE, 0:36:06, outside
    C XXXXX is directly connected, management
    C PRIVATE NETWORK IP CONNECTED TO PROXY SERVER 255.255.255.252 is directly connected, inside
    C PRIVATE NETWORK IP CONNECTED TO ROUTER 255.255.255.252 is directly connected, outside
    S* 0.0.0.0 0.0.0.0 [1/0] via ROUTER'S INSIDE INTERFACE, outside
     
    K.J. 44, Sep 8, 2006
    #1

  2. K.J. 44

    response3 Guest

    Most likely, it's something with the ACLs. What happens if you remove
    the ACLs from being applied to their respective interfaces? Without
    an ACL in place, by default the higher security level traffic should
    pass to the lower level interface. When you do a show access-list,
    which lines are showing hits?

    - B
    K.J. 44 wrote:
    > I am having a tough time with my ASA. It will not let anything
    > through. My ACLs are in place and there are no hits on most of them.
    > I can ping the interfaces in the same segment but not across the ASA.
    > When I bypass the ASA and go directly into the router everything is
    > fine. My inside interface has a security level of 100 and the outside
    > of 0. There are ACLs in place on the inside interface IN to let
    > traffic through and the outside interface IN to let traffic back
    > through from the outside world.
    >
    > From the command line in the console port of the ASA, I can ping
    > everything on the interior network and the outside interface on my
    > gateway router.
    >
    > Below is my running config and the routing table, with non-important
    > critical data X'ed out and important critical data with an explanation
    > in its place.
    >
    > Thank you very much in advance.
     
    response3, Sep 9, 2006
    #2

  3. K.J. 44

    Darren Green Guest

    "K.J. 44" <> wrote in message
    news:...
    >I am having a tough time with my ASA. It will not let anything
    > through. My ACLs are in place and there are no hits on most of them.
    > I can ping the interfaces in the same segment but not across the ASA.
    > When I bypass the ASA and go directly into the router everything is
    > fine. My inside interface has a security level of 100 and the outside
    > of 0. There are ACLs in place on the inside interface IN to let
    > traffic through and the outside interface IN to let traffic back
    > through from the outside world.
    >
    > From the command line in the console port of the ASA, I can ping
    > everything on the interior network and the outside interface on my
    > gateway router.
    >
    > Below is my running config and the routing table, with non-important
    > critical data X'ed out and important critical data with an explanation
    > in its place.
    >

    snip

    K.J,

    Hi.

    I have been messing around with a couple of ASAs for the last few days,
    setting up failover, LAN-to-LAN connectivity and remote VPN access into it.

    One thing that helped me greatly when trying to sort out my identity NAT
    (nat 0) and access-list woes was the Monitoring screen on the front of the
    ASDM GUI. On many occasions I started pings, Telnet sessions etc. from remote
    hosts and waited to see what the Monitoring screen reported. There is also
    an excellent tool for simulating traffic in ASDM as well.

    I have always been a lover of the command line, but mixing the two in this
    instance has been invaluable. Try it, also look at the Security Tab and try
    and follow the logic of your access lists and NAT.

    Hope you get it sorted.

    Regards

    Darren
     
    Darren Green, Sep 9, 2006
    #3
  4. K.J. 44

    K.J. 44 Guest

    I will try that. The only hits I have seen on the ACLs were a couple
    of pings but when I tried pinging, the counters didn't increase. I
    will try those things. Thanks for your help.


    Darren Green wrote:
    > "K.J. 44" <> wrote in message
    > news:...
    > >I am having a tough time with my ASA. It will not let anything
    > > through. My ACLs are in place and there are no hits on most of them.
    > > I can ping the interfaces in the same segment but not across the ASA.
    > > When I bypass the ASA and go directly into the router everything is
    > > fine. My inside interface has a security level of 100 and the outside
    > > of 0. There are ACLs in place on the inside interface IN to let
    > > traffic through and the outside interface IN to let traffic back
    > > through from the outside world.
    > >
    > > From the command line in the console port of the ASA, I can ping
    > > everything on the interior network and the outside interface on my
    > > gateway router.
    > >
    > > Below is my running config and the routing table, with non-important
    > > critical data X'ed out and important critical data with an explanation
    > > in its place.
    > >
    >
    > snip
    >
    > K.J,
    >
    > Hi.
    >
    > I have been messing around with a couple of ASAs for the last few days,
    > setting up failover, LAN-to-LAN connectivity and remote VPN access into it.
    >
    > One thing that helped me greatly when trying to sort out my identity NAT
    > (nat 0) and access-list woes was the Monitoring screen on the front of the
    > ASDM GUI. On many occasions I started pings, Telnet sessions etc. from remote
    > hosts and waited to see what the Monitoring screen reported. There is also
    > an excellent tool for simulating traffic in ASDM as well.
    >
    > I have always been a lover of the command line, but mixing the two in this
    > instance has been invaluable. Try it, also look at the Security Tab and try
    > and follow the logic of your access lists and NAT.
    >
    > Hope you get it sorted.
    >
    > Regards
    >
    > Darren
     
    K.J. 44, Sep 9, 2006
    #4
  5. K.J. 44

    K.J. 44 Guest

    All right. Nothing seems to be showing hits when I try to ping across
    the ASA. I even tried to set a single ACL on the inside and outside
    interfaces to say allow anything. When I am on one side of the ASA I
    can ping to the interface from anywhere on that side of the ASA but I
    cannot ping across it. I tried to monitor but no traffic was even
    showing up when I tried to ping across. There are no hits on the deny
    all or the allow all ACL. I am very confused. When I pull the ASA
    out of the mix everything works great.

    Any other suggestions?

    K.J. 44 wrote:
    > I will try that. The only hits I have seen on the ACLs were a couple
    > of pings but when I tried pinging, the counters didn't increase. I
    > will try those things. Thanks for your help..
    >
    >
    > Darren Green wrote:
    > > "K.J. 44" <> wrote in message
    > > news:...
    > > >I am having a tough time with my ASA. It will not let anything
    > > > through. My ACLs are in place and there are no hits on most of them.
    > > > I can ping the interfaces in the same segment but not across the ASA.
    > > > When I bypass the ASA and go directly into the router everything is
    > > > fine. My inside interface has a security level of 100 and the outside
    > > > of 0. There are ACLs in place on the inside interface IN to let
    > > > traffic through and the outside interface IN to let traffic back
    > > > through from the outside world.
    > > >
    > > > From the command line in the console port of the ASA, I can ping
    > > > everything on the interior network and the outside interface on my
    > > > gateway router.
    > > >
    > > > Below is my running config and the routing table, with non-important
    > > > critical data X'ed out and important critical data with an explanation
    > > > in its place.
    > > >
    > >
    > > snip
    > >
    > > K.J,
    > >
    > > Hi.
    > >
    > > I have been messing around with a couple of ASAs for the last few days,
    > > setting up failover, LAN-to-LAN connectivity and remote VPN access into it.
    > >
    > > One thing that helped me greatly when trying to sort out my identity NAT
    > > (nat 0) and access-list woes was the Monitoring screen on the front of the
    > > ASDM GUI. On many occasions I started pings, Telnet sessions etc. from remote
    > > hosts and waited to see what the Monitoring screen reported. There is also
    > > an excellent tool for simulating traffic in ASDM as well.
    > >
    > > I have always been a lover of the command line, but mixing the two in this
    > > instance has been invaluable. Try it, also look at the Security Tab and try
    > > and follow the logic of your access lists and NAT.
    > >
    > > Hope you get it sorted.
    > >
    > > Regards
    > >
    > > Darren
     
    K.J. 44, Sep 11, 2006
    #5
  6. K.J. 44

    James Guest


    > global (outside) 1 PRIVATE.IP
    > global (outside) 2 PRIVATE.IP
    > nat (inside) 1 access-list policy_PAT_SMTP
    > nat (inside) 2 PRIVATE.IP


    Shouldn't you be natting from a private IP to a public IP?

    > router ospf 1
    > network XXXX
    > network XXXX
    > network XXXX
    > network XXXX
    > network XXXX
    > area 0
    > log-adj-changes


    Do the devices that connect to the ASA see a default route via OSPF?
    Why so many network statements?

    James
     
    James, Sep 11, 2006
    #6
  7. K.J. 44

    K.J. 44 Guest

    My apologies, that should read
    global (outside) 1 PUBLIC.IP
    global (outside) 2 PUBLIC.IP
    nat (inside) 1 access-list policy_PAT_SMTP
    nat (inside) 2 PRIVATE.IP

    When I was editing the config to obscure it I messed that up.


    James wrote:
    > > global (outside) 1 PRIVATE.IP
    > > global (outside) 2 PRIVATE.IP
    > > nat (inside) 1 access-list policy_PAT_SMTP
    > > nat (inside) 2 PRIVATE.IP
    >
    > Shouldn't you be natting from a private IP to a public IP?
    >
    > > router ospf 1
    > > network XXXX
    > > network XXXX
    > > network XXXX
    > > network XXXX
    > > network XXXX
    > > area 0
    > > log-adj-changes
    >
    > Do the devices that connect to the ASA see a default route via OSPF?
    > Why so many network statements?
    >
    > James
     
    K.J. 44, Sep 11, 2006
    #7
  8. K.J. 44

    Darren Green Guest

    "K.J. 44" <> wrote in message
    news:...
    > All right. Nothing seems to be showing hits when I try to ping across
    > the ASA. I even tried to set a single ACL on the inside and outside
    > interfaces to say allow anything. When I am on one side of the ASA I
    > can ping to the interface from anywhere on that side of the ASA but I
    > cannot ping across it. I tried to monitor but no traffic was even
    > showing up when I tried to ping across. There are no hits on the deny
    > all or the allow all ACL. I am very confused. When I pull the ASA
    > out of the mix everything works great.
    >
    > Any other suggestions?
    >

    KJ,

    Just looked at my config. A snippet is enclosed:

    interface Ethernet0/0
    description Interface to ISP
    nameif outside
    security-level 0
    ip address X.X.X.X + mask
    !
    interface Ethernet0/1
    description LAN Interface To Private Network
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 172.29.1.1 255.255.255.0
    !
    interface Ethernet0/2
    description DMZ Port
    speed 100
    duplex full
    nameif DMZ
    security-level 50
    ip address 172.28.1.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address

    object-group network public-subnets (i.e. the public subnets that I will access the device from on the outside)
    network-object X.X.X.X + subnet mask
    network-object X.X.X.X + subnet mask

    object-group icmp-type icmp
    icmp-object echo
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object traceroute
    icmp-object unreachable

    object-group network managed-devices
    network-object X.X.X.X + subnet mask
    network-object X.X.X.X + subnet mask

    access-list outside extended permit icmp object-group public-subnets
    object-group managed-devices object-group icmp

    static (inside, outside) mapped_address real_address + subnet mask

    This allows the public subnets I am coming from to access my managed devices
    which have a static translation on the outside of my firewall using the
    static (inside, outside) command. Pinging the public IP of the inside
    translated device works fine for me. If you are not getting any matches I
    would hazard a guess and say that NAT could be the issue as the matches may
    be against something else.

    You also need to apply the access-list to the outside interface with the
    access-group command. I note that you have done this in your original post.

    Regards

    Darren
     
    Darren Green, Sep 12, 2006
    #8
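Editor's note: the script below is an added example and is not code from any poster in this thread. It parses a config in the format posted above and flags the consistency problems the replies point at: a global pool that translates to a private address (James's question), a nat ID with no matching global pool under nat-control, an ACL that is defined but never applied by access-group or a nat policy, and an object-group that is referenced but not defined. The sample config is constructed with placeholder addresses; the check names and wording are my own, and only the remark/extended access-list forms are parsed.

```python
import re

# Constructed sample in the posted config's format. The obscured values are
# replaced with RFC 1918 / documentation-range placeholders and the mistakes
# discussed in the thread are reproduced on purpose.
SAMPLE_CONFIG = """\
object-group service NecessaryServices tcp
 port-object eq www
access-list inbound_on_outside remark This ACL filters traffic on the outside interface
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.0.0 any object-group NecessaryServices
access-list inside_access_in extended permit udp 10.0.0.0 255.255.0.0 any object-group TCP-UDPServices
access-list inside_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any object-group NecessaryServices host 203.0.113.10
access-list outside_access_in extended deny ip any any log
access-list policy_PAT_SMTP extended permit tcp host 10.0.0.2 eq smtp any eq smtp
nat-control
global (outside) 1 10.1.1.1
global (outside) 2 203.0.113.10
nat (inside) 1 access-list policy_PAT_SMTP
nat (inside) 2 10.0.0.0 255.255.0.0
nat (inside) 3 10.0.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""


def is_rfc1918(ip):
    """True for addresses in 10/8, 172.16/12 or 192.168/16."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def audit(config_text):
    """Parse the statements the thread argues about and return a list of findings."""
    acls, groups, pools, nats, applied = {}, set(), {}, [], set()
    group_refs = []  # (ACL name, object-group name) pairs used in ACEs
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group \S+ (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (remark|extended) ?(.*)", line):
            name, kind, body = m.groups()
            entries = acls.setdefault(name, [])  # a remark alone still defines the name
            if kind == "extended":
                entries.append(body)
                group_refs += [(name, g) for g in re.findall(r"object-group (\S+)", body)]
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            pools[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := re.match(r"nat \((\S+)\) (\d+) (.+)", line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.match(r"access-group (\S+) in interface \S+", line):
            applied.add(m.group(1))

    findings = []
    for name in sorted(applied - set(acls)):
        findings.append(f"access-group applies undefined ACL {name}")
    nat_acls = {body.split()[1] for _, _, body in nats if body.startswith("access-list ")}
    for name in sorted(set(acls) - applied - nat_acls):
        findings.append(f"ACL {name} is defined but never applied")
    for acl, g in group_refs:
        if g not in groups:
            findings.append(f"ACL {acl} references undefined object-group {g}")
    for ifc, nat_id, _ in nats:
        if nat_id == 0:  # nat 0 is identity NAT and needs no global pool
            continue
        if nat_id not in pools:
            findings.append(f"nat ({ifc}) {nat_id} has no matching global pool; "
                            "with nat-control these hosts cannot pass the ASA")
        elif is_rfc1918(pools[nat_id][1]):
            findings.append(f"global ({pools[nat_id][0]}) {nat_id} translates to "
                            f"private address {pools[nat_id][1]}")
    for name in sorted(nat_acls - set(acls)):
        findings.append(f"nat policy references undefined ACL {name}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports four findings on the sample; on a real config, paste the output of "show running-config" into the string instead.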
