ASA won't let anything through!

I am having a tough time with my ASA. It will not let anything through. My ACLs are in place and there are no hits on most of them. I can ping the interfaces in the same segment but not across the ASA. When I bypass the ASA and go directly into the router everything is fine. My inside interface has a security level of 100 and the outside of 0. There are ACLs in place on the inside interface IN to let traffic through and the outside interface IN to let traffic back through from the outside world.

From the command line in the console port of the ASA, I can ping everything on the interior network and the outside interface on my gateway router.

Below is my running config and the routing table, with non important critical data X'ed out and important critical data with an explanation in its place.

Thank you very much in advance.

---------------------------------------------

sh running:

ASA Version XX
!
hostname XXXX
domain-name XXXX
enable password XXXXX
names
dns-guard
!
interface Ethernet0/0
 description INside interface. NAT to private IPs
 nameif inside
 security-level 100
 ip address PRIVATE IP POINT-TO-POINT TO MULTIHOMED SERVER
!
interface Ethernet0/1
 description Outside Interface. Private IP to router, NAT to public IP.
 nameif outside
 security-level 0
 ip address PRIVATE IP POINT-TO-POINT TO ROUTER
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address XXXX
 management-only
!
passwd XXXX
banner exec You are logging into a corporate device. Unauthorized access is prohibited
banner motd "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle
ftp mode passive
clock timezone XXX -5
clock summer-time EDT recurring
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
access-list inbound_on_outside remark This ACL filters traffic on the outside interface into the network
access-list inside_access_in extended permit tcp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group NecessaryServices
access-list inside_access_in extended permit icmp PRIVATE.NETWORK.0.0 255.255.0.0 any
access-list inside_access_in extended permit udp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group TCP-UDPServices
access-list inside_access_in remark log implicit deny
access-list inside_access_in extended deny ip any any log
access-list outside_access_in extended permit udp any object-group UDPServices host PUBLIC.IP
access-list outside_access_in extended permit tcp any object-group NecessaryServices host PUBLIC.IP
access-list outside_access_in extended permit udp any object-group TCP-UDPServices host PUBLIC.IP
access-list outside_access_in extended permit icmp any host PUBLIC.IP echo-reply
access-list outside_access_in remark log implicit deny
access-list outside_access_in extended deny ip any any log
access-list policy_PAT_SMTP extended permit tcp host PRIVATE.IP.OF.PROXY eq smtp any eq smtp
pager lines 24
logging enable
logging monitor notifications
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 PRIVATE.IP
global (outside) 2 PRIVATE.IP
nat (inside) 1 access-list policy_PAT_SMTP
nat (inside) 2 PRIVATE.IP
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ROUTER.IP
!
router ospf 1
 network XXXX
 network XXXX
 network XXXX
 network XXXX
 network XXXX area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http XXXX
http XXXX
http XXXX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet XXXX
telnet timeout 5
ssh XXXX
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp error
  inspect http
  inspect icmp
  inspect ftp
  inspect dns
!
service-policy global-policy global
smtp-server XXXX
Cryptochecksum:e726e8ffd29f3efb9af2c6b4bd07dfbd
: end

---------------------------

sh route

O    PUBLIC IP NETWORK [110/11] via ROUTER'S INSIDE INTERFACE, 0:36:06, outside
C    XXXXX is directly connected, management
C    PRIVATE NETWORK IP CONNECTED TO PROXY SERVER 255.255.255.252 is directly connected, inside
C    PRIVATE NETWORK IP CONNECTED TO ROUTER 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via ROUTER'S INSIDE INTERFACE, outside

K.J. 44
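Added example, not code from any post in this thread: a small Python model of three checks the posted config switches on, unicast RPF (`ip verify reverse-path interface inside/outside`), the inbound interface ACL (`access-group ... in interface`) and `nat-control`, run over a routing table shaped like the posted `sh route`, which has the two /30 point-to-point links, the OSPF-learned public network and a default route out the outside interface, but no entry for PRIVATE.NETWORK.0.0/16. All addresses are constructed stand-ins for the X'ed-out values; the assumption that `nat (inside) 2 PRIVATE.IP` covers only the proxy host, and the ordering RPF before ACL before NAT, are choices of the model, picked because they reproduce the symptom described above (traffic dropped while the ACL counters stay at zero), not facts the thread confirms.

```python
import ipaddress

# Constructed stand-ins (assumptions) for the X'ed-out addresses in the post.
INTERIOR = "10.0.0.0/16"        # PRIVATE.NETWORK.0.0 255.255.0.0, behind the proxy
INSIDE_P2P = "10.0.255.0/30"    # ASA inside <-> multihomed proxy server
PROXY_IP = "10.0.255.2"         # the host nat (inside) 2 covers (assumed proxy-only)
OUTSIDE_P2P = "192.168.2.0/30"  # ASA outside <-> router
PUBLIC_NET = "203.0.113.0/24"   # PUBLIC IP NETWORK learned via OSPF


class Ace:
    """One ACL entry with the hit counter that `show access-list` reports."""

    def __init__(self, action, proto, src, dst):
        self.action, self.proto = action, proto
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.hits = 0

    def matches(self, proto, src, dst):
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


class Asa:
    """Routing table, per-interface inbound ACLs, nat-control and uRPF (model only)."""

    def __init__(self, routes, acls, nat_sources, nat_control=True, rpf_ifaces=()):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.acls = acls                                      # ingress iface -> [Ace]
        self.nat_sources = [ipaddress.ip_network(n) for n in nat_sources]
        self.nat_control = nat_control
        self.rpf_ifaces = rpf_ifaces                          # `ip verify reverse-path` ifaces

    def egress(self, ip):
        """Longest-prefix match; returns the egress interface, or None without a route."""
        matches = [(net, iface) for net, iface in self.routes if ip in net]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

    def process(self, in_iface, proto, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. Unicast RPF (model assumption: applied before the ACL): the route back to
        #    the source must point at the interface the packet arrived on.
        if in_iface in self.rpf_ifaces and self.egress(src) != in_iface:
            return "drop: reverse-path check, route to source points elsewhere"
        # 2. Inbound ACL on the ingress interface: first match wins, implicit deny last.
        for ace in self.acls.get(in_iface, []):
            if ace.matches(proto, src, dst):
                ace.hits += 1
                if ace.action == "deny":
                    return "drop: acl deny"
                break
        else:
            return "drop: acl implicit deny"
        # 3. nat-control: inside->outside traffic needs a nat statement covering the source.
        out = self.egress(dst)
        if (self.nat_control and in_iface == "inside" and out == "outside"
                and not any(src in n for n in self.nat_sources)):
            return "drop: nat-control, no nat statement covers source"
        return f"forward via {out}"


def posted_asa():
    """The thread's inside ACL, nat-control and uRPF over a table shaped like its sh route."""
    return Asa(
        routes=[(INSIDE_P2P, "inside"), (OUTSIDE_P2P, "outside"),
                (PUBLIC_NET, "outside"), ("0.0.0.0/0", "outside")],
        acls={"inside": [Ace("permit", "icmp", INTERIOR, "0.0.0.0/0"),
                         Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]},
        nat_sources=[PROXY_IP + "/32"],
        rpf_ifaces=("inside", "outside"),
    )


def with_interior_route():
    """Same box plus a hypothetical `route inside PRIVATE.NETWORK.0.0 255.255.0.0 PROXY.IP`."""
    asa = posted_asa()
    asa.routes.insert(0, (ipaddress.ip_network(INTERIOR), "inside"))
    return asa


def with_interior_nat():
    """...plus a hypothetical nat (inside) statement covering the whole interior network."""
    asa = with_interior_route()
    asa.nat_sources.append(ipaddress.ip_network(INTERIOR))
    return asa


def acl_hits(asa, iface):
    return [ace.hits for ace in asa.acls[iface]]


if __name__ == "__main__":
    ping = ("inside", "icmp", "10.0.5.5", "203.0.113.10")   # interior host -> Internet
    for label, asa in (("posted", posted_asa()), ("+route", with_interior_route()),
                       ("+route+nat", with_interior_nat())):
        print(f"{label:11} {asa.process(*ping):55} hits={acl_hits(asa, 'inside')}")
    asa = posted_asa()
    print(f"{'proxy':11} {asa.process('inside', 'icmp', PROXY_IP, '203.0.113.10'):55} "
          f"hits={acl_hits(asa, 'inside')}")
```

The point of the model is the diagnostic split it makes visible: a packet from an interior host that is dropped by the reverse-path check never touches the ACL, so `show access-list` stays at zero, while a packet that passes the ACL and is then refused for lack of a translation leaves a hit on the permit line. On the box itself the first case shows up in `show asp drop` rather than in the ACL counters, and the proxy host (on the directly connected /30) passes all three checks, which is consistent with the few ping hits mentioned later in the thread.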

Most likely, it's something with the ACLs. What happens if you remove the ACLs from being applied to their respective interfaces? Without an ACL in place, by default the higher security level traffic should pass to the lower level interface. When you do a show access-list, which lines are showing hits?

- B

response3


K.J,

Hi.

I have been messing around with a couple of ASA's for the last few days, setting up failover, LAN-to-LAN connectivity and remote VPN access into it.

One thing that helped me greatly when trying to sort out my identity NAT (nat 0) and access-list woes was the Monitoring screen on the front of the ASDM GUI. On many occasions I started pings, Telnet sessions etc. from remote hosts and waited to see what the Monitoring screen reported. There is also an excellent tool for simulating traffic in ASDM as well.

I have always been a lover of the command line, but mixing the two in this instance has been invaluable. Try it, also look at the Security tab and try to follow the logic of your access lists and NAT.

Hope you get it sorted.

Regards

Darren

Darren Green

I will try that. The only hits I have seen on the ACLs were a couple of pings, but when I tried pinging, the counters didn't increase. I will try those things. Thanks for your help.


K.J. 44

All right. Nothing seems to be showing hits when I try to ping across the ASA. I even tried to set a single ACL on the inside and outside interfaces to say allow anything. When I am on one side of the ASA I can ping to the interface from anywhere on that side of the ASA but I cannot ping across it. I tried to monitor but no traffic was even showing up when I tried to ping across. There are no hits on the deny all or the allow all ACL. I am very confused. When I pull the ASA out of the mix everything works great.

Any other suggestions?

K.J. 44

Shouldn't you be natting from a private ip to a public IP?

Do the devices that connect to the ASA see a default route via OSPF? Why so many network statements?

James

James

My apologies, that should read:

global (outside) 1 PUBLIC.IP
global (outside) 2 PUBLIC.IP
nat (inside) 1 access-list policy_PAT_SMTP
nat (inside) 2 PRIVATE.IP

When I was editing the config to obscure it I messed that up.


K.J. 44

KJ,

Just looked at my config. A snippet is enclosed:

interface Ethernet0/0
 description Interface to ISP
 nameif outside
 security-level 0
 ip address X.X.X.X + mask
!
interface Ethernet0/1
 description LAN Interface To Private Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.29.1.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ Port
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.28.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address

object-group network public-subnets (i.e. the public subnets that I will access the device from on the outside)
 network-object X.X.X.X + subnet mask
 network-object X.X.X.X + subnet mask

object-group icmp-type icmp
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable

object-group network managed-devices
 network-object X.X.X.X + subnet mask
 network-object X.X.X.X + subnet mask

access-list outside extended permit icmp object-group public-subnets object-group managed-devices object-group icmp

static (inside, outside) mapped_address real_address + subnet mask

This allows the public subnets I am coming from to access my managed devices, which have a static translation on the outside of my firewall using the static (inside,outside) command. Pinging the public IP of the inside translated device works fine for me. If you are not getting any matches I would hazard a guess and say that NAT could be the issue, as the matches may be against something else.

You also need to apply the access-list to the outside interface with the access-group command. I note that you have done this in your original post.

Regards

Darren

Darren Green

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.