ASA 5512X config problem

Started by heath, July 21, 2015, 05:30:21 PM


heath

I'm trying to help a friend replace an old Pix Firewall with a new ASA 5512X. I've attached a diagram of the network.  (I have no idea why it was set up that way with the second ASA 5505 and their servers being given public IP addresses.  I'm not looking to re-design the network, just replace the Pix with the 5512X.)

The problem is that when I switch over to the new firewall (unplugging the cables from the Pix and plugging them into the 5512), no traffic seems to be making it through the ASA from either side. No outgoing and no incoming. On the ASDM logging screen, I can see sessions being built, but none of the hit counters on any of the ACLs increment.

From the 5512-X, I can successfully ping out in both directions. The internal network (172.x.x.x - "inside" of the ASA 5505) can access the servers on the 199.x.x.x network ("outside" the ASA 5505 and "inside" the ASA 5512-X). But neither can access the outside world. The servers on the 199.x.x.x network cannot be accessed from the outside world.

I'm not familiar with the Pix, nor am I familiar with ASA 8.3+ code. I only have experience with 8.2 ASA code. And I'm mostly familiar with the ASDM as opposed to the CLI, but I'm learning. Anyway, here is the code I have so far, hopefully obfuscated enough so as not to have anything identifiable:

ASA Version 8.6(1)2
!
hostname ASA5512X
domain-name xxxx.xxxx.xxx
!
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 199.x.x.62 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 199.x.x.126 255.255.255.192
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx.xxxx.xxx
same-security-traffic permit intra-interface
object network ASA-5505
host 199.x.x.70
description ASA for internal network
object network server-1
host 199.x.x.66
description Ubuntu 14
object network server-2
host 199.x.x.69
description Windows Server
object network web0
host 199.x.x.74
description Ubuntu 12
object network web1
host 199.x.x.75
description Ubuntu 14
object network Inside-Network
subnet 199.x.x.64 255.255.255.192
description Inside network, public IP range for servers
object network Outside-Network
subnet 199.x.x.60 255.255.255.252
description Connection to Internet
object-group service DM_INLINE_TCP_1 tcp
port-object eq 404
port-object eq 8000
port-object eq 8080
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_4 tcp
port-object eq 404
port-object eq 8000
port-object eq 8080
port-object eq www
port-object eq https
port-object eq ssh
access-list outside_access_in extended permit tcp any object server-1 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object server-2 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object web0 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any object web1 object-group DM_INLINE_TCP_4
pager lines 24
logging enable
logging asdm informational
mtu Management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside-Network Inside-Network
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.x.x.61 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!


What am I missing?  I have a feeling it's something really simple and stupid that I'm just overlooking.


Otanx

NAT statement does not look right. Try

nat (inside,outside) source dynamic Inside-Network interface

Doing that from memory; I don't have an ASA doing NAT that I can look at right now, so the syntax may be off a little.

-Otanx

EOS

With 8.6 code, you could try this NAT statement also...

nat (inside,outside) after-auto source dynamic any interface

deanwebb

I read the title and thought, "Bet it's a NAT problem."
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

heath

I did have some concerns about the NAT, as I've never configured public IP addresses on the inside of the firewall. I checked with the "show xlate" command and it seemed to me that it was NATting correctly. For example, the command "sh xlate local 199.x.x.74" would give the output "Global 199.x.x.74 Local 199.x.x.74".



icecream-guy

You'd probably have to NAT the DMZ servers to the firewall outside interface IP address, but that doesn't bode well for multiple services running on the same port in the DMZ. If you were to make the outside interface network a bit larger, then you could NAT the extra IPs to the server IPs in the DMZ to allow for multiple services on the same port.

My Moral Fibers have been cut.

heath

Quote from: ristau5741 on July 22, 2015, 11:11:23 AM
You'd probably have to NAT the DMZ servers to the firewall outside interface IP address, but that doesn't bode well for multiple services running on the same port in the DMZ. If you were to make the outside interface network a bit larger, then you could NAT the extra IPs to the server IPs in the DMZ to allow for multiple services on the same port.

The PIX is configured with a /30 network on the outside interface and a /26 network on the inside interface. The PIX is NOT PATting the inside/DMZ 199.x.x.64/26 addresses to the outside 199.x.x.62/30 address. Everything on the 199.x.x.64/26 network is reachable from the outside on its real address, not a different PATted or NATted address. While your suggestion makes sense to me, I'm looking at the PIX configuration, which is working, and it's telling me that's not necessary. Surely that's not something the PIX could handle but the 5512 can't?


heath

Here's the current operating PIX config (names and addresses and passwords removed or obfuscated).  There are some things in this config that are no longer needed or used and I did not carry that forward to the 5512-X (some hosts and the VPN).

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password
passwd
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Internet permit icmp any any echo-reply
access-list Internet permit tcp any host 199.x.x.74 eq www
access-list Internet permit udp any host 199.x.x.67 eq domain
access-list Internet permit udp any host 199.x.x.71 eq domain
access-list Internet permit tcp any host 199.x.x.66 eq www
access-list Internet permit tcp any host 199.x.x.66 eq https
access-list Internet permit tcp any host 199.x.x.74 eq https
access-list Internet permit tcp any host 199.x.x.74 eq ssh
access-list Internet permit tcp any host 199.x.x.67 eq www
access-list Internet permit tcp any host 199.x.x.67 eq https
access-list Internet permit tcp any host 199.x.x.67 eq ssh
access-list 80 permit ip 199.x.x.64 255.255.255.192 172.x.x.0 255.255.255.0
pager lines 24
mtu outside 1470
mtu inside 1500
mtu intf2 1500
ip address outside 199.x.x.62 255.255.255.252
ip address inside 199.x.x.126 255.255.255.192
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.x.x.50-172.x.x.100
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 80
static (inside,outside) 199.x.x.64 199.x.x.64 netmask 255.255.255.192 0 0
access-group Internet in interface outside
route outside 0.0.0.0 0.0.0.0 199.x.x.61 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 199.x.x.64 255.255.255.192 inside
http 199.x.x.62 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CLIENT esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set CLIENT
crypto map VPN 20 ipsec-isakmp dynamic cisco
crypto map VPN interface outside
isakmp enable outside
isakmp key xxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup VPNUser address-pool VPNPOOL
vpngroup VPNUser dns-server 199.x.x.73
vpngroup VPNUser wins-server 199.x.x.73
vpngroup VPNUser split-tunnel 80
vpngroup VPNUser idle-time 7200
telnet 199.x.x.64 255.255.255.192 inside
telnet 199.x.x.64 255.255.255.192 intf2
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
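A migration check worth running alongside a firewall swap like this one, added here and not part of the thread: the poster notes that parts of the PIX config were deliberately not carried forward, so a script that lists which outside-facing (host, protocol, port) permits exist on the old PIX "Internet" ACL but not on the new ASA "outside_access_in" ACL, and vice versa, makes the change in exposure explicit before cutover. The config excerpts below are constructed from the obfuscated lines posted above; the object, object-group and ACL names are the ones in the thread, and the parser only handles the line shapes that appear in these two configs.

```python
import re

# Constructed excerpts of the two configs posted in the thread (addresses kept obfuscated as posted).
PIX_CFG = """access-list Internet permit icmp any any echo-reply
access-list Internet permit tcp any host 199.x.x.74 eq www
access-list Internet permit udp any host 199.x.x.67 eq domain
access-list Internet permit tcp any host 199.x.x.66 eq https
access-list Internet permit tcp any host 199.x.x.74 eq ssh"""
ASA_CFG = """object network server-1
 host 199.x.x.66
object network web0
 host 199.x.x.74
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
access-list outside_access_in extended permit tcp any object server-1 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object web0 object-group DM_INLINE_TCP_3"""

def parse_pix(cfg, acl):
    """Set of (host, proto, port) permitted by a PIX 6.x ACL written as
    'permit PROTO any host H eq PORT' or 'permit icmp any any TYPE'."""
    pat = rf"access-list {acl} permit (\w+) any (?:host (\S+)|any) (?:eq )?(\S+)"
    return {(m.group(2) or "any", m.group(1), m.group(3)) for m in re.finditer(pat, cfg)}

def parse_asa(cfg, acl):
    """Same tuple set for an ASA 8.3+ ACL that references 'object network'
    hosts and 'object-group service ... tcp' port lists."""
    hosts, groups, cur = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):          # start of a host object
            cur = ("obj", line.split()[2])
        elif line.startswith("object-group service "):  # start of a port list
            cur = ("grp", line.split()[2])
            groups[cur[1]] = []
        elif line.startswith("host ") and cur and cur[0] == "obj":
            hosts[cur[1]] = line.split()[1]
        elif line.startswith("port-object eq ") and cur and cur[0] == "grp":
            groups[cur[1]].append(line.split()[2])
    pat = rf"access-list {acl} extended permit (\w+) any object (\S+) object-group (\S+)"
    return {(hosts.get(m.group(2), m.group(2)), m.group(1), port)
            for m in re.finditer(pat, cfg) for port in groups.get(m.group(3), [])}

def migration_diff(pix_cfg, asa_cfg):
    """(no longer permitted, newly permitted) when moving from the PIX ACL to the ASA ACL."""
    old, new = parse_pix(pix_cfg, "Internet"), parse_asa(asa_cfg, "outside_access_in")
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    dropped, added = migration_diff(PIX_CFG, ASA_CFG)
    print("no longer reachable from outside:", dropped)
    print("newly reachable from outside:", added)
```

On the excerpt above the "dropped" list shows the DNS permit to 199.x.x.67 and the ICMP echo-reply permit are absent from the new ASA ACL, and the "added" list shows two TCP permits the PIX never had; each entry is something to confirm as intentional before the cutover.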