Cisco ASA 5512 – Setting Up Internet Connection

Tags: cisco, cisco-asa, firewall

I'm new to networking and I have a problem setting up an ASA 5512 firewall. The problem is that I can't set up an internet connection inside my network.

I've created two interfaces: WAN with the public IP address (security level 0), and LAN with the IP 192.168.35.4, security level 100. Actually, we are replacing the old router, and this one should take its address. I've added a static route 0/0 to my default gateway, and I'm able to ping Google's DNS server from the router, but can't from a network computer. The network switch is also present on 192.168.35.254.

For testing purposes I've changed the WAN IP address to 192.168.99.1 and attached a computer to it with IP 192.168.99.2, and when I try to ping it from the LAN interface, it does not return a ping reply. I've also allowed ICMP inspection and created a LAN-to-WAN NAT rule.

I would appreciate any help.

Result of the command: "show runn"

: Saved
:
ASA Version 9.1(2) 
!
hostname ciscoasa
enable password 0EnLStscpb84AAdM encrypted
names
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 192.168.99.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.35.6 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif LanTest
 security-level 0
 ip address 192.168.9.1 255.255.255.0 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Bruce
 host 192.168.35.203
object network Buzz
 host 192.168.35.202
object network Exchange
 host 192.168.35.205
object network Fiona
 host 192.168.35.25
object network Mirror2
 host 192.168.35.24
object network Remy
 host 192.168.35.147
object network VOIP-Phone
 host 192.168.35.152
object service 81
 service tcp source eq 81 destination eq 81 
object service Fax-TCP
 service tcp source eq 5061 destination eq 5061 
object service Fax-UDP
 service udp source eq 5061 destination eq 5061 
object service Phone1
 service tcp source range sip 5090 destination range sip 5090 
object service Phone2
 service udp source range sip 5090 destination range sip 5090 
object service Phone3
 service udp source range 7000 7499 destination range 7000 7499 
object service Phone4
 service udp source range 9000 9049 destination range 9000 9049 
object service Phone5
 service udp source eq 10000 destination eq 10000 
object service SVN
 service tcp source eq 3690 destination eq 3690 
object service Sipgate
 service udp source eq sip destination eq sip 
object service Telavox
 service udp source eq sip destination eq sip 
object service Voiptalk
 service udp source eq sip destination eq sip 
object network Dug
 host 192.168.35.39
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
access-list WAN_cryptomap extended permit ip 192.168.35.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list WAN_cryptomap_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.135.0 255.255.255.0 
access-list WAN_cryptomap_4 extended permit ip 192.168.35.0 255.255.255.0 10.176.0.0 255.240.0.0 
access-list WAN_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 192.168.13.0 255.255.255.0 
access-list WAN_access_in extended permit tcp any interface WAN eq pptp 
access-list WAN_access_in extended permit object Telavox any interface WAN 
access-list global_access extended permit object Phone1 object Dug any 
access-list global_access extended permit object Phone2 object Dug any 
access-list global_access extended permit object Phone3 any any 
access-list global_access extended permit object Phone4 any any 
access-list global_access extended permit object Phone5 any any 
access-list global_access extended permit object Phone1 object VOIP-Phone any 
access-list global_access extended permit object Phone2 object VOIP-Phone any 
access-list global_access extended deny object Phone1 any any 
access-list global_access extended deny object Phone2 any any 
access-list global_access extended permit tcp object Exchange any eq smtp 
access-list global_access extended permit tcp object Exchange any eq pop3 
pager lines 24
logging asdm informational
mtu Management 1500
mtu WAN 1500
mtu LAN 1500
mtu LanTest 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Management
icmp permit any LAN
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (LAN,WAN) after-auto source dynamic any interface
access-group WAN_access_in in interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 192.168.99.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
http 192.168.0.0 255.255.0.0 Management
http 192.168.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

I've done what JJBurgess suggested and here is the output:

Result of the command: "packet-tracer input LAN tcp 192.168.45.2 80 192.168.99.2 80 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa033ca70, priority=13, domain=permit, deny=false
    hits=1, user_data=0x7fff9b795140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=any

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.45.2/80 to 192.168.99.1/80
 Forward Flow based lookup yields rule:
 in  id=0x7fff9fdfa6a0, priority=6, domain=nat, deny=false
    hits=6, user_data=0x7fff9fb4e6a0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
    hits=19194, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9ff06120, priority=0, domain=inspect-ip-options, deny=true
    hits=7932, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff9f52e430, priority=6, domain=nat-reverse, deny=false
    hits=2, user_data=0x7fffa05f92b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=WAN

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
    hits=19196, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9e391890, priority=0, domain=inspect-ip-options, deny=true
    hits=16734, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=WAN, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 17528, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

Best Answer

In elevated mode, run the command:

packet-tracer input LAN tcp 192.168.35.203 80 192.168.99.2 80 detailed

and have a look through the output. It should give you an idea of why the packets are being dropped, if indeed there is a problem with the configuration.

You can also run a capture on both interfaces to check whether the packets are getting where you think they should be going, by setting up an access list which matches the packets you want to capture and applying it to an interface as follows:

capture {capture-name} interface {interface-name} access-list {access-list name}
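As an added example (not part of the question or of the answer above), here is the capture-plus-packet-tracer procedure the answer describes, filled in with addresses taken from the posted running config: the LAN host Bruce (192.168.35.203), the test machine 192.168.99.2 on the WAN side, and the WAN interface address 192.168.99.1. It traces ICMP rather than TCP/80 because the test in the question is a ping. The access-list and capture names (CAP_LAN, CAP_WAN, cap_lan, cap_wan) are chosen here; everything else is standard ASA 9.1 syntax.

```cisco
! Added example: capture and trace the ping test described in the question.
! Names CAP_LAN, CAP_WAN, cap_lan and cap_wan are chosen for this example;
! the addresses come from the posted running config.

! 1. Match the echo request and its reply on the inside (pre-NAT) side.
access-list CAP_LAN extended permit icmp host 192.168.35.203 host 192.168.99.2
access-list CAP_LAN extended permit icmp host 192.168.99.2 host 192.168.35.203

! 2. On WAN the source has already been translated to the interface address
!    by "nat (LAN,WAN) after-auto source dynamic any interface", so match
!    192.168.99.1 there, not the real LAN host.
access-list CAP_WAN extended permit icmp host 192.168.99.1 host 192.168.99.2
access-list CAP_WAN extended permit icmp host 192.168.99.2 host 192.168.99.1

! 3. Start one capture per interface, bound to the matching access list.
capture cap_lan interface LAN access-list CAP_LAN
capture cap_wan interface WAN access-list CAP_WAN

! 4. Run the ping from 192.168.35.203, then inspect what each interface saw.
show capture cap_lan
show capture cap_wan

! 5. Simulate the same ping through the rule base (ICMP type 8, code 0 is an
!    echo request) instead of the TCP/80 trace used in the answer.
packet-tracer input LAN icmp 192.168.35.203 8 0 192.168.99.2 detailed

! 6. Remove the captures and the helper access lists when finished; captures
!    hold packets in memory and the two ACLs are not applied anywhere.
no capture cap_lan
no capture cap_wan
clear configure access-list CAP_LAN
clear configure access-list CAP_WAN
```

Reading the two captures together narrows the fault down: if the echo request appears in cap_lan but never in cap_wan, the ASA itself is dropping it and the packet-tracer output will show the phase with a DROP result; if the request appears in cap_wan but no reply comes back, the test machine is not answering or has no route back (note that the posted config also uses that same host as the default gateway via `route WAN 0.0.0.0 0.0.0.0 192.168.99.2 1`); if the reply appears in cap_wan but not in cap_lan, the problem is on the return path inside the ASA, which the reverse-flow phases of the trace cover.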