Cisco – ASA 5505 outside access for clients with dynamically assigned IPs, no outside access for clients with static IPs


We have an ASA configured to access the internet, which works fine for clients who have an IP address assigned by DHCP, but not for clients with manually assigned IPs.

For instance, with the DHCP server configured to give IP addresses between 172.16.101.1 and 172.16.101.10, a device may get the IP address 172.16.101.1. This machine will have connectivity to the internet.

If we then configure the DHCPd server range as 172.16.101.2 to 172.16.101.10 and statically assign the 172.16.101.1 IP to the client, it will not have internet access. It will, however, have inside access and VPN access.

If I try to ping 8.8.8.8, the following is logged:

ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound
icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0,
code 0)

Where 'servers' is the name of the inside interface the request is made from and 'xxx.xxx.xxx.100' is the external IP. It seems as if DNAT is not working when the client IP is statically assigned.

Has anybody seen this behaviour before? It has me stumped!

The running config:

ASA Version 8.2(5)
!
hostname hayes-fw
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
names
name 212.xxx.xxx.2 DUNSTABLE
!
interface Ethernet0/0
 description Internet
 switchport access vlan 105
 switchport trunk allowed vlan 100,109
 switchport trunk native vlan 999
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/1
 description Failover back-to-back
 switchport access vlan 254
!
interface Ethernet0/2
 description Internal
 switchport trunk allowed vlan 100-106
 switchport trunk native vlan 999
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/3
 description unused
 switchport trunk allowed vlan 100-104
!
interface Ethernet0/4
 description temp-inside
 switchport trunk allowed vlan 60
 switchport trunk native vlan 60
 switchport mode trunk
!
interface Ethernet0/5
 description unused
 switchport access vlan 253
 shutdown
!
interface Ethernet0/6
 description unused
 switchport access vlan 253
 shutdown
!
interface Ethernet0/7
 description unused
 switchport access vlan 100
!
interface Vlan60
 nameif temp-inside
 security-level 100
 ip address 172.xx.60.253 255.255.255.0
!
interface Vlan100
 description Mgmt
 nameif mgmt
 security-level 100
 ip address 172.xx.100.253 255.255.255.0 standby 172.16.100.252
!
interface Vlan101
 nameif servers
 security-level 90
 ip address 172.16.101.253 255.255.255.0 standby 172.16.101.252
!
interface Vlan102
 description Warehouse
 nameif office
 security-level 80
 ip address 172.16.102.253 255.255.255.0 standby 172.16.102.252
!
interface Vlan103
 nameif warehouse-cameras
 security-level 60
 ip address 172.16.103.253 255.255.255.0 standby 172.16.103.252
!
interface Vlan104
 description Office
 nameif warehouse
 security-level 70
 ip address 172.16.104.253 255.255.255.0 standby 172.16.104.252
!
interface Vlan105
 nameif voip
 security-level 50
 ip address 172.16.105.253 255.255.255.0
!
interface Vlan106
 nameif guest
 security-level 40
 ip address 172.16.106.253 255.255.255.0
!
interface Vlan109
 nameif outside
 security-level 0
 ip address 80.xxx.xx.100 255.255.255.248 standby 80.xxx.xx.101
!
interface Vlan254
 description LAN Failover Interface
!
ftp mode passive
object-group network FELTHAM-NETWORKS
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object host 217.xxx.xxx.155
object-group network HAYES-NETWORKS
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.102.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
 network-object 172.16.104.0 255.255.255.0
 network-object host 192.168.1.253
 network-object 80.xxx.xx.96 255.255.255.248
 network-object 172.16.60.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
object-group network DUNSTABLE-NETWORKS
 network-object 172.16.33.0 255.255.255.0
 network-object host 212.xxx.xxx.3
access-list DUNSTABLE-VPN extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list FELTHAM-VPN extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
access-list Inbound extended permit icmp any interface voip
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
access-list outside_cryptomap extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list outside_cryptomap_1 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered debugging
logging asdm informational
mtu temp-inside 1500
mtu mgmt 1500
mtu servers 1500
mtu office 1500
mtu warehouse-cameras 1500
mtu warehouse 1500
mtu voip 1500
mtu guest 1500
mtu outside 1500
ip local pool HAYES-POOL 172.16.104.25-172.16.104.50
failover
failover lan unit secondary
failover lan interface failover Vlan254
failover interface ip failover 192.168.254.9 255.255.255.252 standby 192.168.254.10
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (temp-inside) 0 access-list Nat0
nat (temp-inside) 1 172.16.60.0 255.255.255.0
nat (servers) 0 access-list Nat0
nat (servers) 1 172.16.101.0 255.255.255.0
nat (office) 0 access-list office_nat0_outbound
nat (office) 1 172.16.102.0 255.255.255.0
nat (warehouse) 0 access-list Nat0
nat (warehouse) 1 172.16.104.0 255.255.255.0
nat (outside) 0 access-list Nat0
nat (outside) 1 172.16.101.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 80.168.58.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec authentication-server
http server enable
http 172.16.33.0 255.255.255.0 warehouse
http 172.16.100.0 255.255.255.0 mgmt
http 172.16.30.0 255.255.255.0 warehouse
http 172.16.33.0 255.255.255.0 temp-inside
http 172.16.60.0 255.255.255.0 temp-inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp servers
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DM-HAYES 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map DM-HAYES 10 set security-association lifetime seconds 288000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CM-VPN 10 match address DUNSTABLE-VPN
crypto map CM-VPN 10 set pfs
crypto map CM-VPN 10 set peer 212.xxx.xxx.3
crypto map CM-VPN 10 set transform-set ESP-AES-128-SHA
crypto map CM-VPN 20 match address FELTHAM-VPN
crypto map CM-VPN 20 set pfs
crypto map CM-VPN 20 set peer 217.xxx.xxx.155
crypto map CM-VPN 20 set transform-set ESP-AES-128-SHA
crypto map CM-VPN 99 ipsec-isakmp dynamic DM-HAYES
crypto map outside_map2 10 match address outside_cryptomap_1
crypto map outside_map2 10 set pfs
crypto map outside_map2 10 set peer 217.xxx.xxx.155
crypto map outside_map2 10 set transform-set ESP-AES-128-SHA
crypto map outside_map2 20 match address outside_cryptomap
crypto map outside_map2 20 set pfs
crypto map outside_map2 20 set peer 212.xxx.xxx.3
crypto map outside_map2 20 set transform-set ESP-AES-128-SHA
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 172.16.60.0 255.255.255.0 temp-inside
ssh 172.16.100.0 255.255.255.0 mgmt
ssh 172.16.33.0 255.255.255.0 mgmt
ssh 172.16.33.0 255.255.255.0 warehouse
ssh timeout 60
ssh version 2
console timeout 0
management-access warehouse
dhcp-client update dns server both
dhcpd address 172.16.60.1-172.16.60.175 temp-inside
dhcpd dns 79.xxx.xxx.84 interface temp-inside
dhcpd domain hayes.com interface temp-inside
dhcpd enable temp-inside
!
dhcpd address 172.16.101.2-172.16.101.10 servers
dhcpd dns 79.xxx.xxx.84 interface servers
dhcpd domain hayes.com interface servers
dhcpd enable servers
!
dhcpd address 172.16.102.1-172.16.102.175 office
dhcpd dns 79.xxx.xxx.84 interface office
dhcpd domain hayes.com interface office
dhcpd enable office
!
dhcpd address 172.16.103.1-172.16.103.200 warehouse-cameras
dhcpd domain cameras.hayes.com interface warehouse-cameras
dhcpd enable warehouse-cameras
!
dhcpd address 172.16.104.1-172.16.104.175 warehouse
dhcpd dns 79.xxx.xxx.84 interface warehouse
dhcpd domain hayes.com interface warehouse
dhcpd enable warehouse
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.104.254 source warehouse
webvpn
group-policy HAYES-RAVPN-POLICY internal
group-policy HAYES-RAVPN-POLICY attributes
 dns-server value 172.16.104.254 79.xxx.xxx.84
 vpn-idle-timeout 1440
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password /f.QRufHe2ulQB/e encrypted privilege 15
tunnel-group HAYES type remote-access
tunnel-group HAYES general-attributes
 address-pool HAYES-POOL
 default-group-policy HAYES-RAVPN-POLICY
tunnel-group HAYES ipsec-attributes
 pre-shared-key *
tunnel-group 212.xxx.xxx.3 type ipsec-l2l
tunnel-group 212.xxx.xxx.3 ipsec-attributes
 pre-shared-key *
tunnel-group 217.xxx.xxx.155 type ipsec-l2l
tunnel-group 217.xxx.xxx.155 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http someAddress://butIcantPostLinks
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
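A way to narrow this down on the ASA itself, added here as an editor's check and not part of the original question: packet-tracer walks a synthetic packet through the same ACL, NAT and route lookups as real traffic and reports which phase drops it, so running it once for the statically addressed host and once for a DHCP-pool address shows exactly where the two paths diverge. Interface and address values are taken from the question; the static host is assumed to be 172.16.101.1 and the DHCP host 172.16.101.2.

```cisco
! Added verification steps (not from the original post). Run from
! privileged EXEC on the ASA. Interface name, subnet and 8.8.8.8 are
! from the question; the two host addresses are assumed for the test.
!
! 1. Simulate the echo request (ICMP type 8, code 0) from the static
!    host and read the NAT and ACCESS-LIST phases of the output.
packet-tracer input servers icmp 172.16.101.1 8 0 8.8.8.8
!
! 2. Repeat for an address inside the DHCP pool and compare the two
!    results phase by phase: the first phase that differs is the cause.
packet-tracer input servers icmp 172.16.101.2 8 0 8.8.8.8
!
! 3. Check whether a translation was actually built for the static host.
show xlate | include 172.16.101.1
!
! 4. List the NAT rules in the order the servers interface evaluates them.
show nat
```

If both traces pass but real pings still fail, the problem is on the return path rather than on the outbound one, and the log line in the question (an inbound deny of the echo-reply on the outside interface) points there.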

Best Answer

You are getting that deny because you have not allowed the returning ICMP ping packet on the outside interface of the firewall. ICMP is stateless and because of this you will need to allow the traffic out and in. Something like this will fix that.

access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo
access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo-reply

Without a copy of your config I cannot tell you any more but I would say your internet access issue is NAT related. Post up the config.
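The two ways of letting echo replies back in on ASA 8.2, written out as an added example rather than the answerer's own text. The interface and policy-map names are the ones in the question's config; the access-list name OUTSIDE-IN is assumed. Option A is the answer's approach with the access-group binding it needs to take effect; option B makes ICMP stateful so that only replies to requests that left through the firewall are accepted, with no inbound permit at all.

```cisco
! Added example, not from the original answer. Names taken from the
! question's config: interface "outside", policy-map "global_policy",
! class "inspection_default". ACL name OUTSIDE-IN is assumed.
!
! Option A: permit the reply types explicitly on the outside interface.
! Only reply and error types are listed; unsolicited inbound echo
! requests are not needed for the static host's pings to work.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
! Without this line the ACL exists but is not applied to any traffic.
access-group OUTSIDE-IN in interface outside
!
! Option B: track ICMP as a connection. The ASA then matches each
! echo-reply to the echo it saw leave, so the outside ACL needs no
! ICMP entries at all.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Option B is the tighter of the two: it opens nothing inbound and still gives the inside hosts working ping and traceroute. After applying it, `show service-policy inspect icmp` confirms the inspection is active, and a ping from the static host should stop producing the inbound deny in the log.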