Cisco ASA configuration help

nev_neo (n00b; joined Mar 14, 2011; 45 messages)
So, we've been trying to get our network IPv6 compatible and had to upgrade the IOS on our ASA 5510 to 8.4.
Little did we know that upgrading to 8.4 would need me to change all our NATs and access-lists. We have a 1-1 NAT configuration that I need to keep, with a bunch of regular rules to different servers (HTTP, FTP, RDP, etc.).
I've been able to change all of that and was able to test it out successfully in our test environment. But when I moved this to our prod environment, the servers aren't able to connect to the internet. I haven't changed any routes, no changes in IPs, just changing the ASA.

Any ideas why?

Here is the "reduced" config file. Let me know what you guys think.

: Saved
:
ASA Version 8.4(1)
!
hostname asafw01
enable password

names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 20.x.x.250 255.255.255.0
ipv6 address 2400:8800:5f01:12::2/64
ipv6 enable
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
nameif management
security-level 0
no ip address
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 20.x.x.115
host 20.x.x.115
description vcenter server
object network 20.x.x.10
host 20.x.x.10
object network ang-ipv6
host 2400:8800:5f01:12::40:40
object network 20.x.x.222
host 20.x.x.222
object network 20.x.x.54
host 20.x.x.54
object network 192.168.1.10
host 192.168.1.10
object network 192.168.1.115
host 192.168.1.115
object network 192.168.1.210
host 192.168.1.210
object network 20.x.x.210
host 20.x.x.210
object network 192.168.1.222
host 192.168.1.222
object network 192.168.1.54
host 192.168.1.54
object network 192.168.1.235
host 192.168.1.235
object network 192.168.1.237
host 192.168.1.237
object network 20.x.x.235
host 20.x.x.235
object network 20.x.x.237
host 20.x.x.237
object network 192.168.1.100
host 192.168.1.100
object network 192.168.1.101
host 192.168.1.101
object network 192.168.1.102
host 192.168.1.102
object network 192.168.1.103
host 192.168.1.103
object network 192.168.1.104
host 192.168.1.104
object network 192.168.1.105
host 192.168.1.105
object network 192.168.1.106
host 192.168.1.106
object network 20.x.x.100
host 20.x.x.100
object network 20.x.x.101
host 20.x.x.101
object network 20.x.x.102
host 20.x.x.102
object network 20.x.x.103
host 20.x.x.103
object network 20.x.x.104
host 20.x.x.104
object network 20.x.x.105
host 20.x.x.105
object network 20.x.x.107
host 20.x.x.107
object network 20.x.x.110
host 20.x.x.110
object network 20.x.x.114
host 20.x.x.114
object network 20.x.x.116
host 20.x.x.116
object network 20.x.x.118
host 20.x.x.118
object network 192.168.1.107
host 192.168.1.107
object network 192.168.1.110
host 192.168.1.110
object network 192.168.1.114
host 192.168.1.114
object network 192.168.1.116
host 192.168.1.116
object network 192.168.1.118
host 192.168.1.118
object network 192.168.1.12
host 192.168.1.12
object network 192.168.1.120
host 192.168.1.120
object network 192.168.1.121
host 192.168.1.121
object network 192.168.1.122
host 192.168.1.122
object network 20.x.x.12
host 20.x.x.12
object network 20.x.x.120
host 20.x.x.120
object network 20.x.x.121
host 20.x.x.121
object network 20.x.x.122
host 20.x.x.122
object network 192.168.1.130
host 192.168.1.130
object network 192.168.1.131
host 192.168.1.131
object network 192.168.1.132
host 192.168.1.132
object network 20.x.x.130
host 20.x.x.130
object network 20.x.x.131
host 20.x.x.131
object network 20.x.x.132
host 20.x.x.132
object network 192.168.1.133
host 192.168.1.133
object network 192.168.1.135
host 192.168.1.135
object network 192.168.1.136
host 192.168.1.136
object network 20.x.x.133
host 20.x.x.133
object network 20.x.x.135
host 20.x.x.135
object network 192.168.1.140
host 192.168.1.140
object network 20.x.x.136
host 20.x.x.136
object network 20.x.x.140
host 20.x.x.140
object network 192.168.1.149
host 192.168.1.149
object network 192.168.1.150
host 192.168.1.150
object network 20.x.x.149
host 20.x.x.149
object network 20.x.x.150
host 20.x.x.150
object network 192.168.1.151
host 192.168.1.151
object network 20.x.x.151
host 20.x.x.151
object network 192.168.1.152
host 192.168.1.152
object network 192.168.1.153
host 192.168.1.153
object network 192.168.1.154
host 192.168.1.154
object network 192.168.1.155
host 192.168.1.155
object network 192.168.1.156
host 192.168.1.156
object network 192.168.1.157
host 192.168.1.157
object network 192.168.1.158
host 192.168.1.158
object network 192.168.1.159
host 192.168.1.159
object network 20.x.x.152
host 20.x.x.152
object network 20.x.x.153
host 20.x.x.153
object network 20.x.x.154
host 20.x.x.154
object network 20.x.x.155
host 20.x.x.155
object network 20.x.x.156
host 20.x.x.156
object network 20.x.x.157
host 20.x.x.157
object network 20.x.x.158
host 20.x.x.158
object network 20.x.x.159
host 20.x.x.159
object network 192.168.1.160
host 192.168.1.160
object network 20.x.x.160
host 20.x.x.160
object network 192.168.1.201
host 192.168.1.201
object network 192.168.1.206
host 192.168.1.206
object network 192.168.1.207
host 192.168.1.207
object network 20.x.x.201
host 20.x.x.201
object network 20.x.x.206
host 20.x.x.206
object network 20.x.x.207
host 20.x.x.207
object network 192.168.1.22
host 192.168.1.22
object network 192.168.1.23
host 192.168.1.23
object network 20.x.x.22
host 20.x.x.22
object network 20.x.x.23
host 20.x.x.23
object network 192.168.1.24
host 192.168.1.24
object network 192.168.1.25
host 192.168.1.25
object network 192.168.1.30
host 192.168.1.30
object network 192.168.1.31
host 192.168.1.31
object network 192.168.1.32
host 192.168.1.32
object network 192.168.1.33
host 192.168.1.33
object network 20.x.x.24
host 20.x.x.24
object network 20.x.x.25
host 20.x.x.25
object network 20.x.x.30
host 20.x.x.30
object network 20.x.x.31
host 20.x.x.31
object network 20.x.x.32
host 20.x.x.32
object network 20.x.x.33
host 20.x.x.33
object network 192.168.1.40
host 192.168.1.40
object network 192.168.1.41
host 192.168.1.41
object network 192.168.1.42
host 192.168.1.42
object network 192.168.1.43
host 192.168.1.43
object network 192.168.1.45
host 192.168.1.45
object network 192.168.1.47
host 192.168.1.47
object network 20.x.x.40
host 20.x.x.40
object network 20.x.x.41
host 20.x.x.41
object network 20.x.x.42
host 20.x.x.42
object network 20.x.x.43
host 20.x.x.43
object network 20.x.x.45
host 20.x.x.45
object network 20.x.x.47
host 20.x.x.47
object network 20.x.x.55
host 20.x.x.55
object network 20.x.x.57
host 20.x.x.57
object network 192.168.1.55
host 192.168.1.55
object network 192.168.1.57
host 192.168.1.57
object network 192.168.1.71
host 192.168.1.71
object network 192.168.1.73
host 192.168.1.73
object network 192.168.1.74
host 192.168.1.74
object network 192.168.1.75
host 192.168.1.75
object network 192.168.1.76
host 192.168.1.76
object network 20.x.x.71
host 20.x.x.71
object network 20.x.x.73
host 20.x.x.73
object network 192.168.1.77
host 192.168.1.77
object network 192.168.1.78
host 192.168.1.78
object network 192.168.1.79
host 192.168.1.79
object network 192.168.1.80
host 192.168.1.80
object network 20.x.x.74
host 20.x.x.74
object network 20.x.x.75
host 20.x.x.75
object network 20.x.x.76
host 20.x.x.76
object network 20.x.x.77
host 20.x.x.77
object network 20.x.x.78
host 20.x.x.78
object network 20.x.x.79
host 20.x.x.79
object network 20.x.x.80
host 20.x.x.80
object network 192.168.1.145
host 192.168.1.145
object network 192.168.1.16
host 192.168.1.16
object network 192.168.1.165
host 192.168.1.165
object network 192.168.1.183
host 192.168.1.183
object network 20.x.x.145
host 20.x.x.145
object network 20.x.x.16
host 20.x.x.16
object network 20.x.x.165
host 20.x.x.165
object network 20.x.x.183
host 20.x.x.183
object network 192.168.1.170
host 192.168.1.170
object network 192.168.1.171
host 192.168.1.171
object network 192.168.1.175
host 192.168.1.175
object network 192.168.1.181
host 192.168.1.181
object network 20.x.x.170
host 20.x.x.170
object network 20.x.x.171
host 20.x.x.171
object network 20.x.x.175
host 20.x.x.175
object network 20.x.x.181
host 20.x.x.181
object network 192.168.1.21
host 192.168.1.21
object network 20.x.x.21
host 20.x.x.21
object network 172.16.0.12
host 172.16.0.12
object network obj-192.168.1.12
host 192.168.1.12
object network obj-192.168.1.80
host 192.168.1.80
object network obj-192.168.1.79
host 192.168.1.79
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.1.100
host 192.168.1.100
object network obj-192.168.1.101
host 192.168.1.101
object network obj-192.168.1.102
host 192.168.1.102
object network obj-192.168.1.103
host 192.168.1.103
object network obj-192.168.1.104
host 192.168.1.104
object network obj-192.168.1.105
host 192.168.1.105
object network obj-192.168.1.107
host 192.168.1.107
object network obj-192.168.1.110
host 192.168.1.110
object network obj-192.168.1.114
host 192.168.1.114
object network obj-192.168.1.116
host 192.168.1.116
object network obj-192.168.1.118
host 192.168.1.118
object network obj-192.168.1.120
host 192.168.1.120
object network obj-192.168.1.121
host 192.168.1.121
object network obj-192.168.1.122
host 192.168.1.122
object network obj-192.168.1.130
host 192.168.1.130
object network obj-192.168.1.131
host 192.168.1.131
object network obj-192.168.1.132
host 192.168.1.132
object network obj-192.168.1.133
host 192.168.1.133
object network obj-192.168.1.135
host 192.168.1.135
object network obj-192.168.1.136
host 192.168.1.136
object network obj-192.168.1.155
host 192.168.1.155
object network obj-192.168.1.156
host 192.168.1.156
object network obj-192.168.1.157
host 192.168.1.157
object network obj-192.168.1.158
host 192.168.1.158
object network obj-192.168.1.159
host 192.168.1.159
object network obj-192.168.1.160
host 192.168.1.160
object network obj-192.168.1.16
host 192.168.1.16
object network obj-192.168.1.165
host 192.168.1.165
object network obj-192.168.1.170
host 192.168.1.170
object network obj-192.168.1.171
host 192.168.1.171
object network obj-192.168.1.175
host 192.168.1.175
object network obj-192.168.1.181
host 192.168.1.181
object network obj-192.168.1.183
host 192.168.1.183
object network obj-192.168.1.206
host 192.168.1.206
object network obj-192.168.1.207
host 192.168.1.207
object network obj-192.168.1.21
host 192.168.1.21
object network obj-192.168.1.210
host 192.168.1.210
object network obj-192.168.1.22
host 192.168.1.22
object network obj-192.168.1.23
host 192.168.1.23
object network obj-192.168.1.222
host 192.168.1.222
object network obj-192.168.1.235
host 192.168.1.235
object network obj-192.168.1.237
host 192.168.1.237
object network obj-192.168.1.24
host 192.168.1.24
object network obj-192.168.1.25
host 192.168.1.25
object network obj-192.168.1.30
host 192.168.1.30
object network obj-192.168.1.31
host 192.168.1.31
object network obj-192.168.1.32
host 192.168.1.32
object network obj-192.168.1.33
host 192.168.1.33
object network obj-192.168.1.40
host 192.168.1.40
object network obj-192.168.1.41
host 192.168.1.41
object network obj-192.168.1.42
host 192.168.1.42
object network obj-192.168.1.43
host 192.168.1.43
object network obj-192.168.1.45
host 192.168.1.45
object network obj-192.168.1.47
host 192.168.1.47
object network obj-192.168.1.54
host 192.168.1.54
object network obj-192.168.1.55
host 192.168.1.55
object network obj-192.168.1.57
host 192.168.1.57
object network obj-192.168.1.71
host 192.168.1.71
object network obj-192.168.1.73
host 192.168.1.73
object network obj-192.168.1.74
host 192.168.1.74
object network obj-192.168.1.75
host 192.168.1.75
object network obj-192.168.1.76
host 192.168.1.76
object network obj-192.168.1.77
host 192.168.1.77
object network obj-192.168.1.78
host 192.168.1.78
object-group network DM_INLINE_NETWORK_1
network-object 180.76.5.0 255.255.255.0
network-object 180.76.6.0 255.255.255.0
network-object 66.249.71.0 255.255.255.0
network-object 66.249.72.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object object 20.x.x.31
network-object object 20.x.x.32
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
object-group network DM_INLINE_NETWORK_3
network-object object 20.x.x.76
network-object object 20.x.x.80
object-group network DM_INLINE_NETWORK_4
network-object object 192.168.1.40
network-object object 192.168.1.43
network-object 0.0.0.0 0.0.0.0
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object object 20.x.x.155
network-object object 20.x.x.156
network-object object 20.x.x.157
object-group service DM_INLINE_TCP_16 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_17 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https

object-group network DM_INLINE_NETWORK_12
network-object object 192.168.1.210
network-object object 192.168.1.23
object-group network DM_INLINE_NETWORK_13
network-object object 192.168.1.149
network-object object 192.168.1.150
network-object object 192.168.1.151
network-object object 192.168.1.152
network-object object 192.168.1.153
network-object object 192.168.1.154
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_14
network-object object 192.168.1.155
network-object object 192.168.1.156
network-object object 192.168.1.157
access-list outside_access_in remark DNS
access-list outside_access_in extended permit object-group TCPUDP any any eq domain
access-list outside_access_in remark DNS
access-list outside_access_in extended permit udp any any eq ntp
access-list outside_access_in extended deny tcp object-group DM_INLINE_NETWORK_1 object 192.168.1.75 eq www


access-list outside_access_in extended permit tcp any object 192.168.1.57 eq ssh

access-list outside_access_in extended permit tcp any object 192.168.1.140 eq www
access-list outside_access_in extended permit tcp any object 192.168.1.107 eq www
access-list outside_access_in extended permit tcp any object 192.168.1.114 eq ssh
access-list outside_access_in extended permit tcp any object 192.168.1.115 eq 3389
access-list outside_access_in extended permit tcp any object 192.168.1.165 eq www
access-list outside_access_in remark Webtrends
access-list outside_access_in extended permit tcp any object 192.168.1.16 eq www
access-list outside_access_in extended permit tcp any object 192.168.1.10 eq www

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ipv6 route outside ::/0 2400:80:aaa:12::1
ipv6 access-list outside_access_ipv6_in permit tcp any host 2400:80:aaa:12:0:2:40:40 eq www
no failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network 192.168.1.115
nat (inside,outside) static 20.x.x.115 dns
object network obj-192.168.1.12
nat (inside,outside) static 20.x.x.12 dns
object network obj-192.168.1.80
nat (inside,outside) static 20.x.x.80 dns
object network obj-192.168.1.79
nat (inside,outside) static 20.x.x.79 dns
object network obj-192.168.1.10
nat (inside,outside) static 20.x.x.10 dns

object network obj-192.168.1.78
nat (inside,outside) static 20.x.x.78 dns
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
sysopt noproxyarp management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:315654be85b7f1a86b80e68a52e85a1d
: end
 
Langly, I've been through those links before. What I wasn't sure about is whether the static NAT I've implemented here is correct or not.
It's strange because in my test environment it works: I can access the HTTP server behind the firewall and the server can go out to the internet as well.
But when I plug the firewall into our prod environment, everything stops working.
Could it be ARP?
I looked through the logs and servers going out have SYN timeouts at the firewall. Not sure why?
 
If you haven't solved it yet, run a packet trace to see where the traffic is stopping, whether it's a NAT rule, an ACL issue or anything else. Also read the below, as I found it related to your SYN timeouts.

"The syslog message indicates the connection closed because of the SYN timeout. This tells the administrator that no application X server responses were received by the ASA. Syslog message termination reasons can vary.

The SYN timeout gets logged because of a forced connection termination after 30 seconds that occurs after the three-way handshake completion. This issue usually occurs if the server fails to respond to a connection request, and, in most cases, is not related to the configuration on PIX/ASA.

In order to resolve this issue, refer to this checklist:

Make sure the static command is entered correctly and that it does not overlap with other static commands, for example,

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
The static NAT in ASA 8.3 and later can be configured as shown here:

object network obj-y.y.y.y
host y.y.y.y
nat (inside,outside) static x.x.x.x
Make sure that an access list exists in order to permit access to the global IP address from the outside and that it is bound to the interface:

access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq www
access-group OUTSIDE_IN in interface outside
For a successful connection with the server, the default gateway on the server must point towards the DMZ interface of PIX/ASA."

Syslog messages to help you T/s

http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
 
Langly,
I'm not sure if this is resolved as yet. I'll know when I go to attempt the install again later.

Re the static NAT: since I'm using 8.4, my static NAT commands are:
object network 192.168.1.115
host 192.168.1.115
nat (inside,outside) static 20.x.x.115 dns

However, I'm not sure if my access-lists are correct as well.
Just wanted to be certain that in 8.4+ we have to use the private IPs in the Outside_in access-lists.
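One way to check a posted 8.3+ config against the checklist quoted above and against the question of real versus mapped addresses, as an added Python example that is not from the thread or from Cisco: it parses `object network` blocks (including the split object/NAT blocks an 8.4 dump prints), `access-list ... extended` rules and `access-group` bindings, then reports overlapping static translations, ACL entries that still name a mapped (public) address, ACLs that are not bound to an interface, and translated hosts that no bound ACL permits. The sample config is constructed (203.0.113.0/24 stands in for the masked public range) and the function names are my own.

```python
"""Checklist-style lint for an ASA 8.3+ object-NAT configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the config posted above. 203.0.113.0/24 stands in
# for the masked public range; the object/NAT split mirrors how an 8.4 dump prints it.
SAMPLE_CONFIG = """\
object network 192.168.1.115
 host 192.168.1.115
object network 203.0.113.115
 host 203.0.113.115
object network obj-192.168.1.10
 host 192.168.1.10
object network obj-192.168.1.12
 host 192.168.1.12
object network 192.168.1.16
 host 192.168.1.16
object-group network DM_INLINE_NETWORK_2
 network-object object 203.0.113.115
access-list outside_access_in remark RDP to vcenter
access-list outside_access_in extended permit tcp any object 192.168.1.115 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any object 203.0.113.115 eq www
access-list outside_access_in extended permit tcp any object 192.168.1.16 eq www
access-list dmz_access_in extended permit tcp any object obj-192.168.1.10 eq www
object network 192.168.1.115
 nat (inside,outside) static 203.0.113.115 dns
object network obj-192.168.1.10
 nat (inside,outside) static 203.0.113.10 dns
object network obj-192.168.1.12
 nat (inside,outside) static 203.0.113.10 dns
access-group outside_access_in in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
# Sub-commands that belong to the current object even when the dump lost its indentation.
SUBCOMMANDS = {"host", "subnet", "range", "description", "nat"}


def parse_config(text):
    """Return (objects, acls, bound): object name -> host/mapped, ACL -> rules, ACL -> interface."""
    objects, acls, bound, current = {}, defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJ_RE.match(line):
            # setdefault merges the 'host' block and the later 'nat' block of the same object
            current = objects.setdefault(m.group(1), {"host": None, "mapped": None, "nat": None})
        elif m := ACL_RE.match(line):
            current = None
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            current = None
            bound[m.group(1)] = m.group(2)
        elif current is not None and line.split()[0] in SUBCOMMANDS:
            if m := HOST_RE.match(line):
                current["host"] = m.group(1)
            elif m := NAT_RE.match(line):
                current["nat"], current["mapped"] = (m.group(1), m.group(2)), m.group(3)
        else:
            current = None  # any other top-level command ends the object block
    return objects, dict(acls), bound


def check_overlaps(objects):
    """Two objects translating to the same mapped address: the 'overlap' the checklist warns about."""
    by_mapped = defaultdict(list)
    for name, obj in objects.items():
        if obj["mapped"]:
            by_mapped[obj["mapped"]].append(name)
    return {addr: sorted(names) for addr, names in by_mapped.items() if len(names) > 1}


def check_acl_addresses(objects, acls):
    """In 8.3+ an ACL names the real (inside) address; a rule naming a mapped address is a pre-8.3 leftover."""
    mapped = {obj["mapped"] for obj in objects.values() if obj["mapped"]}
    findings = []
    for acl, rules in acls.items():
        for _action, _proto, rest in rules:
            addrs = re.findall(r"\bhost (\S+)", rest)
            addrs += [objects[n]["host"] for n in re.findall(r"\bobject (\S+)", rest) if n in objects]
            findings += [(acl, a) for a in addrs if a in mapped]
    return findings


def check_unbound(acls, bound):
    """ACLs that exist but are applied to no interface (they filter nothing)."""
    return sorted(a for a in acls if a not in bound)


def check_unpermitted(objects, acls, bound):
    """Static-NATed hosts that no bound ACL permits by object name or real address ('any' is not counted)."""
    permitted = set()
    for acl, rules in acls.items():
        if acl not in bound:
            continue
        for action, _proto, rest in rules:
            if action == "permit":
                permitted.update(re.findall(r"\b(?:host|object) (\S+)", rest))
    return sorted(name for name, obj in objects.items()
                  if obj["mapped"] and name not in permitted and obj["host"] not in permitted)


def lint(config_text):
    objects, acls, bound = parse_config(config_text)
    return {
        "overlaps": check_overlaps(objects),
        "mapped_in_acl": check_acl_addresses(objects, acls),
        "unbound_acls": check_unbound(acls, bound),
        "unpermitted": check_unpermitted(objects, acls, bound),
    }


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, the lint reports the two objects sharing 203.0.113.10, the two rules that still reference mapped addresses (one by `host`, one through an object whose host is the public address), the unbound `dmz_access_in`, and the two translated hosts that end up with no effective permit. Feed it the real dump to get the same four lists for a production config.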
 
If you do the packet tracer from within the ASA itself, you can see if your ACL is blocking the traffic or if it's NAT or something else. It's a handy tool, but be warned, sometimes it doesn't work right. Hope that can help you narrow it down.

Oh, and a quick edit: make sure your order of operations is correct in your ACLs. I didn't go through yours all the way, but I've had that happen to me once. And another time my ACLs were correct but blocking stuff; I removed the whole list and re-added it and everything worked fine.
 
Finally was able to figure out the issue - the IOS 8.4.0.1
Damn thing was screwing up all NAT information.
Upgraded to 8.4.3 - looking good now.
 
Whenever something like this happens to me, first thing I do is build permit ACLs (specific to the traffic you're looking at) applied to the inbound and outbound interfaces and look for matches. If the ACL inbound is matching but the ACL outbound is not, you know to look at your routes and other ACLs.
 
The Saga ends.
Went live with the new IOS on Saturday, and was having the same issue as before: SYN timeouts on data coming back.
We finally realised that our ISP's Cisco 7600 had an arp cache that was not refreshing. Clearing that brought all traffic back through the new ASA.

I got pwned by arp cache.
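The SYN-timeout symptom that runs through the thread can be triaged from the ASA's own teardown syslogs before anyone touches NAT or ACLs. The following is an added Python example, not from the thread or from Cisco: it parses `%ASA-6-302014` Teardown lines and, for each inside host, counts zero-byte SYN timeouts against the number of distinct remote peers they were to. A host that times out to many different peers and never gets an answer points at the return path (NAT, routing, or an upstream ARP cache, as the last post found) rather than at any one server; a single unresponsive peer points at that server. Assumptions: the message layout used here (`for <if>:<ip>/<port> to <if>:<ip>/<port> duration ... bytes ... <reason>`) is the standard one, the protected segment's nameif is `inside` as in the posted config, and the log lines are constructed.

```python
"""Triage ASA TCP teardown reasons (syslog 302014) per inside host (added example)."""
import re
from collections import defaultdict

# Constructed sample lines; 198.51.100.0/24 is a documentation range. The last line is a
# normally closed connection, so one host has both a timeout and an answered session.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.20/80 to inside:192.168.1.115/51000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.21/443 to inside:192.168.1.115/51001 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.22/80 to inside:192.168.1.115/51002 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.20/80 to inside:192.168.1.16/51010 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.21/443 to inside:192.168.1.16/51011 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1006 for outside:198.51.100.23/22 to inside:192.168.1.10/51020 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1007 for outside:198.51.100.20/80 to inside:192.168.1.10/51021 duration 0:02:11 bytes 48213 TCP FINs
"""

# Assumed layout of the 302014 Teardown message. The optional "(mapped/port)" groups allow
# for dumps that print translated addresses after each endpoint.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<if1>[^:\s]+):(?P<ip1>[^/\s]+)/(?P<p1>\d+)(?: \([^)]*\))? to "
    r"(?P<if2>[^:\s]+):(?P<ip2>[^/\s]+)/(?P<p2>\d+)(?: \([^)]*\))? "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

LOCAL_IF = "inside"  # assumption: the protected segment's nameif, as in the posted config


def parse_teardown(line):
    """Parse one 302014 line into a dict, or return None for any other message."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    return {
        "id": int(m["id"]),
        "endpoints": ((m["if1"], m["ip1"], int(m["p1"])), (m["if2"], m["ip2"], int(m["p2"]))),
        "duration": m["dur"],
        "bytes": int(m["bytes"]),
        "reason": m["reason"],
    }


def summarize(log_text, local_if=LOCAL_IF):
    """Per inside host: zero-byte SYN timeouts, distinct peers timed out, and sessions that got an answer."""
    stats = defaultdict(lambda: {"syn_timeouts": 0, "timed_out_peers": 0, "answered": 0})
    peers = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_teardown(line)
        if ev is None:
            continue
        ep1, ep2 = ev["endpoints"]
        if ep1[0] == local_if:
            local, remote = ep1, ep2
        elif ep2[0] == local_if:
            local, remote = ep2, ep1
        else:
            continue  # transit between other interfaces; not our segment
        host = local[1]
        if ev["reason"] == "SYN Timeout" and ev["bytes"] == 0:
            stats[host]["syn_timeouts"] += 1
            peers[host].add(remote[1])
        else:
            stats[host]["answered"] += 1  # FINs, resets, idle timeouts all mean the peer replied
    for host, s in stats.items():
        s["timed_out_peers"] = len(peers[host])
    return dict(stats)


def classify(stats, min_peers=2):
    """'return-path' when nothing ever comes back from several peers; 'single-peer' otherwise."""
    verdicts = {}
    for host, s in stats.items():
        if s["syn_timeouts"] == 0:
            verdicts[host] = "ok"
        elif s["timed_out_peers"] >= min_peers and s["answered"] == 0:
            verdicts[host] = "return-path"  # check NAT, routing and the upstream ARP/neighbor cache
        else:
            verdicts[host] = "single-peer"  # one unresponsive destination: look at the remote server
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, verdict in classify(summary).items():
        print(f"{host:16} {verdict:12} {summary[host]}")
```

With real logs, pipe `show logging` or the syslog collector's output into `summarize`; a whole-segment verdict of `return-path` across every host after a cutover is the pattern that, in this thread, turned out to be the upstream router's stale ARP entry for the ASA's outside address.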
 