ASA 5505/5520 routing from outside to inside

[lgpl3]

I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the server. I thought this might be an outside-NAT-required issue, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host -- it's subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside.

I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.

I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.

I set up the same scenario in my lab with an ASA 5505, with the same results. Any ideas? Below is the running config:

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside
security-level 100
ip address 192.168.250.41 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list 101 remark -ACCESS LIST 101 APPLIED TO OUTSIDE-
access-list 101 remark -WAN to LAN-
access-list 101 remark --
access-list 101 remark -Allowed ICMP Pass-Thru-
access-list 101 remark ---
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo
access-list 101 remark ----
access-list 101 remark -DEFAULT - Permit outside hosts Announce to 192.168.250.24-
access-list 101 remark -----
access-list 101 extended permit udp any host 192.168.250.24 eq 54771
access-list 101 remark ------
access-list 101 remark -Deny all IP - Implicit, but done to trap hits-
access-list 101 remark ---------
access-list 101 extended deny ip any any
access-list 101 remark ----------
access-list 101 remark -ACL Added for FB2 UDP Discovery-
access-list 101 remark -Added on 2-28-13 by L.Pederson-
access-list 102 remark -ACCESS LIST 102 APPLIED TO INSIDE-
access-list 102 remark -WAN to LAN-
access-list 102 remark --
access-list 102 remark -Allowed ICMP Pass-Thru-
access-list 102 remark ---
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit icmp any any unreachable
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit icmp any any echo
access-list 102 remark ----
access-list 102 remark -DEFAULT - Permit outside hosts Announce to 192.168.250.24-
access-list 102 remark -----
access-list 102 extended permit udp any host 192.168.250.24 eq 54771
access-list 102 remark --------
access-list 102 remark -Deny all IP - Implicit, but done to trap hits-
access-list 102 remark ---------
access-list 102 extended deny ip any any
access-list 102 remark ----------
access-list 102 remark -ACL Added for FB2 UDP Discovery-
access-list 102 remark -Added on 2-28-13 by L.Pederson-
pager lines 24
logging enable
logging monitor debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group 102 out interface inside
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username mvadmin password 8Ry0koA9un5B4p74 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4bce0170a7e62e40c6bdbc458d647837
: end

 

[HungryHouse]

You dont have an outside translation for the inside sever...aka there is no outside NAT for it.

Truly, you should put the server on the DMZ of the 5520 which is correct design allowing the inside and outside users to get to the server and keep it protected at the same point...find a public static IP they can use (i'm sure they ahve more than just the inteface IP avaialbale to them).

Create a new subnet for the DMZ..lets call it 172.16.100.0/24.
Lets asume we put the server on 172.16.100.24 (keeping youtr last octect for the host the same)
Take the host server's IP and map it statically to the outside interface (or another viale outside global address), or better yet, if the inside hosts still need access to the server make it to any Interface so both sides can get there such as:
Should look something like this;
(config)# object network dmz-server
(config-network-object)# host 172.16.100.24
(config-network-object)# nat (dmz, any) static 192.168.10.24

And remember in 8.3, you have to you use the real IP address for your ACL (Not the translated IP)...you should not be using "any" in your ACL because for the destination.

I hope this helps.

HH


Real trouble call:
Customer: "I have a huge problem. A friend has put a screensaver on my computer, but every time I move the mouse, it disappears!"