I was trying to make routing work on a new Cisco ASA 5525-X firewall. The initial setup had a public IP address configured on the outside interface (G0/0), the G0/1 interface configured for the client VLAN (a DMZ) and the MGMT port used as the inside interface. I was able to ping our Solarwinds (NMS) IP and the other servers, but I wasn't able to poll the ASA via SNMP.
The routing, SNMP and ACL configurations on the ASA seemed to be correct and even the packet tracer output looked fine.
access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host 202.8.6.17 host 172.27.0.124 eq ssh
access-list MGMT extended permit ip any any
access-group MGMT in interface management
snmp-server host management 10.11.0.6 community ***** version 2c
route management 10.11.0.0 255.255.255.0 172.27.0.121
5525-X# ping management 10.11.0.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 210/212/220 ms
5525-X# packet-tracer input management udp 10.11.0.6 161 172.27.0.124 161
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.27.0.124 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 190, packet dispatched to next module
Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
SNMP polling on the ASA wasn't my only concern. There's also an Internet edge router in front of the ASA, and its core routing wasn't working either.
5525-X# packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 detail // PING FROM INTERNET EDGE ROUTER PUBLIC LAN IP TO MANAGEMENT SERVER
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.8.6.17 255.255.255.255 management
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any 202.8.6.0 255.255.240.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30d53760, priority=13, domain=permit, deny=false
hits=18, user_data=0x7fff29133800, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=202.78.16.0, mask=255.255.240.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2faccba0, priority=0, domain=nat-per-session, deny=true
hits=649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3059cb30, priority=0, domain=inspect-ip-options, deny=true
hits=315, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf3b90, priority=70, domain=inspect-icmp, deny=false
hits=19, user_data=0x7fff30cf2f90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf8900, priority=70, domain=inspect-icmp-error, deny=false
hits=19, user_data=0x7fff30cf7d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
hits=24, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=management
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule // THIS GOT ME THINKING SINCE I'VE APPLIED permit ip any any TO MGMT ACL
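The drop above is easy to misread: the Drop-reason says "denied by configured rule", but the rule that fired is domain=mgmt-lockdown at priority 200, which is not any access-list in the running config. The following parser is an added example (not code from this post) that reads packet-tracer output in the Phase/Type/Subtype/Result/Config/Additional Information layout shown on this page, finds the phase that dropped the packet, and flags a mgmt-lockdown drop separately from an ordinary ACL drop. The sample input is the second trace above, cut down to phases 2 and 7; the comment-stripping on "//" exists only because operator notes like the one on the Drop-reason line end up in pasted output.

```python
"""Parse Cisco ASA packet-tracer output and name the phase that dropped the packet.
Added example, not code from the post; handles the layout shown in the page's traces."""
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    summary: dict = field(default_factory=dict)  # input-interface, Action, Drop-reason, ...

    def dropping_phase(self):
        return next((p for p in self.phases if p.result == "DROP"), None)


PHASE_FIELDS = {"Type": "type", "Subtype": "subtype", "Result": "result"}


def parse_packet_tracer(text):
    trace, phase, bucket, in_summary = Trace(), None, None, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()     # drop trailing operator comments
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = Phase(int(line.split(":", 1)[1]))
            trace.phases.append(phase)
            bucket = None
            continue
        if line == "Result:":                    # bare "Result:" opens the final summary
            in_summary, phase = True, None
            continue
        key, _, val = line.partition(":")
        if in_summary:
            trace.summary[key.strip()] = val.strip()
        elif phase is None:
            continue                             # command echo before the first phase
        elif key == "Config":
            bucket = phase.config
        elif key == "Additional Information":
            bucket = phase.info
        elif key in PHASE_FIELDS:
            setattr(phase, PHASE_FIELDS[key], val.strip())
        elif bucket is not None:
            bucket.append(line)                  # free-form rule / route / config lines
    return trace


def is_mgmt_lockdown_drop(trace):
    """True when the drop came from the implicit management-only rule."""
    p = trace.dropping_phase()
    return p is not None and any("domain=mgmt-lockdown" in l for l in p.info)


def explain(trace):
    """One-line verdict: which phase dropped the packet and why."""
    p, s = trace.dropping_phase(), trace.summary
    if p is None:
        return f"allow: {s.get('input-interface')} -> {s.get('output-interface')}"
    msg = f"drop in phase {p.number} ({p.type}/{p.subtype}): {s.get('Drop-reason', '')}"
    # The drop-reason says "configured rule", but domain=mgmt-lockdown is the
    # implicit management-only rule, so no interface ACL change will clear it.
    if is_mgmt_lockdown_drop(trace):
        msg += " [implicit management-only lockdown, not an interface ACL]"
    return msg


# Constructed sample: the page's second trace cut down to phases 2 and 7.
DROPPED = """\
5525-X# packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 detail
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any 202.8.6.0 255.255.240.0
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
input_ifc=any, output_ifc=management
Result:
input-interface: outside
output-interface: management
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule  // THIS GOT ME THINKING
"""
```

Running explain(parse_packet_tracer(DROPPED)) reports the phase 7 drop and appends the lockdown note, which is the check that would have saved the ACL rework here: a drop whose rule carries domain=mgmt-lockdown is a design problem (transit through a management-only interface), not a missing permit.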
I did some searching, dug out my FIREWALL notes and reviewed the purpose of the management interface:
"An ASA interface configured as a management-only interface can accept and respond to traffic where the ASA itself is the destination (ping, management session, and so on), but cannot pass any transit traffic through the ASA to or from another interface. Despite this restriction, you still need to specify in the ASA configuration exactly which systems can access the ASA using remote management protocols over the dedicated management systems through the dedicated management interface."
Below is the default configuration of the management interface (for ASA 5510/5512-X and above). So it is used purely for remote management of the ASA itself, i.e. Telnet/SSH and ASDM. I went ahead and moved the cable from the MGMT port to G0/2 and moved the command lines from the management interface to the inside interface.
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
The packet tracer output looked better after using another routable port (G0/2) instead of MGMT on the ASA. I was able to add the router and the ASA to Solarwinds, and both were able to talk to the TACACS+ and SSH management server.
5525-X# packet-tracer input inside udp 10.11.0.6 161 172.27.0.24 161
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.27.0.0 255.255.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface inside
access-list INSIDE extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1239, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
5525-X# packet-tracer input outside tcp 202.26.16.77 49 89.25.21.88 49 // INTERNET EDGE ROUTER TO INTERNAL TACACS+ SERVER
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 89.25.21.88 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp host 202.26.16.77 host 89.25.21.88 eq tacacs
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1255, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
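To make the before/after behaviour concrete, here is an added toy model (not Cisco code and not from this post) of the only decisions that mattered in the traces above: route lookup, the ingress interface's ACL, and the implicit lockdown on a management-only interface. It ignores NAT and inspection, so it predicts the Action line rather than the whole trace. The outside address 198.51.100.1/24 and the /24 on the management interface are constructed placeholders; the 172.27.0.0/16 on inside, the 10.11.0.0/24 route, the 202.8.6.17 and 89.25.21.88 host routes and the ACL entries follow the traces on this page.

```python
"""Toy model of the decision the page's packet-tracer output shows for a
management-only interface. Added illustration, not Cisco code: it covers
route lookup, the ingress ACL and the management lockdown only (no NAT,
no inspection), so it predicts the Action line, not the whole trace."""
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.ip_network(s, strict=False)   # accept "202.8.6.0/20" as written


@dataclass
class Interface:
    name: str
    address: str                  # ASA's own address on this interface, "ip/prefix"
    management_only: bool = False
    acl: list = field(default_factory=list)   # inbound (dst network, permit) rules; implicit deny

    @property
    def own_ip(self):
        return ipaddress.ip_interface(self.address).ip

    @property
    def connected(self):
        return ipaddress.ip_interface(self.address).network


class Asa:
    def __init__(self):
        self.interfaces = {}
        self.routes = []          # (prefix, egress interface name)

    def add_interface(self, ifc):
        self.interfaces[ifc.name] = ifc

    def add_route(self, prefix, ifname):
        self.routes.append((net(prefix), ifname))

    def route_lookup(self, dst):
        """'identity' when the ASA itself owns dst, else the longest-match egress."""
        dst = ipaddress.ip_address(dst)
        if any(dst == i.own_ip for i in self.interfaces.values()):
            return "identity"
        cands = [(i.connected.prefixlen, i.name) for i in self.interfaces.values() if dst in i.connected]
        cands += [(p.prefixlen, n) for p, n in self.routes if dst in p]
        return max(cands)[1] if cands else None

    def trace(self, ingress, dst):
        """Return (action, reason) the way packet-tracer's Action/Drop-reason would."""
        egress = self.route_lookup(dst)
        if egress is None:
            return ("drop", "no-route")
        if egress == "identity":           # to-the-box: the ACL phase shows "Implicit Rule" ALLOW
            return ("allow", "to-the-box")
        in_ifc, out_ifc = self.interfaces[ingress], self.interfaces[egress]
        # Only the ingress interface's ACL is consulted, so "permit ip any any"
        # on the management interface never applies to a flow entering on outside.
        d = ipaddress.ip_address(dst)
        if not next((ok for n, ok in in_ifc.acl if d in n), False):
            return ("drop", "acl-drop: ingress ACL")
        # Transit to or from a management-only interface hits the implicit rule
        # that packet-tracer reports as domain=mgmt-lockdown, priority=200.
        if in_ifc.management_only or out_ifc.management_only:
            return ("drop", "acl-drop: mgmt-lockdown")
        return ("allow", f"transit {ingress} -> {egress}")


def before_fix():
    """The post's first layout: the MGMT port (management-only) used as the inside path.
    Outside address and the /24 on management are constructed placeholders."""
    asa = Asa()
    asa.add_interface(Interface("outside", "198.51.100.1/24",
                                acl=[(net("202.8.6.0/20"), True)]))   # permit icmp any 202.8.6.0 255.255.240.0
    asa.add_interface(Interface("management", "172.27.0.124/24", management_only=True,
                                acl=[(net("0.0.0.0/0"), True)]))      # MGMT: permit ip any any
    asa.add_route("10.11.0.0/24", "management")    # route management 10.11.0.0 255.255.255.0 172.27.0.121
    asa.add_route("202.8.6.17/32", "management")   # host route seen in the trace's ROUTE-LOOKUP
    return asa


def after_fix():
    """Same addressing on G0/2 as a regular routed 'inside' interface (/16 from the trace)."""
    asa = Asa()
    asa.add_interface(Interface("outside", "198.51.100.1/24",
                                acl=[(net("202.8.6.0/20"), True), (net("89.25.21.88/32"), True)]))
    asa.add_interface(Interface("inside", "172.27.0.124/16", acl=[(net("0.0.0.0/0"), True)]))
    asa.add_route("10.11.0.0/24", "inside")
    asa.add_route("89.25.21.88/32", "inside")      # "in 89.25.21.88 255.255.255.255 inside"
    return asa


if __name__ == "__main__":
    print(before_fix().trace("management", "172.27.0.124"))  # SNMP to the ASA itself: to-the-box
    print(before_fix().trace("outside", "202.8.6.17"))       # transit via management-only: lockdown
    print(after_fix().trace("outside", "89.25.21.88"))       # transit via a routed interface: allowed
```

The model reproduces the three traces: SNMP from the NMS to 172.27.0.124 is to-the-box and is allowed even on the management-only port, the ping from the edge router toward 202.8.6.17 is dropped by the lockdown before any management ACL is considered, and the TACACS+ flow is allowed once the same addressing sits on a regular routed interface where the outside ACL is the control that matters.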