RE: ASA 5505 network behind an access point

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Wed, 18 Jul 2012 21:56:22 -0500

> *I would have thought the default behaviour would have been for any inside
address to communicate with outside & establish comms?*

That's only true for standard TCP and UDP applications, or applications which the ASA has an application inspection engine for.

A "standard" application is one that the client initiates the session with a well-known destination port, and the server responds with a well-known source port. HTTP is a good example of this, where the client talks to the server at TCP destination 80, and the server talks to the client at TCP source 80.

On the flip-side, a "non-standard" application is one whose outbound traffic flow is not indicative of its inbound traffic flow. Traceroute is a good example of this, where the source sends either UDP or ICMP echos out, but the destination replies with either ICMP time-exceeded or ICMP port-unreachable. Since the ASA does not have a specific application inspection for traceroute (either the Windows or Linux variant) you'll see that if you trace to a destination on the Internet from the inside, the replies will be dropped, i.e. the trace is broken. The only fix for this is to manually allow the return flows back in with an ACL.

I don't know what the inbound vs. outbound flow information is for your particular application, but if it's non-standard the ASA won't be able to inspect it and it will be dropped on the return. The easy way to see if this is the case is to configure an ACL OUTSIDE_IN that denies all IP traffic, and then turn logging on. Anything that the inspection engine allows will skip the ACL check. Any non-standard apps or unsolicited outside to inside traffic will be dropped and generate a log.

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com
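The distinction Brian draws above (a "standard" reply is the exact mirror image of the outbound flow, a "non-standard" one is not) can be seen in a small simulation of a stateful firewall's connection table. This is an added illustration written for this archive page, not Brian's code and not anything from Cisco; the `StatefulFirewall`, `Packet` and `demo` names, the hop and server addresses (taken from the RFC 5737 documentation ranges), and the ports are all constructed for the example. It models only the conn-table lookup and an OUTSIDE_IN ACL; NAT/xlate handling and TCP state tracking that a real ASA also performs are deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # for icmp this field carries the ICMP type
    dport: int = 0        # for icmp this field carries the ICMP code
    iface: str = "inside"  # interface the packet arrives on


class StatefulFirewall:
    """Toy model of a firewall with one inside and one outside interface.

    Flows opened from inside are recorded; an inbound packet is permitted only
    if it is the exact reverse of a recorded flow, or if an OUTSIDE_IN ACL
    entry explicitly permits it. Everything else is denied and logged.
    """

    def __init__(self, outside_in_acl=None):
        self.conns = set()                # forward 5-tuples opened from inside
        self.acl = outside_in_acl or []   # (name, predicate) pairs, checked in order
        self.log = []                     # one entry per inbound deny

    def process(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            self.conns.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return "permit"
        # Inbound: a "standard" reply swaps source and destination exactly.
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.conns:
            return "permit (conn table)"
        # Non-standard or unsolicited traffic reaches the ACL.
        for name, matches in self.acl:
            if matches(pkt):
                return f"permit (acl {name})"
        # Constructed log line, loosely shaped like an ASA access-group deny message.
        self.log.append(
            f"Deny {pkt.proto} src outside:{pkt.src} dst inside:{pkt.dst} by access-group OUTSIDE_IN"
        )
        return "deny"


def return_flow_acl():
    """ACL entries that let traceroute's error replies back in (hypothetical names)."""
    return [
        ("time-exceeded", lambda p: p.proto == "icmp" and p.sport == 11),
        ("unreachable", lambda p: p.proto == "icmp" and p.sport == 3),
    ]


def demo(with_return_acl: bool) -> dict:
    fw = StatefulFirewall(return_flow_acl() if with_return_acl else [])
    client, web, hop = "192.168.1.237", "203.0.113.10", "198.51.100.1"  # constructed
    results = {}

    # Standard application: HTTP reply comes back from TCP source port 80.
    fw.process(Packet("tcp", client, web, 51000, 80))
    results["http_reply"] = fw.process(Packet("tcp", web, client, 80, 51000, iface="outside"))

    # Non-standard application: UDP traceroute probe out, ICMP errors back
    # from an intermediate hop (type 11) and from the destination (type 3/3).
    fw.process(Packet("udp", client, web, 40000, 33434))
    results["ttl_exceeded"] = fw.process(Packet("icmp", hop, client, 11, 0, iface="outside"))
    results["port_unreach"] = fw.process(Packet("icmp", web, client, 3, 3, iface="outside"))

    # Unsolicited outside-to-inside connection attempt, never allowed by state.
    results["unsolicited"] = fw.process(Packet("tcp", "192.0.2.50", client, 4444, 22, iface="outside"))

    results["log"] = list(fw.log)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        out = demo(with_return_acl=mode)
        print(f"return-flow ACL {'on' if mode else 'off'}:")
        for key, value in out.items():
            print(f"  {key}: {value}")
```

Without the ACL entries the HTTP reply is permitted by state while both traceroute error replies are denied and logged, which is exactly the broken trace Brian describes; with them, only the unsolicited connection attempt is logged. On a real ASA the diagnostic Brian suggests is `access-list OUTSIDE_IN extended deny ip any any log` bound with `access-group OUTSIDE_IN in interface outside`, and the return flows for traceroute are allowed with `access-list OUTSIDE_IN extended permit icmp any any time-exceeded` and `access-list OUTSIDE_IN extended permit icmp any any unreachable` placed above the deny.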

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Tony Singh
Sent: Wednesday, July 18, 2012 5:54 PM
To: Carlos G Mendioroz; Cisco certification
Subject: Re: ASA 5505 network behind an access point

Some questions may seem a little dumb, so I apologise in advance..

I'm pretty new to the ASA and am struggling a bit..

Trying to get a Slingbox working for remote viewing, and in the ASDM syslog
I can see the UDP, TCP messages go out of the ASA outside interface from the
inside source (192.168.1.237); not so long after I see these communications
teardown.....

I have set a NAT rule to allow any service from outside to connect to host
192.168.1.237/32 but still it does not work

I also have a CCcam client which does similar, but relations teardown and
I'm unable to get this application working - (needs more understanding I
have various remote ports it tries to connect to)

*I would have thought the default behaviour would have been for any inside
address to communicate with outside & establish comms?*

I don't really want to put these devices into a DMZ.

Is it possible to have a scenario where I can use my home public IP address
for internet access from a remote location?

thanks in advance.

On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:

> Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network and
> 10.0.0.0/24 network. If you choose a port that's not wan on the ap and
> turn off dhcp, you should get .1 addresses and this would be a moot point.
> If you still want this setup, make sure you turn off NAT on the ap.
>
> Sent from handheld
>
> On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>
> > hi mate
> >
> > 1.7 pings fine from hosts on 192 & from the ASA, further testing from
> > packet tracer on ASA shows icmp, tcp & udp allowed from hosts on 192.x to
> > 10.x this passes with all boxes ticked.
> >
> > Looking at the ASDM syslog messages when I'm on a 192.x host when trying
> > to establish an ssh or http session to 10.x resources, the tcp session
> > builds then waits for SYN but tears down after timeout..
> >
> > ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> > repeater mode
> >
> > Above proved to be working ok without ASA, need to set up SSL VPN to
> > resources hence the reason for it.
> >
> > ASA setup is vlan2 outside dhcp address from ISP ok & inside ports 1-7
> > vlan1 with different resources, port 1 is where wireless is connected with
> > an assigned dhcp address of 1.7 from the ASA this access point is using
> > dhcp to assign hosts 10.x range (these hosts have access to Internet ok
> > through the ASA)
> >
> > --
> > BR
> >
> > Sent from my iPhone on 3
> >
> > On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >> Can you ping .1.7? How many interfaces are you talking about on the
> >> ASA?
> >>
> >> Sent from handheld
> >>
> >> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com>
> >> wrote:
> >>
> >>> hi carlos
> >>>
> >>> yes sorry should have mentioned from asa - first time playing with
> >>> these...
> >>>
> >>> from linux host (192.168.1.6)
> >>>
> >>> root_at_dm8000:~# ping 10.0.0.2
> >>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
> >>>
> >>> not getting anything back
> >>>
> >>> but ASA looks like it's passing the icmp on
> >>>
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=38400 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=38656 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=38912 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=39168 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=39424 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=39680 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=39936 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=40192 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=40448 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=40704 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> >>> seq=40960 len=56
> >>>
> >>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> >>>
> >>>> Sorry, I thought you were trying to get from another host to the
> >>>> wireless. Now I see that the ASA is not able to ping.
> >>>> Can you ping a wireless host from another 192.168.1.1 host if you add
> >>>> a route via .7 ? Sounds like a WLC ACL.
> >>>>
> >>>>
> >>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
> >>>>
> >>>>>
> >>>>>
> >>>>> hi carlos - thanks but see below...
> >>>>>
> >>>>> ciscoasa(config)# same-security-traffic permit inter-interface
> >>>>> ciscoasa(config)# same-security-traffic permit intra-interface
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> ciscoasa(config)# debug icmp trace 15
> >>>>> debug icmp trace enabled at level 15
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> >>>>>
> >>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> >>>>>
> >>>>> same security traffic permit intra-interface
> >>>>>
> >>>>> -Carlos
> >>>>>
> >>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
> >>>>>
> >>>>> hi experts
> >>>>>
> >>>>> problem
> >>>>> network behind wireless is 10.0.0.0/24
> >>>>>
> >>>>> unable to access from asa defined
> >>>>> dhcp network 192.168.1.0/24
> >>>>>
> >>>>>
> >>>>> topology
> >>>>> wireless access point wan port --> ASA inside switchport vlan 1
> >>>>>
> >>>>> on asa set a static route to say 10.x is behind 192.168.1.7
> >>>>> (which is the
> >>>>> address of the wan port of the wireless access point, pings fine
> >>>>> from asa
> >>>>> and traffic from the 10.x range is able to get out to the
> >>>>> internet fine)
> >>>>>
> >>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
> >>>>>
> >>>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
> >>>>>
> >>>>> but ping fails
> >>>>>
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> using the ASDM packet tracer facility it show that it is trying
> >>>>> to ping
> >>>>> from inside to outside interface, it fails due to acl-rule
> >>>>>
> >>>>> but on asa not seeing it here..
> >>>>>
> >>>>> ciscoasa(config)# show access-list
> >>>>> access-list cached ACL log flows: total 0, denied 0
> >>>>> (deny-flow-max 4096)
> >>>>> alert-interval 300
> >>>>>
> >>>>> problem is this probably a private vlan scenario as I have a
> >>>>> network within
> >>>>> a network on my inside interface so the packet trace going from
> >>>>> inside to
> >>>>> outside is wrong
> >>>>>
> >>>>> any advice would be great
> >>>>>
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>
> >>>>> _______________________________________________________________________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>
> >>>>> --
> >>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar>
> >>>>> LW7 EQI Argentina
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> --
> >>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> >>>

Blogs and organic groups at http://www.ccie.net
Received on Wed Jul 18 2012 - 21:56:22 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART