ACK! This ASA 5500 is kicking my butt!

Any help would be appreciated! I ran a Raptor Eagle NT for a small college about 9 years ago, but a lot's changed.

I have a new Cisco ASA 5500, and a hard deadline, and I need to get just BASIC traffic configured, the simplest setup just to get operational.

One protected inside network with just a few hosts and a public IP range...

One outside interface to our Internet Gateway (Cisco 2811) with a registered address range.

The interfaces are configured. I've confirmed connectivity by pings from the firewall.

All interfaces can be pinged from the network they're on.

I've defined interface PAT to and from both sides of the device.

The outside interface has a security setting of 0, inside is 90.

I've gone into device administration, and allowed icmp on both interfaces.

I can NOT ping through though. I can't even ping the outside interface of the firewall from a host on its inside network.

I'm using the graphic interface right now.

Is there anyone out there that could give me just the BASIC steps you would use to get a simple inside/outside network setup going on this firewall?

I have about 20 bundles of PDF printout I pulled from the web, none of them seem to help.

Getting desperate here! I just need to get this basically operational until I have time to really research and get up to speed!

Ingot


Perhaps you could post a config?

interface Ethernet0/0
 description Connection to the Internet
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 66.X.X.2 255.255.255.240
!
interface Ethernet0/1
 description Connection to Internal Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0

access-list outside_access_in remark Allows internal clients to PING to internet
access-list outside_access_in extended permit icmp any host 66.X.X.2 echo-reply log
access-list outside_access_in remark Allows internal clients to traceroute to internet
access-list outside_access_in extended permit icmp any host 66.X.X.2 time-exceeded log

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
access-group outside_access_in in interface outside

HTH,

Chad


"Chad Mahoney" wrote in message news: snipped-for-privacy@news.supernews.com...

Certainly!

I've messed around a bit more but I'm obviously missing something...

Well, plus... I've been working (and learning) with this thing for two days now, and I may have left some messed up settings behind in all of that.

Don't judge me too harshly on this configuration!

Thanks in advance!

--- Begin Paste ---

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 description Connection to Internet
 nameif Outside
 security-level 0
 ip address x.x.x.34 255.255.255.248
!
interface Ethernet0/1
 description Connection to internal network
 nameif Inside
 security-level 90
 ip address 192.168.3.1 255.255.255.0
!
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
dns domain-lookup Inside
dns name-server 195.107.41.34
dns name-server 195.107.41.21
access-list Outside_access_in remark Allows internal clients to PING to the internet
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in remark Allows internal clients to traceroute to internet
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit icmp interface Inside interface Outside
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
no failover
icmp permit any Inside
icmp permit any Outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (Inside) 24 interface
global (Outside) 100 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (Inside) 100 0.0.0.0 0.0.0.0
nat (Outside) 24 0.0.0.0 0.0.0.0 outside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.3.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:

Ingot

Remove those access list statements and enter:

access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log

access-list outside_access_in extended permit icmp any host x.x.x.34 time-exceeded log

Whoa! Let's look at this!

Remove the 2 statements above and enter:

global (outside) 1 interface

Remove the 3 statements above and enter:

nat (inside) 1 192.168.3.0 255.255.255.0

Remove the above statement and enter:

route outside 0.0.0.0 0.0.0.0 IP_of_Router 1

Where the IP of the router would be on the same subnet as x.x.x.34, which is your outside interface. Once you have done that, perform a write memory and a clear xlate and test.

Chad Mahoney

"Chad Mahoney" wrote in message news: snipped-for-privacy@news.supernews.com...

No luck. I was very careful, but still nothing.

I even got sick of messing with it, set it back to factory defaults, and rebuilt the configuration. It simply won't route.

I'm about to explode here, this is so frustrating.

Here's my post-wipe-and-rebuild sh run

--- Begin Paste ---

ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname issciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.34 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxx encrypted
ftp mode passive
access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log
access-list outside_access_in extended permit icmp any host x.x.x.34 time-exceeded log
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 192.168.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Ingot

Can you ping the router from the firewall? Log in to the firewall and issue this command:

ping outside x.x.x.33 and paste the results...

Chad Mahoney

"Chad Mahoney" wrote

Yup.

This is on a separate network that is completely disabled by the firewall right now, so I'm not going to paste the results. (Have to transfer them by USB drive to get them into my e-mailing computer...)

But,

Sending 5, 100-byte ICMP Echoes to x.x.x.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I've done a few router configurations, and if this was a router, I'd suspect I needed to do "ip routing" from (config).

I can ping ALL interfaces from outside them...

I can ping ANYTHING outside the firewall, while I'm telneted into it.

I just can't ping across it, even to the interface on the other side.

In fact, NOTHING works across the firewall.

I spent the last 90 minutes upgrading to the latest ASA IOS, and the ASDM image as well. No help.

Ingot


So your PCs are set up to use the inside interface as the default gateway? Also set up logging to a syslog server, capture the logs and post them.

Chad Mahoney

"Chad Mahoney" wrote

Ok, 2 minutes before I had to leave work today, I got ping replies...

One thing I did wrong was to ping the opposite interface. The rules seem to operate differently, or maybe it was set to not reply to ICMP packets, but when I started pinging across to the router on the other side, I started getting more helpful log file messages.

A simple dynamic NAT, to use the opposite interface address for all IP, and I started seeing the replies getting denied on their way back in from the router interface.

A rule to let them back in, and the pings started working.

Then I had to go. Guess it's up super early tomorrow to get back to it.

Thanks for all the help Chad. Not that I'm safe yet, but I'm one step further.

Ingot

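The points Chad's fix list and Ingot's final post turn on (a nat id that pairs with a global on the outside interface, a default route out of outside that is not "tunneled", an identity nat 0 that exempts the inside subnet from the interface PAT, and an access-group on outside that actually lets the echo replies back in, since ASA 7.0 does not track ICMP without inspect icmp) can be checked mechanically. This is an added example, not code from the thread or from Cisco; lint_asa7 is a hypothetical helper that only understands the ASA 7.x lines used above, and SAMPLE is a constructed excerpt of the rebuilt config with the poster's masked x.x.x.34 / x.x.x.33 addresses kept as placeholders.

```python
import re

# Constructed sample: the NAT, route and ACL lines from the "post-wipe-and-rebuild"
# paste above; x.x.x.34 / x.x.x.33 are the poster's masked addresses.
SAMPLE = """\
access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log
global (outside) 1 interface
nat (inside) 0 192.168.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
"""

def lint_asa7(config, inside="inside", outside="outside"):
    """Return findings for a basic inside->outside interface-PAT setup (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. every dynamic nat id on inside needs a global with the same id on outside
    globals_out = {m.group(1) for l in lines
                   if (m := re.match(rf"global \({outside}\) (\d+) ", l))}
    nat_ids = {}
    for l in lines:
        if m := re.match(rf"nat \({inside}\) (\d+) (\S+) (\S+)", l):
            nat_ids.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for nid in nat_ids:
        if nid != "0" and nid not in globals_out:
            findings.append(f"nat ({inside}) {nid} has no matching global ({outside}) {nid}")
    # 2. nat 0 is identity NAT: hosts it covers leave untranslated, bypassing the PAT
    for net, mask in nat_ids.get("0", []):
        findings.append(f"nat ({inside}) 0 {net} {mask} exempts that subnet from the PAT")
    # 3. the default route must point out the outside interface and not be 'tunneled'
    routes = [l for l in lines if l.startswith(f"route {outside} 0.0.0.0 0.0.0.0 ")]
    if not routes:
        findings.append(f"no default route via {outside}")
    elif any(l.endswith(" tunneled") for l in routes):
        findings.append("default route is 'tunneled': it only applies to VPN traffic")
    # 4. ASA 7.0 without 'inspect icmp' needs an inbound ACL on outside for echo replies,
    #    and an access-list does nothing until an access-group applies it
    acls = [m.group(1) for l in lines
            if (m := re.match(rf"access-group (\S+) in interface {outside}", l))]
    if not acls:
        findings.append(f"no access-group applied inbound on {outside}; ACL lines have no effect")
    elif not any(re.match(rf"access-list (?:{'|'.join(map(re.escape, acls))}) extended permit icmp .*echo-reply", l)
                 for l in lines):
        findings.append(f"inbound ACL on {outside} does not permit icmp echo-reply")
    return findings

if __name__ == "__main__":
    for f in lint_asa7(SAMPLE):
        print("FINDING:", f)
```

For the first paste above, call lint_asa7(config, inside="Inside", outside="Outside") since that config capitalises the interface names.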

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.