topic Thank you it was in fact my in Network Security

New ASA 5505 setup

nwdls8725 — Tue, 12 Mar 2019 07:48:08 GMT

Hello, I am trying to setup my asa for first time use. And I am unable to get to the outside world. I am not sure where I am going wrong with my configuration. Thank you for your help. Here is my current config:

Result of the command: "show run"

: Saved
:
ASA Version 9.0(1)
!
hostname ciscoasa
enable password xZplLFirrUSkXN1l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.128.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.70.142.9 255.255.255.0
ospf cost 10
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 207.70.128.240
object network inside_subnet
subnet 192.168.128.0 255.255.255.0
object-group icmp-type ALLOW-ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object traceroute
access-list INBOUND extended permit icmp any any object-group ALLOW-ICMP
access-list inside_access_in extended permit ip 192.168.128.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.128.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_subnet
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 207.70.142.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 207.70.128.240
dhcpd lease 86400
dhcpd auto_config outside
!
dhcpd address 192.168.128.100-192.168.128.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password sM/cvVSkWC3aa0kQ encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:6edfbbd4c5f8c274151f287dac57b560
: end

Hi,

Aditya Ganjoo — Wed, 25 May 2016 17:01:16 GMT

Hi,

Config is fine.

Please enable fixup protocol icmp on the ASA for allowing ICMP traffic through the box.

Also make sure the DNS settings on the hosts is correct.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hello,

Julio Carvajal — Wed, 25 May 2016 17:53:30 GMT

Hello,

Config wise as Aditya said you are good.

There are certain things that I would change (just for a clean up) like the access-groups and the ACLs you are using at the moment as you are anyway permitting everything on the inside and most important the fixup protocol ICMP would take care of the echo replies so no need for the inbound ACL on the outside interface.

Make sure that you can ping from the ASA to your default gateway 207.70.142.254.

If that works then ping from your ASA to 4.2.2.2

Keep us posted

Julio Carvajal

Senior Network Security and Core Specialist

CCIE #42930, 2xCCNP, JNCIS-SEC

Rate all the helpful posts

Thank you Aditya,

nwdls8725 — Wed, 25 May 2016 19:02:26 GMT

Thank you Aditya,

I enabled fixup protocol icmp, now it reads:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

I also manually put it in the dns into the one laptop connected to the asa, still no access to the internet. I do see there are hits to the outside, i just can't browse. Anything else to check?

Sorry, I just saw this. I

nwdls8725 — Wed, 25 May 2016 20:20:05 GMT

Sorry, I just saw this. I tried pinging my default gateway from the ASA and it was unsuccessful. I'm still unsure where I am going wrong?

Thank you

Matt

Hi,

Aditya Ganjoo — Thu, 26 May 2016 01:24:25 GMT

Hi,

So you are able to ping the public IP's but no access to the internet.

Could you change your DNS to 8.8.8.8 and then test ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Matt,

Aditya Ganjoo — Thu, 26 May 2016 01:27:40 GMT

Hi Matt,

Do you see the ARP for the next hop on the ASA ?

sh run arp

You should see the arp for this IP 207.70.142.254.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

hi,

johnlloyd_13 — Thu, 26 May 2016 06:49:17 GMT

hi,

what's your topology like?

can you bypass the ASA 5505 and directly assign a laptop with the WAN IP address and test if you have connectivity?

PC IP: 207.70.142.9

SM: 255.255.255.0

GW: 207.70.142.254

DNS: 8.8.8.8

try to ping 207.70.142.254 and if it failed, check your Layer1 and report to your ISP.

Thank you it was in fact my

nwdls8725 — Wed, 01 Jun 2016 17:29:06 GMT

Thank you it was in fact my isp. They had a static arp entry for my old firewall's mac address, once they cleared that, everything was great. I appreciate everyone's help!