topic Thanks for replying. in Network Security

How to connect an ASA Firewall to the internet?

anthony_chedid1 — Tue, 12 Mar 2019 07:33:04 GMT

Hello,

In my topology (attached), I am simply trying to connect a PC to the internet through an ASA Firewall.

Here is the ASA configuration:

hostname Firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network local
subnet 192.168.3.0 255.255.255.0
access-list out-in extended permit tcp any 192.168.3.0 255.255.255.0 eq www
access-list out-in extended permit tcp any 192.168.3.0 255.255.255.0 eq https
access-list out-in extended permit ip any 192.168.3.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network local
nat (inside,outside) dynamic interface
access-group out-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

------------------------------------------------------------------------------------------------------------------

Both the Firewall and the PC are able to ping 8.8.8.8 but I can't surf the web on the PC which means in a way it is not connected to the internet.

So what should I change or do ?

Thank you

Hi,

Aditya Ganjoo — Tue, 29 Mar 2016 12:49:54 GMT

Hi,

What is the IP of the PC ?

It should have an IP of the same 192.168.3.0 255.255.255.0 range and default gateway as 192.168.3.254.

Also use the command fixup protocol icmp on ASA.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

hi,

johnlloyd_13 — Tue, 29 Mar 2016 13:26:10 GMT

hi,

try adding DNS IP 8.8.8.8 on your PC's TCP/IPv4 settings and try again.

I already added this DNS IP

anthony_chedid1 — Wed, 30 Mar 2016 06:40:11 GMT

I already added this DNS IP and it didn't make any difference.

My PC's IP is 192.168.3.10

anthony_chedid1 — Wed, 30 Mar 2016 06:43:25 GMT

My PC's IP is 192.168.3.10 and the gateway's IP is 192.168.3.254.

I used the command you mentioned and it didn't make any difference.

I was hoping someone would find what's wrong in the ASA configuration. Maybe the nat command is wrong or the access list.

A helpful tool to use is

james.tucker — Wed, 30 Mar 2016 21:52:32 GMT

A helpful tool to use is packet-tracer, it will tell whats happening at each stage of the packet processing.

packet-tracer input inside tcp 192.168.3.10 1234 8.8.8.8 80

Try this and then use packet tracer again:

access-list in-out permit ip 192.168.3.0 255.255.255.0 any
access-group in-out in interface inside

Your existing ACL is permitting traffic in the outside interface, so toward your inside network 🙂

Thanks for replying.

anthony_chedid1 — Thu, 31 Mar 2016 06:57:07 GMT

Thanks for replying.

The weirdest thing happened with my ASA firewall and I don't know if it should have happened this way.

I rewrote the configuration and this time I only configured the interfaces and the natting. And to my surprise the PC is now connected to the internet with no access-list.

Is that supposed to happen? Shouldn't the firewall block everything unless I permit a certain ip?

How can I protect my PC form the "dangers" of the Internet using my Firewall?

Thank you.

In this case you are relying

james.tucker — Thu, 31 Mar 2016 21:32:42 GMT

In this case you are relying on the interface security levels to permit the traffic to the Internet. Traffic will flow from higher to lower security level interfaces (no ACL needed to permit) but not the other way round - here you would need an ACL that will define which ports you would need to permit into your network.