topic What am I missing - ASA 5520 basic config? in Network Security

What am I missing - ASA 5520 basic config?

torleif — Mon, 11 Mar 2019 21:56:15 GMT

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.

The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193

What am I missing since I can not get trafic from inside to the internet?

Any help would be appreciated!

ASA Version 8.2(5)

hostname asatest

domain-name test.net

enable password xxx

passwd xxx

names

dns-guard

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 10.59.64.50 255.255.255.0

boot system disk0:/asa825-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name test.net

access-list outside_acl extended permit icmp any any

access-list inside_acl extended permit ip any any

global (Outside) 1 64.28.29.202

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

What am I missing - ASA 5520 basic config?

Richard Burts — Mon, 28 Nov 2011 22:01:04 GMT

The first issue that I notice is this

access-group outside_acl in interface Outside

access-list outside_acl extended permit icmp any any

so you are not allowing anything but ICMP inbound on the outside interface. that makes it very difficult for things like DNS to work, which then impacts many other things that depend on DNS.

HTH

Rick

What am I missing - ASA 5520 basic config?

torleif — Wed, 30 Nov 2011 14:26:00 GMT

I tried to add

access-list outside_acl extended permit ip any any

but this did not help..

What am I missing - ASA 5520 basic config?

cadet alain — Wed, 30 Nov 2011 14:59:52 GMT

Hi,

access-list outside_acl extended permit icmp any any

access-list inside_acl extended permit ip any any

global (Outside) 1 64.28.29.202

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

1) remove both ACLs and the access-groups commands

2) change global(outside) command to global (Outside) 1 interface

3) enable icmp inspection:

policy-map global_policy

class inspection_default

inspect icmp

Regards.

Alain

What am I missing - ASA 5520 basic config?

torleif — Thu, 01 Dec 2011 13:31:16 GMT

Thank you for your suggestions.

I got the following error messages while configuring:

asatest(config)# policy-map global_policy

asatest(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

asatest(config-pmap)# inspect icmp

ERROR: % Invalid input detected at '^' marker.

asatest(config)# policy-map global_policy

asatest(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

asatest(config-pmap)# inspect icmp

ERROR: % Invalid input detected at '^' marker.

The changes did not seem to solve my problem.

Regards,

Torleif

What am I missing - ASA 5520 basic config?

cadet alain — Thu, 01 Dec 2011 13:41:53 GMT

Hi,

post entire config.

can you ping your internet gateway from inside ?

Regards.

Alain

What am I missing - ASA 5520 basic config?

mvsheik123 — Thu, 01 Dec 2011 18:31:34 GMT

Hi,

For basic config, as Rich and Alain mentioned, remove the ACLs.Once web access work, you can add addl security.

Also, if you see no issues in reaching the gateway, try using global (Outside) 1 interface. See if that works.

Thx

What am I missing - ASA 5520 basic config?

torleif — Fri, 02 Dec 2011 08:08:24 GMT

From the inside network I am only able to ping the inside interface. I am not able to ping the outside interface nor the outside gateway from the inside.

Here comes the entire config.

Thx for your help.

Regards,

Torleif

ASA Version 8.4(2)

hostname asatest

domain-name test.net

enable password xxx encrypted

passwd xxx encrypted

names

dns-guard

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 10.59.64.50 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.3.1 255.255.255.0

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 10.59.60.50 255.255.255.0

management-only

boot system disk0:/asa842-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name test.net

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list outside_acl extended permit icmp any any

access-list outside_acl extended permit ip any any

access-list inside_acl extended permit ip any any

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

no failover

failover polltime unit 15 holdtime 45

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

object network obj_any

nat (Inside,Outside) dynamic 64.28.29.202

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.59.64.0 255.255.255.0 Inside

http 10.59.60.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:434092a6461c0571570d49af38b17c46

: end

asatest#

What am I missing - ASA 5520 basic config?

cadet alain — Fri, 02 Dec 2011 08:56:32 GMT

Hi,

Remove your inside ACL it's not necessary. then look at this:

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

object network obj_any

nat (Inside,Outside) dynamic 64.28.29.202

Try the nat(Inside,Outside) dynamic interface I suggested, remove the inside ACL and then first try a ping to your gateway then to 8.8.8.8 and then do the same from an inside host.

Regards.

Alain

What am I missing - ASA 5520 basic config?

torleif — Fri, 02 Dec 2011 09:21:19 GMT

Thank you all for your suggestions and your time!

Alains changes made this work!

Now I have a working config and can work on with my needs..

Torleif

What am I missing - ASA 5520 basic config?

mvsheik123 — Fri, 02 Dec 2011 14:29:10 GMT

Hi Alain / Rich,

Can you shed some light on why the ASA does not work when mapping static ip (global (Outside) 1 x.x.x.x) when compared to dynamic mapping with public ip subnet /28? I had similar issue previously on 8.0 and when changed the config to global (Outside) 1 interface- it worked fine.

The static ip mapping config worked fine for me with public subnets /24 and /27.

Thanks