topic ASA 5510 config help in Network Security

ASA 5510 config help

Narmi2000 — Mon, 11 Mar 2019 21:39:26 GMT

My ASA5510 is connected to a time capsule (Apple router). Its configuratin is as follow:

Ethernet0/0 interface Outside with security level 0. It is configured to get ip adr from dhcp. (It gets ip adr from Time Capsule)

Ethernet0/1 interface Inside with security level 100. IP adr is 192.168.10.1 255.255.255.0 . DHCP server is enabled on interface Inside (192.168.10.2-192.168.10.254). I did that so my computer could get ip adr from ASA instead of TimeCapsule. Also autoconfiguration is enabled on interface Outside.

PAT is enabled (Use the ip adr on the Outside interface.)

This is the basic info from setup wizard. There is no other additional configuration.

ASA is wired into TimeCapsule on Ethernet0/0 and my pc is connected to ethernet0/1 of ASA. My pc gets ip adr (192.168.10.2) from ASA but not able to connect to the internet. When run Windows TS wizard the msg I get is "Windows can not communicate with the device/resource (Primary DNS Server)"

Cany any body tell me what I am doing wrong? I believe I am missing some crucial config setting at ASA but can't figure it out.

Any kind of help will be highly appreciated.

Regards,

ImranN

ASA 5510 config help

Jon Marshall — Tue, 18 Oct 2011 16:59:30 GMT

In your DHCP config are you handing out a valid DNS server ?

If it is a DNS server problem then can you try connecting to a website using an IP address rather than a URL ?

Jon

ASA 5510 config help

Narmi2000 — Tue, 18 Oct 2011 18:39:49 GMT

Thanks for your help Jon.

I have enabled DHCP server on Inside interface with the pool (192.168.10.2-192.168.10.254) so my pc could get

ip adr from there and it does. Also I have enabled auto-configuration from interface Outside (This setting

is part of setup wizard). It means DHCP server should automatically configure DNS, WINS and domain name.

According to the ipv4 settings

My pc's ip adr is 192.168.10.2 (Getting from interface Inside which is configured as DHCP)

Default gateway is 192.168.10.1 (IP adr of interface Inside)

DHCP serveris 192.168.10.1 (IP adr of interface Inside where DHCP server is enabled)

DNS server is 192.168.1.1 (Internal IP adr of the router ie TimeCapsule)

I cant use IP adr to conenct to a web site because my pc is not connecting to internet. (In Network and Sharing Center I have a red X on internet.). In other words I dont have internet connectivity. It probably means packets are not allowed to leave ASA. That is why probably some misconfiguration. The error I get is (Your computer appears to be correctly configured but the device or resource (DNS Server) is not responding)

Btw, the ip subnet at interface Inside is 192.168.10.0 and the ip adr ASA gets from router is from the subnet of 192.168.1.0. On the other hand management interface has ip adr of 192.168.1.1. Does it make and difference?

Any other suggestion?

Regards,

ImraN

ASA 5510 config help

Jon Marshall — Tue, 18 Oct 2011 21:35:14 GMT

Can you post config of ASA ?

Jon

Re: ASA 5510 config help

Narmi2000 — Wed, 19 Oct 2011 14:12:16 GMT

Here is the configuration detail of ASA5510. I have attached screen shots.

Moreover I have run ping test from my pc. My pc is connected to interface Inside and interface Outside is connected to TimeCapsule router.

I can ping to the interface I am connected to but can't ping the other interface (Outside). It means somehow both interfaces are not comunicating.

Regards,

ImraN

Re: ASA 5510 config help

cadet alain — Wed, 19 Oct 2011 15:29:34 GMT

Hi,

I can ping to the interface I am connected to but can't ping the other interface (Outside).

That's normal you cant ping outside interface from inside on the ASA.

In your ACl screenshot you have implicit deny all inbound on outside but if you want to ping from inside to the router on outside then you must put an explicit rule stating you accept icmp echo-replies on this interface inbound or enable icmp inspection.

I can't only give you a CLI config but you can paste it in ASDM:

the most secure way for me is to inspect icmp so here it is

policy-map global_policy

class inspection_default

inspect icmp

This way you can ping your router IP address from a PC on inside.

what does a ping to router WAN address give?

if you connect a PC directly on the router, does it work and then have you got connectivity with internet? ping 8.8.8.8 is successful from PC?

Could you post a show run from the ASA.

Regards.

Alain.

Re: ASA 5510 config help

Narmi2000 — Thu, 20 Oct 2011 22:05:47 GMT

Thanks you so much for helping me out Alain.

Here is show running-config command out put on my ASA5510

JASA> en

Password:

JASA# show run

: Saved

ASA Version 8.2(5)

hostname JASA

enable password y2YjIyt7RRXU24 encrypted

passwd 2KFQnbNI.2KYOU encrypted

names

interface Ethernet0/0

nameif JOutside

security-level 0

ip address dhcp setroute

interface Ethernet0/1

nameif JInside

security-level 100

ip address 192.168.10.1 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

<--- More --->

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list JOutside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu JOutside 1500

mtu JInside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

nat (JInside) 0 0.0.0.0 0.0.0.0 norandomseq

access-group JOutside_access_in in interface JOutside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config JOutside

dhcpd update dns

dhcpd address 192.168.10.2-192.168.10.254 JInside

dhcpd auto_config JOutside interface JInside

dhcpd enable JInside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0504ad33009162ea950248812eba1ffc

: end

JASA#

I changed the network on the router. Now its using 172.16.0.0 network instead of 192.168.1.0. After doing that now in ASDM interface Outside also shows the ip adr its getting from the router where it was not showing any ip adr before (see screenshot). Anyways, nothing eles has been changed

My pc is connected to interface outside with ethernet cable and interface Inside is connected to the router. LAN config of my nic is:

Ip adr: 192.168.10.2

Default gateway: 192.168.10.1

DHCP server: 192.168.10.1

DNS server : 172.16.1.1 (Internal ip adr of the router)

I cant ping Outside interface of ASA. Host is unreachable. The traffic from high security interface to low security interface is allowed by default. If this is correct then I must have internet connection. Even though two different networks are setup on inside and outside interfaces, should ASA by default not do NAT?

I have internet connected while directly connected to my router.

Regards,

ImraN

ASA 5510 config help

cadet alain — Fri, 21 Oct 2011 09:08:23 GMT

Hi,

My pc is connected to interface outside with ethernet cable and interface Inside is connected to the router. LAN config of my nic is:

Ip adr: 192.168.10.2

Default gateway: 192.168.10.1

DHCP server: 192.168.10.1

DNS server : 172.16.1.1 (Internal ip adr of the router)

1) PC should be connected to interface INSIDE and router to interface OUTSIDE and it is as you have received a DHCP address so point 1 is ok

2) so to ping your router interface on OUTSIDE or any address on OUTSIDE you must either:

- inspect ICMP as I explained above and that's the most secure way

-create an ACL permitting ICMP echo-replies from any to your PC an apply it inbound on interface OUTSIDE

this is ok but the way you do it is very insecure .

3) verify you have a default route on ASA for OUTSIDE pointing to 172.16.1.1 ---> show route

if it is not the case then create one: route outside 0 0 172.16.1.1

4) the router needs a route to 192.168.10.0/24 network no need to from 6 output

5) As as I said in previous post you can't ping ASA outside interface from inside so don't worry about this.

6) whether your ASA should be doing NAT or not depends if nat-control is enabled or not ---> show run nat-control

if it is enabled then it is mandatory to do NAT from inside to outside communication to work. If it is the case then point 4 is not mandatory anymore.

7) from 6 you must be doing NAT and this is where there is a problem in your config:

do this:

- no nat (JInside) 0 0.0.0.0 0.0.0.0

-nat(inside) 1 0 0

-global(outside) 1 interface JOutside

As I said above concerning the ACL when you've verified all is ok then remove it and inspect icmp instead

Let us know.

Regards.

Alain.

Re: ASA 5510 config help

Narmi2000 — Tue, 08 Nov 2011 14:38:13 GMT

Thank you Alain for all your help.

I have tried the config you provided but for some reason it CLI does not accept

-global(outside) 1 interface JOutside

So after many fruitless tries, I set the firewall to factory default. Connected it directly to the internet connection and configured it. I did work. I will look into other configuration some other time just for my own knowledge. I still greatly

appreciate all your help.

ASA 5510 config help

cadet alain — Tue, 08 Nov 2011 20:59:56 GMT

Hi,

happy to know it is working now.

But I gave you a wrong command it should have been

-nat(Jinside) 1 0 0

-global(Joutside) 1 interface

Regards.

Alain.