topic Cisco asa5510 Firewall Rules in Network Security

Cisco asa5510 Firewall Rules

jasoncaines — Mon, 11 Mar 2019 21:36:30 GMT

hello

I have start from begin on my asa5510, I given The et0 an inside of 192.168.1.1 and outside of 87.85.**.*** on a /28 network, I can't seem to get on the internet to ping or tracert

I have on ACl list Outside

1 source any - destinatiomn any IP Permit

2 Source Any - Destination Any IP Deny

Should The destination any be the gateway of the ISP 87.85./28 network? I have a static route of 0.0.0.0 0.0.0.0 gateway IP 87.85.**.*** Metic 1

regards

Cisco asa5510 Firewall Rules

varrao — Tue, 11 Oct 2011 15:45:20 GMT

Hi Jason,

Try taking captures first and verify where the packets are dropping:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

Cisco asa5510 Firewall Rules

cadet alain — Tue, 11 Oct 2011 18:43:15 GMT

Hi,

Can you post running-config : sh run

Alain.

Re: Cisco asa5510 Firewall Rules

jasoncaines — Wed, 12 Oct 2011 09:20:15 GMT

Hello

Its in a bit of mess now!!!

Cisco asa5510 Firewall Rules

cadet alain — Wed, 12 Oct 2011 14:10:06 GMT

Hi,

I didn't notice anything wrong at first look.

can you do

packet-tracer input inside icmp 192.168.1.20  8.8.8.8 detailed


Regards.

Alain.

Cisco asa5510 Firewall Rules

jasoncaines — Wed, 12 Oct 2011 14:26:15 GMT

Hi Alain

Sorry about this,

Source IP 192.168.1.20 Dest IP 8.8.8.8

Packet Type icmp

Type ?

Code?

ID ?

Cisco asa5510 Firewall Rules

cadet alain — Wed, 12 Oct 2011 14:33:38 GMT

Hi,

Can't you do it via CLI instead of ASDM?

anyway for ASDM:

type=echo

code=0

id= 8

Alain.

Cisco asa5510 Firewall Rules

jasoncaines — Wed, 12 Oct 2011 14:50:51 GMT

I Like that

Route-Lookup Actoin Allow

Info 0.0.0.0 0.0.0.0 outside

Route-Liikup Action allow

in 192.168.1.0 255.255.255.0 inside

Access-list action allow

Config

access-group inside_access_in in interface inside

access-list_access_in extended permit IP any any

NO IP Option

NO inspect

Type Nat action allow

nat (inside) 0 0.0.0.0 0.0.0.0

Nat-control

match ip inside any outside any

dynamic tranaltion to pool (87.85.237.64)

translate_hits = 10977, untranslate_hits = 0

Info

dymanic translate 192.168.1.13/8 to 87.85.237.65/54798 using netmask 255.255.255.255

Type Nat subtype host-limits action allow

config (inside) 2 0.0.0.0 0.0.0.0

nat-control

match ip inside any outside any

dymanic translation to pool 2 (87.85.237.65)

translate_hits = 10977 untranslte_hits = 0

Flow control action allow

new flow created with id 55908 packet dispalcted to next module

routelookup

info

found next 87.85.237.65 using egress ifc outside

adjacency active

next hop mac address 30e4.db55.be55 hits 6

WOW i better they an easy way that writing it all out

Input Interface : inside Line UP - Link UP

Output Interface Inside Inside Line Up Link Up

Cisco asa5510 Firewall Rules

cadet alain — Wed, 12 Oct 2011 15:52:03 GMT

Hi,

Can you do the same for outside icmp echo-reply to inside address

or do a packet capture for same traffic and capture on inside and outside :

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Regards.

Alain.

Cisco asa5510 Firewall Rules

jasoncaines — Wed, 12 Oct 2011 18:56:00 GMT

Hi,

Source IP 87.85.**.** Outside gateway to 192.168.1.13 Echo 0 8

I get to the bottom

ACL-flow is denied by conf rule

if I use the other method I get a ping inside, no ping from outside to inside so I guess the 87.85.**.** which is a talktalk router must block pings?

Regards

Cisco asa5510 Firewall Rules

cadet alain — Thu, 13 Oct 2011 14:07:46 GMT

Hi,

do a ping from inside to outside and do a capture both on inside ingress and on outside ingress then save as pcap and post here.

Alain.

Re: Cisco asa5510 Firewall Rules

jasoncaines — Thu, 13 Oct 2011 15:08:21 GMT

Hello

Enclose a file, its defo The talk talk router blocking traffic.

Regards

Cisco asa5510 Firewall Rules

cadet alain — Thu, 13 Oct 2011 18:04:30 GMT

Hi,

You mean you found the issue? Then mark the post as resolved.

Regards.

Alain.