topic Re: Basic firewall setup in Network Security

Basic firewall setup

jacobs_son — Mon, 11 Mar 2019 17:11:20 GMT

Hello all,

I'm new to Cisco firewalls and so apologise if this is a stupid question....

I have set up a firewall following the "Securing networks with ASA" cisco press book, but I can get no traffic to traverse my firewall. It is an ASA 5510, and I just want to be able to ping across the device (atleast this would be a great start!).

Here's my config:

ASA Version 8.0(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
speed 10
nameif outside
security-level 0

ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
speed 10
nameif inside
security-level 100
ip address 10.18.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list acl_outside extended permit ip any any
access-list acl_inside extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context

I have a laptop in the correct network directly connected to each configured interface, I can see them if i do a "sh arp". They can both ping their local gateway, and I have disabled local firewalls on those hosts. The firewall builds the ICMP connection (I see this in the logs) but I get no replies.

I've also tried adding the following for my inside host:

static (inside,outside) 10.18.1.2 10.18.1.2 netmask 255.255.255.255

And alternatively:

global (outside) 1 interface

nat (inside) 1 0 0

If i enable debug icmp trace I can see the echo-request packets hitting the firewall, but no replies. I can also see the output counter incrementing on the egress interface.

The ip any any's are there just for testing too.

In some ways I hope this is a very simple issue, because it is driving me crazy and I just want to get it working.

Many thanks in advance, and please let me know if you would like any further info or output.

James

Re: Basic firewall setup

Jon Marshall — Wed, 17 Feb 2010 16:36:57 GMT

James

Assumng both the outside and inside interfaces are showing as up then are you sure you do not have a personal firewall enabled on the PC that would be blocking ICMP requests ?

Other then i'm assuming you have set the correct default-gateways on the PCs ie. their respective firewall interfaces ?

Jon

Re: Basic firewall setup

jacobs_son — Wed, 17 Feb 2010 18:35:57 GMT

Hi Jon,

I have definitely disabled the personal firewall on both laptops. They are both clean builds (windows firewall disabled), and I was using them to test other features with this same firewall yesterday. All I have done is flash the firewall config and go from scratch.

The only software on 1 of the laptops is an ftp server that I have used before to upload files to other devices, so I know connections are allowed in to that laptop.

Both the inside and outside interfaces are up, and i can ping those interfaces successfully from each laptop. Those laptops are configured with addresses in the correct subnet (192.168.1.0/24 and 10.18.1.0/16), with the correct gateway. When I execute a ping from either side, I see the ICMP connection being built in the logs, and the echo-request going through on the icmp debug. As I mentioned above, I also see the output counter going up on either egress interface, and the translation being built when the NAT config is in place.

I just get no reply either way... (and I can't connect to the FTP server either! TCP connection goes out, then teardown due to SYN timeout)

Thanks again,

James

Re: Basic firewall setup

Jon Marshall — Wed, 17 Feb 2010 18:44:28 GMT

James

Just a quick test - can you ping each PC from the firewall ?

Jon

Re: Basic firewall setup

jacobs_son — Thu, 18 Feb 2010 09:47:27 GMT

Hi Jon,

I can now ping the moutside host from the inside host and the firewall, (AV client was block the reply from that one...).

I still can't ping the inside host from outside, or from the firewall, but I can from our production network.

Any ideas what im missing to allow traffic inbound to the inside host?

Thanks again,

James

Re: Basic firewall setup

Jon Marshall — Thu, 18 Feb 2010 13:18:34 GMT

James

To ping from outside to inside you will need a static NAT translation, can you add this back into your config -

static (inside,outside) 10.18.1.2 10.18.1.2 netmask 255.255.255.255

and retest.

Jon

Re: Basic firewall setup

jacobs_son — Thu, 18 Feb 2010 13:53:40 GMT

I already have a static in the config for it, and still can't ping from Outside. Should I not be able to ping it from the firewall anyway?

I can see the output counter going up on the inside interface, just still not getting a reply..

Config now looks like this:

ASA Version 8.0(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.18.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list acl_outside extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.18.1.2 10.18.1.2 netmask 255.255.255.255
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b3f43531b9958ece808e647c1d476ca6
: end

Thanks again,

James

Re: Basic firewall setup

jacobs_son — Thu, 18 Feb 2010 14:04:45 GMT

The logs look like this:

%ASA-7-609001: Built local-host outside:192.168.1.2
%ASA-7-609001: Built local-host inside:10.18.1.2
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-7-609002: Teardown local-host outside:192.168.1.2 duration 0:00:04
%ASA-7-609002: Teardown local-host inside:10.18.1.2 duration 0:00:04
%ASA-7-609001: Built local-host outside:192.168.1.2
%ASA-7-609001: Built local-host inside:10.18.1.2
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-7-609002: Teardown local-host outside:192.168.1.2 duration 0:00:04
%ASA-7-609002: Teardown local-host inside:10.18.1.2 duration 0:00:04
%ASA-7-609001: Built local-host outside:192.168.1.2
%ASA-7-609001: Built local-host inside:10.18.1.2
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.2/1 gaddr 10.18.1.2/0 laddr 10.18.1.2/0
%ASA-7-609002: Teardown local-host outside:192.168.1.2 duration 0:00:04
%ASA-7-609002: Teardown local-host inside:10.18.1.2 duration 0:00:04

James

Re: Basic firewall setup

Jon Marshall — Thu, 18 Feb 2010 16:03:21 GMT

James

Is the inside directly connected to the firewall ? It sounds like it isn't because you say you can ping it from other machines in the production LAN. What default-gateway do you have on the inside host ?

Jon

Re: Basic firewall setup

Gatling_uk — Thu, 18 Feb 2010 16:14:25 GMT

Mis-post

Re: Basic firewall setup

Jon Marshall — Thu, 18 Feb 2010 16:21:22 GMT

Gatling_uk wrote:

The laptops are both directly connected to the inside and outside interfaces. When I said "I can ping it form the production network", I meant that if I disconnect the inside host, reconfigure the NIC details and patch it in to our production network I can ping it from anywhere, and connect to the ftp server.

Across this firewall, I cant reach it at all. The setup really is as simple as Laptop <---> Firewall <---> Laptop.

Thanks,

James

You should definitely be able to ping it from the firewall. It does sound as though something is still blocking the inbound traffic even though it pings on the production network. Your config looks fine to me.

Lets forget about the outside host for a moment as you have proved you can ping that from the inside host.

Can you-

1) ping the firewall from the inside host

2) ping the inside host from the firewall

Apologies for keep asking the same sort of questions but your config looks good.

Jon

Re: Basic firewall setup

jacobs_son — Thu, 18 Feb 2010 16:23:02 GMT

Double post.

Re: Basic firewall setup

jacobs_son — Thu, 18 Feb 2010 16:26:33 GMT

I can ping the firewall from the inside host, but I cannot ping the inside host from the firewall. I can ping the same host from any other network I have connected it to, and routinely use it as an FTP server.

Maybe there is just something strange going on with the laptop... I will find another one and test.

Thanks for all the help so far.

James