topic Re: ASA WAN & LAN Configuration in Network Security

ASA WAN & LAN Configuration

rsjavahar — Mon, 11 Mar 2019 12:57:11 GMT

I am Newbee to ASA configuration. recently we brought one ASA5505 i tried my level best to configure the ASA we are getiing PPPOE IP from ISP. after PC are not able to browse. from ASA i am able to ping the outside network. can any one please help me how to configure ASA .

please find the current configuration/

ciscoasa# sh run

: Saved

ASA Version 7.2(3)

hostname ciscoasa

domain-name cisco.com

enable password xxx

names

interface Vlan1

nameif outside

security-level 0

pppoe client vpdn group ADSLGROUP

ip address pppoe setroute

ospf cost 10

interface Vlan2

nameif inside

security-level 100

ip address 192.168.31.215 255.255.255.0

ospf cost 10

interface Ethernet0/0

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 2

interface Ethernet0/3

switchport access vlan 2

interface Ethernet0/4

switchport access vlan 2

interface Ethernet0/5

switchport access vlan 2

interface Ethernet0/6

switchport access vlan 11

interface Ethernet0/7

switchport access vlan 11

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name cisco.com

access-list inside_access_out extended permit ip any interface outside

access-list inside_access_in extended permit tcp any eq www any eq www

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list outside_in extended permit icmp any any

access-list outside_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any interface outside

access-list outside_access_in extended permit ip any interface inside

pager lines 24

logging enable

logging asdm informational

logging debug-trace

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 192.168.31.0-192.168.31.255 netmask 255.255.255.0

static (inside,outside) tcp 192.168.31.0 smtp 59.93.112.10 smtp netmask 255.255.255.255

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 59.93.122.1 1

route outside 0.0.0.0 0.0.0.0 59.93.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.31.0 255.255.255.0 inside

http 192.168.31.0 255.255.255.0 outside

http authentication-certificate outside

http authentication-certificate inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group ADSLGrouP request dialout pppoe

vpdn group ADSLGrouP localname AdslLocalName

vpdn group ADSLGrouP ppp authentication chap

vpdn username ADSLUSENAME password ****** store-local

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

username user1 password xxx encrypted

prompt hostname context

Cryptochecksum:xxx

: end

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Tue, 10 Jun 2008 07:11:41 GMT

You are missing a 'nat' statement. Also your 'global' statement is incorrect'

nat = what IP Addresses(s) to translate

global = Translate IPs mentioned in 'Nat' statement into WHICH public IP Addresses(s)

The nat and global statements should share the same sequence number (in your case 1)

nat (inside) 1 192.168.31.0-192.168.31.255 netmask 255.255.255.0

global (outside) 1 interface

Regards

Farrukh

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Tue, 10 Jun 2008 07:16:46 GMT

Also the following is recommend for PPPoE

mtu outside 1492

Regards

Farrukh

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Tue, 10 Jun 2008 18:07:53 GMT

Hello

Did you get this working?

Regards

Farrukh

Re: ASA WAN & LAN Configuration

nomair_83 — Sun, 15 Jun 2008 11:58:09 GMT

Dear Where is nat:) ?

Re: ASA WAN & LAN Configuration

rsjavahar — Mon, 16 Jun 2008 06:39:33 GMT

i added the NAT statements but its not working .. from PC i can ping to Inside IP address but not able to ping to the Outside interface . Browsing is not working

please do the need .

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Mon, 16 Jun 2008 07:37:13 GMT

You will not be able to ping the 'outside' interface itself when sourcing your pings from the 'inside'. This is not allowed by the PIX/ASA.

Can you try to ping any public IP addresses from the PIX itself?

Also when you initiate traffic to the internet from inside, what do you see in the following:

show xlate

show conn det

Regards

Farrukh

Re: ASA WAN & LAN Configuration

rsjavahar — Mon, 16 Jun 2008 07:52:03 GMT

Please find the current config . i am not able to browse internet ,

: Saved

ASA Version 7.2(3)

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.31.215 255.255.255.0

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group pppoex

ip address pppoe setroute

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list inside_access_out extended permit ip any interface outside

access-list inside_access_in extended permit tcp any eq www any eq www

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list outside_in extended permit icmp any any

access-list outside_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any interface outside

access-list outside_access_in extended permit ip any interface inside

pager lines 24

mtu inside 1500

mtu outside 1492

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.31.0 255.255.255.0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 59.93.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.31.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname ABCDEFGHI

vpdn group pppoex ppp authentication mschap

vpdn username ABCDEFGHIK password ********

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa(config)#

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Mon, 16 Jun 2008 08:47:31 GMT

Can you try to ping any public IP addresses from the PIX itself?

Also when you initiate traffic to the internet from inside, what do you see in the following:

show xlate

show conn det

show route (important)

It seems you have assigned a 'default gateway' to some IP, what IP is this? You already have 'setroute' option in PPP.

Regards

Farrukh

Re: ASA WAN & LAN Configuration

liaqath2k7 — Mon, 16 Jun 2008 08:50:14 GMT

did you enable vpdn on the firewall?

Re: ASA WAN & LAN Configuration

rsjavahar — Mon, 16 Jun 2008 10:25:15 GMT

I didn't add any Static IP in the configuration here find the output for the commands you asked

ciscoasa(config)# sh nat

NAT policies on Interface inside:

match ip inside 192.168.31.0 255.255.255.0 outside any

dynamic translation to pool 1 (95.93.117.66 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.31.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.31.0 255.255.255.0 _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

ciscoasa(config)#

ciscoasa(config)# sh run access-list

access-list inside_access_out extended permit ip any interface outside

access-list inside_access_in extended permit tcp any eq www any eq www

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list outside_in extended permit icmp any any

access-list outside_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any interface outside

access-list outside_access_in extended permit ip any interface inside

ciscoasa(config)#

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 95.93.112.1 to network 0.0.0.0

C 192.168.31.0 255.255.255.0 is directly connected, inside

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

S* 0.0.0.0 0.0.0.0 [1/0] via 95.93.112.1, outside

ciscoasa(config)#

ciscoasa(config)# sh conn detail

0 in use, 32 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,

E - outside back connection, F - outside FIN, f - inside FIN,

G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,

P - inside back connection, q - SQL*Net data, R - outside acknowledged FI

R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, W - WAAS,

X - inspected by service module

ciscoasa(config)#

ciscoasa(config)# sh xlate

0 in use, 0 most used

ciscoasa(config)#

ciscoasa(config)# ping 209.85.153.104

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.85.153.104, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/80 ms

ciscoasa(config)#

Re: ASA WAN & LAN Configuration

rsjavahar — Mon, 16 Jun 2008 10:45:21 GMT

yes i got IP from the Service provider .. is it possible can i take your help through IM .. please

Re: ASA WAN & LAN Configuration

alanajjar — Mon, 16 Jun 2008 12:12:34 GMT

Hi,

I think the problem of internet browsing here is in the access list entry:

access-list inside_access_in extended permit tcp any eq www any eq www

because the source port will not be www(80), it will be a random number above 1024, and the destination port will be www(80). so, to solve this problem just remove this entry, the other commands in this ACL is enough to enable internet browsing.

with regards

Re: ASA WAN & LAN Configuration

Farrukh Haroon — Mon, 16 Jun 2008 12:53:08 GMT

That should not be a problem because the next line is:

access-list inside_access_in extended permit ip any any

Regards

Farrukh

Re: ASA WAN & LAN Configuration

alanajjar — Mon, 16 Jun 2008 13:27:50 GMT

hi,

You are right, I thought it is deny statement.

with regards