topic Re: Help!! in Network Security

Help!!

carlosarturoa — Mon, 11 Mar 2019 11:18:06 GMT

Hi...

I?ve configured my Cisco ASA 5510 Firewall with four subnets. Each one for different purposes, described as following:

100.130.101.0/24 network. Named UnTrust network is use it for all user inside the office.

100.131.101.0/24 network. Named Trust network is dedicated to be the network of my application servers (ERP, Accounting, Sales, etc.).

100.130.100.0/24 network. Named WAN network is dedicated to receive all frame relay link?s. This links composed my Private Wide Area Network, interconnecting all my brunches.

100.100.100.0/24 network. Name DMZ network is use for all external links and routers, like Internet and Providers.

When I make a ping from UnTrust network to any other interface of my Firewall, I can?t receive the echo-reply. Although, I?ve configured ICMP for all interfaces and I have Policies any to any for incoming and outgoing packages in all interfaces. Somebody knows what is it probably my problem? I think I?m missing some parameter. But I can?t find any resource in Internet about this matter. Thank a lot

P.D. My Configuration File is:

hostname Firewall

domain-name anything.com

enable password verysecret encrypted

names

interface GigabitEthernet0/0

nameif trust

security-level 100

ip address 100.131.101.254 255.255.255.0

interface GigabitEthernet0/1

nameif untrust

security-level 50

ip address 100.130.101.254 255.255.255.0

interface GigabitEthernet0/2

nameif wan

security-level 25

ip address 100.130.100.254 255.255.255.0

interface GigabitEthernet0/3

nameif dmz

security-level 0

ip address 100.100.100.254 255.255.255.0

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

passwd verysecret encrypted

banner exec ****************

banner exec Firewall

banner exec ****************

banner exec Welcome...

banner login ***************

banner login Firewall

banner login ***************

banner login Welcome...

banner motd ****************

banner motd Firewall

banner motd ****************

Re: Help!!

carlosarturoa — Thu, 27 Sep 2007 18:25:11 GMT

...

banner motd Welcome...

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring 1 Sun May 2:00 last Sun Sep 2:00

dns server-group DefaultDNS

domain-name anything.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 100 extended permit tcp any any

access-list 100 extended permit udp any any

access-list 100 extended permit icmp any any

access-list 100 extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu trust 1500

mtu untrust 1500

mtu wan 1500

mtu dmz 1500

ip verify reverse-path interface trust

ip verify reverse-path interface untrust

ip verify reverse-path interface wan

ip verify reverse-path interface dmz

no failover

monitor-interface trust

monitor-interface untrust

monitor-interface wan

monitor-interface dmz

icmp unreachable rate-limit 1 burst-size 1

icmp permit any trust

icmp permit any untrust

icmp permit any wan

icmp permit any dmz

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

access-group 100 in interface trust

access-group 100 out interface trust

access-group 100 in interface untrust

access-group 100 out interface untrust

access-group 100 in interface wan

access-group 100 out interface wan

access-group 100 in interface dmz

access-group 100 out interface dmz

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username administrator password verysecret encrypted privilege 15

http server enable

http 100.130.101.14 255.255.255.255 untrust

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 100.130.101.14 255.255.255.255 untrust

ssh timeout 5

console timeout 5

management-access untrust

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

...

asdm image disk0:/asdm-522.bin

no asdm history enable

Re: Help!!

acomiskey — Thu, 27 Sep 2007 18:57:32 GMT

static (trust,untrust) 100.131.101.0 100.131.101.0 netmask 255.255.255.0

That should allow you to access untrust from trust and vice versa.

Re: Help!!

carlosarturoa — Wed, 10 Oct 2007 22:47:31 GMT

I tried configuring tha NAT rule described in your comment. But, My ASA still continue blocking all traffic. The NAT rules used area:

1) A single NAT rule from Trust to UnTrust

static (Trust,UnTrust) 100.130.101.0 100.131.101.0 netmask 255.255.255.0

2) A single NAT rule from UnTrust to Trust

static (UnTrust,Trust) 100.131.101.0 100.130.101.0 netmask 255.255.255.0

3) This last two NAT rules combined

static (UnTrust,Trust) 100.131.101.0 100.130.101.0 netmask 255.255.255.0

static (Trust,UnTrust) 100.130.101.0 100.131.101.0 netmask 255.255.255.0

Re: Help!!

sundar.palaniappan — Wed, 10 Oct 2007 23:20:57 GMT

You didn't exactly configure the static that Adam had asked you to use. Look at the global/real address (both set to 10.131.101.0) in the static configuration below. You are technically doing no NAT here with this configuration. Try this static.

static (trust,untrust) 100.131.101.0 100.131.101.0 netmask 255.255.255.0

HTH

Sundar

Re: Help!!

carlosarturoa — Thu, 11 Oct 2007 17:16:21 GMT

Thank for your response. I try it But it did not work. All traffic is still dropping it. First I will send it my entire configuration file. This file has the real addresses use it in my network. Please understand me, Innitialy I changed my real addresses for protect my information, but I think I should make a mistake in that process. Also, I just configure the NAT with the following command:

static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0

Tthe NAT with The entire configuration with NAT is:

: Saved

ASA Version 7.2(2)

hostname FwCorporativo

domain-name tecnoval.com.mx

enable password 8da6gU90DFywg4rN encrypted

names

interface GigabitEthernet0/0

nameif trust

security-level 100

ip address 10.31.1.254 255.255.255.0

interface GigabitEthernet0/1

nameif untrust

security-level 50

ip address 10.30.1.254 255.255.255.0

interface GigabitEthernet0/2

nameif wan

security-level 25

ip address 10.30.10.254 255.255.255.0

interface GigabitEthernet0/3

nameif dmz

security-level 0

ip address 10.10.10.254 255.255.255.0

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

passwd 8da6gU90DFywg4rN encrypted

banner exec ****************

banner exec Firewall

banner exec Welcome...

banner exec ****************

banner login ***************

banner login Firewall

banner login Welcome...

banner login ***************

banner motd ****************

banner motd Firewall

banner motd Welcome...

banner motd ****************

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring 1 Sun May 2:00 last Sun Sep 2:00

dns domain-lookup trust

dns domain-lookup untrust

dns domain-lookup wan

dns domain-lookup dmz

dns server-group DefaultDNS

name-server 201.147.189.82

name-server 200.33.146.193

name-server 200.23.242.193

domain-name tecnoval.com.mx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 100 extended permit tcp any any

access-list 100 extended permit udp any any

access-list 100 extended permit icmp any any

access-list 100 extended permit ip any any

pager lines 24

logging asdm informational

mtu trust 1500

mtu untrust 1500

mtu wan 1500

mtu dmz 1500

ip verify reverse-path interface trust

ip verify reverse-path interface untrust

ip verify reverse-path interface wan

ip verify reverse-path interface dmz

no failover

no monitor-interface trust

no monitor-interface untrust

no monitor-interface wan

no monitor-interface dmz

icmp unreachable rate-limit 1 burst-size 1

icmp permit any trust

icmp permit any untrust

icmp permit any wan

icmp permit any dmz

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0

static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0

access-group 100 in interface trust

access-group 100 out interface trust

access-group 100 in interface untrust

access-group 100 out interface untrust

access-group 100 in interface wan

access-group 100 out interface wan

access-group 100 in interface dmz

access-group 100 out interface dmz

route untrust 0.0.0.0 0.0.0.0 10.30.1.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username admin password 0732hiKtM/dsJXqn encrypted privilege 15

http server enable

http 10.30.1.14 255.255.255.255 untrust

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.30.1.14 255.255.255.255 untrust

ssh timeout 5

console timeout 5

management-access untrust

Re: Help!!

carlosarturoa — Thu, 11 Oct 2007 17:18:28 GMT

static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0

Tthe NAT with The entire configuration with NAT is:

: Saved

ASA Version 7.2(2)

hostname FwCorporativo

domain-name tecnoval.com.mx

enable password xxx

names

interface GigabitEthernet0/0

nameif trust

security-level 100

ip address 10.31.1.254 255.255.255.0

interface GigabitEthernet0/1

nameif untrust

security-level 50

ip address 10.30.1.254 255.255.255.0

interface GigabitEthernet0/2

nameif wan

security-level 25

ip address 10.30.10.254 255.255.255.0

interface GigabitEthernet0/3

nameif dmz

security-level 0

ip address 10.10.10.254 255.255.255.0

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

passwd xxx

banner exec ****************

banner exec Firewall

banner exec Welcome...

banner exec ****************

banner login ***************

banner login Firewall

banner login Welcome...

banner login ***************

banner motd ****************

banner motd Firewall

banner motd Welcome...

banner motd ****************

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring 1 Sun May 2:00 last Sun Sep 2:00

dns domain-lookup trust

dns domain-lookup untrust

dns domain-lookup wan

dns domain-lookup dmz

dns server-group DefaultDNS

name-server 201.147.189.82

name-server 200.33.146.193

name-server 200.23.242.193

domain-name tecnoval.com.mx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 100 extended permit tcp any any

access-list 100 extended permit udp any any

access-list 100 extended permit icmp any any

access-list 100 extended permit ip any any

pager lines 24

logging asdm informational

mtu trust 1500

mtu untrust 1500

mtu wan 1500

mtu dmz 1500

ip verify reverse-path interface trust

ip verify reverse-path interface untrust

ip verify reverse-path interface wan

ip verify reverse-path interface dmz

no failover

no monitor-interface trust

no monitor-interface untrust

no monitor-interface wan

no monitor-interface dmz

icmp unreachable rate-limit 1 burst-size 1

icmp permit any trust

icmp permit any untrust

icmp permit any wan

icmp permit any dmz

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0

static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0

access-group 100 in interface trust

access-group 100 out interface trust

access-group 100 in interface untrust

access-group 100 out interface untrust

access-group 100 in interface wan

access-group 100 out interface wan

access-group 100 in interface dmz

access-group 100 out interface dmz

route untrust 0.0.0.0 0.0.0.0 10.30.1.251 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username admin password 0732hiKtM/dsJXqn encrypted privilege 15

http server enable

http 10.30.1.14 255.255.255.255 untrust

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.30.1.14 255.255.255.255 untrust

ssh timeout 5

console timeout 5

management-access untrust

Re: Help!!

acomiskey — Thu, 11 Oct 2007 17:21:34 GMT

no static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0

Re: Help!!

carlosarturoa — Thu, 11 Oct 2007 17:48:12 GMT

I did it but it still do not work. From console I get the following output:

FwCorporativo(config)# no static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0

FwCorporativo(config)#

FwCorporativo# ping

Interface: trust

Target IP address: 10.30.1.14

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]: y

Verbose? [no]:

Validate reply data? [no]:

Data pattern [0xabcd]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.30.1.14, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

FwCorporativo# ping

Interface: untrust

Target IP address: 10.30.1.14

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]: y

Verbose? [no]:

Validate reply data? [no]:

Data pattern [0xabcd]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.30.1.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Re: Help!!

acomiskey — Thu, 11 Oct 2007 18:01:42 GMT

Try pinging from a host on the trust network, not from the firewall trust interface like you did above.

edit: You could also ping from a machine in the untrust network to a machine in the trust network, not from the untrust interface in the firewall.

Re: Help!!

carlosarturoa — Thu, 11 Oct 2007 18:29:40 GMT

Thak you, everything is working fine...