01-25-2020 01:31 PM
I am a newbie to the firewall config arena. I have an ASA 5510 that I have created a basic config for to access the internet. I am connecting to the firewall through the LAN and I am able to ping it and access the config via the ASDM. If I console in I am able to ping hosts on the internet. I assume that I have a NAT/ACL issue. Also, I am getting a bunch of TCP Deny errors in the log. Running config below.
Any help is much appreciated.
ASA Version 8.2(2)
!
hostname
domain-name
enable password 1IxzQZxJCD4u7.Ts encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 173.166.5.185 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 20
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2.7
vlan 65
nameif WLAN
security-level 32
ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
nameif corp_lan
security-level 30
ip address 172.22.7.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name fbsintdom.com
object-group network obj_any
access-list corp_lan_access_in extended permit ip any any
access-list corp_lan_access_in extended permit icmp any any
access-list outside_acl extended permit ip any any inactive
access-list outside_acl extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu WLAN 1500
mtu corp_lan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.166.5.186 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:00:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username vvvvvvv password 9pL7lKE2sX30.27k encrypted
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect http
inspect ip-options
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:884bdc4332706e16b7d8f00292b27899
: end
01-25-2020 02:07 PM - edited 01-25-2020 02:45 PM
Hi,
Everything looks good, however I did not find an ACL applied to the interface.
access-group outside_acl in interface outside
There is one more option to allow ICMP traffic: include it in the default global policy you have in your firewall. This will also allow ICMP to the other zones you have in your FW when ICMP is initiated from high-security-level interfaces towards low-security-level zones.
!
policy-map global-policy
class global-class
inspect icmp
01-26-2020 08:40 AM
An ACL assigned to the interface is not necessary, as the security-level configuration will take care of that. How are you testing? If with ping, then you would need inspect icmp configured in the policy-map, as mentioned by Muhammad.
Are you able to ping the default route IP 173.166.5.186 from the ASA? Can you ping the internet (ex. 8.8.8.8) from the ASA?
If yes, to the questions above:
1. Check Logs in ASDM for any drops for the relevant traffic.
2. Configure packet capture on the outside interface with a source of any and destination of the IP you are trying to reach.
cap capout interface outside match ip any host 8.8.8.8
show cap capout
Check to see if you have outgoing traffic; if you see nothing coming back, there is a routing issue towards your publicly assigned IP addresses.
01-26-2020 09:04 AM
01-26-2020 09:25 AM
01-26-2020 09:28 AM
01-26-2020 12:17 PM
Some additional info. I can't see a way to remove the implicit deny rule shown in the image below, but the trace route seems to indicate that is one of the issues.
02-05-2020 01:36 PM
What are you trying to achieve with this ACL?
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 173.166.5.184 255.255.255.252
You are only permitting access to the ASA's outside interface subnet, so all other traffic will be dropped. For internet access this should look like the following:
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
Also, your packet-tracer is not correct. Packet tracer is for testing traffic that will travel through the ASA, not to the ASA. The only time you would use the ASA interface IP is when testing traffic heading to a server (most likely from the outside interface). In the destination IP section you should be using an IP on the internet, 8.8.8.8 for example.
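The replies above point at three things to check in an 8.2-style config before blaming routing: an ACL that is defined but never bound with access-group, a global policy without inspect icmp (so ping replies depend on an inbound ACL), and, generalizing the poster's own "NAT/ACL" suspicion, named interfaces that have no nat statement for the outside PAT pool. The script below is an added example, not code from any participant in this thread or from Cisco; it audits a constructed, trimmed copy of the posted config for those gaps, then re-runs the same checks on a copy with the suggested fixes appended. Interface names, ACL names and addresses are taken from the thread; the check logic and message wording are my own assumptions about what a reviewer would want flagged.

```python
"""Audit a Cisco ASA 8.2-style running config for the gaps raised in this thread."""
import re

# Constructed sample: a trimmed copy of the config posted in the first message,
# with the policy-map placed last so the fixes can simply be appended below.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.166.5.185 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif corp_lan
 security-level 30
 ip address 172.22.7.1 255.255.255.0
!
access-list corp_lan_access_in extended permit ip any any
access-list outside_acl extended permit ip any any inactive
access-list outside_acl extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.166.5.186 1
policy-map global-policy
 class global-class
  inspect dns
  inspect http
"""

# The same config with the fixes suggested in the replies appended (constructed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
  inspect icmp
access-group outside_acl in interface outside
access-group corp_lan_access_in in interface corp_lan
nat (corp_lan) 1 0.0.0.0 0.0.0.0
"""


def parse_config(text):
    """Pull out the handful of statements the audit looks at."""
    cfg = {"nameifs": [], "acls": {}, "access_groups": {},
           "nat_ifaces": set(), "global_ifaces": set(), "inspects": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            cfg["nameifs"].append(m.group(1))
        elif m := re.match(r"access-list (\S+) extended (.*)$", line):
            entry = m.group(2)
            cfg["acls"].setdefault(m.group(1), []).append(
                {"text": entry, "inactive": entry.endswith(" inactive")})
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", line):
            cfg["access_groups"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"nat \((\S+)\) \d+ ", line):
            cfg["nat_ifaces"].add(m.group(1))
        elif m := re.match(r"global \((\S+)\) \d+ ", line):
            cfg["global_ifaces"].add(m.group(1))
        elif m := re.match(r"inspect (\S+)", line):
            cfg["inspects"].add(m.group(1))
    return cfg


def audit(cfg):
    """Return one finding per gap, phrased the way the replies in this thread put them."""
    findings = []
    for name, entries in cfg["acls"].items():
        if name not in cfg["access_groups"]:
            findings.append(f"ACL {name} is defined but never applied with access-group")
        inactive = sum(e["inactive"] for e in entries)
        if inactive:
            findings.append(f"ACL {name} has {inactive} inactive entry(ies) that do nothing")
    # Every named interface except the one holding the PAT pool needs a nat statement
    # for its hosts to reach the internet through that pool (8.2-era NAT syntax).
    for nameif in cfg["nameifs"]:
        if nameif not in cfg["global_ifaces"] and nameif not in cfg["nat_ifaces"]:
            findings.append(f"interface {nameif} has no nat statement for the outside PAT pool")
    if "icmp" not in cfg["inspects"]:
        findings.append("inspect icmp is missing from the global policy, so echo replies "
                        "are only allowed if an inbound ACL permits them")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("with fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print(" -", finding)
```

Running it prints five findings for the posted config and one for the fixed copy: the inactive `permit ip any any` entry in outside_acl, which none of the suggested fixes touch. The parser deliberately ignores context (it grabs every `inspect` line wherever it appears), which is enough for a quick review but not a substitute for `show service-policy` on the device.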