ASA 5510 Setup

j_j624001
Level 1

I'm in very serious need of help with this firewall; I have erased this firewall too many times lol; I don't know what is causing the problem integrating this firewall within my network. Can someone please help me pinpoint this problem.

Network

1. Outside interface on router, firewall and switch

2. 4 internal subnet on router, firewall and switch

3. Route to outside network on firewall

Problem

1. Unable to ping internal subnet gateway from switch or firewall

2. Unable to ping google servers on firewall or switch

Someone please advise on what steps I need to take or what I can do in order to fix these issues.

Thanks

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

You need to check if both devices, the firewall and the switch, are learning each other's MAC address.

You should have a proper route configuration on the firewall.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Can you possibly take a look at my configurations and see if they're right???

Hi,

Yes, I can do that.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks

Here's my router config first

Router

Building configuration...

Current configuration : 4436 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
ip dhcp excluded-address 10.10.25.101 10.10.25.255
ip dhcp excluded-address 10.10.25.1 10.10.25.84
!
ip dhcp pool 10_Net_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   domain-name J_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 20_NET_POOL
   import all
   network 10.10.20.0 255.255.255.0
   update dns
   default-router 10.10.20.1
   domain-name Backup_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
ip dhcp pool 25_NET_POOL
   import all
   network 10.10.25.0 255.255.255.0
   update dns
   default-router 10.10.25.1
   domain-name Storage_Internal_Net.com
   dns-server 10.10.15.4 10.10.15.5
   update arp
!
!
ip ssh logging events
ip ssh version 2
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.85 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
 ip nat outside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Internal
 ip address 10.85.85.1 255.255.255.0
 ip nat Outside
 ip irdp
 ip virtual-reassembly
 duplex auto
 speed auto
 no snmp trap link-status
!
interface FastEthernet1.10
 description Clients
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.15
 description Servers
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.20
 description Backup
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.25
 description Storage
 encapsulation dot1Q 25
 ip address 10.10.25.1 255.255.255.0
 ip nat inside
 ip irdp
 ip virtual-reassembly
 no snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.0.0.0 255.0.0.0 10.85.85.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
 permit icmp any any echo-reply
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 8080 any established
 permit udp any eq domain any
 deny   ip any any
 deny   udp any any
 deny   tcp any any
ip access-list extended filter-outbond
 permit icmp any any echo
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 deny   ip any any
 deny   tcp any any
 deny   udp any any
!
access-list 40 permit 0.0.0.90 255.255.255.0
access-list 40 permit 0.0.0.0 255.0.0.0
access-list 50 permit 10.10.0.0 0.0.255.255
access-list 50 permit 0.0.0.0 255.0.0.0
!
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 session-timeout 60
 access-class 40 in
 exec-timeout 60 0
 session-limit 2
 login
 refuse-message ^CRY AGAIN BI^C
 autoselect arap
 autohangup
line vty 5 14
 session-timeout 60
 access-class 40 in
 exec-timeout 60 0
 session-limit 2
 login
 refuse-message ^CRY AGAIN BI^C
 autoselect arap
 autohangup
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Here is my switch config

hostname SW
!
no aaa new-model
clock timezone EST 4 1
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name IN_Switch.com
ip name-server 10.10.15.4
ip name-server 10.10.15.5
!
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip dhcp-server 10.10.0.1
ip dhcp-server 10.10.20.1
ip dhcp-server 10.10.25.1
!
password encryption aes
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp selective-ack
ip tcp timestamp
ip tcp queuemax 50
ip tcp path-mtu-discovery
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 description Outside R1 - SW
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Outside FW - SW
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet1/0/3
 description Inside Network FW
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,15,20,25
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description **************
!
interface GigabitEthernet1/0/5
 description Servers
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet1/0/6
 description Servers
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet1/0/7
 description Inside
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/8
 description Inside
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
 description Backups
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/14
 description Backups
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/15
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/17
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/18
 description Storage
 switchport access vlan 25
 switchport mode access
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan5
 ip address 10.85.85.3 255.255.255.0
 ip helper-address 10.85.85.1
 no ip route-cache
 arp snap
 spanning-tree portfast
!
interface Vlan10
 ip address 10.10.0.3 255.255.255.0
 ip helper-address 10.10.0.1
 no ip route-cache
 arp snap
 spanning-tree portfast
!
interface Vlan15
 ip address 10.10.15.3 255.255.255.0
 ip helper-address 10.10.15.1
 no ip route-cache
 arp snap
 spanning-tree portfast
!
interface Vlan20
 ip address 10.10.20.3 255.255.255.0
 ip helper-address 10.10.20.1
 no ip route-cache
 arp snap
 spanning-tree portfast
!
interface Vlan25
 ip address 10.10.25.3 255.255.255.0
 ip helper-address 10.10.25.1
 no ip route-cache
 arp snap
 spanning-tree portfast
!
ip default-gateway 10.85.85.1
ip classless
no ip http server
!
!
control-plane
!
banner login ^C
WELCOME TO SWITCHING !!!! ^C
banner motd ^C
LEARN AS MUCH AS YOU CAN !!!!!! ^C
!
line con 0
line vty 0 4
 session-timeout 60
 access-class 40 in
 timeout login response 120
 login
 refuse-message ^C
TRY AGAIN BITCH !!!!!!!! ^C
line vty 5 14
 session-timeout 60
 access-class 40 in
 timeout login response 120
 login
 refuse-message ^C
TRY AGAIN BITCH !!!!!!!! ^C
line vty 15
 login
!
end

Here is my Firewall config

Result of the command: "show run"

: Saved
:
ASA Version 8.2(3)
!
hostname JFW

name 10.85.85.1 Outside description Outside
name 10.10.0.1 R1 description Client
name 10.10.15.1 R2 description R2
name 10.10.20.1 R3 description R3
name 10.10.25.1 R4 description R4
!
interface Ethernet0/0
 nameif Outside_Network
 security-level 0
 ip address 10.85.85.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside_Network
 security-level 100
 ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/1.15
 vlan 15
 nameif Servers
 security-level 100
 ip address 10.10.15.2 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Backups
 security-level 100
 ip address 10.10.20.2 255.255.255.0
!
interface Ethernet0/1.25
 vlan 25
 nameif Storage
 security-level 100
 ip address 10.10.25.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif TEST
 security-level 100
 ip address dhcp
!
banner login 1
banner login WELCOME TO THE DEAD ZONE !!!!
banner login WELCOME TO J-WALL !!!
banner motd LEARN HOW TO BLOCK OUTSIDE TRAFFIC !!!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Servers
dns server-group DefaultDNS
 name-server 10.10.15.4
 name-server 10.10.15.5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Internal
 network-object host R1
 network-object host R2
 network-object host R3
 network-object host R4
object-group network Outside
 network-object host Outside
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list Outside_Network_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.85.85.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Inside_Network_access_in extended permit icmp 10.10.0.0 255.255.255.0 10.85.85.0 255.255.255.0
access-list global_mpc extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm debugging
logging debug-trace
mtu Outside_Network 1500
mtu Inside_Network 1500
mtu TEST 1500
mtu Servers 1500
mtu Backups 1500
mtu Storage 1500
ip verify reverse-path interface Outside_Network
ip verify reverse-path interface Inside_Network
ip verify reverse-path interface Servers
ip verify reverse-path interface Backups
ip verify reverse-path interface Storage
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.85.85.0 255.255.255.0 Outside_Network
icmp permit 10.0.0.0 255.0.0.0 Inside_Network
no asdm history enable
arp timeout 14400
static (Outside_Network,Inside_Network) R1 Outside netmask 255.255.255.255
access-group Outside_Network_access_in in interface Outside_Network
access-group Inside_Network_access_in in interface Inside_Network
route Outside_Network 0.0.0.0 0.0.0.0 Outside 1
route Inside_Network 10.0.0.0 255.0.0.0 Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 TEST
http 10.10.0.0 255.255.255.0 Inside_Network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface Outside_Network
service resetinbound interface Inside_Network
service resetinbound interface TEST
service resetinbound interface Backups
service resetinbound interface Storage
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.255.0 Inside_Network
ssh timeout 30
console timeout 0
dhcpd address 10.10.0.85-10.10.0.100 Inside_Network
dhcpd dns 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd domain J_Internal.com interface Inside_Network
dhcpd option 3 ip R1 interface Inside_Network
dhcpd option 6 ip 10.10.15.4 10.10.15.5 interface Inside_Network
dhcpd enable Inside_Network
!
dhcpd address 10.10.20.85-10.10.20.100 Backups
dhcpd dns 10.10.15.4 10.10.15.5 interface Backups
dhcpd domain Backups_Internal.com interface Backups
dhcpd option 3 ip R3 interface Backups
dhcpd option 6 ip 10.10.15.4 10.10.15.5 interface Backups
!
dhcpd address 10.10.25.85-10.10.25.100 Storage
dhcpd dns 10.10.15.4 10.10.15.5 interface Storage
dhcpd domain Storage_Internal.com interface Storage
dhcpd option 3 ip R4 interface Storage
dhcpd option 6 ip 10.10.15.4 10.10.15.5 interface Storage
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map type inspect http match-all asdm_high_security_methods
 match not request method get
 match not request method head
class-map Internal_Traffic
 match access-list global_mpc
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  id-randomization
  id-mismatch action log
  tsig enforced action log
policy-map type inspect ftp FTP
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect netbios NETBIOS
 parameters
  protocol-violation action drop log
policy-map type inspect ip-options Options
 parameters
  eool action clear
  nop action clear
  router-alert action clear
policy-map type inspect http HTTP
 parameters
  protocol-violation action drop-connection log
 class asdm_high_security_methods
  drop-connection
 match request header non-ascii
  drop-connection
policy-map global-policy
 class Internal_Traffic
  inspect dns preset_dns_map dynamic-filter-snoop
  inspect ftp strict FTP
  inspect http HTTP
  inspect icmp
  inspect icmp error
  inspect tftp
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0950e1da9af81acd01c0ade643c88e1
: end

Please, if you have to change something, please do; I'm struggling hard on this implementation.
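Aditya's advice to check the route configuration on the firewall can be applied mechanically. The following is an added example, not code from this thread or from Cisco: it parses the ASA `name`, `nameif`/`ip address` and `route` lines from a constructed excerpt of the posted `show run` and flags any static route whose next hop does not sit on the egress interface's connected subnet, a common reason a firewall cannot reach the gateway it is meant to forward through.

```python
import ipaddress
import re

# Constructed excerpt of the ASA "show run" posted in the thread: only the
# name alias, interface addressing and static routes that the check reads.
ASA_EXCERPT = """\
name 10.85.85.1 Outside description Outside
interface Ethernet0/0
 nameif Outside_Network
 ip address 10.85.85.2 255.255.255.0
interface Ethernet0/1
 nameif Inside_Network
 ip address 10.10.0.2 255.255.255.0
route Outside_Network 0.0.0.0 0.0.0.0 Outside 1
route Inside_Network 10.0.0.0 255.0.0.0 Outside 1
"""

def parse_asa(text):
    """Collect name aliases, per-nameif connected subnets and static routes."""
    names, subnets, routes = {}, {}, []
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)  # alias -> address
        elif line.startswith("interface "):
            current = None  # new block; its nameif has not been seen yet
        elif m := re.match(r"nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current:
            # ipaddress accepts a dotted netmask after the slash
            subnets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append(m.groups())  # (nameif, destination, mask, gateway)
    return names, subnets, routes

def check_routes(text):
    """Return one finding per static route whose next hop is off the egress interface's subnet."""
    names, subnets, routes = parse_asa(text)
    findings = []
    for ifname, dest, mask, gw in routes:
        gw_ip = ipaddress.ip_address(names.get(gw, gw))  # resolve "name" aliases
        net = subnets.get(ifname)
        if net is None:
            findings.append(f"route {dest} {mask}: unknown interface {ifname}")
        elif gw_ip not in net:
            findings.append(f"route {dest} {mask} via {ifname}: next hop {gw_ip} is not in {net}")
    return findings
```

Run `check_routes(ASA_EXCERPT)` against the full `show run` output to get the same report for every static route on the box.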
