05-01-2014 02:48 PM - edited 03-11-2019 09:09 PM
I am going from a pix-515e to asa-5512-x. I used the wizard for the initial setup. I then set the interfaces the same, objects, nat rules, routes, ACLs the same as in the 515e (except for the outside interface ACL where you use the inside address now, rather than the outside...and you have a global deny rule for all interfaces) .
I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...
Computers on the inside can't get out. I see egress failures on the ASDM monitor from the inside to outside. I don't see any traffic coming in on the outside interface to the inside as I do on the ASDM of the 515e.
ASA Version 9.1(5)
!
hostname ASA-5512-X
domain-name mydomain.com
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 98.xxx.xxx.xxx 255.255.255.224
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.0.1.242 255.255.252.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.42
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static webserver-inside webserver-outside unidirectional
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2
route inside 172.20.0.0 255.255.0.0 10.0.0.1 1
route inside 172.21.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
05-01-2014 03:49 PM
At a quick glance the config looks pretty clean (please do use ssh and not telnet though)
Since you replaced one box with another, have you checked that your upstream (Outside) device is reachable from the ASA itself? (i.e can you ping your default gateway at 98.xxx.xxx.xxx 2 )
I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls.
05-02-2014 06:13 AM
It looked like it was the ISP. It took a few minutes with the new ASA hooked up for computers to get internet activity. I noticed the computers on the dynamic nat had internet connectivity first, but the servers on static nats did not. I changed the nats to both directions (instead of unidirectional) and it started working. Not sure if that fixed it for the statics or i needed to wait longer for the ISP to adjust.
05-02-2014 06:27 AM
Glad to hear it's working for you. Cheers.
05-02-2014 04:18 AM
I would make sure you have an ARP entry for your default gateway:
show arp
If so I would then run a packet tracer simulation to verify all is well.
packet-tracer input inside tcp 10.0.1.245 aol 8.8.8.8 aol
Finally I would change console timeout from 0 to 30. Console timeout 0 means it will never timeout and stay logged in.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: