ASA configuration help

AceScottie
Level 1

Hello, I'm having a lot of trouble setting up an ASA 5505 in Packet Tracer v7.

I keep getting the same message when in Simulation mode: "The ASA does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list"

I am trying to allow HTTP, FTP and ICMP through the ASA firewall.

network is simply R1 -- ASA -- R2

R1 G0/0: 77.97.151.1 255.255.248

ASA Vlan1: 77.97.151.2 255.255.255.248

ASA Vlan2: 77.97.151.3 255.255.255.248

R2 G0/1: 77.97.151.4 255.255.255.248

ASA configs:

interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 77.97.151.2 255.255.255.248
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
 ip address 77.97.151.3 255.255.255.248
!
route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1
route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1
!
access-list OUTSIDE extended permit tcp any any eq www
access-list OUTSIDE extended permit tcp any any eq ftp
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any echo-reply
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect icmp
!
service-policy asa_global_fw_policy global

I'm not sure what I'm missing to make this work; currently I can't get any traffic through the firewall.

Attached the full config file for reference.


Ajay Saini
Level 7

Hello,

By default, you would require an access-list to allow traffic from a low security level to a high security level. That's the design of the ASA. If you have an access-list and it's not working, please attach the packet-tracer output.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/traffic.html

-AJ

What output?

I see, you have not added access-group to apply to interface. Please add the following command and test:

access-group OUTSIDE in interface OUTSIDE

HTH

-AJ
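
Added example (not from this thread and not Cisco code): a toy model of the two rules the replies above turn on. With no ACL bound to the ingress interface, a new connection is accepted only from a higher security-level interface to a lower one; once an extended ACL is bound inbound with `access-group`, that ACL alone decides, with an implicit deny at the end. The interface names, security levels and ACL entries are copied from the original post; the classes, the port-22 test flow and the `permits()` logic are modelled here and are not the ASA's implementation.

```python
# Added example, not from the thread or from Cisco: models the ASA default
# security-level rule and the effect of binding an ACL with access-group.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: Optional[str] = None  # filled in by access_group()


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # tcp/udp destination port, None = any
    icmp_type: Optional[str] = None  # e.g. "echo", None = any ICMP type


@dataclass
class Flow:
    ingress: str                     # interface the first packet arrives on
    egress: str                      # interface it would leave on
    protocol: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass
class Asa:
    interfaces: dict[str, Interface]
    acls: dict[str, list[AclEntry]] = field(default_factory=dict)

    def access_group(self, acl_name: str, iface: str) -> None:
        """Model of 'access-group <acl> in interface <iface>'."""
        if acl_name not in self.acls:
            raise ValueError(f"ACL {acl_name} is not defined")
        self.interfaces[iface].inbound_acl = acl_name

    @staticmethod
    def _matches(entry: AclEntry, flow: Flow) -> bool:
        if entry.protocol != "ip" and entry.protocol != flow.protocol:
            return False
        if entry.dst_port is not None and entry.dst_port != flow.dst_port:
            return False
        if entry.icmp_type is not None and entry.icmp_type != flow.icmp_type:
            return False
        return True

    def permits(self, flow: Flow) -> tuple[bool, str]:
        """Decide whether the first packet of a new connection is accepted."""
        ingress = self.interfaces[flow.ingress]
        egress = self.interfaces[flow.egress]
        if ingress.inbound_acl is None:
            # No access-group on the ingress interface: security levels decide.
            if ingress.security_level > egress.security_level:
                return True, "higher-to-lower security level: allowed by default"
            return False, ("lower-to-higher (or equal) security level: denied, "
                           "no ACL is applied with access-group")
        # An inbound ACL is applied: first matching entry wins, implicit deny.
        for entry in self.acls[ingress.inbound_acl]:
            if self._matches(entry, flow):
                return entry.action == "permit", f"{ingress.inbound_acl}: {entry.action}"
        return False, f"{ingress.inbound_acl}: implicit deny"


def build_asa() -> Asa:
    """Interfaces and ACL from the original post, before any access-group."""
    asa = Asa({"INSIDE": Interface("INSIDE", 100), "OUTSIDE": Interface("OUTSIDE", 0)})
    asa.acls["OUTSIDE"] = [
        AclEntry("permit", "tcp", dst_port=80),   # eq www
        AclEntry("permit", "tcp", dst_port=21),   # eq ftp
        AclEntry("permit", "icmp", icmp_type="echo"),
        AclEntry("permit", "icmp", icmp_type="unreachable"),
        AclEntry("permit", "icmp", icmp_type="echo-reply"),
    ]
    return asa


def demo() -> dict[str, bool]:
    """Results before and after 'access-group OUTSIDE in interface OUTSIDE'."""
    asa = build_asa()
    http_in = Flow("OUTSIDE", "INSIDE", "tcp", dst_port=80)
    ssh_in = Flow("OUTSIDE", "INSIDE", "tcp", dst_port=22)   # constructed, not in the ACL
    ping_in = Flow("OUTSIDE", "INSIDE", "icmp", icmp_type="echo")
    http_out = Flow("INSIDE", "OUTSIDE", "tcp", dst_port=80)
    results = {
        "before/http_in": asa.permits(http_in)[0],
        "before/http_out": asa.permits(http_out)[0],
    }
    asa.access_group("OUTSIDE", "OUTSIDE")
    results["after/http_in"] = asa.permits(http_in)[0]
    results["after/ssh_in"] = asa.permits(ssh_in)[0]
    results["after/ping_in"] = asa.permits(ping_in)[0]
    results["after/http_out"] = asa.permits(http_out)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} {'permit' if allowed else 'deny'}")
```

Running it shows the situation from the first post: with the ACL defined but not applied, `http_in` is denied purely on security levels while `http_out` passes; after the `access-group` line, inbound HTTP and echo are permitted, anything the ACL does not list (the constructed port-22 flow) hits the implicit deny, and outbound traffic is unaffected because INSIDE still has no ACL bound.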

Added that command after reading the link you provided.
Still having some issues however.

The ping can only travel one way.

This is due to default route being set to "route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1"

I'm not sure how to route both incoming traffic and outgoing traffic without using 0.0.0.0 0.0.0.0

currently the ping from R1 will reach R2 but the response will then bounce back from the ASA back to R2 and fail.

I also noticed that you have 2 default gateways:

route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1

route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1

You can only have one gateway for destinations where you cannot define specific routes. Remove the INSIDE route and test. The ASA knows the inside subnet, so you can test it without that route. The default route on the ASA will be needed to send any traffic to non-directly connected subnets.

-AJ

This is one of the main issues. I don't need it to connect to any non-directly connected subnets.

I removed the inside default route and now it won't ping past the firewall.

I have included the Packet Tracer file I am using inside the zip. Using Packet Tracer v7.

Finally found a solution thanks to one of your comments.

You said it would auto forward to the inside interface, so I changed each side to be a 252 mask and reconfigured the IP addresses.

I had it as a 248 network due to an earlier error where it wouldn't try pinging due to the next hop not being on the same network; it seems that that error and the fix I made went into creating this error.

So now I have R1 - ASA - R2

R1 77.97.151.1 255.255.255.252

ASA outside 77.97.151.2 255.255.255.252

ASA inside 77.97.151.5 255.255.255.252

R2 77.97.151.6 255.255.255.252

This now seems to work perfectly, thanks everyone for their help :)

I think you have the wrong subnet mask assigned on the ASA and R2. If you have 255.255.255.248 on R2 it will think that 77.97.151.1 is in its same subnet, so R2 will do a local ARP instead of sending traffic to its gateway (ASA LAN interface).

Ashish
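
Added example (not from this thread): a check with Python's standard `ipaddress` module that makes the last reply and the poster's final fix concrete. With the /29 (255.255.255.248) masks from the first post, each router sees the other router's address as on-link and would ARP for it rather than forward to the ASA; with the /30 (255.255.255.252) masks from the final post, the other router is off-link and traffic goes to the gateway. The router default gateways are assumptions (the thread never states them), and the overlap check reflects the ASA's general refusal to put two of its interfaces in overlapping subnets.

```python
# Added example, not from the thread: on-link vs. via-gateway decisions for the
# /29 addressing from the first post and the /30 addressing from the final post.
import ipaddress


def next_hop(local_iface: str, gateway: str, destination: str) -> str:
    """How a host with address/mask local_iface reaches destination:
    'on-link' (ARP for it directly) if it is inside the local subnet,
    otherwise 'via <gateway>'."""
    iface = ipaddress.ip_interface(local_iface)
    dst = ipaddress.ip_address(destination)
    return "on-link" if dst in iface.network else f"via {gateway}"


def subnets_overlap(a: str, b: str) -> bool:
    """True when two interface addresses land in overlapping subnets; the ASA
    does not accept two of its own interfaces in the same subnet."""
    net_a = ipaddress.ip_interface(a).network
    net_b = ipaddress.ip_interface(b).network
    return net_a.overlaps(net_b)


# Addresses from the first post (/29 = 255.255.255.248). Gateways are assumed:
# R1 sits behind ASA OUTSIDE (.3), R2 behind ASA INSIDE (.2).
ORIGINAL = {
    "R1": {"iface": "77.97.151.1/29", "gateway": "77.97.151.3", "peer": "77.97.151.4"},
    "R2": {"iface": "77.97.151.4/29", "gateway": "77.97.151.2", "peer": "77.97.151.1"},
    "asa": ("77.97.151.2/29", "77.97.151.3/29"),
}
# Addresses from the final post (/30 = 255.255.255.252). Gateways are assumed:
# R1 behind ASA outside (.2), R2 behind ASA inside (.5).
FIXED = {
    "R1": {"iface": "77.97.151.1/30", "gateway": "77.97.151.2", "peer": "77.97.151.6"},
    "R2": {"iface": "77.97.151.6/30", "gateway": "77.97.151.5", "peer": "77.97.151.1"},
    "asa": ("77.97.151.2/30", "77.97.151.5/30"),
}


def analyse(scenario: dict) -> dict:
    """For each router, how it reaches the other router, plus whether the
    two ASA interface subnets overlap."""
    out = {}
    for router in ("R1", "R2"):
        r = scenario[router]
        out[router] = next_hop(r["iface"], r["gateway"], r["peer"])
    out["asa_overlap"] = subnets_overlap(*scenario["asa"])
    return out


if __name__ == "__main__":
    for label, scenario in (("original /29", ORIGINAL), ("fixed /30", FIXED)):
        print(label, analyse(scenario))
```

The same function accepts dotted masks as written in the thread (for example `"77.97.151.4/255.255.255.248"`), so it can be pointed at any other address plan from the lab before committing it to the routers.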
