Cisco ASA 5505 Enable Live Traffic

par13 · ‎03-15-2012

I am currently troubleshooting a firewall policy on a ASA 5505. What command can enter in the CLI to enable live view of traffic been block and which traffic is been allow?

In my experiences with other firewall vendors, other firewalls allow me to narrow down the source and destination, too. is there such thing on the ASA 5505?

Thanks

Marvin Rhoads · ‎03-15-2012

A couple of tools can be used. If there is an access-list issue, you can "show access-list" and watch for hits. Better still is the packet tracer utility. Using it, one can test the firewall's handling of a hypothetical flow and tell if it pases or, if it fails, why it does. See the syntax and examples in the command reference. You can also capture traffic but that won't necessarily show you how the firewall is handling the traffic.

par13 · ‎03-16-2012

Thank you,

Also, how do I configure the asa 5505 to allow my internal computers to go to windowsupdate.microsoft.com to get windows updates?

Thanks

Marvin Rhoads · ‎03-16-2012

By default, traffic is allowed from more secure (inside) networks to less secure (outside - often the Internet). That "implicit allow" plus a global NAT rule is sufficient for all Internet access.

If you want to lock things down to specific services, it's a bit more involved - many web-based services and even home pages call elements from more than one site / DNS entry.

We'd have to see your config to give a more accurate answer for your specific context.

par13 · ‎03-16-2012

I was reading online that version 8.2 supports fqdn which on that case it seems that I could use windowsupdate.microsoft.com on the network-object host or hostname area. Does this makes senses?

By the way, we are running ver 7.2. Is there something wrong to upgrade directly to 8.2 or do I need to follow the 8.0,8.1 and 8.2?

thanks

Marvin Rhoads · ‎03-16-2012

Well-established and unchanging FQDNs can indeed be used in access-lists (assuming your ASA can resolve them on a configured DNS server).

I'm just saying that, for instance, when I browse from my Windows 7 machine to windowsupdate.microsoft.com, it redirects to update.microsoft.com (at the same IP) which in turn instructs me to use the control panel applet. When I do that (and watch the connections from my machine) I see a connection open up to another address in the same network. A simple FQDN in the access-list might not follow all of that web redirection.

Upgrading from 7.2 to 8.2 is supported. Reference here.

par13 · ‎03-21-2012

Thank you all! Beside the question above, can anyone tell me why my static ip address stop working. I created a static ip address which allow external traffic to access internal hosts. As you can see below, I added these lines:

access-list outside_access_in extended permit ip any host 152.18.75.133

static (inside,outside) 152.18.75.133 10.2.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside

ASA Version 8.4

!

hostname cisco-asa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.2.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 152.18.75.132 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group network dts-servers

network-object host 152.31.53.251

network-object host 152.31.53.195

object-group network frs_servers

network-object 152.111.5.22 255.255.255.255

access-list extended extended permit ip any any

access-list extended extended permit icmp any any

access-list extended extended permit ip any object-group dts-servers

access-list acl_out extended permit tcp any object-group frs_servers eq https
access-list outside_access_in extended permit ip any host 152.18.75.133

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply inside

icmp permit 10.2.1.0 255.255.255.0 inside

icmp permit any echo-reply outside

icmp permit 152.31.53.0 255.255.255.0 outside

icmp permit 152.31.185.0 255.255.255.0 outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 152.18.75.133 10.2.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http 10.2.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.2.1.2 255.255.255.255 inside

ssh 152.31.53.0 255.255.255.0 outside

ssh 152.18.1.128 152.18.75.132 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.2.1.2-10.2.1.254 inside

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context