03-16-2012 10:53 PM - edited 03-11-2019 03:43 PM
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
03-17-2012 07:35 AM
Why do you have a global NAT rule for the same IP as your static NAT? i.e.,
global (outside) 1 xxx.xxx.xxx.95
That could be part of your problem.
03-17-2012 07:57 AM
Thanks, I will try to remove that from the script.
I did re-run all commands from scratch after restoring factory defaults and came across a few errors.
Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"
ip address outside xxx.xxx.xxx.94 255.255.255.224
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "ip address inside 192.168.1.1 255.255.255.0"
ip address inside 192.168.1.1 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
^
ERROR: % Invalid input detected at '^' marker.
In trying to correct it, I ran a few more things and eventually got a message saying this:
Result of the command: "out 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"
ERROR: The apply and outbound commands have been deprecated,
and as such, they have been superseded by the 'access-list'
command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
to help you to convert from outbound commands to access-lists.
Have some of the commands I am using been replaced with new ones?
03-17-2012 08:18 AM
Ahhh sorry - I neglected to note you are using a 5505. The ASA 5505 uses VLAN interfaces and you need to make sure you apply your Layer 3 interface parameters to the VLANs, not the physical ports. Your snippet above didn't provide enough of the script to verify that you are doing that correctly - I assumed you were.
Have you had a look at the configuration guide?
I was wondering about that "outside" command also - I'm not familiar with it at all.
03-17-2012 08:52 AM
What version of firmware are you using? I have recently overcome similar obstacles and am using version 8.43.
03-17-2012 08:59 AM
Aaah, this stuff is going to drive me to drink. As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard. Once that was completed I then ran the original script. Still got some of the errors mentioned, but now everything is working. Looks like the commands are fine. There is something extra that I probably need in the script that the Startup Wizard is adding.
Thank you very much for your help! I'm glad I only need to touch these things every once in a while.
The version is 8.2(5)
03-17-2012 05:40 PM
Hey Craig,
Based on your commands, I think you were using version 6.3 on the PIX and now must be moving to ASA version 8.2.x.
On 8.4, use the example below for defining the interfaces:
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements, as the first statement would be used for dynamic NAT and the second for PAT.
If you're still not able to reach it, paste your entire config and the version that you are using on the ASA.
03-18-2012 05:43 AM
Thank you! Will try that the next time I need to configure a 5505. Hopefully a LONG time from now! It is working now...the key was to run the Startup Wizard before running the script in my original post. Your script will probably do the trick as well. Thanks a lot!