05-05-2023 01:40 AM - last edited on 05-05-2023 01:55 AM by rupeshah
My configuration is below.
But I can't ping the internet from the inside network, please help.
Fr1# show running-config
: Saved
:
: Serial Number: xxx
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(4)56
!
hostname Fr1
enable password ***** xxx
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Acess
security-level 0
ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
object network Insider
subnet 192.168.2.0 255.255.255.0
object network outside
host 192.168.100.111
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 object outside
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
mtu Acess 1500
mtu outside 1500
mtu inside 1500
no failover
no failover wait-disable
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network Insider
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.3.0 255.255.255.0 Acess
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** xxx privilege 15
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email xxx
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxx
05-05-2023 02:36 AM
You configured an access list and applied it to inside, and it allows access to only one host.
That is the issue, I think.
05-05-2023 02:40 AM
How can I allow it for the whole network? And are the other configurations good?
05-05-2023 03:53 AM
@eduardonoitel try changing below
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 0.0.0.0 0.0.0.0
05-05-2023 06:04 AM
Your config is OK, you have a default route.
You configured NATing.
But there is no need for the inside or outside interface ACL.
Remove it and check ping.
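As an added illustration that is not from any poster in this thread: a small Python first-match evaluator for ASA extended ACEs, showing why the posted inside_access_in line blocks internet-bound traffic, why the suggested line (permit to 0.0.0.0 0.0.0.0) allows it, and what removing the ACL relies on (the default permit from security-level 100 to 0). The object table and the stand-in internet address 203.0.113.9 (TEST-NET-3) are constructed.

```python
import ipaddress

# Constructed for this example: the network object from the posted config and the
# inside ACL as posted, beside the replacement ACE suggested in the thread.
OBJECTS = {"outside": "host 192.168.100.111"}  # object network outside
ORIGINAL_ACL = [
    "access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 object outside",
]
SUGGESTED_ACL = [
    "access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 0.0.0.0 0.0.0.0",
]

def parse_addr(tokens):
    """Consume one ASA address spec (any | host A | object NAME | A MASK)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "object":
        return parse_addr(OBJECTS[tokens.pop(0)].split())
    # dotted network + dotted mask; "0.0.0.0 0.0.0.0" is the same as "any"
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """access-list NAME extended {permit|deny} PROTO SRC DST -> (action, proto, src, dst)."""
    tokens = line.split()
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    return action, proto, src, dst

def evaluate(acl, src_ip, dst_ip, proto="icmp"):
    """First match wins; an applied ACL ends in an implicit deny. With no ACL on
    the interface, traffic from security-level 100 to 0 is permitted by default."""
    if acl is None:
        return "permit (no ACL, level 100 -> 0)"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, src, dst = parse_ace(line)
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny (implicit)"

if __name__ == "__main__":
    # 203.0.113.9 (TEST-NET-3) stands in for an internet host
    for name, acl in (("original", ORIGINAL_ACL), ("suggested", SUGGESTED_ACL), ("removed", None)):
        print(f"{name:9} 192.168.2.10 -> 203.0.113.9 : {evaluate(acl, '192.168.2.10', '203.0.113.9')}")
```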
05-05-2023 02:49 AM
alert-interval 300
access-list inside_access_in; 1 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 object outside_network (hitcnt=0) 0x3b75655e
access-list inside_access_in line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x3b75655e
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip any any (hitcnt=0) 0x3b75655e
access-list global_access; 1 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit ip any any (hitcnt=0) 0x3b75655e
Fr1#
And now?
05-05-2023 06:36 AM
Your configuration appears incomplete. I would expect to see the inspect class maps (including one for ICMP).
Your outside interface is on a private network and the interface is set for DHCP. Is it getting an address on the 192.168.100.0/24 subnet? Is there an upstream device doing additional NAT to give the outside subnet a public IP?