Cisco ASA

diwakar410
Level 1

Here is my PuTTY log:

ASA Version 9.2(2)4

hostname ciscoasa

interface GigabitEthernet0/0
nameif Public-IP
security-level 0
ip address 202.67.23.37 255.255.255.0
!
interface GigabitEthernet0/1
nameif CC-Camera
security-level 0
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif Computer-Lab
security-level 90
ip address 10.10.21.1 255.255.255.0

interface GigabitEthernet0/3
nameif Private-LAN
security-level 100
ip address 10.10.22.1 255.255.255.0
!
interface GigabitEthernet0/4
nameif Wireless
security-level 80
ip address 10.10.23.1 255.255.255.0
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0

boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
object network CC-Camera-subnet
subnet 10.10.20.0 255.255.255.0
object network Computer-Lab
subnet 10.10.21.0 255.255.255.0
object network Private-LAN
subnet 10.10.22.0 255.255.255.0
object network Wireless
subnet 10.10.23.0 255.255.255.0
access-list CC-Camera_access_in extended permit ip any any inactive
access-list CC-Camera_access_in extended permit ip any interface Public-IP
access-list Public-IP_access_in extended permit ip any interface CC-Camera
pager lines 24
logging asdm informational
mtu Public-IP 1500
mtu CC-Camera 1500
mtu Computer-Lab 1500
mtu Private-LAN 1500
mtu Wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network CC-Camera-subnet
nat (CC-Camera,Public-IP) dynamic interface
object network Computer-Lab
nat (Computer-Lab,Public-IP) dynamic interface
object network Private-LAN
nat (Private-LAN,Public-IP) dynamic interface
object network Wireless
nat (Wireless,Public-IP) dynamic interface
access-group Public-IP_access_in in interface Public-IP
access-group CC-Camera_access_in in interface CC-Camera
route Public-IP 0.0.0.0 0.0.0.0 202.79.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:577fdb160dccc7796f9a682bda7dbeef
: end

Here is my list of problems that I am facing right now. I have attached my PuTTY log here.

  1. NAT is not working.

  2. I tried to make port 0/0 communicate with 0/1 using a two-way policy, and that didn't work either.
    I am using the ASDM to configure it. Since it is my first time with ASA, I prefer the GUI.

  3. My client wants Facebook, YouTube, torrents etc. to be blocked. How can I do so using ASDM?

4 Replies

Philip D'Ath
VIP Alumni

1. NAT from where to where is not working?

2. What exactly do you want to communicate between these two interfaces? Which IP addresses?

3. Do you have Firepower in this ASA? That is the best way. Failing that, check out this article:

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-domain-fqdn-based-acls.html

Hi Philip,

I mean NAT from my private IP to public IP, i.e., from CC camera 10.10.20.1/24 to the public IP, i.e., 202.67.23.37.

Since the NAT didn't work, I tried to just make the two interfaces, CC camera and Public IP, communicate so that I can ping the interfaces from one another, but that failed too.

When I try to use the packet tracer option from the ASDM, it says packets dropped and deny.

Thank you.

Start by changing the security level of CC camera from 0 to anything else, like 10. Then reboot. Then see how many problems resolve themselves. Let me know what is left that is broken.

Actually, I had a security level of 50 at first and it didn't work, so I thought it was not working because it is at a different security level, so I changed it to 0, the same as that of the Public IP.

How do you make two interfaces communicate? I may want my CC camera to communicate with the computer lab, so what do I do, as they are at different security levels?

What we did on FortiGate is, we used to make a two-way policy from CC camera to computer and computer to CC camera and it would work fine. I tried doing it the same way in ASA but it didn't work.

Philip, is my NATting and static route configured properly? Can you please check that.

Thank you.
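As an added example (not part of this thread and not a Cisco tool), here is a small Python audit over a constructed excerpt of the config posted above. It flags the three things the replies turn on: two transit interfaces at the same security level with no `same-security-traffic permit inter-interface` line, access-list entries that use `interface X` as a destination (which matches only that interface's own address, not the subnet behind it), and a static route whose next hop is not on the egress interface's connected subnet. The function names and the finding labels are my own.

```python
import ipaddress
import re
# Constructed excerpt of the "show run" output posted above (interface, ACL and route lines only).
ASA_CONFIG = """\
interface GigabitEthernet0/0
nameif Public-IP
security-level 0
ip address 202.67.23.37 255.255.255.0
interface GigabitEthernet0/1
nameif CC-Camera
security-level 0
ip address 10.10.20.1 255.255.255.0
access-list CC-Camera_access_in extended permit ip any interface Public-IP
access-list Public-IP_access_in extended permit ip any interface CC-Camera
route Public-IP 0.0.0.0 0.0.0.0 202.79.23.1 1
"""
def parse_interfaces(cfg):
    # Map each nameif to {"level": int, "net": IPv4Interface, "mgmt": bool}.
    ifaces, cur = {}, {"mgmt": False}  # throw-away dict until the first interface stanza
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = {"mgmt": False}
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line == "management-only":
            cur["mgmt"] = True
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces
def audit(cfg):
    # Return (kind, message) findings for the three checks commented below.
    ifaces, out = parse_interfaces(cfg), []
    # 1. Equal security levels block transit traffic unless inter-interface is permitted.
    if "same-security-traffic permit inter-interface" not in cfg:
        transit = sorted(n for n, i in ifaces.items() if not i["mgmt"] and "level" in i)
        for i, a in enumerate(transit):
            for b in transit[i + 1:]:
                if ifaces[a]["level"] == ifaces[b]["level"]:
                    out.append(("same-security", f"{a} and {b} are both level {ifaces[a]['level']}"))
    # 2. 'interface X' in an ACE matches only X's own address, not the subnet behind it.
    for m in re.finditer(r"^access-list (\S+) extended .*\binterface (\S+)$", cfg, re.M):
        out.append(("acl-interface-keyword", f"{m[1]}: 'interface {m[2]}' is a single-host match"))
    # 3. A static route's next hop should be on the egress interface's connected subnet.
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+)", cfg, re.M):
        net = ifaces.get(m[1], {}).get("net")
        if net and ipaddress.IPv4Address(m[2]) not in net.network:
            out.append(("route-nexthop", f"{m[2]} is not on {m[1]} subnet {net.network}"))
    return out
```

Running `audit(ASA_CONFIG)` on this excerpt yields one same-security finding (Public-IP and CC-Camera both at level 0), two ACL findings, and one route finding (202.79.23.1 is not in 202.67.23.0/24); the same script can be pointed at a full `show run` capture since it ignores lines it does not recognise.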
