10-11-2011 08:20 AM - edited 03-11-2019 02:36 PM
hello
I have started from the beginning on my ASA5510. I have given the et0 an inside of 192.168.1.1 and outside of 87.85.**.*** on a /28 network. I can't seem to get on the internet to ping or tracert.
I have on the ACL list Outside:
1 Source Any - Destination Any IP Permit
2 Source Any - Destination Any IP Deny
Should the destination any be the gateway of the ISP 87.85./28 network? I have a static route of 0.0.0.0 0.0.0.0 gateway IP 87.85.**.*** Metric 1
regards
10-11-2011 08:45 AM
Hi Jason,
Try taking captures first and verify where the packets are dropping:
https://supportforums.cisco.com/docs/DOC-17814
Thanks,
Varun
10-11-2011 11:43 AM
Hi,
Can you post running-config : sh run
Alain.
10-12-2011 02:20 AM
10-12-2011 07:10 AM
Hi,
I didn't notice anything wrong at first look.
can you do
packet-tracer input inside icmp 192.168.1.20 8.8.8.8 detailed
Regards.
Alain.
10-12-2011 07:26 AM
Hi Alain
Sorry about this,
Source IP 192.168.1.20 Dest IP 8.8.8.8
Packet Type icmp
Type ?
Code?
ID ?
10-12-2011 07:33 AM
Hi,
Can't you do it via CLI instead of ASDM?
anyway for ASDM:
type=echo
code=0
id= 8
Alain.
10-12-2011 07:50 AM
I like that
Route-Lookup Action Allow
Info 0.0.0.0 0.0.0.0 outside
Route-Lookup Action allow
in 192.168.1.0 255.255.255.0 inside
Access-list action allow
Config
access-group inside_access_in in interface inside
access-list_access_in extended permit IP any any
NO IP Option
NO inspect
Type Nat action allow
nat (inside) 0 0.0.0.0 0.0.0.0
Nat-control
match ip inside any outside any
dynamic translation to pool (87.85.237.64)
translate_hits = 10977, untranslate_hits = 0
Info
dynamic translate 192.168.1.13/8 to 87.85.237.65/54798 using netmask 255.255.255.255
Type Nat subtype host-limits action allow
config (inside) 2 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 2 (87.85.237.65)
translate_hits = 10977 untranslate_hits = 0
Flow control action allow
new flow created with id 55908 packet dispatched to next module
routelookup
info
found next 87.85.237.65 using egress ifc outside
adjacency active
next hop mac address 30e4.db55.be55 hits 6
WOW, I bet there is an easier way than writing it all out
Input Interface : inside Line UP - Link UP
Output Interface Inside Inside Line Up Link Up
10-12-2011 08:52 AM
Hi,
Can you do the same for outside icmp echo-reply to inside address
or do a packet capture for same traffic and capture on inside and outside :
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Regards.
Alain.
10-12-2011 11:56 AM
Hi,
Source IP 87.85.**.** Outside gateway to 192.168.1.13 Echo 0 8
I get to the bottom
ACL-flow is denied by conf rule
If I use the other method I get a ping inside, no ping from outside to inside, so I guess the 87.85.**.** which is a TalkTalk router must block pings?
Regards
10-13-2011 07:07 AM
Hi,
do a ping from inside to outside and do a capture both on inside ingress and on outside ingress then save as pcap and post here.
Alain.
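The two-sided capture requested above, typed at the ASA CLI, as an added example that is not part of the original thread. The capture names (capin, capout) and the TFTP server placeholder are assumptions; the addresses are the ones used in the packet-tracer test earlier in the thread.

```cisco
! Added example; capin/capout and <tftp-server> are hypothetical names.
! Inside ingress: match the untranslated host and the ping target.
! The match keyword captures both directions of the flow.
capture capin interface inside match icmp host 192.168.1.20 host 8.8.8.8
! Outside: the source has already been PAT-translated at this point,
! so match on the ping target only rather than on 192.168.1.20.
capture capout interface outside match icmp any host 8.8.8.8
! Now ping 8.8.8.8 from 192.168.1.20, then read both captures.
show capture capin
show capture capout
! Export each capture as a pcap file for posting.
copy /pcap capture:capin tftp://<tftp-server>/capin.pcap
copy /pcap capture:capout tftp://<tftp-server>/capout.pcap
! Remove the captures when finished.
no capture capin
no capture capout
```

Echo requests in both captures with replies in neither means the replies never reach the ASA; replies present in capout but missing from capin mean the ASA itself is dropping them.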
10-13-2011 08:08 AM
Hello
Enclosed a file; it's defo the TalkTalk router blocking traffic.
Regards
10-13-2011 11:04 AM
Hi,
You mean you found the issue? Then mark the post as resolved.
Regards.
Alain.