Help please fw config

spivy6666
Level 1

Below is my config. Can someone tell me if the config below will let my users on .36.0/24 access the internet? I think it does, but I need to be certain. The 192.168.36.0/24 just needs all outbound access for the internet and anything outbound.


: Saved
:
ASA Version 8.2(5)
!
hostname ASAfirewall
enable password 8RRRXU24 encrypted
passwd 2KFQ2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.36.0 255.255.255.0
access-group OPEN out interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd dns 2.2.2.138 2.2.2.4
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password GaV64ZRjSgXshU9e encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9118468c95c765234a5c6215f9fd4779

: end

CCNA
4 Replies

Jouni Forss
VIP Alumni

Hi,

One thing you need to change is how the ACL is attached

no access-group OPEN out interface inside

access-group OPEN in interface inside

The parameter "out" would mean traffic heading out the interface inside. In other words, traffic headed towards the networks behind inside.

The parameter "in" would however control traffic coming from inside, which is what you want to do.

Hope this helps :)

- Jouni


Ok, I will make that change, and thanks. But the entry below is right? Without the access list my users would not have access to the net? Thanks again. Let's say I had everything but the access list. My users would not have access because you need an ACL applied on an interface?

access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any

CCNA

You do not need an access list defined on the inside interface for them to be able to get to the internet due to the security levels of the interfaces. On an ASA, the higher security level interfaces are allowed to transit lower security level interfaces. In your case, and many similar cases, inside is set to 100 and outside is set to 0. The inside access list is usually configured to restrict certain types of traffic towards the internet, but it is not required to permit general access.
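The two replies above make two separate points: an ACL only filters traffic from a network when it is applied "in" on that network's interface, and with no inbound ACL at all the security levels (100 on inside, 0 on outside) already permit outbound traffic. A third thing that decides whether a pre-8.3 ASA actually forwards the packet is the pairing of the `nat (inside) <id>` statement with a `global (outside) <id>` on the egress interface, and a fourth is a default route. The lint below is an added example, not code from the thread or from Cisco: it parses the handful of ASA 8.2 running-config commands that matter for this question and reports, for one source host, whether the policy permits the flow and why. `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted config (the 1.1.1.1 and 198.51.100.10 addresses are placeholders, as they appear to be on the page), and the rule that traffic between equal security levels needs `same-security-traffic permit inter-interface` is modelled as well. Object-groups, port matches and NAT exemption ACLs are out of scope.

```python
"""Lint an ASA 8.2-style running-config: can a host on 'inside' reach the internet?
Added example, not from the thread. Models access-group direction, implicit
security-level permit, pre-8.3 nat/global id pairing, and the default route."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt modelled on the posted config (addresses are placeholders).
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any
global (outside) 10 interface
nat (inside) 10 192.168.36.0 255.255.255.0
access-group OPEN out interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
"""


def _take_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Extract interfaces, extended ACLs, access-groups, nat/global and routes."""
    cfg = {"if": {}, "acl": {}, "access_group": [], "nat": [], "global": [],
           "route": [], "same_security": False}
    cur = None
    for raw in text.splitlines():
        p = raw.split()
        if not p or p[0] == "!" or p[0].startswith(":"):
            cur = None  # '!' closes an interface block; ': Saved' etc. are comments
            continue
        if p[0] == "interface":
            cur = {"name": None, "level": None, "ip": None}
            continue
        if cur is not None:  # interface sub-commands
            if p[0] == "nameif":
                cur["name"] = p[1]
                cfg["if"][p[1]] = cur
            elif p[0] == "security-level":
                cur["level"] = int(p[1])
            elif p[:2] == ["ip", "address"] and len(p) >= 4 and p[2] != "dhcp":
                cur["ip"] = ipaddress.ip_interface(f"{p[2]}/{p[3]}")
            continue
        if p[0] == "access-list" and len(p) >= 7 and p[2] == "extended":
            src, i = _take_addr(p, 5)            # p[3]=action, p[4]=protocol
            dst, i = _take_addr(p, i)
            cfg["acl"].setdefault(p[1], []).append((p[3], src, dst))
        elif p[0] == "access-group":
            cfg["access_group"].append({"acl": p[1], "dir": p[2], "if": p[4]})
        elif p[0] == "nat" and p[3] != "access-list":
            cfg["nat"].append({"if": p[1].strip("()"), "id": p[2],
                               "net": ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)})
        elif p[0] == "global":
            cfg["global"].append({"if": p[1].strip("()"), "id": p[2]})
        elif p[0] == "route":
            cfg["route"].append({"if": p[1], "nexthop": ipaddress.ip_address(p[4]),
                                 "net": ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)})
        elif raw.strip() == "same-security-traffic permit inter-interface":
            cfg["same_security"] = True
    return cfg


def check_outbound(cfg, src_ip, dst_ip, src_if="inside", dst_if="outside"):
    """Return (permitted, findings) for src_ip on src_if reaching dst_ip via dst_if."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    findings, state = [], {"ok": True}

    def fail(msg):
        state["ok"] = False
        findings.append("FAIL: " + msg)

    # 1. Access control: only an ACL applied 'in' on the ingress interface filters
    #    traffic arriving from it. Without one, security levels decide.
    for g in cfg["access_group"]:
        if g["if"] == src_if and g["dir"] == "out":
            findings.append(f"WARN: ACL {g['acl']} is applied 'out' on {src_if}; it filters "
                            f"traffic leaving the ASA toward {src_if}, not traffic from it")
    inbound = [g for g in cfg["access_group"] if g["if"] == src_if and g["dir"] == "in"]
    if inbound:
        verdict = "deny"  # implicit deny at the end of every ACL
        for action, src, dst in cfg["acl"].get(inbound[0]["acl"], []):
            if src_ip in src and dst_ip in dst:
                verdict = action  # first match wins
                break
        if verdict == "permit":
            findings.append(f"OK: ACL {inbound[0]['acl']} permits {src_ip} -> {dst_ip}")
        else:
            fail(f"ACL {inbound[0]['acl']} (in on {src_if}) denies {src_ip} -> {dst_ip}")
    else:
        s, d = cfg["if"].get(src_if), cfg["if"].get(dst_if)
        if s is None or d is None:
            fail(f"{src_if} or {dst_if} has no nameif")
        else:
            sl, dl = s["level"] or 0, d["level"] or 0  # unset level treated as 0
            if sl > dl or (sl == dl and cfg["same_security"]):
                findings.append(f"OK: no inbound ACL on {src_if}; level {sl} -> {dl} permits implicitly")
            else:
                fail(f"no inbound ACL on {src_if} and level {sl} -> {dl} is not higher-to-lower")

    # 2. Pre-8.3 NAT: a matching nat id must have a global with the same id on the egress interface.
    nat = next((n for n in cfg["nat"] if n["if"] == src_if and src_ip in n["net"]), None)
    if nat is None:
        findings.append(f"WARN: no nat on {src_if} matches {src_ip}; with the 8.2 default "
                        "'no nat-control' it leaves untranslated")
    elif nat["id"] == "0":
        findings.append("OK: identity NAT (id 0), no global needed")
    elif not any(g["if"] == dst_if and g["id"] == nat["id"] for g in cfg["global"]):
        fail(f"nat ({src_if}) {nat['id']} has no matching global ({dst_if}) {nat['id']}")
    else:
        findings.append(f"OK: nat ({src_if}) {nat['id']} pairs with global ({dst_if}) {nat['id']}")

    # 3. Routing: some route out dst_if must cover the destination.
    routes = [r for r in cfg["route"] if r["if"] == dst_if and dst_ip in r["net"]]
    if not routes:
        fail(f"no route via {dst_if} covers {dst_ip}")
    elif routes[0]["nexthop"] in {i["ip"].ip for i in cfg["if"].values() if i["ip"]}:
        findings.append(f"WARN: next hop {routes[0]['nexthop']} is one of the ASA's own "
                        "addresses; the gateway should be the upstream router")
    else:
        findings.append(f"OK: route via {dst_if}, next hop {routes[0]['nexthop']}")
    return state["ok"], findings


def lint(text, src_ip="192.168.36.50", dst_ip="198.51.100.10"):
    """Parse and check in one call; dst_ip is a documentation-range placeholder."""
    return check_outbound(parse_asa(text), src_ip, dst_ip)


if __name__ == "__main__":
    for label, text in [("as posted", SAMPLE_CONFIG),
                        ("access-group in", SAMPLE_CONFIG.replace(" out interface", " in interface")),
                        ("no access-group", SAMPLE_CONFIG.replace("access-group OPEN out interface inside\n", ""))]:
        ok, findings = lint(text)
        print(f"[{label}] permitted={ok}")
        for f in findings:
            print("   ", f)
```

Run against the posted config the lint reports the flow as permitted by the security levels while warning that OPEN is attached in the wrong direction; with the ACL moved to "in" the permit comes from the ACL itself; with no access-group at all the security-level rule alone permits it. Deleting the `global (outside) 10` line, or lowering inside to security-level 0 without an inbound ACL, turns the verdict to FAIL, which is the kind of thing to check before concluding that a drop is caused by inspection or the global policy.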

Thanks for your reply JJ, but I tried to use the config below as you stated and packets were getting denied due to global group policy? Can you fix my config so it will work?

sh run

: Saved
:
ASA Version 8.2(5)
!
hostname ASAfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list OPEN extended permit ip 192.168.36.0 255.255.255.0 any
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.36.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd dns 2.2.2.138 2.2.2.4
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password GaV64ZRjSgXshU9e encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8bf43babbcc428dd5a8adb5f515c463e
: end

ASAfirewall#

CCNA