Help with firewall rules

support (Level 1)

This is my 1st time working with post 8.3 IOS and I am having trouble with the configuration. I would like all computers in the inside network to access lower security zones (data and dmz) via all protocols. I would have done this with a nat 0 and global command in previous versions. Below is my config:

ASA Version 8.6(1)2
!
hostname TOR1PLXSD01
enable password sxZETAvnsVuPSnUc encrypted
passwd FomDbcd6ujnk.spR encrypted
names
!
interface GigabitEthernet0/0
 description Management
 speed 1000
 duplex full
 nameif Inside
 security-level 100
 ip address 172.21.20.1 255.255.255.0 standby 172.21.20.2
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.20
 description Plexxus Data
 vlan 20
 nameif data
 security-level 50
 ip address 172.16.18.1 255.255.255.0 standby 172.16.18.2
!
interface GigabitEthernet0/1.25
 description DMZ
 vlan 25
 nameif DMZ
 security-level 25
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 nameif Outside
 security-level 0
 ip address yyyyyyyy 255.255.255.224 standby xxxxxx
!
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns domain-lookup data
dns server-group DefaultDNS
 name-server 172.16.18.21
 name-server 172.16.18.22
object network OBJ_INSIDE-HOSTS_172.21.20.0
 subnet 172.21.20.0 255.255.255.0
object network OBJ_DATA-HOSTS_172.16.18.0
 subnet 172.16.18.0 255.255.255.0
object network OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255
 range 172.16.22.0 172.16.23.255
object network OBJ_TOR1PLXEX01_172.16.18.26
 host 172.16.18.26
object network OBJ_TOR1PLXFTP01_172.16.18.28
 host 172.16.18.28
access-list acl_outside extended permit icmp any any
access-list acl_SplitTunnel_VPN standard permit 172.21.20.0 255.255.255.0
access-list acl_SplitTunnel_VPN standard permit 172.16.18.0 255.255.255.0
access-list acl_dmz extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu data 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
ip local pool vpn_pool1 172.16.22.5-172.16.22.250 mask 255.255.255.0
ip local pool vpn_pool2 172.16.23.5-172.16.23.250 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/5
failover link Failover GigabitEthernet0/5
failover interface ip Failover 4.4.4.1 255.255.255.0 standby 4.4.4.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any data
icmp permit any DMZ
icmp permit any Outside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (data,Outside) source static OBJ_DATA-HOSTS_172.16.18.0 OBJ_DATA-HOSTS_172.16.18.0 destination static OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255
nat (Inside,Outside) source static OBJ_INSIDE-HOSTS_172.21.20.0 OBJ_INSIDE-HOSTS_172.21.20.0 destination static OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 OBJ_VPN_SUBNETS_172.16.22.0-172.16.23.255 route-lookup
!
object network OBJ_INSIDE-HOSTS_172.21.20.0
 nat (Inside,Outside) dynamic 68.71.198.102
object network OBJ_DATA-HOSTS_172.16.18.0
 nat (data,Outside) dynamic 68.71.198.102
access-group acl_dmz in interface DMZ
access-group acl_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 68.71.198.97 1
route data 10.1.1.0 255.255.255.0 172.16.18.3 1
route data 172.16.1.0 255.255.255.0 172.16.18.3 1
route data 172.16.5.0 255.255.255.0 172.16.18.3 1
route data 172.16.10.0 255.255.255.0 172.16.18.3 1
route data 172.16.13.0 255.255.255.0 172.16.18.3 1
route data 172.16.14.0 255.255.255.0 172.16.18.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.21.20.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 172.21.20.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy AnyConnectClientPolicy internal
group-policy AnyConnectClientPolicy attributes
 wins-server none
 dns-server value 172.16.18.21 172.16.18.22
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_SplitTunnel_VPN
 default-domain value plexxus.ca
 address-pools value vpn_pool1 vpn_pool2
username dmradmin password 1ZwOzoVS5TWIvR0h encrypted
tunnel-group AnyConnectClientProfile type remote-access
tunnel-group AnyConnectClientProfile general-attributes
 address-pool vpn_pool1
 address-pool vpn_pool2
 default-group-policy AnyConnectClientPolicy
tunnel-group AnyConnectClientProfile webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8539b4736e97023e17a76de6284a537a
: end

2 Replies

support (Level 1)

It seems I can remote desktop to a server in the data network but not ping it.

OK, slightly more complicated in 8.3.

Here you go:

object network obj-172.21.20.0
 subnet 172.21.20.0 255.255.255.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.0.0
nat (Inside,data) source static obj-172.21.20.0 obj-172.21.20.0 destination static obj-172.16.0.0 obj-172.16.0.0
policy-map global_policy
 class inspection_default
  inspect icmp

Then "clear xlate" after the above changes. The inside hosts would be able to access the hosts in data network.

BTW, your dmz doesn't have any ip address yet, so i am not sure what subnet it is. But the configuration would be similar to the above with the correct dmz subnet.

Hope that helps.
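As an added check (not code from the thread or from Cisco), a small Python audit that reads an ASA 8.3+ config fragment for the three things this answer turns on: the interfaces' security levels, any NAT rule between the two interfaces, and whether 'inspect icmp' is in the global policy. It reports how a new Inside-to-data connection is treated and whether ping replies from the lower-security zone are allowed back. The FIXED string is a constructed fragment modelled on the poster's interfaces with the reply's two additions applied; parse_asa, flow_verdict and icmp_replies_return are names chosen here.

```python
"""Audit an ASA 8.3+ config fragment: is a flow between two interfaces permitted, and do ICMP replies return."""
import re

def parse_asa(text):
    cfg = {"sec": {}, "acl_in": {}, "nat": [], "inspect": set()}
    nameif = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface "):          # new interface block
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            cfg["sec"][nameif] = int(s.split()[1])
        elif s.startswith("access-group "):     # access-group ACL in interface IF
            cfg["acl_in"][s.split()[4]] = s.split()[1]
        elif s.startswith("inspect "):          # inside policy-map / class
            cfg["inspect"].add(s.split()[1])
        m = re.match(r"nat \((\S+),(\S+)\) (.*)", s)  # twice NAT or object NAT
        if m:
            cfg["nat"].append(m.groups())
    return cfg

def flow_verdict(cfg, src_if, dst_if):
    """How a new connection from src_if to dst_if is treated under 8.3+ rules."""
    hi, lo = cfg["sec"][src_if], cfg["sec"][dst_if]
    if src_if in cfg["acl_in"]:                 # an inbound ACL replaces the implicit rule
        return "governed by ACL %s" % cfg["acl_in"][src_if]
    if hi <= lo:                                # lower/equal to higher needs an ACL
        return "blocked: security %d <= %d and no inbound ACL on %s" % (hi, lo, src_if)
    rules = [r for r in cfg["nat"] if r[0] == src_if and r[1] == dst_if]
    if any(re.match(r"source static (\S+) \1( |$)", r[2]) for r in rules):
        return "allowed: identity NAT keeps real addresses"
    return "allowed: higher to lower security, no NAT needed in 8.3+"

def icmp_replies_return(cfg):
    """Without 'inspect icmp' an echo reply is an unsolicited packet from a lower zone."""
    return "icmp" in cfg["inspect"]

FIXED = """interface GigabitEthernet0/0
 nameif Inside
 security-level 100
interface GigabitEthernet0/1.20
 nameif data
 security-level 50
nat (Inside,data) source static obj-172.21.20.0 obj-172.21.20.0 destination static obj-172.16.0.0 obj-172.16.0.0
policy-map global_policy
 class inspection_default
  inspect icmp"""  # constructed fragment: the thread's interfaces plus the reply's fix
```

Run parse_asa on FIXED and then flow_verdict(cfg, "Inside", "data") and icmp_replies_return(cfg); feeding it the same fragment without the nat and inspect lines shows the poster's starting state (flow allowed by security level alone, ICMP replies not returned).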
