11-15-2011 10:10 PM - edited 03-11-2019 02:51 PM
What should i do on my Cisco ASA 5505 firewall to grant access to my network systems to access internet via gateway. I use ASDM to configure the firewall.
11-16-2011 12:59 AM
Hi,
I'm not a big fan of GUIs but you can paste CLI configs into the ASDM if my memory is good.
So pasting show run would give us the config and we could look at it to see if it's ok.
Second step would be to perform a packet-tracer and post result here.
Here's a video that demonstrates the feature: http://www.youtube.com/watch?v=T9G5FKItoyw
Regards.
Alain
11-16-2011 12:41 AM
Hi,
1) Configure a default route on the Outside interface. The CLI command is route outside 0.0.0.0 0.0.0.0 x.x.x.x where x.x.x.x is the next-hop IP.
2) Configure NAT, but the syntax differs since the 8.3 OS.
3) Configure ICMP inspection if you want ping replies from outside to get to inside hosts.
I think it's better you post your config (show run) and we will tell you what's missing.
Regards.
Alain.
11-16-2011 12:53 AM
I am not very comfortable with CLI commands. I use ASDM to configure my firewall. Everything is working fine on my firewall. All my rules are working fine. The only thing missing is that none of my PCs or laptops which are in the same network is able to browse the internet with the default gateway of my firewall.
Default route on outside interface is 0.0.0.0 0.0.0.0 124.153.85.235
11-16-2011 01:06 AM
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname OCTOPUS-FIREWALL
names
!
interface Vlan1
description "***Connection on Inside port ETH 0/1***"
nameif Inside
security-level 100
ip address 10.100.1.1 255.255.255.0
!
interface Vlan2
description "***Uplink connection on Outside Port ETH0/0***"
nameif Outside
security-level 0
ip address 124.153.82.50 255.255.255.248
!
interface Vlan3
description "connected_on_192.168.1.x"
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 124.153.69.80
name-server 124.153.69.15
object-group network Netmagic_Monitor_Group
network-object host 124.153.69.124
network-object host 124.153.69.121
network-object host 124.153.69.123
network-object host 123.108.39.124
network-object host 124.153.99.124
network-object host 180.179.39.124
network-object host 124.153.69.203
network-object host 124.153.69.204
object-group network Netmagic_Network_Group
network-object host 124.153.99.242
network-object host 123.108.39.242
network-object host 124.153.69.242
network-object host 180.179.39.242
network-object host 202.87.39.242
object-group service 7070 tcp
port-object eq 7070
access-list 101 extended permit tcp any host 124.153.85.175 eq 8085
access-list 101 extended deny ip host 204.152.184.139 any
access-list 101 extended deny ip host 58.63.237.42 any
access-list 101 extended deny ip host 58.252.208.131 any
access-list 101 extended permit ip object-group Netmagic_Network_Group any
access-list 101 extended deny ip host 60.250.122.226 any
access-list 101 extended permit ip object-group Netmagic_Monitor_Group any
access-list 101 extended deny ip host 121.254.71.105 any
access-list 101 extended permit tcp any host 124.153.85.232 eq ftp
access-list 101 extended permit tcp any host 124.153.85.232 eq 8085
access-list 101 extended permit tcp any host 124.153.85.235 eq 8081
access-list 101 extended permit tcp any host 124.153.85.233 eq www
access-list 101 extended permit tcp any host 124.153.85.233 eq 1433
access-list 101 extended permit tcp any host 124.153.85.233 eq https
access-list 101 extended permit tcp any host 124.153.85.233 eq ftp
access-list 101 extended permit tcp any host 124.153.85.233 eq ssh
access-list 101 extended permit tcp any host 124.153.85.233 eq ftp-data
access-list 101 extended permit tcp any host 124.153.85.233 eq 59001
access-list 101 extended permit tcp any host 124.153.85.172 eq 8085
access-list 101 extended permit tcp any host 124.153.85.172 eq ftp
access-list 101 extended permit tcp any host 124.153.85.173 eq 8085
access-list 101 extended permit tcp any host 124.153.85.173 range ftp-data ftp
access-list 101 extended permit tcp any host 124.153.85.174 eq www
access-list 101 extended permit tcp any host 124.153.82.53 eq 8085
access-list 101 extended permit tcp any host 124.153.85.235 eq 8094
access-list 101 extended permit tcp any host 124.153.85.234 eq 8080
access-list 101 extended permit tcp any host 124.153.85.172 eq 7272
access-list 101 extended permit icmp any host 124.153.85.173
access-list 101 extended permit tcp any host 124.153.82.52 eq 8081
access-list 101 extended permit icmp any host 124.153.85.235
access-list 108 extended deny tcp any host 58.63.237.42
access-list 108 extended deny udp any host 58.63.237.42
access-list 108 extended deny udp any host 121.254.71.105
access-list 108 extended deny udp any host 60.250.122.226
access-list 108 extended deny tcp any host 121.254.71.105
access-list 108 extended deny ip any host 61.157.96.8
access-list 108 extended deny ip any host 58.252.208.131
access-list 108 extended deny tcp any host 60.250.122.226
access-list 108 extended permit ip any any
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.220 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.26 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.172 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.10 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.218 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.97 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.25 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.60 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 72.14.213.109 eq 465
pager lines 24
logging enable
logging timestamp
logging trap critical
logging asdm informational
logging facility 18
logging host Outside 202.87.39.89
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 124.153.82.54
nat (Inside) 1 access-list octopusepat_82_54
static (Inside,Outside) 124.153.85.232 10.100.1.5 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.234 10.100.1.38 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.233 10.100.1.120 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.173 10.100.1.2 netmask 255.255.255.255
static (Inside,Outside) 124.153.82.53 10.100.1.98 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.174 10.100.1.11 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.172 10.100.1.100 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.175 10.100.1.52 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.235 10.100.1.55 netmask 255.255.255.255
static (Inside,Outside) 124.153.82.52 10.100.1.10 netmask 255.255.255.255
static (Outside,Inside) 124.153.82.50 10.100.1.1 netmask 255.255.255.255
access-group 108 in interface Inside
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 124.153.82.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
http server enable
http 10.100.1.0 255.255.255.0 Inside
http 122.170.115.164 255.255.255.255 Outside
snmp-server host Outside 123.108.39.124 community chn2000
snmp-server host Outside 123.108.39.39 community chn2000
snmp-server host Outside 124.153.69.121 community chn2000
snmp-server host Outside 124.153.69.123 community chn2000
snmp-server host Outside 124.153.69.124 community chn2000
snmp-server host Outside 124.153.69.203 community chn2000
snmp-server host Outside 124.153.69.204 community chn2000
snmp-server host Outside 124.153.99.124 community chn2000
snmp-server host Outside 124.153.99.39 community chn2000
snmp-server host Outside 180.179.39.124 community chn2000
snmp-server host Outside 202.87.39.39 community chn2000
snmp-server host Outside 202.87.44.69 community chn2000
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 124.153.69.242 255.255.255.255 Outside
ssh 122.170.115.164 255.255.255.255 Outside
ssh timeout 5
console timeout 5
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp trusted-key 1
webvpn
username cisco password miNpFGsdff.9QSZNEuyO encrypted
username netmagic password VWIMcRsCCdfr7Oc5YO encrypted
username netmagic attributes
service-type nas-prompt
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a08cd5d128fc909a8122b6d52a9cb19a
: end
11-16-2011 01:31 AM
Hi,
1) Why use policy NAT? nat (Inside) 1 access-list octopusepat_82_54
You're not permitting web traffic and DNS traffic in this ACL, so you won't be able to browse. You don't even permit ICMP, so you can't ping outside hosts.
2) If you do just simple NAT: nat (Inside) 1 10.100.1.0 255.255.255.0 in addition to policy NAT, then you'll have to
- enable ICMP inspection, or
- apply an ACL inbound on Outside to permit ICMP replies.
Cisco recommends doing the first one, like this:
policy-map global_policy
class inspection_default
inspect icmp
Regards.
Alain
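As an added example (not from the thread, and not Cisco's code), here is a small Python model of how ASA 8.2 picks an outbound translation for the posted config: static entries first, then policy NAT through its ACL, then regular NAT. The config excerpt is constructed from the lines in the show run above, 198.51.100.10 stands in for any web server, and the model assumes nat-control is off as in the posted config; it shows why the SMTP-only policy-NAT ACL leaves web traffic untranslated and how the extra nat line from the answer fixes it.

```python
# Added example: model of ASA 8.2 outbound NAT selection (static -> policy NAT
# -> regular NAT) applied to a constructed excerpt of the config in this thread.
import ipaddress

PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21}

# Constructed excerpt of the posted show run (only the NAT-relevant lines).
CONFIG_BEFORE = """
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 72.14.213.109 eq 465
global (Outside) 1 124.153.82.54
nat (Inside) 1 access-list octopusepat_82_54
static (Inside,Outside) 124.153.85.232 10.100.1.5 netmask 255.255.255.255
"""
# The fix suggested in the answer: regular NAT for the whole Inside subnet, same nat id.
CONFIG_AFTER = CONFIG_BEFORE + "nat (Inside) 1 10.100.1.0 255.255.255.0\n"

def parse(config):
    """Collect ACL, static, global and nat lines from an 8.2 config excerpt."""
    acls, statics, globals_, nats = {}, {}, {}, []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[3] == "permit":
            # only the 'host S host D eq PORT' form used in the posted ACL
            acls.setdefault(f[1], []).append((f[6], f[8], int(PORTS.get(f[10], f[10]))))
        elif f[0] == "static":
            statics[f[3]] = f[2]                 # real address -> mapped address
        elif f[0] == "global":
            globals_[int(f[2])] = f[3]
        elif f[0] == "nat":
            if f[3] == "access-list":
                nats.append(("policy", int(f[2]), f[4]))
            else:
                nats.append(("regular", int(f[2]), ipaddress.ip_network(f"{f[3]}/{f[4]}")))
    return acls, statics, globals_, nats

def translate(config, src, dst, dport):
    """Mapped source for an Inside->Outside flow, or None when no rule matches:
    the packet then leaves with its private source (nat-control off) and no
    reply ever comes back, which is exactly the 'cannot browse' symptom."""
    acls, statics, globals_, nats = parse(config)
    if src in statics:
        return statics[src]
    # The ASA checks policy NAT before regular NAT regardless of config order.
    for kind, nat_id, spec in sorted(nats, key=lambda n: n[0] != "policy"):
        if kind == "policy" and (src, dst, dport) in acls[spec]:
            return globals_[nat_id]
        if kind == "regular" and ipaddress.ip_address(src) in spec:
            return globals_[nat_id]
    return None
```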