03-26-2006 12:12 PM - edited 02-21-2020 12:47 AM
Hi there
I'm new to Cisco and our ASA 5510. I'm not new to firewalls in general but this is my first time working with a Cisco product.
I have configured my ASA with all my network info but it is not allowing any computers connected to my network to access the internet.
If I post my configuration (which is very simple), which information do I need to remove if any for security purposes? Hopefully someone will point out what I did incorrectly.
Thanks in advance for your time.
Percy
03-26-2006 12:24 PM
Hi Percy. For your internal users to access the internet: when a packet is flowing from a higher security level interface, say your inside interface segment of the ASA where your users are connected, to a lower security level interface, say your outside interface where the outside router will be connected to the ISP, you have to configure NATting for the internal users. Without NATting in PIX you cannot have packets flowing from a higher to a lower interface, unless you have configured nat 0, which is NAT exemption. In case you have more issues, write back. See ya
sebastan
03-26-2006 12:32 PM
Thanks for your reply, so what would be the appropriate CLI commands to enable the nat 0?
I don't use a pool of addresses, just a single address for outgoing traffic if that helps you.
Should I post my config so you can get the whole picture? Again, if I do, what should I delete from it before posting it?
Percy
03-26-2006 02:20 PM
Remove your IPs from the config.
03-26-2006 02:28 PM
Ok.. Here we go
ASA Version 7.0(4)
!
hostname asa5510-ME-01
domain-name xxxxx.com
enable password encrypted
names
!
interface Ethernet0/0
description Interface connects to Cisco 2600
duplex half
nameif outside
security-level 0
ip address 207.x.x.254 255.255.255.240
!
interface Ethernet0/1
description Internal Interface
nameif inside
security-level 100
ip address 1.0.x.x.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd encrypted
banner login ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED. ALL CONNECTIONS ARE MONITORED AND LOGGED.
boot config disk0:/asa704
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns name-server 64.x.x.x.x
object-group service MYSERVICES-EMAIL tcp
port-object eq pop3
port-object eq smtp
object-group service MYSERVICES-WEB tcp
port-object eq www
port-object eq https
object-group network WEBSERVERS
network-object 1.0.0.150 255.255.255.255
network-object 1.0.0.151 255.255.255.255
network-object 1.0.0.152 255.255.255.255
object-group network EMAILSERVERS
network-object 1.0.0.150 255.255.255.255
network-object 1.0.0.152 255.255.255.255
object-group network VPNSERVERS
network-object 1.0.0.150 255.255.255.255
network-object 1.0.0.151 255.255.255.255
access-list outside_access_in remark permit web services
access-list outside_access_in extended permit tcp any any object-group MYSERVICES-WEB
access-list outside_access_in remark permit email services
access-list outside_access_in extended permit tcp any any object-group MYSERVICES-EMAIL
access-list outside_access_in remark permit vpn
access-list outside_access_in extended permit tcp any eq pptp object-group VPNSERVERS eq pptp
access-list outside_access_in remark allow vpn
access-list outside_access_in extended permit gre any object-group VPNSERVERS
pager lines 24
logging enable
logging asdm informational
logging host inside 1.0.0.103
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp deny any echo outside
icmp permit any inside
asdm image disk0:/asdm511.bin
asdm history enable
arp timeout 14400
global (outside) 200 207.x.x..253
static (outside,inside) 1.x.x.x.x.x.242 netmask 255.255.255.255 dns
static (outside,inside) 1.x.x.151 207.x.x.243 netmask 255.255.255.255 dns
static (outside,inside) 1.0.0.152 207.x.x.244 netmask 255.255.255.255 dns
static (outside,inside) 1.0.0.153 207.x.x.246 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
rip outside passive version 1
rip outside default version 1
rip inside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 207.x.x.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 1.0.0.103 community bushmaster
snmp-server location Wiring Closet
snmp-server contact PD
snmp-server community bbb
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 1.0.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:
03-26-2006 02:32 PM
need to add a nat for the inside
nat (inside) 200 0.0.0.0 0.0.0.0
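An added example, not from this thread or from Cisco: a small Python check for exactly the mismatch the replies point at on an ASA 7.x config, a `global (outside) <id>` pool with no `nat (<higher-security interface>) <id>` feeding it, plus a list of higher-security interfaces that have no nat or nat 0 line at all. It runs on a constructed fragment modelled on the posted config (placeholder addresses from 203.0.113.0/24 and 10.0.0.0/8, not the poster's real ones).

```python
import re
from collections import defaultdict

# Constructed fragment in the style of the ASA 7.0 config posted above; addresses are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
global (outside) 200 203.0.113.253
static (outside,inside) 10.0.0.150 203.0.113.242 netmask 255.255.255.255 dns
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SECLVL_RE = re.compile(r"^\s*security-level (\d+)")

def parse_nat(config):
    """Return (globals, nats) as {nat_id: set(interface names)} from an ASA 7.x config text."""
    globals_, nats = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            globals_[int(m.group(2))].add(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            nats[int(m.group(2))].add(m.group(1))
    return dict(globals_), dict(nats)

def unmatched_globals(config):
    """NAT ids with a global pool but no nat statement using that id (nat 0 is exemption, not a pool)."""
    globals_, nats = parse_nat(config)
    return sorted(i for i in globals_ if i != 0 and i not in nats)

def interfaces_without_nat(config):
    """Named interfaces above the lowest security level that appear in no nat line at all."""
    levels, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
        m = SECLVL_RE.match(line)
        if m and current:
            levels[current] = int(m.group(1))
    _, nats = parse_nat(config)
    natted = set().union(*nats.values()) if nats else set()
    lowest = min(levels.values())
    return sorted(n for n, lvl in levels.items() if lvl > lowest and n not in natted)
```

With the fragment as posted, both checks flag the inside interface; appending the `nat (inside) 200 0.0.0.0 0.0.0.0` line from the reply clears them.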
03-26-2006 02:35 PM
Great, I'll do that and give it a try.
Everything else looks good?
Percy