New to ASA 5510

bushmaster

Level 1

Hi there

I'm new to Cisco and our ASA 5510. I'm not new to firewalls in general but this is my first time working with a Cisco product.

I have configured my ASA with all my network info but it is not allowing any computers connected to my network to access the internet.

If I post my configuration (which is very simple), which information do I need to remove if any for security purposes? Hopefully someone will point out what I did incorrectly.

Thanks in advance for your time.

Percy

6 Replies

sebastan_bach

Level 4

Hi Percy. For your internal users to access the internet: when a packet is flowing from a higher security level interface (say your inside interface segment of the ASA, where your users are connected) to a lower security level interface (say your outside interface, where the outside router will be connected to the ISP), you have to configure NATting for the internal users. Without NATting in PIX you cannot have packets flowing from a higher to a lower interface, unless you have configured nat 0, which is NAT exemption. In case you have more issues, write back. See ya

sebastan

Thanks for your reply. So what would be the appropriate CLI commands to enable the nat 0?

I don't use a pool of addresses, just a single address for outgoing traffic if that helps you.

Should I post my config so you can get the whole picture? Again, if I do, what should I delete from it before posting it?

Percy

Remove your IPs from the config.

OK, here we go:

ASA Version 7.0(4)
!
hostname asa5510-ME-01
domain-name xxxxx.com
enable password encrypted
names
!
interface Ethernet0/0
 description Interfce connects to Cisco 2600
 duplex half
 nameif outside
 security-level 0
 ip address 207.x.x.254 255.255.255.240
!
interface Ethernet0/1
 description Internal Interface
 nameif inside
 security-level 100
 ip address 1.0.x.x.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd encrypted
banner login ACCESS TO THIS DEVICE IS STRICLTY PROHIBITED. ALL CONNECTIONS AND MONITORED AND LOGGED.
boot config disk0:/asa704
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns name-server 64.x.x.x.x
object-group service MYSERVICES-EMAIL tcp
 port-object eq pop3
 port-object eq smtp
object-group service MYSERVICES-WEB tcp
 port-object eq www
 port-object eq https
object-group network WEBSERVERS
 network-object 1.0.0.150 255.255.255.255
 network-object 1.0.0.151 255.255.255.255
 network-object 1.0.0.152 255.255.255.255
object-group network EMAILSERVERS
 network-object 1.0.0.150 255.255.255.255
 network-object 1.0.0.152 255.255.255.255
object-group network VPNSERVERS
 network-object 1.0.0.150 255.255.255.255
 network-object 1.0.0.151 255.255.255.255
access-list outside_access_in remark permit web services
access-list outside_access_in extended permit tcp any any object-group MYSERVICES-WEB
access-list outside_access_in remark permit email services
access-list outside_access_in extended permit tcp any any object-group MYSERVICES-EMAIL
access-list outside_access_in remark permit vpn
access-list outside_access_in extended permit tcp any eq pptp object-group VPNSERVERS eq pptp
access-list outside_access_in remark allow vpn
access-list outside_access_in extended permit gre any object-group VPNSERVERS
pager lines 24
logging enable
logging asdm informational
logging host inside 1.0.0.103
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp deny any echo outside
icmp permit any inside
asdm image disk0:/asdm511.bin
asdm history enable
arp timeout 14400
global (outside) 200 207.x.x..253
static (outside,inside) 1.x.x.x.x.x.242 netmask 255.255.255.255 dns
static (outside,inside) 1.x.x.151 207.x.x.243 netmask 255.255.255.255 dns
static (outside,inside) 1.0.0.152 207.x.x.244 netmask 255.255.255.255 dns
static (outside,inside) 1.0.0.153 207.x.x.246 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
rip outside passive version 1
rip outside default version 1
rip inside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 207.x.x.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 1.0.0.103 community bushmaster
snmp-server location Wiring Closet
snmp-server contact PD
snmp-server community bbb
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 1.0.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:

You need to add a NAT for the inside:

nat (inside) 200 0.0.0.0 0.0.0.0
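As an added illustration, not code from this thread or from Cisco, a small Python checker for the pre-8.3 pairing the reply describes: every "global (ifc) id" pool needs a "nat (ifc) id" on the higher-security side that uses it, with id 0 being the NAT-exemption case. It goes one step beyond the reply by also flagging "static" lines whose first interface has the lower security level, since the pre-8.3 form is "static (real_ifc,mapped_ifc) mapped_ip real_ip"; the sample config and its addresses are constructed, not the poster's.

```python
import re

# Constructed sample in ASA 7.x (pre-8.3) syntax, modelled on the thread's
# config; addresses are documentation-range placeholders, not the poster's.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
global (outside) 200 203.0.113.253
static (outside,inside) 10.0.0.152 203.0.113.244 netmask 255.255.255.255 dns
"""
# Same config after the fix suggested in the thread.
FIXED = SAMPLE + "nat (inside) 200 0.0.0.0 0.0.0.0\n"

def parse(cfg):
    """Collect security levels, global/nat ids and static interface pairs."""
    levels, glob, nats, statics, ifc = {}, {}, {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            ifc = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            levels[ifc] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            glob.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            statics.append((m.group(1), m.group(2)))
    return levels, glob, nats, statics

def check(cfg):
    """Return findings: unpaired nat/global ids and reversed static pairs."""
    levels, glob, nats, statics = parse(cfg)
    out = []
    for nat_id, ifcs in glob.items():
        if nat_id not in nats:  # pool exists but no interface is told to use it
            out.append(f"global id {nat_id} on {ifcs} has no matching nat (<ifc>) {nat_id}")
    for nat_id, ifcs in nats.items():
        if nat_id != 0 and nat_id not in glob:  # nat 0 is exemption, needs no pool
            out.append(f"nat id {nat_id} on {ifcs} has no matching global pool")
    for real, mapped in statics:
        # pre-8.3 syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip
        if levels.get(real, 0) < levels.get(mapped, 0):
            out.append(f"static ({real},{mapped}) names the lower-security side first; likely reversed")
    return out
```

Running check(SAMPLE) reports the missing nat line plus the reversed static; check(FIXED) reports only the static.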

Great, I'll do that and give it a try.

Everything else looks good?

Percy
