05-11-2007 07:09 PM - edited 03-11-2019 03:13 AM
Just got a new ASA 5510 and I am having a hard time letting any traffic through. I can ping the outside interface xxx.xxx.xxx.xxx, but none of the ports are open.
Ethernet0/0 outside xxx.xxx.xxx.xxx
Ethernet0/1 inside 10.10.10.10
The nic on my iis server is 10.10.10.13
This is about as far as I have gotten. I have been using the ASDM so far. I have tried everything I can think of: static routes (not even really sure if I need this), inside/outside security policies.
I posted the code below. Thanks,
Mike
asdm image disk0:/asdm506.bin
asdm location server 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname badgernetcisco
domain-name dotnet.com
names
name 10.10.10.11 server
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group service www tcp-udp
port-object eq www
access-list outside_access_in extended permit tcp interface outside eq https interface inside eq https
access-list outside_access_out extended permit tcp interface inside eq https interface outside eq https
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 10.10.10.13 255.255.255.255 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address server-10.10.10.15 inside
dhcpd dns 216.x.x.192 216.127.221.221
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
05-12-2007 02:15 AM
Mike,
Take a look at the following document to assist; it explains how to allow SMTP traffic to a mail server on the inside network.
The principle for allowing HTTPS (port 443) is the same,
i.e.,
access-list https_in extended permit tcp any host 209.164.3.5 eq https
access-group https_in in interface outside
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
Save, and also issue: clear xlate
PS. It is advisable that you start from a fresh configuration, as the posted configuration looks a bit messy :)
Hope it helps and please rate posts if it does - good luck, let us know if you need any further help.
Jay
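The three commands above, fitted to the addressing Mike posted (inside 10.10.10.0/24, IIS server 10.10.10.13), as an added worked example that is not part of Jay's post or of any Cisco document. The public addresses are placeholders from the 203.0.113.0/24 documentation range and must be replaced with the real block; everything else is standard ASA 7.0 syntax. Two details worth seeing side by side with the posted config: the access list here names the server's public address, because in ASA ACL syntax the keyword `interface outside` means the firewall's own outside IP, not "anything arriving on outside"; and the server needs no `route` statement, since its subnet is directly connected on Ethernet0/1. If an access list called outside_access_in already exists on the box, clear it first with `clear configure access-list outside_access_in`, otherwise the old entry stays in front of the new one.

```cisco
! Added example (not from the thread): publish IIS on 10.10.10.13 over TCP/443
! through an ASA 5510 running 7.0(6). Public addresses are assumed placeholders
! from 203.0.113.0/24; substitute your own ISP-assigned block.
!
! 1. Default route toward the ISP gateway. The inside subnet is directly
!    connected, so 10.10.10.13 needs no route of its own.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 2. One-to-one static translation: a spare public address maps to the server.
!    Keeping this separate from the firewall's outside IP leaves that address
!    free for management and VPN.
static (inside,outside) 203.0.113.5 10.10.10.13 netmask 255.255.255.255
!
! 3. Inbound policy on the outside interface. Pre-8.3 ASA code matches the
!    translated (public) address here. Only 443 is opened; everything else hits
!    the implicit deny at the end of the list.
access-list outside_access_in extended permit tcp any host 203.0.113.5 eq https
access-group outside_access_in in interface outside
!
! 4. Let inside hosts reach the Internet: dynamic PAT to the outside address.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! 5. No outbound ACL is applied on outside. Return packets for permitted
!    inbound connections are allowed by the stateful connection table, and
!    inside-initiated traffic is already permitted by the default
!    higher-to-lower security-level rule.
!
! Verification from privileged EXEC after 'write memory':
!   clear xlate                           - drop stale translations so the static takes effect
!   show xlate                            - expect a line: Global 203.0.113.5 Local 10.10.10.13
!   show access-list outside_access_in    - hitcnt rises as outside clients connect
!   show conn | include 10.10.10.13       - live TCP/443 connections to the server
```

Test from a host on the Internet, not from the inside LAN: with this configuration an inside client connecting to 203.0.113.5 is not translated back to the server, so a browser test from 10.10.10.0/24 will fail even when the published service works from outside.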
05-13-2007 10:20 AM
Jay,
I entered the first 3 commands
access-list https_in extended permit tcp any host 209.164.3.5 eq https
access-group https_in in interface outside
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
then I submitted. There was a warning error.
Then I could not use the ASDM interface anymore; most parts were blanked out.
Then I tried a clear config command.
Now I can't get into ASDM, and it is not assigning DHCP anymore.
Any ideas? I can't get to the server to do a hard reset on the firewall
Mike