09-26-2013 11:54 PM - edited 03-11-2019 07:44 PM
Hi, I have faced a problem regarding traffic from outside to inside, having applied the ACL below:
access-list 101 permit ip any any
APPLY on outside interface
access-group 101 in interface outside
but my traffic didn't pass through from outside to inside.
Navaz
09-27-2013 01:17 AM
Can you describe exactly what you want to allow on your ASA? Which ASA version are you running, and can the ASA reach the internet and the internal server that you want to expose to the internet? The actual config would also help.
And "permit ip any any" is most likely not what you want to use on a firewall.
Sent from Cisco Technical Support iPad App
09-27-2013 02:58 AM
Version 8.0(2), and the ASA can ping both sides (outside to the internet and inside to the internal network).
Here is the show running-config output:
ASA(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.1.1.30
nat (inside) 1 192.168.1.0 255.255.255.0
access-group 101 in interface outside
access-group 101 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:a910fcee5200493f2ed21db7bd2f82d6
: end
ASA(config)#
Navaz
09-27-2013 03:29 AM
So it's not a real network but learning how to operate the ASA?
You should start with NAT and think about whether you really need NAT. In your diagram inside and outside should have full routing reachability, so NAT is not needed.
On the Config-Guide you find all info how NAT works on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
Start with the commands "nat", "global" and "nat-control". For your case, all of these can be removed from the config and reachability should be there.
If you want to simulate a situation where the outside interface connects to the internet you need to configure a static translation and you should keep the "nat" and "global". The additional config you need is a "static" command.
After that go over to the configuration of access-control:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/nwaccess.html
You don't want to allow any traffic into your network.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-27-2013 05:07 AM
Hi,
Check routing, I don't see any.
- Pankaj
09-27-2013 06:06 AM
The systems in this scenario are directly connected, so there is no need for an extra routing config. Of course you are right if this were an internet-connected setup. There, at least a default route would be needed.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-28-2013 05:42 PM
Have a look here:
http://www.darkmoon.org.uk/173
Regards Simon
http://www.linksysinfo.org
09-29-2013 08:31 PM
Hello Navaz,
Along with routing and the ACL, you will also need to have a static xlate configured to allow the inbound traffic. I don't see that in your configuration.
Sent from Cisco Technical Support iPad App
09-30-2013 12:02 AM
Can you please send me the xlate configuration?
Navaz
09-30-2013 12:16 PM
It should look like this:
Static (inside,outside) 192.168.1.0 192.168.1.0 net mask 255.255.255.0
I'm not sure what your topology is, but you will have to be able to route to the 192.168.1.0 network from your outside host(s).
Sent from Cisco Technical Support iPad App
09-30-2013 12:19 PM
Sorry, no space in the netmask keyword. The iPad auto correct strikes again... :-)
Sent from Cisco Technical Support iPad App
09-30-2013 09:20 PM
David, I am sending you the topology and the configuration that I configured.
ASA(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.1.1.30
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) 10.1.1.30 10.1.1.2 netmask 255.255.255.255
access-group 101 in interface outside
access-group 101 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:a910fcee5200493f2ed21db7bd2f82d6
: end
ASA(config)#
Navaz
10-01-2013 10:36 PM
Does anyone have a solution to this?
Navaz
10-01-2013 11:56 PM
What traffic (ports) are you trying to let in from outside, and to where?
Regards Simon
http://www.linksysinfo.org
10-02-2013 10:06 PM
I need any kind of traffic to pass through in both directions, that is, from inside to outside and from outside to inside.
Thanks and Regards
Navaz