05-19-2010 04:29 AM - edited 03-11-2019 10:48 AM
Hi,
LAN users are unable to access an outside network which has been permitted in the access list, but if I try to access the same network from the outside interface, I can access that network.
Find below the configuration done on the firewall.
FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list acl_outside extended permit tcp any 192.168.10.0 255.255.255.0 eq www
access-list acl_outside extended permit tcp any 192.168.10.0 255.255.255.0 eq https
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
access-group acl_outside out interface inside
access-group icmpacl in interface outside2
!
route outside2 0.0.0.0 0.0.0.0 24.0.0.2 1
route outside1 203.242.32.0 255.255.255.0 172.23.15.254 1
route outside1 203.242.35.0 255.255.255.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2479f6a773b36ca416012b410e6c5a93
: end
I am not using interface Ethernet2.
Thanks in advance if anybody can help me sort out this error.
Hasmukh
05-19-2010 04:37 AM
I am not sure how it will work if you don't use Ethernet2, because your default gateway is pointing out towards the Ethernet2 interface (outside2). If you are not using Ethernet2, which interface is connected to the internet?
You would also need to configure NAT to access the internet. Assuming that you are going to use ethernet2, then the following needs to be configured:
nat (inside) 1 0 0
global (outside2) 1 interface
If you are using the other outside1 interface instead for internet access, you would need to change the default route towards this interface. Then configure the NAT statements as well:
nat (inside) 1 0 0
global (outside1) 1 interface
Please also remove "access-group acl_outside out interface inside" for simplicity to start with.
Hope that helps.
05-19-2010 05:47 AM
Hi halijenn,
Thanks for your help. I made the changes in the default route, and NATing is done on my router so I don't need to configure NAT on the firewall, but it is the same situation: LAN users are unable to access the outside network. Find the config below.
FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
logging host outside1 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
!
!
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f28faf8c4283d5edc723fe18134aebd4
: end
FW-HyundaiHMM#
Hasmukh
05-19-2010 05:54 AM
You also need to configure the following on the ASA:
no nat-control
Then "clear xlate"
Also, I assume that your router has a route for 192.168.10.0/24 pointing back towards the ASA outside1 interface (172.23.15.11), and that NATing on the router also includes the 192.168.10.0/24 subnet?
05-19-2010 06:08 AM
Hi halijenn,
I configured no nat-control and clear xlate. I am sorry to provide incomplete info; the topology is as below:
LAN--FIREWALL--SWITCH(unmanageable)-ROUTER
so I don't need to have a route back to the firewall.
Do you find anything else which I can configure on the firewall so it can work as I desire?
Thanks once again
Hasmukh
05-19-2010 06:23 AM
Of course you need a route back on the router for the firewall LAN; otherwise, how would the router know where to route the 192.168.10.0/24 subnet?
Alternatively, you can just PAT on the ASA, and since the router will be in the same subnet as the outside1 interface, that will take care of it.
nat (inside) 1 0 0
global (outside1) 1 interface
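The two points halijenn makes (the default route must leave through an interface that carries a matching nat/global pair, and untranslated LAN traffic only works if the next hop has a route back) can be checked mechanically against a show run. The following script is an added example, not something from the thread; it parses only the `nat`, `global` and default `route` lines of a PIX/ASA 8.0 config and reports which of the two conditions is unmet. The two config excerpts inside it are constructed, modelled on the first and final dumps in this thread.

```python
import re

# Constructed excerpt modelled on the thread's first config (not the poster's
# full dump): default route points out outside2 and there is no nat/global pair.
CONFIG_BEFORE = """\
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-group acl_inside in interface inside
route outside2 0.0.0.0 0.0.0.0 24.0.0.2 1
"""

# Constructed excerpt modelled on the final config: default route moved to
# outside1 and PAT (a matching nat/global pair) added on that same interface.
CONFIG_AFTER = """\
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
global (outside1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
"""


def parse(cfg):
    """Collect global pools (id -> interfaces), nat ids (interface -> id) and
    default routes (interface, next hop) from an ASA 8.0 style show run."""
    pools, nats, routes = {}, {}, []
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"global \((\S+)\) (\d+)", line):
            pools.setdefault(m.group(2), set()).add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats[m.group(1)] = m.group(2)
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            routes.append((m.group(1), m.group(2)))
    return pools, nats, routes


def check(cfg, lan="inside"):
    """Return the default-route egress interface plus findings: either no
    translation for the LAN (so the next hop needs a return route) or a nat id
    whose global pool is not on the egress interface. nat-control is not modelled."""
    pools, nats, routes = parse(cfg)
    if not routes:
        return {"egress": None, "findings": ["no default route configured"]}
    egress, gw = routes[0]
    findings = []
    pool = nats.get(lan)
    if pool is None:
        findings.append(f"no nat ({lan}): {gw} needs a return route for the LAN")
    elif egress not in pools.get(pool, set()):
        findings.append(f"nat ({lan}) {pool} has no global ({egress}) {pool}")
    return {"egress": egress, "findings": findings}
```

Running `check(CONFIG_BEFORE)` reports the missing translation on outside2; `check(CONFIG_AFTER)` returns no findings because the PAT pool sits on the same interface as the default route.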
05-19-2010 06:55 AM
Hi halijenn,
Thanks for your prompt support. As I don't have access to the router, I can't configure a route back to the firewall, but I configured NAT as you suggested. Find the firewall configuration below.
FW-HyundaiHMM# show run
: Saved
:
PIX Version 8.0(3)
!
hostname FW-HyundaiHMM
enable password f1/B5iV9rJ.dvsDE encrypted
names
dns-guard
!
interface Ethernet0
description P2P link
speed 100
duplex full
nameif outside1
security-level 0
ip address 172.23.15.11 255.255.255.0
!
interface Ethernet1
description LAN interface
speed 100
duplex full
nameif inside
security-level 50
ip address 192.168.10.11 255.255.255.0
!
interface Ethernet2
description Internet Gateway
speed 100
duplex full
nameif outside2
security-level 0
ip address 24.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
!
access-list icmpacl extended permit icmp any 192.168.10.0 255.255.255.0
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
logging host inside 172.23.15.33
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmpacl in interface outside1
access-group acl_inside in interface inside
route outside1 0.0.0.0 0.0.0.0 172.23.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.23.15.0 255.255.255.0 outside1
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map icmp-class
match access-list icmpacl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a1539d1ca9ff673af0f23f1ffa2d099e
: end
FW-HyundaiHMM#
05-19-2010 10:56 PM
Are you just testing browsing the Internet? Are you able to ping from the internal network? Can you ping the internet from the ASA itself? Where is the DNS server, internal or external DNS server, and are they able to perform dns resolution?
Can you test by configuring the following ACL:
access-list acl_inside extended permit ip 192.168.10.0 255.255.255.0 any