12-30-2013 05:19 PM - edited 02-21-2020 05:04 AM
Hi, I just got an ASA 5505 and I am trying to get to the internet and I can't. I traced the problem to an implicit rule that can't be deleted or changed that denies outside ip any > any. How can I solve this?
Thanks
12-30-2013 11:34 PM
Each ACL that is bound to an interface has an invisible "deny ip any any" statement (there are exceptions to that with global ACLs on the ASA). That is the implicit deny. You can't remove that entry, but you can force your ASA to never reach that Access-List-Entry. Just add a "permit ip any any" as the last line to your ACL.
Sent from Cisco Technical Support iPad App
01-01-2014 12:43 PM
I already made an ACL to permit any > any ip; now I still can't get to the router's interface (the ASA external Ethernet is connected to the router's internal Ethernet port). I already did static NAT on the ASA's internal network, which is (192.168.1.0/24), to be translated into the external ASA's Ethernet (which is 192.168.0.0/24), which is also the router's internal network.
Do you think that I might be missing something else?
Oh, and I already added a static route to any network to the router IP address as a default gateway for the ASA to get to the internet.
Thank you.
01-02-2014 05:01 AM
Perhaps you could post your config minus any public IP info ?
Jon
01-03-2014 01:34 AM
hostname ciscoasa
domain-name nav.info
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.1 router description router
name 192.168.1.10 WebServer-Internal
name 192.168.0.0 Outside-network
name 192.168.0.10 WebServer-External
name 192.168.1.6 Aeroresearcher-IN
name 192.168.0.230 Aeroresearcher-OUT
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.6 255.255.255.0
!
interface Vlan5
no nameif
security-level 50
ip address dhcp
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.4.4.2
domain-name nav.info
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object tcp eq www
service-object tcp eq https
service-object udp eq snmp
service-object udp eq snmptrap
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object icmp6
access-list testvpn2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list inside_authentication extended deny tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.208 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn 192.168.1.100-192.168.1.200 mask 255.255.255.0
ip local pool vpn2 192.168.1.205-192.168.1.210 mask 255.255.255.255
ip local pool vpn3 192.168.1.215-192.168.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.0.8-192.168.0.15 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Outside-network 192.168.1.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication match inside_authentication inside LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy testvpn2 internal
group-policy testvpn2 attributes
vpn-tunnel-protocol IPSec
default-domain value nav.info
group-policy testvpn2_1 internal
group-policy testvpn2_1 attributes
dns-server value 4.4.4.2
vpn-tunnel-protocol IPSec
01-03-2014 03:10 AM
Your ACL implementation (and much of the complete config) is a real mess (sorry to say that).
Please specify what you want to achieve and then let's work out how the config should be modified.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-03-2014 10:43 AM
Thanks Karsten,
I need inbound traffic to be able to go back to the internet and browse HTTP, HTTPS. I have a VPN set up and I am using VPN client software; everything works fine in the VPN, but when I disable split tunneling (which is what I want to do) the VPN clients can't go to the internet (naturally, because my internal network can't). The VPN pool I set up is in the same internal network IP range.
When I first got the ASA I made a change in the CLI which I learned, which is to allow HTTP and HTTPS to my web server by creating an access list specifying the IP of my server; the only computer that can go to the internet from the internal network is my web server computer. I am not sure which version you are referring to here; the ASDM version is (6.4).
The answer to your number 5 is YES, YES.
Thanks
01-03-2014 11:16 AM
I am not sure which version you are referring to here; the ASDM version is (6.4).
I'm referring to the ASA version. You see the version with "show version" at the top of the output.
The answer to your number 5 is YES, YES.
Is it a DSL router (PPPoE?) that you can reconfigure to bridge mode? With that, the public IP that is now on that router would be moved to the ASA, and you would have more control over the needed functions like NAT. The rest of the config is dependent on that, so we have to figure that out first.
01-03-2014 01:30 PM
This is the router, which is actually a modem and a router and an access point (3 in 1): http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html but if there is bridging in the router (which I doubt), then what is the static route on the ASA going to be? (Now the static route on the ASA is > OUTSIDE INTERFACE > NETWORK ANY > GATEWAY > (the router's internal IP address).)
01-04-2014 03:27 AM
Based on your needs I would try to reduce the complexity of the config:
1) NAT
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html
As you are doing NAT on the cable router, you can remove NAT completely from the ASA.
For that the cable router needs a route for all internally used networks pointing to your ASA. You can configure a static route on the Motorola router for 192.168.0.0 255.255.0.0 pointing to your ASA address 192.168.0.6. That one is really important. Without that route no outbound traffic will work.
The router also needs to send all traffic that arrives on the external interface to the ASA. This function is often named "exposed host" or "DMZ host". That's for your incoming traffic like VPN.
On the ASA, disable all NAT:
clear configure nat
clear configure global
clear configure static
clear configure access-list inside_nat0_outbound
no nat-control
2) Access-Control
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_nw.html
If you don't want to control outgoing traffic you can remove all access control in the outbound direction. The access control in the inbound direction can be skipped if you don't have internal hosts that should be reachable from outside:
no access-group inside_access_in in interface inside
no access-group inside_access_out out interface inside
no access-group outside_access_in in interface outside
no access-group outside_access_out out interface outside
clear configure access-list outside_access_in
clear configure access-list inside_access_out
clear configure access-list inside_access_in
clear configure access-list outside_access_out
no object-group service DM_INLINE_SERVICE_1
no object-group protocol DM_INLINE_PROTOCOL_1
no object-group protocol DM_INLINE_PROTOCOL_2
no object-group protocol DM_INLINE_PROTOCOL_3
no object-group protocol DM_INLINE_PROTOCOL_4
no object-group protocol DM_INLINE_PROTOCOL_5
3) For hairpinning VPN traffic you have to allow that traffic to enter and leave the same interface:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479
same-security-traffic permit intra-interface
4) For firewalling, the typical inspections are missing:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect http
!
service-policy global_policy global
5) Your VPN config allows many insecure and unneeded algorithms, and it's unlikely that you need VPN on the inside interface:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ike.html
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
no crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto isakmp enable inside
It's likely that there is still something missing, but that could be the starting point for your further config.
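As an added example (not code from this thread or from Cisco), here is a small Python audit over a constructed ASA 8.2-style config excerpt. It flags the points raised above: a "permit ip any any" bound inbound on the outside interface (which makes the implicit deny unreachable), transform sets that use DES/3DES or MD5, and ISAKMP enabled on the inside interface. The sample lines and the function name audit are my own assumptions, modelled on the posted config.

```python
import re

# Constructed excerpt modelled on the posted config (assumption: ASA 8.2 syntax).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable inside
crypto isakmp enable outside
"""

# Algorithm tokens the thread recommends removing from the transform sets.
WEAK_TOKENS = ("esp-des", "esp-3des", "esp-md5-hmac")


def audit(config: str) -> list:
    """Return one finding string per problem found; an empty list means clean."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # First pass: ACL name -> list of (direction, interface) bindings.
    bindings = {}
    for l in lines:
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", l)
        if m:
            bindings.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    # Second pass: check ACL entries, transform sets and ISAKMP interfaces.
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any$", l)
        if m:
            for direction, iface in bindings.get(m.group(1), []):
                if direction == "in" and iface == "outside":
                    findings.append(f"{m.group(1)}: 'permit ip any any' bound inbound "
                                    "on outside defeats the implicit deny")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", l)
        if m:
            weak = [t for t in m.group(2).split() if t in WEAK_TOKENS]
            if weak:
                findings.append(f"transform-set {m.group(1)} uses weak "
                                f"algorithm(s): {', '.join(weak)}")
        if l == "crypto isakmp enable inside":
            findings.append("ISAKMP enabled on the inside interface; usually not needed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The inside_access_in "permit ip any any" is deliberately not flagged: inbound on the inside interface it only governs traffic leaving the LAN, which is what the thread wants.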
01-05-2014 10:13 PM
Thank you very much. There is one thing though: the router doesn't have any NAT options, so what if I want to do it with the current config, I mean with the addition of your suggested config? What would the final config look like? Oh, and there is something else: when I do a packet trace to the router's interface (192.168.0.1) or any other host on the internet, sometimes it says allowed but I can't actually get to it, and sometimes it says denied or dropped, and when I trace the ACL that drops it, I see that it is one of the implicit access lists!! It is a little confusing; I mean it is not really a black and white thing.
Thanks