02-20-2015 07:52 AM - edited 03-05-2019 12:51 AM
Hi,
I'm new to networking and I have a problem setting up an ASA 5512 firewall. The problem is that I can't set up an internet connection inside my network.
I've created two interfaces: WAN with the public IP address (security level 0), and LAN with the IP of 192.168.35.4, security level 100. Actually, we are replacing the old router, and this one should take its address. I've added a static route 0/0 to my default gateway, and I'm able to ping Google's DNS server from the router, but can't from a network computer. The network switch is also present on 192.168.35.254.
For testing purposes I've changed the WAN IP address to 192.168.99.1 and attached a computer to it with IP 192.168.99.2, and when I try to ping it from the LAN interface, the ping does not return.
I would appreciate any help.
02-24-2015 04:57 AM
How could I do that?
02-24-2015 05:02 AM
Well if you temporarily want to disable it -
"no access-group global_access global"
The above won't remove the ACL from the configuration, but it will stop it being used.
I don't know your company security rules so I don't know whether it needs to be there or not.
If it does try adding this line -
access-list global_access permit icmp host 192.168.35.11 host 192.168.99.2 echo
This will allow you from inside to out, and ICMP inspection should allow it back in.
However you won't be able to start the ping from the outside host. For that you would need another line in the above acl.
Jon
02-24-2015 05:14 AM
That will solve pinging, but what about the Internet connection? Will my LAN user be able to access the Internet, because that's actually the main problem? And disabling the ACL represents a security issue.
02-24-2015 05:22 AM
No they wouldn't.
You could try adding -
access-list global_access permit ip 192.168.35.0 255.255.255.0 any
to that ACL and that should work, or you can be more specific if you know the ports are just http/https etc., e.g.
access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 80
access-list global_access permit tcp 192.168.35.0 255.255.255.0 any eq 443
etc
but that would apply it to all interfaces, and I can't see the logic of doing that.
Or perhaps you can have an ACL on the inside interface to allow that specific traffic rather than on all interfaces.
To be honest I haven't used global acls and I'm not sure what the best practice is in terms of how you use them.
I'm assuming the global acl merges with any acl applied to the interface but I can't say for sure.
Looking at the existing rules in that acl I can't see why you would want to apply some of the lines in the acl to all interfaces but perhaps I am misunderstanding something.
Jon
02-24-2015 05:31 AM
Just had a quick read of the docs.
If you have an ACL applied inbound to an interface and a global ACL, then the rules in the ACL applied to the interface are processed first and then the global ones.
So you could have an inside ACL allowing that traffic.
As to which to use I can't say because I don't know what your company's security policies are.
Jon
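To make the two points in Jon's replies above concrete (the global_access lines he suggests, and the order in which the ASA walks an interface ACL before the global ACL), here is a small simulator added for this thread; it is not Cisco code and not anything from the ASA. It parses the `access-list` lines quoted in the thread into rules and evaluates a packet against an interface ACL followed by a global ACL with the implicit deny at the end. The rule lines, interface name `inside_access`, and the test addresses (8.8.8.8, 192.168.35.11) are constructed for the example; it also simplifies by ignoring the ASA's default permit for higher-to-lower security traffic when no ACL is applied at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of ASA extended-ACL evaluation (added example, not ASA code).
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # TCP/UDP destination port from "eq N"
    icmp_type: Optional[str] = None  # e.g. "echo"


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use a subnet mask, not a wildcard mask
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = icmp_type = None
    rest = tok[i:]
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
        dport = int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]
    return Rule(action, proto, src, dst, dport, icmp_type)


def _matches(rule: Rule, proto, src, dst, dport, icmp_type) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != icmp_type:
        return False
    return True


def evaluate(interface_acl: List[Rule], global_acl: List[Rule], proto: str,
             src: str, dst: str, dport: int = None, icmp_type: str = None) -> str:
    """First match wins: interface ACL rules, then global ACL rules, then the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in list(interface_acl) + list(global_acl):
        if _matches(rule, proto, src_ip, dst_ip, dport, icmp_type):
            return rule.action
    return "deny"  # implicit deny at the end of the combined list


# Constructed sample ACLs, modelled on the lines quoted in the thread.
GLOBAL_ACL_LINES = [
    "access-list global_access permit icmp host 192.168.35.11 host 192.168.99.2 echo",
]
INSIDE_ACL_LINES = [
    "access-list inside_access permit tcp 192.168.35.0 255.255.255.0 any eq 80",
    "access-list inside_access permit tcp 192.168.35.0 255.255.255.0 any eq 443",
]


def demo() -> dict:
    """Evaluate a few flows from the thread against the sample inside + global ACLs."""
    g = [parse_rule(line) for line in GLOBAL_ACL_LINES]
    i = [parse_rule(line) for line in INSIDE_ACL_LINES]
    return {
        # inside host pings the outside test PC: matched by the global echo rule
        "ping_out": evaluate(i, g, "icmp", "192.168.35.11", "192.168.99.2", icmp_type="echo"),
        # ping started from the outside host: no rule, so implicit deny (as Jon notes)
        "ping_from_outside": evaluate(i, g, "icmp", "192.168.99.2", "192.168.35.11", icmp_type="echo"),
        # web browsing from the LAN: allowed by the interface ACL
        "http_out": evaluate(i, g, "tcp", "192.168.35.11", "8.8.8.8", dport=80),
        # anything not listed, e.g. SMTP, falls through to the implicit deny
        "smtp_out": evaluate(i, g, "tcp", "192.168.35.11", "8.8.8.8", dport=25),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The useful thing to notice is that once any global ACL exists, the implicit deny sits after it, so a flow that is not explicitly permitted in either list is dropped; that is why the original poster's LAN lost Internet access even though nothing had been applied to the inside interface directly.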
02-24-2015 05:41 AM
I'll test and let you know. I think that I've tried to allow ip from any to any, but the internet did not work.
02-24-2015 05:51 AM
If it's still not working after modifying the ACL, then run the "packet-tracer ..." command again to see what is happening, and post back here if you need more help.
Jon
02-25-2015 04:22 AM
Hi Jon,
Still no progress. I've made some changes to the configuration, added another interface and connected a PC directly to it, but still no luck. Here is the output:
02-25-2015 04:37 AM
Okay, that packet-tracer output is showing you that the packet was allowed out and had matching NAT rules.
So as far as the ASA is concerned that traffic is allowed through.
Because TCP is stateful the return traffic should also be allowed back to the client.
So can you check your client and the server you are connecting to, i.e. that they have the right default gateways, that the web server is actually up and running, etc.
Jon
02-25-2015 04:39 AM
When you say you have added another interface and connected the PC to it, what is the interface name?
That is the name you need to use in your packet-tracer test.
Can you clarify ?
Jon
02-25-2015 05:39 AM
I've got it to work. I can ping, access shared folders and http. Like you said, the access rules were causing the problems. Now I just need to modify the settings and permit http and https.
02-25-2015 05:41 AM
Good news.
Glad you got it working.
Jon
02-25-2015 05:43 AM
Thank you so much for your help!
02-25-2015 05:45 AM
No problem, happy to do it.
Jon
02-23-2015 08:00 AM
Roberto,
Can you check the configs below and tell me what needs to be done? I would appreciate your help a lot!