11-19-2014 01:46 PM - edited 03-05-2019 12:12 AM
I could really use some help here. I've inherited a Cisco device and none of the workstations behind it (192.168.100.0) can access anything, except http on the internet. I've got a new phone switch that needs to communicate with XO to work. Can you tell me what I need to add here to make everything open outbound for every protocol? The main devices are 192.168.100.7 and 192.168.100.100 but I'd like to open everything for the entire range. Thanks for any help!
ASA Version 8.2(2)
!
hostname CISCO-ASA
domain-name COMPANY.COM
enable password sdfsdfsdf5667587Q encrypted
passwd sdfsdfsdf5667587Q encrypted
names
name 192.168.100.102 INETBanking-inside
name 172.16.1.0 VPN-network
name 72.242.245.43 INETBanking-outside
name 10.15.1.164 ATM-Outside
name 192.168.100.252 JConnect
name 192.168.100.52 PACKET_SMART
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.248
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name COMPANY.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list VPNGroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list 1 standard permit 192.168.100.0 255.255.255.0
access-list internet extended permit tcp any 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 172.16.1.1-172.16.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.164.7.134 1
route inside 132.31.165.240 255.255.255.240 192.168.100.7 1
route inside 172.31.165.208 255.255.255.240 192.168.100.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 216.248.36.240 255.255.255.240 outside
http 192.168.100.100 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 216.248.17.0 255.255.255.0 outside
http VPN-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet VPN-network 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGroup internal
group-policy VPNGroup attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGroup_splitTunnelAcl
default-domain value company.local
vpn-group-policy VPNGroup
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
address-pool VPNPool
default-group-policy VPNGroup
tunnel-group VPNGroup ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
11-19-2014 02:08 PM
Hi,
I think you've missed this part for your defined ACLs:
"access-group <name> <in/out> <interface> <if-name>"
11-19-2014 02:15 PM
I tried adding one to the ASDM but had no luck. Would you mind giving me an example? I appreciate your response.
11-19-2014 02:28 PM
For example, if you want to give full access to your VLAN 1 hosts:
access-list INTERNET_ACCESS extended permit ip 192.168.100.0 255.255.255.0 any
access-group INTERNET_ACCESS in interface inside
11-19-2014 02:35 PM
I dropped that in and wrote mem but pings still don't return. Did I miss something? Thanks!
11-19-2014 02:54 PM
For test purposes, add this configuration to your ASA, then test for ping:
access-list outside_in_1 extended permit icmp any any echo-reply
access-group outside_in_1 in interface outside
11-21-2014 08:02 AM
It's not just pings. I want ALL traffic allowed out. We are attempting to put in a hosted phone system and it needs access to the internet on a range of ports. I don't want to just allow the range, either. They are about to scrap the Cisco and go with a Sonicwall so I hope to get this fixed today. Thanks for any additional help.
11-21-2014 08:12 AM
I dropped in the
access-list outside_in_1 extended permit icmp any any echo-reply
access-group outside_in_1 in interface outside
as a test and I can now ping and get replies! Is there a string I can put in to get ALL of the outbound ports open now? Thanks!
11-21-2014 09:33 AM
access-group INTERNET_ACCESS in interface outside
Well dropping that in might have fixed it. Testing now.
11-19-2014 03:00 PM
You don't need an ACL on the inside interface for traffic to be allowed out. All traffic is allowed out by default, as well as the return traffic. For pings, inspect icmp under your policy:
policy-map global_policy
class inspection_default
inspect icmp
HTH,
John
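The two replies above (the one pointing out that a defined ACL does nothing until it is applied with access-group, and John's point that outbound traffic is permitted by default and that ICMP replies need inspect icmp) can be checked mechanically against a saved running-config. The script below is an added example, not part of this thread or of any Cisco tool; it parses only the directives it needs from an ASA 8.2-style config (nameif, security-level, access-list, access-group, nat 0, split-tunnel-network-list, inspect), and the sample config it carries is a constructed excerpt modelled on the one in the question, not the full dump.

```python
"""Audit an ASA 8.2-style running-config for the three points raised in this
thread: ACLs that are defined but never applied, what the interface security
levels permit by default when no ACL is bound, and whether ICMP echo-replies
can return (via "inspect icmp" or an explicit permit on the outside ACL)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the config in the question (not the full dump).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list VPNGroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list internet extended permit tcp any 192.168.100.0 255.255.255.0
access-list outside_in_1 extended permit icmp any any echo-reply
access-group outside_in_1 in interface outside
nat (inside) 0 access-list inside_nat0_outbound
group-policy VPNGroup attributes
 split-tunnel-network-list value VPNGroup_splitTunnelAcl
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""


def parse_config(text):
    """Pull out the pieces the audit needs from the flat ASA config text."""
    interfaces = {}            # nameif -> security-level
    acls = defaultdict(list)   # acl name -> list of ACE strings
    groups = {}                # (nameif, direction) -> acl name bound there
    referenced = set()         # acls used by nat 0 or split tunnelling
    inspects = set()           # protocols listed under "inspect ..."
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            interfaces[current] = int(line.split()[1])
        elif line.startswith("access-list "):
            parts = line.split()
            acls[parts[1]].append(" ".join(parts[2:]))
        elif line.startswith("access-group "):
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
            if m:
                groups[(m.group(3), m.group(2))] = m.group(1)
        elif line.startswith("nat ") and "access-list" in line:
            referenced.add(line.split()[-1])
        elif line.startswith("split-tunnel-network-list value "):
            referenced.add(line.split()[-1])
        elif line.startswith("inspect "):
            inspects.add(line.split()[1])
    return interfaces, dict(acls), groups, referenced, inspects


def audit(text):
    interfaces, acls, groups, referenced, inspects = parse_config(text)
    bound = set(groups.values())
    # 1. An ACL that is neither applied with access-group nor referenced by
    #    nat 0 / split tunnelling filters nothing (the first reply's point).
    unbound = sorted(n for n in acls if n not in bound and n not in referenced)
    # 2. With no inbound ACL on an interface, the ASA's default policy lets
    #    traffic leave only toward interfaces with a *lower* security level.
    default_permits = {}
    for name, level in interfaces.items():
        if (name, "in") not in groups:
            default_permits[name] = sorted(o for o, l in interfaces.items() if l < level)
    # 3. ICMP is not tracked statefully unless inspected, so echo-replies to
    #    outbound pings need "inspect icmp" or an explicit inbound permit.
    outside_acl = groups.get(("outside", "in"))
    reply_permitted = any(
        "permit icmp" in ace and "echo-reply" in ace
        for ace in acls.get(outside_acl, [])
    )
    if "icmp" in inspects:
        icmp_path = "inspect"
    elif reply_permitted:
        icmp_path = "outside-acl"
    else:
        icmp_path = "blocked"
    return {"unbound_acls": unbound,
            "default_permits": default_permits,
            "icmp_reply_path": icmp_path}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports that the internet ACL is defined but never applied, that the inside interface (security-level 100) may send to outside (security-level 0) with no ACL at all, and that echo-replies come back only because of the outside_in_1 permit rather than inspect icmp. Two caveats when reading the output: the ASA accepts a single access-group per interface and direction, so a later access-group INTERNET_ACCESS in interface outside (as in the 11-21 09:33 post) replaces outside_in_1 rather than adding to it, and an ACL whose source is the internal 192.168.100.0/24 range cannot match packets arriving inbound on the outside interface, so inspect icmp is the cleaner fix for ping.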