cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
186
Views
0
Helpful
9
Replies
Beginner

ASA config not letting access to outside or ping

I could really use some help here. I've inherited a Cisco device and none of the workstations behind it (192.168.100.0) can access anything, except http on the internet. I've got a new phone switch that needs to communicate with XO to work. Can you tell me what I need to add here to make everything open outbound for every protocol? The main devices are 192.168.100.7 and 192.168.100.100 but I'd like to open everything for the entire range. Thanks for any help!

 

ASA Version 8.2(2)
!
hostname CISCO-ASA
domain-name COMPANY.COM
enable password sdfsdfsdf5667587Q encrypted
passwd sdfsdfsdf5667587Q encrypted
names
name 192.168.100.102 INETBanking-inside
name 172.16.1.0 VPN-network
name 72.242.245.43 INETBanking-outside
name 10.15.1.164 ATM-Outside
name 192.168.100.252 JConnect
name 192.168.100.52 PACKET_SMART
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.248
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name COMPANY.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list VPNGroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0
VPN-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list 1 standard permit 192.168.100.0 255.255.255.0
access-list internet extended permit tcp any 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 172.16.1.1-172.16.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.164.7.134 1
route inside 132.31.165.240 255.255.255.240 192.168.100.7 1
route inside 172.31.165.208 255.255.255.240 192.168.100.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 216.248.36.240 255.255.255.240 outside
http 192.168.100.100 255.255.255.255 inside
http 192.168.100.0 255.255.255.0 inside
http 216.248.17.0 255.255.255.0 outside
http VPN-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet VPN-network 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGroup internal
group-policy VPNGroup attributes
 dns-server value 192.168.100.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup_splitTunnelAcl
 default-domain value company.local
 vpn-group-policy VPNGroup
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup
tunnel-group VPNGroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

9 REPLIES 9

Hi,I think you've missed this

Hi,

I think you've missed this part for your defined ACLs:

"access-group <name> <in/out> <interface> <if-name>"

Beginner

I tried adding one to the

I tried adding one to the ASDM but had no luck. Would you mind giving me an example? I appreciate your response.

 

for example if you want to

for example if you want to give full access to your vlan 1 hosts:

 

access-list INTERNET_ACCESS extended permit ip 192.168.100.0 255.255.255.0 any 

access-group INTERNET_ACCESS in interface inside

Beginner

I dropped that in and wrote

I dropped that in and wrote mem but pings still don't return. Did I miss something? Thanks!

Highlighted

for test purpose add this

for test purpose add this configuration to your ASA then test for ping:

 

access-list outside_in_1 extended permit icmp any any echo-reply

access-group outside_in_1 in interface outside

Beginner

It's not just pings. I want

It's not just pings. I want ALL traffic allowed out. We are attempting to put in a hosted phone system and it needs access to the internet on a range of ports. I don't want to just allow the range, either. They are about to scrap the Cisco and go with a Sonicwall so I hope to get this fixed today. Thanks for any additional help.

Beginner

I dropped in the access-list

I dropped in the 

access-list outside_in_1 extended permit icmp any any echo-reply

access-group outside_in_1 in interface outside

as a test and I can now ping and get replies! Is there a string I can put in to get ALL of the outbound ports open now? Thanks!

Beginner

access-group INTERNET_ACCESS

access-group INTERNET_ACCESS in interface outside

 

Well dropping that in might have fixed it. Testing now. 

Advisor

You don't need an acl on the

You don't need an acl on the inside interface for traffic to be allowed out . All traffic is allowed out by default as well as the return traffic. For pings, inspect icmp under your policy:

 

policy-map global_policy
 class inspection_default
   inspect icmp

HTH,

John

HTH, John *** Please rate all useful posts ***
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards