01-02-2022 10:48 AM
I have done all the necessary configuration on my firewall (access list, NAT, default route) but I still can't ping the other network (outside).
01-02-2022 11:32 AM
Hello,
post the full running configuration of your ASA...
01-02-2022 01:26 PM
My inside network 192.168.1.0
My outside network 10.10.10.0(outside of the firewall)
asa- in g1/1
nameif -inside
Security -level 100%
Asa(config)# route outside 10.10.10.2 255.255.255.0 10.10.10.1
Icmp configuration =(access-list oti extended permit icmp any any echo
=access-list oti extended permit icmp any any echo-reply
=access-list oti extended permit icmp any any unreachable)
Nat configuration=( object network) # host 192.168.0.0
Asa(Config-network-object) # Nat ( inside, outside) dynamic interface
That is my configuration sir
01-02-2022 02:08 PM
Hello,
--> Asa(config)# route outside 10.10.10.2 255.255.255.0 10.10.10.1
Is this a 'real' ASA or a Packet Tracer project?
01-02-2022 03:22 PM
Packet tracer project
01-02-2022 03:47 PM
Hello,
that could explain it, the Packet Tracer ASA has a few quirks. Post the zipped project (.pkt) file...
01-02-2022 11:51 PM
01-03-2022 01:04 AM - edited 01-03-2022 01:10 AM
01-03-2022 01:16 AM
Hello,
I am not sure what file you saved, but the one you sent had a lot of errors (missing and wrong static routes on the routers, the access list on the firewall was not applied, the global policy had no ICMP inspection, the NAT had only one non-existing host).
Attached the working file.
01-03-2022 02:18 AM
OK I'm working on it after which I am sending it
01-03-2022 07:31 AM
Hello, please, I need a favor: would you do that configuration and send it to me as my guide?
Nat.
Access list
All the necessary configuration on Cisco firewall to enable outside Network routing please
01-03-2022 08:26 AM
Hello,
here are the configs for the ASA and both routers:
ciscoasa#sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
 shutdown
!
object network obj_192_168_1_0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
access-list oti extended permit icmp any any echo
access-list oti extended permit icmp any any echo-reply
access-list oti extended permit icmp any any unreachable
!
access-group oti in interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
ciscoasa#
Router0#sh run
Building configuration...
Current configuration : 773 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router0
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 bandwidth 5000
 ip address 2.2.2.2 255.0.0.0
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 8.0.0.0 255.0.0.0 2.2.2.1
ip route 192.168.1.0 255.255.255.0 10.10.10.2
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Router1#sh run
Building configuration...
Current configuration : 672 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 bandwidth 5000
 ip address 8.8.8.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 5.5.5.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 2.2.2.1 255.0.0.0
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
01-02-2022 11:55 AM - edited 01-02-2022 01:20 PM
Hello
Can you post the current running configuration of the ASA? In the interim, please see attached a possible default configuration of an ASA providing Inter-VLAN Routing, NAT and ICMP (ping).
01-02-2022 01:13 PM
ICMP inspection is needed to make the ASA forward ICMP traffic.
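The errors listed in the thread (NAT object not covering the inside subnet, wrong static route, access list never applied, no ICMP inspection) can be checked mechanically against a saved running-config. The following is an added example, not code from any poster in this thread; the function name, finding labels and both sample excerpts are constructed for illustration, and it assumes the interfaces are named `inside` and `outside` as in the thread.

```python
import ipaddress
import re

# Constructed excerpts: BROKEN as first described in the thread, FIXED as in the posted config.
BROKEN = """interface GigabitEthernet1/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network obj_inside
 host 192.168.0.0
 nat (inside,outside) dynamic interface
route outside 10.10.10.2 255.255.255.0 10.10.10.1
access-list oti extended permit icmp any any echo-reply
"""
FIXED = """interface GigabitEthernet1/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network obj_192_168_1_0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
access-list oti extended permit icmp any any echo-reply
access-group oti in interface outside
"""

def audit_asa(cfg):
    """Return findings that would break inside-to-outside ping."""
    out = []
    ip, mask = re.search(r"nameif inside\s[\s\S]*?ip address (\S+) (\S+)", cfg).groups()
    inside = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    # NAT: a dynamic PAT object must cover the whole inside subnet.
    nat = re.findall(r"object network \S+\n\s*(?:subnet|host) (\S+)(?: (\S+))?\n"
                     r"\s*nat \(inside,outside\) dynamic", cfg)
    if not any(inside.subnet_of(ipaddress.ip_network(f"{a}/{m or 32}")) for a, m in nat):
        out.append("nat-does-not-cover-inside")
    # Routing: destinations must be network addresses, and a default is needed.
    routes = re.findall(r"^route outside (\S+) (\S+) \S+", cfg, re.M)
    for dest, m in routes:
        if str(ipaddress.ip_network(f"{dest}/{m}", strict=False).network_address) != dest:
            out.append(f"route-has-host-bits:{dest}")
    if ("0.0.0.0", "0.0.0.0") not in routes:
        out.append("no-default-route")
    # ICMP replies: need 'inspect icmp' or an applied ACL permitting echo-reply.
    acls = set(re.findall(r"^access-list (\S+) .*icmp any any echo-reply", cfg, re.M))
    applied = set(re.findall(r"^access-group (\S+) in interface outside", cfg, re.M))
    out += [f"acl-not-applied:{n}" for n in sorted(acls - applied)]
    if not re.search(r"^\s*inspect icmp\b", cfg, re.M) and not acls & applied:
        out.append("no-icmp-return-path")
    return out
```

With `inspect icmp` under `class inspection_default`, echo replies are matched to the outgoing request statefully, so the outside access list no longer has to permit `echo-reply` from `any`.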