04-19-2012 07:42 PM - edited 03-04-2019 04:05 PM
For some reason my ASA is preventing my traffic from going out. I've added some crummy access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.
Please help!
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
access-list Split_Tunnel_ACL standard permit 10.0.1.0 255.255.255.0
access-list 1 extended permit ip any 10.0.0.0 255.255.255.0
access-list 1 extended permit icmp any any
access-list 1 extended permit tcp any 10.0.0.0 255.255.255.0
access-list 1 extended permit ip 10.0.0.0 255.255.255.0 any
access-list 1 extended permit icmp 10.0.0.0 255.255.255.0 any
access-list 1 extended permit tcp 10.0.0.0 255.255.255.0 any
access-list 1 extended permit udp 10.0.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool_fixed 10.0.1.2-10.0.1.11 mask 255.255.255.0
ip local pool vpnssl_fixed 10.0.1.12-10.0.1.14 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list 1
nat (inside) 1 0.0.0.0 0.0.0.0 outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set Mike_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto dynamic-map Mike 65535 set pfs group1
crypto dynamic-map Mike 65535 set transform-set Mike_SET
crypto map Mike 65535 ipsec-isakmp dynamic dynmap
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic Mike
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 1
vpn-sessiondb max-webvpn-session-limit 1
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 30
ssh 10.0.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 10.0.0.1
dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.0.33 inside
dhcpd enable inside
04-20-2012 04:23 AM
Michael,
Take this off:
nat (inside) 1 access-list 1
nat (inside) 1 0.0.0.0 0.0.0.0 outside
Add this:
nat (inside) 1 0.0.0.0 0.0.0.0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect icmp
service-policy global_policy global
Also, make sure that you are getting a default route from the provider. You can do a "show route" to see this.
HTH,
John
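As an added example (not part of the thread, and not Cisco's code), here is a small Python checker that reads 8.2-style ASA configuration text and flags the three things John's answer changes: the stray `outside` keyword on an inside-interface `nat` statement, the policy-NAT rule tied to `access-list 1`, and the missing ICMP inspection / global service-policy. In 8.2 syntax the `outside` keyword marks a `nat` statement as outside NAT, which only applies when the real interface has a lower security level than the interface named in the matching `global`; the checker reads the `security-level` of each `nameif` so it can decide that, and it also flags the opposite case (a lower-security real interface without the keyword), which goes beyond this thread. The two config samples are constructed from the lines posted above and from the answer's fix; the regexes and the `check_nat` function are my own assumptions about the 8.2 command shapes, not an official parser.

```python
from __future__ import annotations
import re

# Constructed sample: the interface and NAT lines from the posted config,
# i.e. the "before" state the checker should flag.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list 1 extended permit ip 10.0.0.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list 1
nat (inside) 1 0.0.0.0 0.0.0.0 outside
"""

# Constructed sample: the same section after applying the answer's fix.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""

# Assumed 8.2 command shapes: "nat (real_ifc) id real_ip mask [outside] ...",
# "nat (real_ifc) id access-list name", "global (mapped_ifc) id ...".
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
SECLVL_RE = re.compile(r"^security-level (\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")


def check_nat(config: str) -> list[str]:
    """Lint 8.2-style NAT statements; return findings, empty when clean."""
    levels: dict[str, int] = {}       # nameif -> security-level
    globals_: dict[str, str] = {}     # nat_id -> mapped interface
    nats: list[tuple[str, str, list[str]]] = []
    icmp_inspected = policy_applied = False
    current_ifc = None

    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            current_ifc = m.group(1)
        elif (m := SECLVL_RE.match(line)) and current_ifc:
            levels[current_ifc] = int(m.group(1))
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = m.group(1)
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), m.group(2), m.group(3).split()))
        elif line == "inspect icmp":
            icmp_inspected = True
        elif line.startswith("service-policy ") and line.endswith(" global"):
            policy_applied = True

    findings: list[str] = []
    for real_ifc, nat_id, tokens in nats:
        where = f"nat ({real_ifc}) {nat_id}"
        if nat_id != "0" and nat_id not in globals_:   # id 0 is identity NAT
            findings.append(f"{where}: no 'global' with id {nat_id}, nothing to translate to")
            continue
        mapped_ifc = globals_.get(nat_id)
        if tokens[0] == "access-list":
            findings.append(f"{where}: policy NAT on access-list {tokens[1]}; "
                            "only traffic matching that ACL is translated")
        has_outside = "outside" in tokens
        if real_ifc in levels and mapped_ifc in levels:
            needs_outside = levels[real_ifc] < levels[mapped_ifc]
            if has_outside and not needs_outside:
                findings.append(f"{where}: 'outside' keyword means outside NAT, but "
                                f"{real_ifc} ({levels[real_ifc]}) is not lower security than "
                                f"{mapped_ifc} ({levels[mapped_ifc]}); remove it")
            elif needs_outside and not has_outside:
                findings.append(f"{where}: {real_ifc} is lower security than {mapped_ifc}; "
                                "outside NAT needs the 'outside' keyword")
    if not icmp_inspected:
        findings.append("no 'inspect icmp': echo replies from outside are not tracked "
                        "statefully and are dropped unless an access-list permits them")
    if not policy_applied:
        findings.append("no 'service-policy ... global': inspection policy-map is not applied")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_nat(cfg) or ['clean']}")
```

Run it against `show running-config` output saved to a file; a clean result means the NAT pairing and inspection policy look right, after which `show route` (as John says) and `packet-tracer input inside tcp 10.0.0.5 12345 75.75.75.75 53` are the next things to check on the box itself.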
04-23-2012 09:12 PM
Thanks John!!
This is exactly what I needed to do. I was so tired of reading over and over my config that I completely didn't notice that I had tacked on the word "outside" on my nat (inside) 1 0 0 statement.
Thanks!