11-15-2008 03:42 AM - edited 03-04-2019 12:20 AM
Hi All,
I've been fighting my ASA 5505 for a couple of days now, but I can't get it to work the way it should.... Situation:
SDSL Routed Subnet Internet Connection
IP: x.x.x.83/29
I setup my Outside port (port '0') with IP x.x.x.84/29
Cisco IP: 192.168.1.55 (connected ASDM GUI)
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.55 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.84 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool x_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 x.x.x.83 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd enable inside
!
group-policy Demiam_Tunnel internal
group-policy Demiam_Tunnel attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec
username ralfmusterd password xxx encrypted privilege 0
username ralfmusterd attributes
vpn-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel type ipsec-ra
tunnel-group Demiam_Tunnel general-attributes
address-pool Demiam_Pool1
default-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
I can't connect from the inside network to the internet... I guess I need to modify/add some rules, but I don't know what and where... Please help, thanks!
11-15-2008 04:01 AM
Hi,
I think you are missing the following:
Global (Outside) 1 interface. As long as nat (inside) 1 and global (outside) 1 are configured, there are no additional rules needed to permit the traffic from a higher Security Level to a lower Security Level.
also you need to correct the following:
from
route inside 0.0.0.0 0.0.0.0 x.x.x.83
to
route outside 0.0.0.0 0.0.0.0 x.x.x.83
HTH
Mohamed
11-15-2008 05:04 AM
Mohamed,
Thanks for your reply!
I have changed route 'inside' to 'outside' without any problems... but... can you be more explicit about the next one;
'Global (Outside) 1 interface , as long as (Nat) inside 1 , Global (Outside)1 configured , then there is no additional rules to permit the traffic from higher Security Level to a lower Security level.'
I do not understand...thanks again!
11-15-2008 05:55 AM
What Mohamed means is that you have
nat (inside) 1 0.0.0.0 0.0.0.0
but you have no global (outside) 1 interface statement to match.
Your inside addresses are 192.168.1.x, these addresses will not route on the Internet so you need to NAT/PAT them to the public IP on your outside interface. You do this by matching
nat (inside) 1 0.0.0.0 0.0.0.0
with
global (outside) 1 interface
So apart from your nat (inside) 0 exemption all traffic destined for the Internet from inside will be natted to the public IP on the outside interface of your ASA.
Traffic by default is allowed from a higher security (your inside interface) to a lower security (your outside interface) so you do not need to update any access-lists. Remember with a stateful firewall once you allow traffic one way the return traffic is allowed without an acl.
So if you just add "global (inside) 1 interface" you should be able to get connectivity to the Internet.
Jon
11-15-2008 11:08 AM
I'm starting to feel a bit stupid, to be honest.. :(
I set up what I think is correct, here are the changes.... damn, this is harder than I thought...
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.55 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 87.x.x.84 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 87.x.x.83 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 access-list outside_nat_outbound
route outside 0.0.0.0 0.0.0.0 87.x.x.83 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd enable inside
!
group-policy Demiam_Tunnel internal
group-policy Demiam_Tunnel attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec
username ralfmusterd password xxx encrypted privilege 0
username ralfmusterd attributes
vpn-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel type ipsec-ra
tunnel-group Demiam_Tunnel general-attributes
address-pool Demiam_Pool1
default-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
11-15-2008 12:10 PM
I'm starting to feel a bit stupid, to be honest.. :(
:-), you should have seen my recent performance in LAN Routing & Switching after I had had a few too many!!
Don't worry, everything's easy, but only once you know how to do it.
You have set the following in your config
global (outside) 1 87.x.x.83 netmask 255.255.255.248
but 87.x.x.83 is the default-gateway of the ISP router or at least that is what you have in your router statement.
87.x.x.80 255.255.255.248 is your network which gives you
87.x.x.81 -> 87.x.x.86 as usable addresses, with .87 as the broadcast address.
So you can use any of the above except .83 and the broadcast. Is there some reason you do not want to use the outside interface address on your ASA, i.e. 87.x.x.84?
If you don't mind using it replace
global (outside) 1 87.x.x.83 netmask 255.255.255.248
with
global (outside) 1 interface
If you want to use one of the other addresses
global (outside) 1 87.x.x.85 netmask 255.255.255.255
Jon
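A small configuration lint, added here as an example and not code from this thread or from Cisco, that checks the three points raised in Mohamed's and Jon's replies: that every numbered nat statement has a matching global on another interface, that the default route's next hop is on-link for the interface the route names, and that a literal global address is a usable host in the outside subnet and not the ISP gateway. The public addresses 203.0.113.80/29 are constructed placeholders standing in for the thread's 87.x.x.80/29, and the sample configs are trimmed to the relevant lines.

```python
import ipaddress
import re

# Regexes for the three ASA 7.x statements the thread is about.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_interfaces(lines):
    """Map each nameif to its IPv4Interface from 'interface / nameif / ip address' blocks."""
    ifaces, nameif = {}, None
    for s in lines:
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ip, mask = s.split()[2:4]
            ifaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


def lint_asa_nat(config_text):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    lines = [l.strip() for l in config_text.splitlines()]
    ifaces = parse_interfaces(lines)
    nats, globs, routes = [], [], []
    for s in lines:
        m = NAT_RE.match(s)
        if m:
            nats.append((m.group(1), int(m.group(2))))
            continue
        m = GLOBAL_RE.match(s)
        if m:
            globs.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = DEFAULT_ROUTE_RE.match(s)
        if m:
            routes.append((m.group(1), m.group(2)))
    findings = []

    # Check 1: every nat (X) N with N > 0 needs a global (Y) N on the exit interface.
    # nat (X) 0 is NAT exemption and needs no global.
    for iface, nid in nats:
        if nid and not any(gid == nid and giface != iface for giface, gid, _ in globs):
            findings.append(f"nat ({iface}) {nid} has no matching global {nid} on another interface; "
                            "inside hosts cannot be translated to a public address")

    # Check 2: the default route's next hop must be on-link for the interface it names.
    gateways = set()
    for iface, gw in routes:
        gateways.add(gw)
        net = ifaces.get(iface)
        if net is None or ipaddress.ip_address(gw) not in net.network:
            findings.append(f"route {iface} 0.0.0.0 0.0.0.0 {gw}: next hop is not in the {iface} subnet; "
                            "the default route most likely belongs on the outside interface")

    # Check 3: a literal global address must be a usable host in that interface's subnet
    # and must not be the ISP router's address.
    for iface, nid, addr in globs:
        net = ifaces.get(iface)
        if addr == "interface" or net is None:
            continue
        for a in addr.split("-"):  # 'x.x.x.85-x.x.x.86' ranges: check both ends
            ip = ipaddress.ip_address(a)
            if ip not in net.network or ip in (net.network.network_address,
                                               net.network.broadcast_address):
                findings.append(f"global ({iface}) {nid} {addr}: not a usable host address in {net.network}")
            elif a in gateways:
                findings.append(f"global ({iface}) {nid} {addr}: this is the default-gateway address, "
                                "so the ASA would translate to the ISP router's IP")
    return findings


# Constructed sample configs (203.0.113.80/29 stands in for the thread's 87.x.x.80/29).
COMMON = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.55 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.84 255.255.255.248
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
FIRST_POST = COMMON + "route inside 0.0.0.0 0.0.0.0 203.0.113.83 1\n"
SECOND_TRY = COMMON + ("global (outside) 1 203.0.113.83 netmask 255.255.255.248\n"
                       "route outside 0.0.0.0 0.0.0.0 203.0.113.83 1\n")
FIXED = COMMON + ("global (outside) 1 interface\n"
                  "route outside 0.0.0.0 0.0.0.0 203.0.113.83 1\n")

if __name__ == "__main__":
    for name, cfg in [("first post", FIRST_POST), ("second try", SECOND_TRY), ("fixed", FIXED)]:
        result = lint_asa_nat(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the three stages of the thread, the lint reports two findings for the first post (no global for nat 1, default route on the wrong interface), one for the second attempt (global set to the gateway address) and none once the global uses the interface keyword; the same checks can be pointed at a full `show running-config` paste, since the unrelated lines are simply ignored.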
11-16-2008 04:02 AM
Hi Jon,
Set it up like this now;
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.55 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 87.x.x.84 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 87.x.x.85 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 access-list outside_nat_outbound
route outside 0.0.0.0 0.0.0.0 87.x.x.83 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd enable inside
!
group-policy Demiam_Tunnel internal
group-policy Demiam_Tunnel attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec
username ralfmusterd password xxx encrypted privilege 0
username ralfmusterd attributes
vpn-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel type ipsec-ra
tunnel-group Demiam_Tunnel general-attributes
address-pool Demiam_Pool1
default-group-policy Demiam_Tunnel
tunnel-group Demiam_Tunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
But no go yet... I can't see this case in a helicopter view... damn. Thanks for your help Jon!
11-17-2008 02:17 PM
Things to check
1) From the firewall can you ping the default-gateway 87.x.x.83
2) What is the source IP address you are trying to access the internet from ?
3) If you do a "sh xlate" or "sh running-config xlate", do you see a translation for the IP address in 2)?
Jon
11-17-2008 02:18 PM
Can you ping anything outside from a host on the 192.168.1.x subnet? I noticed in your dhcp settings, you aren't setting a dns server. If you can ping an address (4.2.2.1), I would add the dns settings to your scope (unless you're manually setting them, and then I'm way off).
dhcpd dns
--John