09-25-2012 09:58 AM - edited 03-07-2019 09:06 AM
I inherited a Cisco ASA 5505 and am trying to piggyback the device off of an established network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the Internet without any problems. Devices from the 192.168.10.x network cannot ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACLs but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x network.
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.10.9 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.10.1
!
dhcpd address 192.168.40.5-192.168.40.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aeda67798b0e31c50b0824462a759a8a
: end
09-26-2012 01:43 AM
hello Jm,
you can use this command
hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
This will tell you where the ASA drops the packet, and the detailed keyword will also show you the detailed information about the reason for the connection drop. Then start from there.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
please rate if this helps.
thanks
09-26-2012 08:32 AM
Hi, Amrinder!
I've looked at this in the ASDM and it says the packets are dropped. However, via a ping, packets are still going through to the 192.168.10.x Network. Also, using the example you specified (I looked at the link as well), I'm not able to get the command to run.
"packet-tracer input inside tcp 192.168.40.5 192.168.10.15 detailed"
09-26-2012 01:29 PM
try like this
"packet-tracer input inside tcp 192.168.40.5 555 192.168.10.15 80 detailed"
You need to add port numbers as well. Pick any source port like I did (555) and destination 80, which is the web port.
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
It should give you output like this if it drops the packet.
thanks
10-04-2012 06:24 PM
Hello Singh,
thanks for sharing this command, it's really helpful.
thanks
09-27-2012 02:17 AM
Hi JM,
The first requirement that is failing, "Devices from the 192.168.10.x Network can not ping the inside VLAN1 (192.168.40.x)", is due to the subnet 192.168.10.x having a lower security level and the subnet 192.168.40.x having a higher security level, so it will be denied by default from outside to inside.
Secondly, do you want guest users in network 192.168.40.x to have access to the internet, right? If so, then try the below; it may work for you -
on the firewall -
$enable nat-control$
nat-control
$ apply access-list related to inside and outside$
access-list INSIDE_IN permit ip 10.1.40.0 255.255.255.0 any
access-list INSIDE_IN deny ip any any
access-group INSIDE_IN in interface inside
=== This may serve your requirement. If you want to allow any outside to inside, then it will require an ACL and access-group to be enabled === Good Luck!
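As an added example that is not part of this thread, here is an inside-interface ACL that matches the original requirement (guests on 192.168.40.0/24 reach the Internet but not the 192.168.10.0/24 LAN) using the addresses from the posted 8.2(1) config; the ACL name GUEST_IN is an assumption, and the three entries must stay in this order because the ASA evaluates an ACL top-down with first match and an implicit deny at the end.

```cisco
! Added example, not from the thread. Assumes ACL name GUEST_IN and the
! addresses in the posted config: inside 192.168.40.0/24, outside interface
! 192.168.10.9, default gateway and DNS server 192.168.10.1.
!
! 1. Guests get "dhcpd dns 192.168.10.1", so DNS to that host must be allowed.
!    (Permitting "ip ... host 192.168.10.1" instead would match the literal
!    request, but DNS is all a guest needs from the gateway.)
access-list GUEST_IN extended permit udp 192.168.40.0 255.255.255.0 host 192.168.10.1 eq domain
access-list GUEST_IN extended permit tcp 192.168.40.0 255.255.255.0 host 192.168.10.1 eq domain
!
! 2. Nothing else from the guest VLAN may reach the 192.168.10.0/24 LAN.
!    Placed after the DNS permits (or it would block DNS and the Internet
!    appears "dead") and before the permit-any (or it would never match).
access-list GUEST_IN extended deny ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! 3. Everything else, i.e. the Internet, is allowed. Leaving this line out is
!    the usual way an inside ACL kills the Internet: the implicit deny wins.
!    Internet-bound packets are forwarded via 192.168.10.1 but their
!    destination is outside 192.168.10.0/24, so entry 2 does not match them.
access-list GUEST_IN extended permit ip 192.168.40.0 255.255.255.0 any
!
access-group GUEST_IN in interface inside
!
! 192.168.10.9 is the ASA's own outside address; through-traffic to it is not
! routed by the ASA, so it needs no ACL entry.
!
! Verify with packet-tracer (expected results, 209.165.202.158 is the
! documentation address used earlier in the thread):
!   packet-tracer input inside udp 192.168.40.5 1234 192.168.10.1 53          -> allow
!   packet-tracer input inside tcp 192.168.40.5 555 192.168.10.15 80          -> drop (acl-drop)
!   packet-tracer input inside tcp 192.168.40.5 555 209.165.202.158 80        -> allow
```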