12-11-2014 04:55 AM - edited 03-07-2019 09:51 PM
Hi All,
I'm new to Cisco firewalls. I have an ASA 5510 which I've configured for internet access. I cannot connect to the internet from the firewall. Please can anyone check the configuration and tell me where the problem is?
Thanks in advance
here is the configuration:
drcadmin# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname drcadmin
enable password jDUXMyqeIzxQIVgK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 172.20.10.245 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
regex google "\.google\.com"
ftp mode passive
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 172.20.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:20:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password vUmuS.K/5e5ukZ3i encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http GOOGLE
 parameters
 match not request header host regex google
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:17111f7d668ea47e2970a16a5d67e06c
: end
12-11-2014 05:07 AM
The outside interface has an IP of 172.20.10.245. This is not a routable IP on the internet, so is something else doing the NAT for you, i.e. does the next hop device 172.20.10.2 do it?
Jon
12-11-2014 05:07 AM
Thanks for the reply.
This is all the configuration that I have done; on the outside I have a router that has an IP of 172.20.10.2.
thanks
12-11-2014 05:11 AM
Does the router have NAT set up?
From a client on your LAN, can you ping the router IP 172.20.10.2?
Jon
12-11-2014 05:20 AM
12-11-2014 05:25 AM
If you can ping the router IP from a client on your LAN, i.e. on the inside of the ASA, then it looks like your ASA configuration is working.
The router does not need a route back to the internal network because you are translating all internal IPs to the outside interface of the ASA and the router knows how to get to this.
How are you testing connectivity from a client, i.e. are you pinging an IP on the internet?
Jon
12-11-2014 05:32 AM
You mean testing connectivity from a client after the firewall?
I test the connectivity without the firewall.
12-11-2014 05:44 AM
I don't understand your last statement about testing without the firewall.
I thought your problem was that clients cannot access the internet, i.e. you are testing from a client on your LAN which sends traffic to the ASA, which then forwards it on to the router.
So my question was: when you say the clients cannot access the internet, what are they trying to access, i.e. what test are you using on the client?
Jon
12-11-2014 05:58 AM
12-11-2014 06:09 AM
For ping to work you need to enable ICMP inspection (or allow the responses back through from the router).
See this link for configuring ICMP inspection -
https://supportforums.cisco.com/document/146031/allow-icmp-through-cisco-asa
Step 5 is the one you need to use.
Jon
12-11-2014 06:23 AM
I tested the step 5 configuration for ICMP inspection; it does not work.
Is there something wrong in my config? I'm not sure whether that is the right way.
12-11-2014 06:31 AM
I can't see anything obviously wrong in your configuration.
From your attachments it looks like you cannot ping from a client through the firewall to the router.
Try this -
access-list outside_in permit icmp host 172.20.10.2 any
access-group outside_in in interface Outside
and try pinging again.
Jon
12-13-2014 11:20 PM
Thanks Jon.
With the access list I can ping the router 172.20.10.2 from a client, but I still cannot connect to the internet from a client.
Thanks in advance.
12-15-2014 01:47 AM
You can only ping the router because that is all the acl is allowing.
The acl was there just as a test.
If you wanted to ping the internet the acl would have to be -
access-list outside_in permit icmp any any
which would allow any IP address to send ICMP back to your internal hosts.
But you don't want to do this as it is a security issue.
What you need to do is test connecting to a web site using its IP address from a client.
If you want to be able to ping, then you need to get the ICMP inspection working properly, as this will only allow ICMP back in if the client inside initiated the connection, which is a lot more secure than the acl above.
Jon
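The trade-off Jon describes above, as an added example that is not part of the thread: the test ACL opened up to the whole internet beside the stateful alternative of enabling ICMP inspection in the existing global_policy, followed by the commands that remove the test ACL and verify the inspection. The ACL, policy-map and interface names are the ones already in the posted configuration; ASA 8.2 syntax is assumed.

```text
! Weak: admits unsolicited ICMP from any internet source to any inside host.
! Shown only to contrast with the inspection approach; do not apply this.
access-list outside_in permit icmp any any
access-group outside_in in interface Outside

! Corrected, part 1: take the test ACL off the Outside interface and discard it,
! so nothing is permitted inbound by a static rule.
no access-group outside_in in interface Outside
clear configure access-list outside_in

! Corrected, part 2: let the inspection engine track each echo request leaving
! Inside and admit only the matching reply (and related ICMP errors) for that flow.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Verify that the inspection is attached to the global policy and counting packets.
show service-policy inspect icmp
```

With this in place, a ping from an inside client creates a connection entry on the ASA, and the reply is allowed back only while that entry exists; replies to requests nobody inside sent are dropped.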
12-15-2014 02:21 AM
Yes, I can test connecting to any web site using its IP address by ping from any client.
So how can I get the correct configuration working properly? I also need to block YouTube for specific clients.