06-15-2009 12:49 PM - edited 03-06-2019 06:16 AM
Problem:
I am having problems geting the two interfaces to comunicate with each other. I can ping my Linksys Router from the outside interface of the firewall, but I am unable to do this from the inside interface. Also I heard that I need ACL's. What are they? Do I have to have them? How do you implement them?
Setup:
I currently have a Linksys RV082 connected to two ISP's, connected on the LAN side of that is a Cisco ASA 5510 firewall, connected on the lan side of that is a Cisco 2821 router.
NAT:
Original:
Interface: interior
Source Network: interior:any/0
Destination Network: any
Translated:
Interface: Exterior
Address: interface PAT
Static routes:
Linksys to Firewall:
Destination IP: 192.168.6.0
Subnet mask: 255.255.255.0
Default Gateway: 192.168.0.101
Hop count: 1
Interface: lan
Firewall to Linksys
Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
IP Addresses:
Inside firewall: 192.168.6.0
Outside firewall: 192.168.0.101
Linksys: 192.168.0.1
Cisco Router Outside: 192.168.6.101
Cisco Router Inside: 192.168.4.0
____________Cisco ASA 5510 Configuration_____________________________
Firewall# show running-config
: Saved
:
ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Interior
security-level 0
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
nameif Exterior
security-level 100
ip address dhcp setroute
!
interface Ethernet0/2
shutdown
nameif 0
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable Interior
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp error
inspect mgcp
inspect pptp
inspect ctiqbe
inspect snmp
inspect http
inspect icmp
inspect ils
!
service-policy global_policy global
Cryptochecksum:ff820992c3c5d0aa4866e518fe0f9766
: end
06-15-2009 12:58 PM
Well, I've helped you in another post, but I think I see something in this one. You're eth0/0 is labeled as "Interior", yet is has the security level of 0, and your eth0/1 is labeled as exterior with a level of 100. This would be backwards.
Your public side, less secure, is usually set to 0 by default. The inside is 100 by default. On an ASA, traffic is always allowed out from a higher security to lower security (100 -> 0) without the need for an ACL. You will NEED an acl if you are going from 0 -> 100. In your case, if the labels are correct, you'd need an acl and statics to let yourself out of your network. I would suggest reversing the security levels to see if it fixes your issue.
HTH,
John
*BTW - let's stick to one thread. =)
06-15-2009 01:03 PM
Sorry about the threads, this is one of my first times ever using a forum. Unfortunatly the switching of security levels did not work however. Is there anything else wrong?
06-15-2009 01:12 PM
Is there a way that you can draw a diagram of the way that you have everything connected?
06-15-2009 02:45 PM
Linksys rv082
|
Asa 5510
|
2821
|
Computer
06-16-2009 05:05 AM
Here is where I am, I am DEAD stuck. I can not get trafic of any kind to pass through the ASA 5510. I have tried what I beleive to be everything. Below I have posted my new configuration file. I need to know what is wrong with it and how to fix it. I have also cut the 2821 out of the equation so now the computer is connected directly to the asa 5510. Before this all came about I did have the Linksys and the 2821 communicating, I also have heard that you can put the asa 5510 in the middle in transparent mode (not routed) and keep the packet flow the way it was before. Any help is greatly appreciated.
Cisco ASA 5510 configuration:
ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Interior
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
nameif Exterior
security-level 0
ip address dhcp setroute
!
interface Ethernet0/2
shutdown
nameif 0
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list Exterior_access_in extended permit tcp interface Exterior interface Interior
access-list Exterior_access_in extended permit icmp interface Exterior interface Interior
access-list Exterior_access_in extended permit ip interface Exterior interface Interior
access-list Exterior_access_out extended permit tcp interface Interior interface Exterior
access-list Exterior_access_out extended permit icmp interface Interior interface Exterior
access-list Exterior_access_out extended permit ip interface Interior interface Exterior
access-list Interior_access_in extended permit tcp interface Interior interface Exterior
access-list Interior_access_in extended permit icmp interface Interior interface Exterior
access-list Interior_access_in extended permit ip interface Interior interface Exterior
access-list Interior_access_out extended permit tcp interface Exterior interface Interior
access-list Interior_access_out extended permit icmp interface Exterior interface Interior
access-list Interior_access_out extended permit ip interface Exterior interface Interior
access-list 0_access_in extended permit tcp any interface Exterior
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
icmp permit any management
icmp permit any Exterior
icmp permit any Interior
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
global (Interior) 101 192.168.6.2-192.168.6.10
nat (Interior) 100 0.0.0.0 0.0.0.0 dns
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
access-group Exterior_access_in in interface Exterior per-user-override
access-group Exterior_access_out out interface Exterior
access-group Interior_access_in in interface Interior per-user-override
access-group Interior_access_out out interface Interior
access-group 0_access_in in interface 0
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Interior
dhcpd enable management
dhcpd enable Interior
Cryptochecksum:...
06-16-2009 05:35 AM
First thing is you should get back to basics. Take all of your access groups off. All traffic coming from the inside going out is allowed out by default IF you don't have an access-list applied to the inside interface.
Next, try getting rid of these two lines:
nat (Interior) 100 0.0.0.0 0.0.0.0 dns
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
add only:
nat (interior) 100 0 0
Get rid of these:
access-group Exterior_access_in in interface Exterior per-user-override
access-group Exterior_access_out out interface Exterior
access-group Interior_access_in in interface Interior per-user-override
access-group Interior_access_out out interface Interior
access-group 0_access_in in interface 0
Make sure the gateway on your workstation is set to 192.168.6.1.
HTH,
John
06-16-2009 05:50 AM
I still can not ping within the inside interface of the ASA 5510 to the outside interface of the Linksys RV082.
06-16-2009 05:53 AM
Can you ping the Linksys from the ASA?
Can you ping the ASA from your workstation?
06-16-2009 05:40 AM
Hi,
I suppose you have this setup going now:
Linksys rv082
|
(Exterior)
Asa 5510
(Interior)
|
Computer
Just to add to Johns Post:
Looking at the ACL statementsyou posted, you seem to have specified the Exterior and Interior interfaces as source and destination.
You will either need to substitute these with "any", or create objectes referencing the networks/hosts you want to permit.
e.g. These ACL statements should allow ping through your ASA:
access-list Interior_access_in extended permit icmp any any echo
access-list Exterior_access_in extended permit icmp any any echo-reply
The first statement allows ping (echo) from the inside to the outside, and the second statements allows the echo-reply to come back (since ping is handled stateless by default on the ASA).
06-16-2009 05:55 AM
I have done that and I still can not ping :-(
06-16-2009 06:00 AM
what do your logs show? normally packets blocked by ACLs show up in the ASA log.
06-16-2009 06:04 AM
I do not have any logs enabled. What should I enable and how?
06-16-2009 06:26 AM
easiest would be to start up ASDM and check the realtime logs while pinging through the device.
with CLI you could enable logging to the buffer, console, or monitor (telnet session). It depends how youre connected. The logging level set to warnings should be enough. When logging to monitor, be sure to turn on terminal monitor in global config
e.g.
ASA(config)# logging monitor warnings
ASA# terminal monitor
now logs should display in you telnet session.
06-16-2009 06:30 AM
I think I figured out how to log and this is the results:
6|Jun 16 2009 07:24:14|302014: Teardown TCP connection 711 for management:192.168.1.2/55375 to NP Identity Ifc:192.168.1.1/443 duration 0:00:10 bytes 945 TCP FINs
5|Jun 16 2009 07:24:14|111008: User 'enable_15' executed the 'ping Interior 192.168.0.1' command.
6|Jun 16 2009 07:24:04|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.6.1/0 to Interior:192.168.0.1/0
6|Jun 16 2009 07:24:04|605005: Login permitted from 192.168.1.2/55375 to management:192.168.1.1/https for user "enable_15"
6|Jun 16 2009 07:24:04|302013: Built inbound TCP connection 711 for management:192.168.1.2/55375 (192.168.1.2/55375) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide