But I am pinging the Comcast gateway from the ASA. Is that ping allowed? To be honest I didn't try to bring u a web page on the PC.

Thanks, Pat.

Hi,

This document explains how to allow ping from the inside to the outside on a firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

I don't want to sound lazy and would like to fully understand firewalls but, I thought a default route was configured by default. I will add the config you mentioned.

Thanks

SJHCOMCASTFW# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname SJHCOMCASTFW
domain-name sjhcomcast.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.79.xx.xx255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name sjhcomcast.com
same-security-traffic permit intra-interface
access-list 100 extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 50.79.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 4.4.4.4 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 3600 interface inside
dhcpd domain sjhcomcast.com interface inside
dhcpd enable inside
!

username PMcHenry password DFlVIADtck1VpZzU encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f0cc64bc93f62ba225dfa576c0755162
: end
SJHCOMCASTFW#

I can ping the comcast gateway from the FW but, not anything beyond. And I can't ping the FW outside interface from the PC.

Thanks, Pat

Your configuration looks fine, make sure you have internet. can you ping 4.2.2.2 from the firewall itself?

You will never be able to ping outside interface of ASA from inside, That is how FW is architectured.

Do you mean ping 4.4.4.4 the DNS server?

What is 4.2.2.2?

I will plug my laptop directly in again to see if there is Internet. I thought they fixed that as we were having that problem last week and they worked on it.

Comcast is looking at the issue now. I can't ping out even with my laptop plugged directly into the modem and configured with the public address.

I have three VLANs configured. One VLAN(inside), one VLAN(outside) and one VLAN(dmz).

Other than configuring the outside address, an extra VLAN(dmz) and DHCP for the inside VLAN and the dmz VLAN, everything else is at the default configuration.

I can get dhcp addresses and ping out from both the inside and dmz.

The inside is set to 100 security and the dmz is set to 50 security.

That being said, is my inside and dmz network being protected and/or should I be configuring more to protect it?

Thanks

Hi,

Regarding the ICMP

Usually when I configure a new ASA firewall I will add the ICMP inspection was told earlier in this thread.

In your latest running-config I dont see it configured yet.

There should be

policy-map global_policy
 class inspection_default
  inspect icmp

With this enabled and if ICMP is allowed from the LAN -> Internet the echo-reply messages to your ICMP echos will get through the firewall

You won't need to use the outside access-list to open ICMP for the ICMP you are sending from the LAN behind the firewall or even for the ICMP echos sent from the ASA itself. You only need to open ICMP on the outside ACL if you need to ping something on your local network from the Internet. That device must also have its own public IP address (with static NAT) for it to even work.

If you want to send ICMP echos from Internet to the ASAs outside interface you can use the following format

icmp permit

for example "icmp permit any outside" would permit ICMP echos to the ASAs outside interface from any source address on the Internet. Though necesarily no need to open it so wide.

- Jouni

Thanks for the response.

Per my previous post - I've created a another VLAN with security 50. From earlier discussions -  this doesn't mean the amount of security on that port, correct?

Nevertheless, can I make the additional vlan as secure as the inside vlan?

thanks, Pat.

Hi,

I've never relied purely on the "security-level" setting.

To my knowledge the security-levels numerical value is the simplest way to do access control on an ASA firewall. (But doesnt really give you any fexibility alone)

It basicly means that any host on a higher security-level interface can communicate to any of the lower security-level interfaces.

In your situation you have:

• outside = 0
• dmz = 50
• inside = 100

If you didnt have any access-list the operation would basically be like this:

• Hosts on inside can access anything behind the interfaces dmz and outside
  
• Hosts on dmz  can access anything behind the interface outside, but NOT inside
• Hosts on outside CANT access anything behind the ASA

To my understanding as soon as you apply an access-list to an interface (with the access-group command) it affects the situation I mentioned above for the interface in question. So basically if you add an access-list to inside interface you have to deny or allow traffic on it and the security-level wont dedice anymore on allowing the traffic.

Heres also a explanation from Cisco material on the "security-level" command

 The level controls the following behavior: 
 •Network  access—By default, there is an implicit permit from a higher security  interface to a lower security interface (outbound). Hosts on the higher  security interface can access any host on a lower security interface.  You can limit access by applying an access list to the interface. 
 For same security interfaces, there is an implicit permit for interfaces  to access other interfaces on the same security level or lower. 
 •Inspection  engines—Some inspection engines are dependent on the security level.  For same security interfaces, inspection engines apply to traffic in  either direction. 
 –NetBIOS inspection engine—Applied only for outbound connections. 
 –OraServ  inspection engine—If a control connection for the OraServ port exists  between a pair of hosts, then only an inbound data connection is  permitted through the security appliance. 
 •Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). 
 For same security interfaces, you can filter traffic in either direction. 
 •NAT  control—When you enable NAT control, you must configure NAT for hosts  on a higher security interface (inside) when they access hosts on a  lower security interface (outside). 
 Without NAT control, or for same security interfaces, you can choose to  use NAT between any interface, or you can choose not to use NAT. Keep in  mind that configuring NAT for an outside interface might require a  special keyword. 
 •established command—This command allows return connections from a lower security  host to a higher security host if there is already an established  connection from the higher level host to the lower level host. 
 For same security interfaces, you can configure established commands for both directions

- Jouni