asa5520 problems

Unanswered Question
Jun 4th, 2007

I just got an ASA 5520 to replace my current firewall. I am having problems getting it even to work. I can't get any traffic to pass through, outbound or inbound, even with the basic configs. Am I missing something with this device?

kmcilvaine Mon, 06/04/2007 - 12:06

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.
enable password xnGqPhwrHRAXC1MM encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server xxx.xxx.x.xx
 name-server xxx.xxx.x.xx
 domain-name xxxxxxxxxx.com
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (Lan) 0 0.0.0.0 0.0.0.0
route Wan xx.xxx.xxx.xx 255.255.255.255 xx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a9b298480632c1bbfa46b3609bdf03b
: end

acomiskey Mon, 06/04/2007 - 12:19

I don't know what your inside subnet is, so I can only guess whether you want to NAT/PAT. If so, this should get you from inside to outside. If not, then just add the default route.

no nat (Lan) 0 0.0.0.0 0.0.0.0
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
route Wan 0.0.0.0 0.0.0.0

kmcilvaine Mon, 06/04/2007 - 12:37

I am using NAT and also have some static routes. I have fully configured the firewall and could not get it to work. I have brought it back to the beginning. If all I want is to get to the internet, I should just need my WAN IP and gateway and LAN IP, correct? I have any outbound to allow.

kmcilvaine Tue, 06/05/2007 - 10:59

Could someone check this config out? I still cannot get to the internet.

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address xx.xx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server xxx.xxx.x.xx
 name-server xxx.xxx.x.xx
 domain-name foleyinc.com
object-group network test
 network-object 0.0.0.0 0.0.0.0
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Wan) 0 0.0.0.0 0.0.0.0
static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!

srue Tue, 06/05/2007 - 11:21

no nat (Wan) 0 0.0.0.0 0.0.0.0
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
no route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1

----then do---

nat (Lan) 1 0 0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97

This assumes 65.112.215.97 is the next hop EXTERNAL to your ASA device.

kmcilvaine Tue, 06/05/2007 - 12:23

I added those rules in and still no luck. If I go into ASDM and do a packet trace, it dies at the ACL. It points to an implicit rule that you cannot modify.

acomiskey Tue, 06/05/2007 - 12:29

When you do the packet trace, make sure you are selecting the Lan interface.

kmcilvaine Tue, 06/05/2007 - 12:33

Lan (Incoming Rules)
any any ip deny implicit rule

I did use the Lan interface as well for the test.

acharyr123 Tue, 06/05/2007 - 20:54

Hi,

First of all, remove the service policy. I believe you have some SSM module installed on your firewall.

Then add these lines:

nat (Lan) 1 0.0.0.0 0.0.0.0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
access-list 110 extended permit ip any any
access-group 110 in interface Wan

Note: if you allow ip any any, then viruses will attack, so try once with this command, then change to your desired access:

access-list 110 extended permit tcp any eq domain any
access-list 110 extended permit tcp any eq smtp any
access-list 110 extended permit tcp any eq pop3 any
access-list 110 extended permit udp any eq domain any
access-list 110 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq ftp
access-list 110 extended permit tcp any any eq ftp-data
access-list 110 extended permit tcp any any eq www
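The fixes proposed in this thread come down to three ASA 7.x statements (a nat on the inside interface, a global pool with the same id on the outside interface, and a real default route instead of a /32 host route) plus the warning in the last reply about applying permit ip any any inbound on the outside. The script below is an added example, not code from the thread or from Cisco: it parses an ASA 7.x running config and flags each of those conditions. The interface names Wan and Lan follow the posted config; the sample configs and their RFC 5737 addresses are constructed for the demonstration.

```python
"""Lint an ASA 7.x running config for the mistakes discussed in this thread.

Added example, not code from the thread. Wan is the security-level 0 interface
and Lan the security-level 100 one, as in the posted config; the sample configs
at the bottom are constructed, with RFC 5737 addresses replacing the masked ones.
"""
import re
from collections import defaultdict

ZERO = {"0", "0.0.0.0"}  # ASA accepts either spelling for "any address"
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)(?:\s+(\S+)\s+(\S+))?")
GLOBAL_RE = re.compile(r"^global ?\((\S+)\) (\d+)")


def parse(config):
    """Collect only the statements the checks need; ignore everything else."""
    sec, cur = {}, None  # nameif -> security-level, current interface nameif
    routes, nats, groups = [], [], []
    pools, acls = defaultdict(set), defaultdict(list)  # if -> ids, acl -> ACEs
    nat_control = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        tok = line.split()
        if tok[0] == "nameif":
            cur = tok[1]
        elif tok[0] == "security-level" and cur:
            sec[cur] = int(tok[1])
        elif tok[0] == "management-only" and cur:
            sec.pop(cur, None)  # not a transit interface
        elif tok[0] == "route" and len(tok) >= 4:
            routes.append((tok[1], tok[2], tok[3]))  # (if, network, mask)
        elif tok[0] == "nat-control":
            nat_control = True
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))  # (if, id, addr, mask)
        elif m := GLOBAL_RE.match(line):
            pools[m[1]].add(int(m[2]))
        elif tok[0] == "access-list" and len(tok) > 2:
            acls[tok[1]].append(tok[2:])
        elif tok[0] == "access-group" and len(tok) >= 5:
            groups.append((tok[1], tok[2], tok[4]))  # (acl, in|out, if)
    return sec, routes, nats, pools, acls, groups, nat_control


def permits_any(ace):
    """True for 'permit ip any any', with or without the 'extended' keyword."""
    body = ace[1:] if ace and ace[0] == "extended" else ace
    return body[:4] == ["permit", "ip", "any", "any"]


def lint(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sec, routes, nats, pools, acls, groups, nat_control = parse(config)
    if not sec:
        return ["no transit interfaces (nameif + security-level) found"]
    inside = max(sec, key=sec.get)   # highest security-level
    outside = min(sec, key=sec.get)  # lowest security-level
    out = []
    # 1. a /32 host route toward the gateway is not a default route
    if not any(n in ZERO and m in ZERO for _, n, m in routes):
        out.append(f"no default route: need 'route {outside} 0.0.0.0 0.0.0.0 <next-hop>'")
    for ifn, nid, addr, mask in nats:
        if nid == 0:
            # 2. nat 0 on the inside is NAT exemption, not translation
            if ifn == inside and addr in ZERO and mask in ZERO:
                out.append(f"nat ({ifn}) 0 exempts every {ifn} host from translation; "
                           f"only valid if {ifn} uses publicly routable addresses")
        # 3. a nat id needs a global pool with the same id on another interface
        elif not any(nid in ids for g, ids in pools.items() if g != ifn):
            out.append(f"nat ({ifn}) {nid} has no matching 'global (...) {nid}' pool")
    # 4. with nat-control, inside->outside traffic without a translation is dropped
    if nat_control and not any(n[0] == inside for n in nats):
        out.append(f"nat-control is on but {inside} has no nat statement; "
                   f"{inside}->{outside} traffic is dropped")
    # 5. permit ip any any inbound on the outside admits all unsolicited traffic
    for acl, direction, ifn in groups:
        if direction == "in" and ifn == outside and any(map(permits_any, acls.get(acl, []))):
            out.append(f"access-list {acl} inbound on {ifn} (security-level {sec[ifn]}) "
                       f"permits ip any any: all unsolicited Internet traffic is let in")
    return out


# Constructed interface block shared by the samples (mirrors the posted one).
INTERFACES = """\
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address 203.0.113.10 255.255.255.224
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 management-only
"""
# As first posted: nat 0 for everything plus a host route, no default route.
OP_FIRST = INTERFACES + "nat (Lan) 0 0.0.0.0 0.0.0.0\nroute Wan 203.0.113.1 255.255.255.255 203.0.113.1\n"
# As posted second: nat-control on, nat on the outside interface, still no default route.
OP_SECOND = INTERFACES + "nat-control\nnat (Wan) 0 0.0.0.0 0.0.0.0\nroute Wan 203.0.113.1 255.255.255.255 203.0.113.1 1\n"
# The suggested fix: PAT to the Wan address and a real default route.
FIXED = INTERFACES + "nat (Lan) 1 0 0\nglobal (Wan) 1 interface\nroute Wan 0.0.0.0 0.0.0.0 203.0.113.1\n"
# The later suggestion: the same fix plus permit ip any any applied inbound on Wan.
OPEN_INBOUND = FIXED + "access-list 110 extended permit ip any any\naccess-group 110 in interface Wan\n"

if __name__ == "__main__":
    for name, cfg in [("first", OP_FIRST), ("second", OP_SECOND), ("fixed", FIXED), ("open", OPEN_INBOUND)]:
        print(name, lint(cfg) or ["ok"])
```

Run against the four constructed configs, the first posted config is flagged for the missing default route and the blanket nat 0, the second for the missing default route and nat-control with no nat on Lan, the fixed one passes clean, and the fixed one plus the inbound permit ip any any is flagged for exposing the outside interface. The check for a missing global pool (finding 3) is the one that catches the common typo of a nat id that matches no global.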
