06-04-2007 06:21 AM - edited 03-11-2019 03:24 AM
I just got a asa5520 to replace my current firewall. I am having problems getting it even to work .I can 't get any traffic to pass through outbound or inbound even with the basic configs....am I missing something with this device??
06-04-2007 07:06 AM
Could you post a config?
06-04-2007 12:06 PM
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.
enable password xnGqPhwrHRAXC1MM encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
name-server xxx.xxx.x.xx
name-server xxx.xxx.x.xx
domain-name xxxxxxxxxx.com
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (Lan) 0 0.0.0.0 0.0.0.0
route Wan xx.xxx.xxx.xx 255.255.255.255 xx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a9b298480632c1bbfa46b3609bdf03b
: end
06-04-2007 12:19 PM
I don't know what your inside subnet is so I can only guess if you want to nat/pat. If so, this should get you from inside to outside. If not then just add the default route.
no nat (Lan) 0 0.0.0.0 0.0.0.0
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
route Wan 0.0.0.0 0.0.0.0
06-04-2007 12:37 PM
I am using nat and also have some static routes. I have fully configured the firewall and could not get it to work.I have brought it back to the begining. If all I want is to get to the internet I should just need my wan ip and gateway and lan ip...correct? I have any outbound to allow
06-05-2007 10:59 AM
Could someone check this config out I still cannot get to the internet.
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xx.xx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encryp
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
name-server xxx.xxx.x.xx
name-server xxx.xxx.x.xx
domain-name foleyinc.com
object-group network test
network-object 0.0.0.0 0.0.0.0
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout
nat-control
nat (Wan) 0 0.0.0.0 0.0.0.0
static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
06-05-2007 11:21 AM
no nat (Wan) 0 0.0.0.0 0.0.0.0
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
no route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
----then do---
nat (Lan) 1 0 0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97
this assumes 65.112.215.97 is the next hop EXTERNAL to your ASA device.
06-05-2007 12:23 PM
I added those rules in and still no luck. If i go into asdm and do a packet trace it dies at the acl.It point to an implicit rule that you cannot modify.
06-05-2007 12:29 PM
what ACL does it die at?
06-05-2007 12:29 PM
When you do packet trace make sure you are selecting Lan interface.
06-05-2007 12:33 PM
Lan(incoming Rules)
any any ip deny implicit rule
I did use the lan interface as well for the test
06-05-2007 08:54 PM
Hi,
first of all remove the service policy. i believe u have some ssm module installed on your f/w.
then add these lines:
nat (lan) 1 0.0.0.0 0.0.0.0
global(wan) 1 interface outside
route wan 0.0.0.0 0.0.0.0 65.112.215.97
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
access-list 110 extended permit ip any any
access-group 110 in interface outside
Note: if you allow ip any any, then virus will attack, so try once with this command, then change to ur desired access:
access-list 110 extended permit tcp any eq domain any
access-list 110 extended permit tcp any eq smtp any
access-list 110 extended permit tcp any eq pop3 any
access-list 110 extended permit udp any eq domain any
access-list 110 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq ftp
access-list 110 extended permit tcp any any eq ftp-data
access-list 110 extended permit tcp any any eq www
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide