879 Views, 0 Helpful, 11 Replies

asa5520 problems

kmcilvaine (Level 1)

I just got an ASA 5520 to replace my current firewall. I am having problems getting it even to work. I can't get any traffic to pass through, outbound or inbound, even with the basic configs... am I missing something with this device??

11 Replies

acomiskey (Level 10)

Could you post a config?

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.
enable password xnGqPhwrHRAXC1MM encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server xxx.xxx.x.xx
 name-server xxx.xxx.x.xx
 domain-name xxxxxxxxxx.com
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (Lan) 0 0.0.0.0 0.0.0.0
route Wan xx.xxx.xxx.xx 255.255.255.255 xx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a9b298480632c1bbfa46b3609bdf03b
: end

I don't know what your inside subnet is, so I can only guess whether you want to NAT/PAT. If so, this should get you from inside to outside. If not, then just add the default route.

no nat (Lan) 0 0.0.0.0 0.0.0.0
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
route Wan 0.0.0.0 0.0.0.0 <next-hop>

I am using NAT and also have some static routes. I have fully configured the firewall and could not get it to work. I have brought it back to the beginning. If all I want is to get to the internet, I should just need my WAN IP and gateway and LAN IP... correct? I have any outbound to allow.

Could someone check this config out? I still cannot get to the internet.

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address xx.xx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server xxx.xxx.x.xx
 name-server xxx.xxx.x.xx
 domain-name foleyinc.com
object-group network test
 network-object 0.0.0.0 0.0.0.0
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Wan) 0 0.0.0.0 0.0.0.0
static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!

no nat (Wan) 0 0.0.0.0 0.0.0.0
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
no route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1

----then do---

nat (Lan) 1 0 0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97

This assumes 65.112.215.97 is the next hop EXTERNAL to your ASA device.

I added those rules in and still no luck. If I go into ASDM and do a packet trace, it dies at the ACL. It points to an implicit rule that you cannot modify.

What ACL does it die at?

When you do the packet trace, make sure you are selecting the Lan interface.

Lan (incoming rules):
any any ip deny (implicit rule)

I did use the Lan interface as well for the test.

acharyr123 (Level 3)

Hi,

First of all, remove the service policy. I believe you have some SSM module installed on your f/w.

Then add these lines:

nat (Lan) 1 0.0.0.0 0.0.0.0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
access-list 110 extended permit ip any any
access-group 110 in interface Wan

Note: if you allow ip any any, then viruses will attack, so try once with this command, then change to your desired access:

access-list 110 extended permit tcp any eq domain any
access-list 110 extended permit tcp any eq smtp any
access-list 110 extended permit tcp any eq pop3 any
access-list 110 extended permit udp any eq domain any
access-list 110 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq ftp
access-list 110 extended permit tcp any any eq ftp-data
access-list 110 extended permit tcp any any eq www
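The replies above walk through the same short checklist for an ASA 7.x box that will not pass outbound traffic: a `nat` with no matching `global`, `nat 0` applied on the wrong interface, a host route where a default route is needed, `nat-control` with nothing to translate, an `access-group` bound to an interface name that does not exist (names are case-sensitive), and a `permit ip any any` left inbound on the outside interface. The script below is an added example, not code from the thread or from Cisco: it parses a small config and reports those conditions, plus the two factory-default password hashes that appear in the first config posted (`xnGqPhwrHRAXC1MM` is the well-known hash of a blank enable password and `2KFQnbNIdI.2KYOU` the hash of the default login password `cisco`). The sample configs are constructed from the thread with RFC 5737 placeholder addresses; the finding codes, and the heuristic that the lowest security-level interface is "outside" and the highest non-management one is "inside", are this script's own assumptions, not ASA behaviour.

```python
"""Lint an ASA 7.x config for the outbound-connectivity mistakes in this thread.
Added example: the finding codes and the inside/outside heuristic are its own assumptions."""
import re

# Well-known factory-default ASA/PIX hashes: seeing them means the passwords were never set.
DEFAULT_HASHES = {"xnGqPhwrHRAXC1MM": "enable password is the factory default (blank)",
                  "2KFQnbNIdI.2KYOU": "login password is the factory default 'cisco'"}


def parse_asa(text):
    """Extract interfaces, nat/global/static, routes, ACLs and password hashes."""
    cfg = {"nat": [], "global": [], "static": [], "routes": [], "acl": {},
           "access_group": [], "nat_control": False, "hashes": []}
    blocks, ifc = [], None  # interface blocks seen; ifc is the one being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        words = line.split()
        if words[0] == "interface":
            blocks.append(ifc := {})
        elif ifc is not None and words[0] in ("nameif", "security-level", "management-only"):
            ifc[words[0]] = words[1] if len(words) > 1 else True
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+) ?(.*)", line):
            cfg[m[1]].append((m[2], int(m[3]), m[4]))
        elif m := re.match(r"static \((\S+),(\S+)\) (.*)", line):
            cfg["static"].append((m[1], m[2], m[3]))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append(m.groups())
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            cfg["access_group"].append(m.groups())
        elif m := re.match(r"(?:enable password|passwd) (\S+) encrypted", line):
            cfg["hashes"].append(m[1])
    cfg["ifcs"] = {b["nameif"]: b for b in blocks if "nameif" in b}
    return cfg


def check(text):
    """Return (code, message) findings for the inside->outside path (needs two routed interfaces)."""
    cfg, out = parse_asa(text), []
    routed = {n: int(i["security-level"]) for n, i in cfg["ifcs"].items()
              if "security-level" in i and "management-only" not in i}
    outside, inside = min(routed, key=routed.get), max(routed, key=routed.get)  # heuristic
    if not any(r[0] == outside and r[1] == r[2] == "0.0.0.0" for r in cfg["routes"]):
        out.append(("NO_DEFAULT_ROUTE", f"no 'route {outside} 0.0.0.0 0.0.0.0 <next-hop>'; a /32 host route is not a default"))
    globals_ = {(g_ifc, g_id) for g_ifc, g_id, _ in cfg["global"]}
    path = any(s[0] == inside and s[1] == outside for s in cfg["static"])  # some inside->outside translation exists
    for n_ifc, n_id, rest in cfg["nat"]:
        if n_id == 0 and n_ifc == outside:
            out.append(("NAT0_ON_OUTSIDE", f"'nat ({n_ifc}) 0' exempts traffic entering {outside}; it does nothing for {inside}->{outside}"))
        elif n_id == 0 and n_ifc == inside and rest.split()[:2] in (["0.0.0.0", "0.0.0.0"], ["0", "0"]):
            out.append(("IDENTITY_NAT_ALL", f"'nat ({n_ifc}) 0' sends {inside} addresses out unchanged; works only if the upstream routes them back"))
            path = True
        elif n_id and (outside, n_id) in globals_:
            path = path or n_ifc == inside
        elif n_id:
            out.append(("NAT_WITHOUT_GLOBAL", f"'nat ({n_ifc}) {n_id}' has no matching 'global ({outside}) {n_id} ...'"))
    if not path and cfg["nat_control"]:
        out.append(("NAT_CONTROL_NO_XLATE", f"nat-control is set and nothing translates {inside}->{outside}: those packets are dropped"))
    elif not path:
        out.append(("NO_OUTBOUND_NAT", f"nothing translates {inside}->{outside}: private sources leave unchanged"))
    for name, direction, ifc in cfg["access_group"]:
        if ifc not in cfg["ifcs"]:
            out.append(("ACCESS_GROUP_BAD_IFC", f"access-group {name} names '{ifc}', which has no nameif (names are case-sensitive)"))
        elif ifc == outside and direction == "in" and any(a == "permit" and p == "ip" and r.split()[:2] == ["any", "any"]
                                                          for a, p, r in cfg["acl"].get(name, [])):
            out.append(("OUTSIDE_PERMIT_ANY", f"'{name}' permits ip any any inbound on {outside}: every host behind a static is exposed"))
    out += [("DEFAULT_PASSWORD", DEFAULT_HASHES[h]) for h in cfg["hashes"] if h in DEFAULT_HASHES]
    return out


def codes(text):
    """De-duplicated, sorted finding codes for quick comparison."""
    return sorted({c for c, _ in check(text)})


# Constructed samples modelled on the thread; addresses are RFC 5737 placeholders.
BASE = "\n".join(["interface GigabitEthernet0/0", " nameif Wan", " security-level 0",
                  "interface GigabitEthernet0/1", " nameif Lan", " security-level 100",
                  "interface Management0/0", " nameif management", " security-level 100", " management-only", ""])
# As first posted: identity NAT of everything, a host route instead of a default, default passwords.
AS_POSTED = BASE + ("enable password xnGqPhwrHRAXC1MM encrypted\npasswd 2KFQnbNIdI.2KYOU encrypted\n"
                    "nat (Lan) 0 0.0.0.0 0.0.0.0\nroute Wan 198.51.100.5 255.255.255.255 203.0.113.1 1\n")
# The fix from the replies: PAT everything behind the Wan address and add a default route.
FIXED = BASE + "global (Wan) 1 interface\nnat (Lan) 1 0.0.0.0 0.0.0.0\nroute Wan 0.0.0.0 0.0.0.0 203.0.113.1 1\n"
# The 'try it once' permit ip any any from the last reply, bound to the real outside interface name.
PERMISSIVE = FIXED + "access-list 110 extended permit ip any any\naccess-group 110 in interface Wan\n"

if __name__ == "__main__":
    print({label: check(t) for label, t in [("as posted", AS_POSTED), ("fixed", FIXED), ("permissive", PERMISSIVE)]})
```

Run it against `show running-config` output pasted into a file and read the findings top to bottom: the as-posted config produces the identity-NAT, missing-default-route and default-password findings, the fixed one produces none, and the `permit ip any any` variant flags only the outside ACL. On a real box, verify each finding with `packet-tracer input Lan tcp <inside-host> 1025 <internet-host> 80` rather than trusting the script; it models only the handful of rules discussed in this thread.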
