06-04-2007 06:21 AM - edited 03-11-2019 03:24 AM
I just got an ASA 5520 to replace my current firewall. I am having problems getting it even to work. I can't get any traffic to pass through, outbound or inbound, even with the basic configs... am I missing something with this device?
06-04-2007 07:06 AM
Could you post a config?
06-04-2007 12:06 PM
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.
enable password xnGqPhwrHRAXC1MM encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
name-server xxx.xxx.x.xx
name-server xxx.xxx.x.xx
domain-name xxxxxxxxxx.com
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (Lan) 0 0.0.0.0 0.0.0.0
route Wan xx.xxx.xxx.xx 255.255.255.255 xx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a9b298480632c1bbfa46b3609bdf03b
: end
06-04-2007 12:19 PM
I don't know what your inside subnet is, so I can only guess whether you want to NAT/PAT. If so, this should get you from inside to outside. If not, then just add the default route.
no nat (Lan) 0 0.0.0.0 0.0.0.0
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
route Wan 0.0.0.0 0.0.0.0
06-04-2007 12:37 PM
I am using NAT and also have some static routes. I have fully configured the firewall and could not get it to work. I have brought it back to the beginning. If all I want is to get to the internet, I should just need my WAN IP and gateway and LAN IP... correct? I have 'any' outbound allowed.
06-05-2007 10:59 AM
Could someone check this config out? I still cannot get to the internet.
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xx.xx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns domain-lookup Wan
dns server-group DefaultDNS
name-server xxx.xxx.x.xx
name-server xxx.xxx.x.xx
domain-name foleyinc.com
object-group network test
network-object 0.0.0.0 0.0.0.0
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Wan) 0 0.0.0.0 0.0.0.0
static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
06-05-2007 11:21 AM
no nat (Wan) 0 0.0.0.0 0.0.0.0
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
no route Wan xx.xxx.xxx.xx 255.255.255.255 65.112.215.97 1
----then do---
nat (Lan) 1 0 0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97
this assumes 65.112.215.97 is the next hop EXTERNAL to your ASA device.
06-05-2007 12:23 PM
I added those rules in and still no luck. If I go into ASDM and do a packet trace, it dies at the ACL. It points to an implicit rule that you cannot modify.
06-05-2007 12:29 PM
what ACL does it die at?
06-05-2007 12:29 PM
When you do the packet trace, make sure you are selecting the Lan interface.
06-05-2007 12:33 PM
Lan (incoming rules):
any any ip deny (implicit rule)
I did use the Lan interface for the test as well.
06-05-2007 08:54 PM
Hi,
First of all, remove the service policy. I believe you have some SSM module installed on your firewall.
Then add these lines:
nat (Lan) 1 0.0.0.0 0.0.0.0
global (Wan) 1 interface
route Wan 0.0.0.0 0.0.0.0 65.112.215.97
no static (Lan,Wan) xx.xxx.xxx.xx access-list Lan_nat_static
access-list 110 extended permit ip any any
access-group 110 in interface Wan
Note: if you allow ip any any, then viruses will attack, so try once with this command, then change it to your desired access:
access-list 110 extended permit tcp any eq domain any
access-list 110 extended permit tcp any eq smtp any
access-list 110 extended permit tcp any eq pop3 any
access-list 110 extended permit udp any eq domain any
access-list 110 extended permit tcp any any eq https
access-list 110 extended permit tcp any any eq ftp
access-list 110 extended permit tcp any any eq ftp-data
access-list 110 extended permit tcp any any eq www
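As an added example that is not part of any post in this thread, here is the complete outbound-only configuration the replies above converge on for this ASA 7.2 (PAT to the Wan interface address, a default route, and an optional Lan-side ACL), followed by the CLI checks that show whether a Lan host's packet actually gets through. Interface names follow the poster's nameif values (Wan, Lan). 203.0.113.1, 192.168.10.25 and 198.51.100.10 are placeholders standing in for the masked addresses in the posts, and <public-ip> stands for the masked static address. Because the ASA is stateful, reply traffic for connections started from Lan is admitted from its connection table, so an inbound `permit ip any any` on the Wan interface is not required for Internet access from Lan; such a rule only widens what unsolicited inbound traffic can reach.

```text
! Added example (editor's, not from the thread): minimal outbound-only
! configuration for ASA 7.2. 203.0.113.1 is a hypothetical ISP next hop;
! <public-ip> is the masked address from the original static/route lines.
!
! 1. Remove the lines that break outbound traffic. nat 0 on the Wan side
!    exempts the wrong interface from NAT, the policy static translates
!    Lan-to-Wan traffic to a single address, and the /32 route only covers
!    one destination.
no nat (Wan) 0 0.0.0.0 0.0.0.0
no static (Lan,Wan) <public-ip> access-list Lan_nat_static
no route Wan <public-ip> 255.255.255.255 203.0.113.1 1
!
! 2. PAT every Lan host to the Wan interface address. With nat-control
!    enabled, a Lan host with no matching nat rule gets no translation
!    and its packets are dropped, so the 0.0.0.0 0.0.0.0 match matters.
nat (Lan) 1 0.0.0.0 0.0.0.0
global (Wan) 1 interface
!
! 3. Default route toward the ISP (next hop must be on the Wan subnet).
route Wan 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 4. Optional: restrict what Lan hosts may initiate. With no ACL on Lan,
!    traffic from security-level 100 to 0 is permitted by default. Once an
!    ACL is applied, the implicit permit is gone, so every wanted protocol
!    must be listed explicitly (DNS over UDP included).
access-list Lan_out extended permit udp any any eq domain
access-list Lan_out extended permit tcp any any eq domain
access-list Lan_out extended permit tcp any any eq www
access-list Lan_out extended permit tcp any any eq https
access-list Lan_out extended permit tcp any any eq smtp
access-list Lan_out extended permit icmp any any echo
access-list Lan_out extended deny ip any any log
access-group Lan_out in interface Lan
!
! 5. ICMP is not tracked statefully unless inspected, so echo replies from
!    the Internet only return with inspect icmp in the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 6. Verify from the CLI. packet-tracer walks the same ACL, NAT and route
!    lookups as a real packet and reports the phase that drops it, which
!    is the CLI equivalent of the ASDM trace used above. 192.168.10.25 is
!    a hypothetical Lan host, 198.51.100.10 a hypothetical web server.
packet-tracer input Lan tcp 192.168.10.25 12345 198.51.100.10 80
packet-tracer input Lan udp 192.168.10.25 40000 198.51.100.53 53
show xlate
show conn
show route
```

If packet-tracer shows the drop in the ACCESS-LIST phase on Lan with an implicit rule, as in the ASDM trace above, the interface ACL (if any) does not cover that protocol; a drop in the NAT or ROUTE-LOOKUP phase points at the nat/global pair or the default route instead. After a successful trace, `show xlate` should list a PAT entry for the Lan host against the Wan interface address.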