Problem setting up ASA 5510

Unanswered Question
Jul 6th, 2007

Now I can reach the firewall from internal network. But still don't get internet access nor can I see dmz.

CiscoASA# show route

S 0.0.0.0 0.0.0.0 [1/0] via xx.xx.xxy.1, outside

C 10.16.0.0 255.255.252.0 is directly connected, outside

C 10.16.52.0 255.255.252.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, management

C 192.168.20.0 255.255.252.0 is directly connected, dmz

And the firewall config right now is:

asdm image disk0:/asdm506.bin

asdm location 192.168.20.100 255.255.255.255 dmz

asdm location 192.168.20.101 255.255.255.255 dmz

no asdm history enable

: Saved

:

ASA Version 7.0(6)

!

hostname CiscoASA

domain-name DOMAINNAME

enable password AAAAAAAAAAAAA. encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.16.1.1 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 90

ip address 10.16.54.1 255.255.252.0

!

interface Ethernet0/2

nameif dmz

security-level 10

ip address 192.168.20.1 255.255.252.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd AAAAAAAAAAAAAA encrypted

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

access-list outside_access_in extended permit tcp any host 192.168.20.100 eq www

access-list outside_access_in extended permit tcp any host 192.168.20.101 eq www

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu dmz 1500

mtu outside 1500

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (dmz) 200 xx.xx.xxx.70-xx.xx.xxx.71 netmask 255.255.252.0

global (outside) 200 interface

nat (inside) 0 10.16.54.0 255.255.255.0

- Show quoted text -

static (dmz,inside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255

static (dmz,inside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xxy.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.16.54.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

What IP address should I use for the outside interface? I made one up, not sure what ip is needed there and where it is used.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Fri, 07/06/2007 - 06:07

1. Still working on this? Let's take one issue at a time. What is the topology of your network? Usually you do not make up an ip address for the outside of your firewall. It appears you have some public ip's, xx.xx.xxx.70 and xx.xx.xxx.71 for instance. Are you natting somewhere outside the ASA?

2. Your access-list entries are not correct, they need to look like this.

access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www

access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www

3. You cannot see the internet becuase you are not natting inside hosts.

4. To see the dmz from the inside, add this...

static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.252.0

SanderTaats Sat, 07/07/2007 - 14:56

I reset everything to factory default after learning some more about what the different settings do. The result is same though I'm afraid. I can't access internet nor dmz.

----------------------------------------

inside = 10.16.54.0 255.255.255.0

firewall ip = 10.16.54.1

dhcp = 10.16.54.10

computers in network = 10.16.54.11-10.16.54.100

----------------------------------------

dmz 192.168.20.100-192.168.20.102 255.255.255.0

I have 3 servers in dmz.

192.168.20.100 = webbserver, needs to send mail with 192.168.20.102

192.168.20.101 = webb + sql + mail server

192.168.20.102 = mail server

----------------------------------------

outside xx.xx.xxx.70

I used one of the 2 public IPs we have as outside IP, not sure if that was correct or not.

----------------------------------------

We have 2 public IPs.

xx.xx.xxx.70 255.255.252.0

xx.xx.xxx.71 255.255.252.0

xx.xx.xxx.70 -> 192.168.20.100 www

xx.xx.xxx.70 -> 192.168.20.102 smtp

xx.xx.xxx.71 -> 192.168.20.101 www

xx.xx.xxx.71 -> 192.168.20.101 smtp

----------------------------------------

Result of the command: "show running-config"

: Saved

:

ASA Version 7.0(6)

!

hostname CiscoASA

domain-name AAAAAAAAAAA

enable password AAAAAAAAAAAAAAAAAA encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 100

ip address xx.xx.xxx.70 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 90

ip address 10.16.54.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.20.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www

access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www

access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq smtp

access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq smtp

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.255.0

static (dmz,outside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255

static (dmz,outside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255

access-group outside_access_in in interface outside

route dmz xx.xx.xxx.71 255.255.255.255 xx.xx.xxy.1 1

route dmz xx.xx.xxx.70 255.255.255.255 xx.xx.xxz.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.16.54.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

: end

JBDanford2002 Sat, 07/07/2007 - 16:28

Please try the following:

Your security levels are backwards. The outside interface is considered less secure and should be given a lower security level such as 0. The inside is most trusted and should be given the highest (100). Higher Security levels have access to lower security levels by default.

interface Ethernet0/0

security-level 0

interface Ethernet0/1

security-level 100

exit

You are creating a static from the outside ip of your asa to an inside host. Lets configure port translation instead. We will also want to use the outside interface IP for PAT which will be needed by the inside interface hosts to get out to the internet.

no static (dmz,outside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255

static (dmz,outside) tcp interface 80 192.168.20.100 80

static (dmz,outside) tcp interface 25 192.168.20.100 25

nat (inside) 1 0 0

global (outside) 1 interface

wr mem

Now make sure you can ping your default gatway from the ASA. Also post the result of a "sh int e0/0"

Also the tutorial I made is for 6.3(5) but is still pretty much relevant:

http://firewalls.ath.cx/viewtopic.php?t=2

SanderTaats Sun, 07/08/2007 - 06:17

Now I could access dmz but it was very slow. Couldn't ping it either and no internet access.

---

Result of the command: "sh int e0/0"

Interface Ethernet0/0 "outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 100 Mbps

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

MAC address A, MTU 1500

IP address xx.xx.xxx.70, subnet mask 255.255.252.0

170 packets input, 10900 bytes, 0 no buffer

Received 163 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

286 packets output, 18304 bytes, 0 underruns

0 output errors, 0 collisions

0 late collisions, 0 deferred

input queue (curr/max blocks): hardware (7/0) software (0/0)

output queue (curr/max blocks): hardware (0/1) software (0/0)

Traffic Statistics for "outside":

8 packets input, 382 bytes

1 packets output, 28 bytes

7 packets dropped

1 minute input rate 0 pkts/sec, 0 bytes/sec

1 minute output rate 0 pkts/sec, 0 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 0 bytes/sec

5 minute output rate 0 pkts/sec, 0 bytes/sec

5 minute drop rate, 0 pkts/sec

---

Result of the command: "show running-config"

: Saved

:

ASA Version 7.0(6)

!

hostname CiscoASA

domain-name A

enable password A encrypted

names

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address xx.xx.xxx.70 255.255.252.0

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.16.54.1 255.255.255.0

!

interface Ethernet0/2

speed 100

duplex full

nameif dmz

security-level 50

ip address 192.168.20.1 255.255.255.0

!

interface Management0/0

speed 100

duplex full

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd A encrypted

ftp mode passive

access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www

access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www

access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq smtp

access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq smtp

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 192.168.20.100 www netmask 255.255.255.255

static (dmz,outside) tcp interface smtp 192.168.20.100 smtp netmask 255.255.255.255

static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.255.0

static (dmz,outside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255

access-group outside_access_in in interface outside

route dmz xx.xx.xxx.71 255.255.255.255 xx.xx.xxy.1 1

route dmz xx.xx.xxx.70 255.255.255.255 xx.xx.xxy.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.16.54.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:AAA

: end

JBDanford2002 Sun, 07/08/2007 - 06:38

So from the ASA you could not ping the internet? What is the ASA connected to? Are you on a cable connection va t1? Can you ping your default gateway?

SanderTaats Sun, 07/08/2007 - 06:45

I don't know how to ping stuff from the ASA.

My gateway that I received from ISP is xx.xx.xxy.1 and I can ping it with the old firewall. The firewall is connected to the wall and that leads us to the city network.

Gateway for the computers in the network is = firewall ip.

We have an really old firewall here that I'm trying to replace. It's so old that we can't even access it to check the configuration.

JBDanford2002 Sun, 07/08/2007 - 07:11

Ok. What type of firewall is the "old firewall"?

From the command line on the ASA just type the following:

ping xx.xx.xxy.1

SanderTaats Sun, 07/08/2007 - 11:00

The old firewall is a Pentium MMX computer with some Clavister firewall software I think.

I couldn't ping the gateway.

-------------------------------------------

Result of the command: "ping xx.xx.xxy.1"

Sending 5, 100-byte ICMP Echos to xx.xx.xxy.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

JBDanford2002 Sun, 07/08/2007 - 12:36

Is the old firewall still plugged in? Can you verify the IP/subnet mask of it.

Actions

This Discussion