07-06-2007 01:52 AM - edited 03-11-2019 03:41 AM
Now I can reach the firewall from the internal network. But I still don't get internet access, nor can I see the dmz.
CiscoASA# show route
S 0.0.0.0 0.0.0.0 [1/0] via xx.xx.xxy.1, outside
C 10.16.0.0 255.255.252.0 is directly connected, outside
C 10.16.52.0 255.255.252.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
C 192.168.20.0 255.255.252.0 is directly connected, dmz
And the firewall config right now is:
asdm image disk0:/asdm506.bin
asdm location 192.168.20.100 255.255.255.255 dmz
asdm location 192.168.20.101 255.255.255.255 dmz
no asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname CiscoASA
domain-name DOMAINNAME
enable password AAAAAAAAAAAAA. encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.16.1.1 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 10.16.54.1 255.255.252.0
!
interface Ethernet0/2
nameif dmz
security-level 10
ip address 192.168.20.1 255.255.252.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd AAAAAAAAAAAAAA encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any host 192.168.20.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.20.101 eq www
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (dmz) 200 xx.xx.xxx.70-xx.xx.xxx.71 netmask 255.255.252.0
global (outside) 200 interface
nat (inside) 0 10.16.54.0 255.255.255.0
static (dmz,inside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255
static (dmz,inside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxy.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.16.54.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
What IP address should I use for the outside interface? I made one up, not sure what ip is needed there and where it is used.
07-06-2007 06:07 AM
1. Still working on this? Let's take one issue at a time. What is the topology of your network? Usually you do not make up an ip address for the outside of your firewall. It appears you have some public IPs, xx.xx.xxx.70 and xx.xx.xxx.71 for instance. Are you natting somewhere outside the ASA?
2. Your access-list entries are not correct, they need to look like this.
access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www
3. You cannot see the internet because you are not natting inside hosts.
4. To see the dmz from the inside, add this...
static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.252.0
07-07-2007 02:56 PM
I reset everything to factory default after learning some more about what the different settings do. The result is the same though, I'm afraid. I can't access the internet nor the dmz.
----------------------------------------
inside = 10.16.54.0 255.255.255.0
firewall ip = 10.16.54.1
dhcp = 10.16.54.10
computers in network = 10.16.54.11-10.16.54.100
----------------------------------------
dmz 192.168.20.100-192.168.20.102 255.255.255.0
I have 3 servers in dmz.
192.168.20.100 = webserver, needs to send mail with 192.168.20.102
192.168.20.101 = web + sql + mail server
192.168.20.102 = mail server
----------------------------------------
outside xx.xx.xxx.70
I used one of the 2 public IPs we have as outside IP, not sure if that was correct or not.
----------------------------------------
We have 2 public IPs.
xx.xx.xxx.70 255.255.252.0
xx.xx.xxx.71 255.255.252.0
xx.xx.xxx.70 -> 192.168.20.100 www
xx.xx.xxx.70 -> 192.168.20.102 smtp
xx.xx.xxx.71 -> 192.168.20.101 www
xx.xx.xxx.71 -> 192.168.20.101 smtp
----------------------------------------
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(6)
!
hostname CiscoASA
domain-name AAAAAAAAAAA
enable password AAAAAAAAAAAAAAAAAA encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 100
ip address xx.xx.xxx.70 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 10.16.54.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq smtp
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.255.0
static (dmz,outside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255
static (dmz,outside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route dmz xx.xx.xxx.71 255.255.255.255 xx.xx.xxy.1 1
route dmz xx.xx.xxx.70 255.255.255.255 xx.xx.xxz.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.16.54.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
: end
07-07-2007 04:28 PM
Please try the following:
Your security levels are backwards. The outside interface is considered less secure and should be given a lower security level such as 0. The inside is most trusted and should be given the highest (100). Higher Security levels have access to lower security levels by default.
interface Ethernet0/0
security-level 0
interface Ethernet0/1
security-level 100
exit
You are creating a static from the outside ip of your asa to an inside host. Let's configure port translation instead. We will also want to use the outside interface IP for PAT which will be needed by the inside interface hosts to get out to the internet.
no static (dmz,outside) xx.xx.xxx.70 192.168.20.100 netmask 255.255.255.255
static (dmz,outside) tcp interface 80 192.168.20.100 80
static (dmz,outside) tcp interface 25 192.168.20.100 25
nat (inside) 1 0 0
global (outside) 1 interface
wr mem
Now make sure you can ping your default gateway from the ASA. Also post the result of a "sh int e0/0"
Also the tutorial I made is for 6.3(5) but is still pretty much relevant:
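A small checker, added here and not part of the thread or of any Cisco tooling, that applies the three points made in this reply (security-level ordering, a nat/global pair for inside hosts, the static (inside,dmz) identity entry) to the interface and NAT lines of a pasted ASA 7.0 running-config. The sample configs inside it are constructed from the thread's posts with the public address omitted; the function names and the wording of the findings are assumptions of this example.

```python
import re

# Constructed sample (not the thread's config verbatim): its interface blocks, public address omitted.
BEFORE = """\
interface Ethernet0/0
 nameif outside
 security-level 100
!
interface Ethernet0/1
 nameif inside
 security-level 90
!
interface Ethernet0/2
 nameif dmz
 security-level 50
!
"""
# The same config with the thread's proposed corrections applied.
AFTER = (BEFORE.replace("security-level 100", "security-level 0")
               .replace("security-level 90", "security-level 100")
         + "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n"
         + "static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.255.0\n")

def parse(cfg):
    # security level per nameif, nat/global ids per interface, (real,mapped) static pairs
    levels, nat, glob, statics, cur = {}, {}, {}, [], {}
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"(nameif|security-level) (\S+)", s):
            cur[m.group(1)] = m.group(2)
        elif s == "!" and cur:                        # end of an interface block
            levels[cur.pop("nameif")] = int(cur.pop("security-level"))
        elif m := re.match(r"(nat|global) \((\w+)\) (\d+) ", s):
            table = nat if m.group(1) == "nat" else glob   # nat and global pair by numeric id
            table.setdefault(m.group(2), set()).add(int(m.group(3)))
        elif m := re.match(r"static \((\w+),(\w+)\) ", s):
            statics.append((m.group(1), m.group(2)))
    return levels, nat, glob, statics

def lint(cfg):
    levels, nat, glob, statics = parse(cfg)
    checks = [
        (levels["outside"] < levels["dmz"] < levels["inside"],
         "security levels must satisfy outside < dmz < inside, got %s" % levels),
        ((nat.get("inside", set()) - {0}) & glob.get("outside", set()),  # id 0 is identity NAT, no pool
         "no nat (inside) id paired with a global (outside): no internet for inside hosts"),
        (("inside", "dmz") in statics,
         "missing static (inside,dmz) identity translation: inside cannot reach the dmz"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running lint(BEFORE) reports all three problems the reply points out; lint(AFTER) returns an empty list.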
07-08-2007 06:17 AM
Now I could access dmz but it was very slow. Couldn't ping it either and no internet access.
---
Result of the command: "sh int e0/0"
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address A, MTU 1500
IP address xx.xx.xxx.70, subnet mask 255.255.252.0
170 packets input, 10900 bytes, 0 no buffer
Received 163 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
286 packets output, 18304 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (7/0) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/0)
Traffic Statistics for "outside":
8 packets input, 382 bytes
1 packets output, 28 bytes
7 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
---
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(6)
!
hostname CiscoASA
domain-name A
enable password A encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xx.xx.xxx.70 255.255.252.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.16.54.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd A encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xxx.70 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xxx.71 eq smtp
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.20.100 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.20.100 smtp netmask 255.255.255.255
static (inside,dmz) 10.16.54.0 10.16.54.0 netmask 255.255.255.0
static (dmz,outside) xx.xx.xxx.71 192.168.20.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route dmz xx.xx.xxx.71 255.255.255.255 xx.xx.xxy.1 1
route dmz xx.xx.xxx.70 255.255.255.255 xx.xx.xxy.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.16.54.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:AAA
: end
07-08-2007 06:38 AM
So from the ASA you could not ping the internet? What is the ASA connected to? Are you on a cable connection vs. a T1? Can you ping your default gateway?
07-08-2007 06:45 AM
I don't know how to ping stuff from the ASA.
My gateway that I received from ISP is xx.xx.xxy.1 and I can ping it with the old firewall. The firewall is connected to the wall and that leads us to the city network.
Gateway for the computers in the network is = firewall ip.
We have a really old firewall here that I'm trying to replace. It's so old that we can't even access it to check the configuration.
07-08-2007 07:11 AM
Ok. What type of firewall is the "old firewall"?
From the command line on the ASA just type the following:
ping xx.xx.xxy.1
07-08-2007 11:00 AM
The old firewall is a Pentium MMX computer with some Clavister firewall software I think.
I couldn't ping the gateway.
-------------------------------------------
Result of the command: "ping xx.xx.xxy.1"
Sending 5, 100-byte ICMP Echos to xx.xx.xxy.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
07-08-2007 12:36 PM
Is the old firewall still plugged in? Can you verify the IP/subnet mask of it?