08-03-2007 09:11 AM - edited 02-21-2020 01:37 AM
Hi Guys,
I have an ASA5520 with an interface to the internet on a /28 public network and an interface to a /24 public network - I will connect other interfaces to other networks in time, but I just want to get the thing working for now.
Anyway, I have set it up from the ASDM using the wizard and some extra config myself. I don't want NAT - i.e. I want hosts on the /24 network to be reachable at their original IP from the internet. I can ping anything from the firewall. I can ping the local interface from my test PC (on the /24 network) but I cannot ping, web, telnet etc. anything on the internet. However, the syslog shows the packets going through the firewall, and I have opened the rules up completely for testing.
Can anyone see why the test box cannot reach the internet and vice versa?
Is it NAT?
Config is below (* = omitted text).
Thanks,
Niall.
: Saved
:
ASA Version 7.0(6)
!
hostname cr01-sh
domain-name *.net
enable password B6R1dZUX1mTgE6pC encrypted
names
name 213.*.*.2 Aurix01-s01
dns-guard
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 217.*.*.34 255.255.255.240
!
interface GigabitEthernet0/1
nameif Customer
security-level 10
ip address 213.*.*.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Customer_access_in extended permit ip any any log
access-list Customer_access_in extended permit icmp any any log
access-list Customer_access_in extended permit udp any any log
access-list Customer_access_in extended permit tcp any any log
access-list WAN_access_out extended permit tcp any any log
access-list WAN_access_out extended permit udp any any log
access-list WAN_access_out extended permit icmp any any log
access-list WAN_access_out extended permit ip any any log
access-list WAN_access_in extended permit ip any host Aurix01-s01
access-list WAN_access_in extended permit icmp any host Aurix01-s01
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Customer 1500
mtu management 1500
no failover
monitor-interface WAN
monitor-interface Customer
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group Customer_access_in in interface Customer
route WAN 0.0.0.0 0.0.0.0 217.*.*.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 WAN
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:74609abf4a90bd20175922f0ae6b0e52
: end
08-03-2007 09:16 AM
try...
static (Customer,WAN) 213.x.x.0 213.x.x.0 netmask 255.255.255.0
or
access-list nat0 extended permit ip 213.x.x.0 255.255.255.0 any
nat (Customer) 0 access-list nat0
or
nat (Customer) 0 213.x.x.0 255.255.255.0
08-03-2007 09:43 AM
Since you haven't enabled nat-control, nothing is NATed by default. You don't need to do anything except add the appropriate ACLs.
For ICMP traffic, you have to explicitly allow echo-replies back in:
permit icmp any any echo-reply
or
enable ICMP inspection.
08-03-2007 12:57 PM
Thanks for the reply.
I couldn't get DNS or web either - permit icmp any any echo-reply notwithstanding. Do I not have the correct ACLs in place for web browsing?
Thanks again,
Niall.
08-03-2007 01:36 PM
Your ACLs Customer_access_in and WAN_access_out are allowing everything and are not needed. I would remove them and you will have the same effect.
You are allowing ICMP from any into the WAN interface but only to Aurix01-s01. Is that where you're pinging from?
08-03-2007 01:45 PM
Yes, Aurix01-s01 is my test box and is what I am trying to ping, web browse etc. from.
I opened it wide open for testing to try to see if the problem was ACL-related.
To recap, I can ping anywhere from the ASA, and I can see the ICMP or DNS build and teardown in the syslog when pinging from the test box. I don't see any dropped packets in the syslog.
Thanks again for your help on this.
Niall.
08-03-2007 06:07 PM
Try removing the following two:
access-group WAN_access_out out interface WAN
access-group Customer_access_in in interface Customer
Once you add those ACLs you have to start explicitly allowing a lot of other things, like ICMP echo requests (permit icmp any any echo).
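The advice in the two replies above written out against the posted config, as an added example rather than text from any poster in the thread. It assumes the ASA 7.0 syntax used in the posted config and reuses the 213.x.x.0 placeholder from the first reply.

```cisco
! Added example, not from the thread: the replies' advice applied to the posted config.
!
! 1. Unbind and delete the permit-everything ACLs. Customer (level 10) to WAN (level 0)
!    is allowed by default, so they add nothing, and once an ACL is bound to an
!    interface only what that ACL explicitly permits passes in that direction.
no access-group WAN_access_out out interface WAN
no access-group Customer_access_in in interface Customer
clear configure access-list WAN_access_out
clear configure access-list Customer_access_in
!
! 2. WAN_access_in stays, but note it is host-specific. Without ICMP inspection an
!    echo-reply is just a new inbound packet, so a ping from any other host on the /24
!    would be dropped here even though the outbound echo was logged as built.
!    To rely on the ACL alone, the reply direction has to be opened for the whole block:
access-list WAN_access_in extended permit icmp any 213.x.x.0 255.255.255.0 echo-reply
!
! 3. Alternative to per-host echo-reply permits: make ICMP stateful by adding it to the
!    existing inspection class, so the reply is matched to the outbound echo instead.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 4. nat-control is off in the posted config, so identity NAT is not required. If it is
!    ever enabled, exempt the customer block so the hosts keep their public addresses.
access-list nat0 extended permit ip 213.x.x.0 255.255.255.0 any
nat (Customer) 0 access-list nat0
```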
08-04-2007 10:05 AM
Thanks for the help again.
OK - I have re-run the setup wizard, tested, played around with changing the security levels so the WAN was lower than the customer interface and still nothing. Removed and re-added ACLs etc.; still nothing.
I have a theory:
I wonder if my ISP has loaded in the routes to the customer network?
I ran a tracert from my home to the WAN router (gateway for the ASA) and it resolved in 10 hops. I then ran a tracert to the Aurix01-s01 IP (on the customer network) and it partially resolved to 5 hops and then timed out - it timed out once it made it to my ISP's core router! Would this be because they have not loaded the route for the customer network we have ordered?
Would this be why I cannot get internet access through the ASA because the default gateway doesn't know of the network it is coming from and it is not coming from the interface for its default route?
Also would this be why the ASA shows the ping build and tear down in the syslog and no dropped packets but nothing gets out?
Thanks again for your help.
Niall.
08-06-2007 06:55 AM
Just a quick update - it seems the whole problem was my ISP - they had not loaded the routes for the network on the inside interface (Customer) - I can now ping etc.
However, I have removed all the rules from the ASDM so that there are just the default rules, and now I can ping and resolve DNS but cannot browse the web. I have checked it is not the test box by substituting another.
Any ideas?
PS - Sorry for the wild goose chase.
Thanks,
Niall.