12-20-2007 09:22 AM - edited 03-12-2019 05:53 PM
Hi,
Hope that someone can shed some light on the issue, which I think is a problem. I am trying to configure the ASA firewall behind a 3800 router, and the default route for the firewall is pointing to the router (via public IP).
After I had configured all the interfaces on the ASA and added the "nat-control" and "static" statements, all the machines are able to get to the Internet without the need for an access list. Is this the correct behaviour?
Here is the configuration I had done on the ASA.
========================================
ASA Version 7.2(3)
!
hostname Firewall
enable password xxx
names
name 1xx.xx.xx.xx A-EXT
name 192.168.10.2 A-INT
name 1xx.xx.xx.xx B-EXT
name 192.168.10.3 B-INT
name 192.168.10.4 C-INT
name 1xx.xx.xx.xx C-EXT
name 1xx.xx.xx.xx D-EXT
name 192.168.10.5 D-INT
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 116.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd xxx
no ftp mode passive
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
static (Inside,Outside) A-EXT A-INT netmask 255.255.255.255
static (Inside,Outside) B-EXT B-INT netmask 255.255.255.255
static (Inside,Outside) C-EXT C-INT netmask 255.255.255.255
static (Inside,Outside) D-EXT D-INT netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 116.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
========================================
12-20-2007 09:32 AM
Since nat-control is enabled, only hosts with static statements should be able to get out.
For everyone that doesn't have a static statement to get out, you can add the following statements:
nat (inside) 1 0 0
global (outside) 1 interface
This will PAT all other inside IPs to the external interface of the ASA.
12-20-2007 09:53 AM
Hello Srue,
Thanks for the reply.
So the behaviour is actually normal and nothing to be alarmed about? Because the last time I configured a PIX, I had to specifically add an access list before all the machines could access the Internet.
Thanks,
Tan
12-20-2007 10:03 PM
Hi,
Now I am getting more and more confused about using access lists on the ASA. I am still at the beginner stage of using the ASA and tried to configure it. First the NAT problem and now the access lists. Please provide some suggestions/info on whether I am doing the right thing on the device.
The config is as follows:
========================================
ASA Version 7.2(3)
!
hostname Firewall
enable password utCRxZC9Wy3lLvgs encrypted
names
name 1xx.xx.xx.xx A-EXT
name 192.168.10.2 A-INT
name 1xx.xx.xx.xx B-EXT
name 192.168.10.3 B-INT
name 192.168.10.4 C-INT
name 1xx.xx.xx.xx C-EXT
name 1xx.xx.xx.xx D-EXT
name 192.168.10.5 D-INT
name 203.xx.xx.xx Office-Public
name 63.xx.xx.xx A-Head-Office
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 116.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
same-security-traffic permit inter-interface
access-list Outside_access_in extended permit tcp host Office-Public host A-EXT
access-list Inside_access_out extended permit tcp host A-INT host Office-Public eq https
access-list Inside_access_out extended permit tcp host A-INT host A-Head-Office eq 9012
access-list Inside_access_out extended permit udp host A-INT host A-Head-Office eq 9012
access-list Inside_access_out extended permit tcp host Office-Public host A-INT eq https
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 192.168.10.0 255.255.255.0
static (Inside,Outside) A-EXT A-INT netmask 255.255.255.255
static (Inside,Outside) B-EXT B-INT netmask 255.255.255.255
static (Inside,Outside) C-EXT C-INT netmask 255.255.255.255
static (Inside,Outside) D-EXT D-INT netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 116.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:282a3f77769a7500573c447fafca0fda
========================================
I am trying to allow HTTPS access from Office-Public to A-INT, and I am very confused about why the statement below must be there in order for traffic to flow.
"access-list Inside_access_out extended permit tcp host Office-Public host A-INT eq https"
Any help on this is greatly appreciated.
Merry Christmas,
Confused Tan
12-21-2007 08:17 PM
Hi Tan
Think about it: does the 203.xx.xx.xx client type https://192.168.10.2 to reach A-INT, which is at a remote office? No. They type A-EXT.
203.xx.xx.xx is an outside address and 192.168.10.2 is an inside one. So the traffic is from outside to inside. Can we define this as Inside_access_out? No.
So the statement you mention mustn't be there. What you have to do is
access-list outside_access_in permit tcp host Office-Public host A-EXT eq https
access-group outside_access_in in interface outside
Regards
12-22-2007 12:24 AM
Hello Husycisco,
Thanks for your feedback.
I did try the statements that you mentioned, but still, the traffic does not go through from outside to inside. I always get an error message about "deny by inside_access_out". Until I put in the statement as if the traffic is from inside to outside, nothing works; with it, everything works fine. I knew that the statement should not be there, but after some troubleshooting, I still have no other option but to put in the statement to let it flow.
Do you have any ideas what could be the problem?
Thanks a lot.
12-22-2007 02:36 AM
Hi,
More information about the problem.
When I keyed in the following, I continued to get the errors about "deny by inside_access_out".
access-list inside_access_out permit tcp host A-INT host Office-Public eq https
access-list outside_access_in permit tcp host Office-Public host A-EXT eq https
access-group outside_access_in in interface outside
I believe the above statements should be enough for the traffic to flow through (the static statement is already there), but somehow it still does not work. I think there is an error somewhere in the configuration which caused this problem, but I just could not pinpoint it.
Any help on this is greatly appreciated.
Thanks,
Tan
12-22-2007 09:29 AM
Tan,
Please post the complete syslog message
And try this
no access-group inside_access_in out interface inside
access-group inside_access_in in interface inside
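A toy model of the evaluation order this thread is wrestling with (srue's point that nat-control blocks inside hosts without a translation, and Husycisco's point about binding the inside ACL "in" rather than "out"), added here as an illustration; it is not Cisco code and not from any poster. It assumes constructed placeholder public addresses (the thread redacts them), first-match ACLs with an implicit deny, security levels deciding when no ACL is bound, and that an ACL bound "out" on Inside is checked after translation with the real inside address as destination, which is what reproduces Tan's "deny by inside_access_out" message.

```python
# Simplified model of how an ASA 7.x evaluates a new connection (nat-control, security
# levels, access-groups). Added illustration, not Cisco code; public IPs are placeholders.
SEC_LEVEL = {"Outside": 0, "Inside": 100}
A_EXT, A_INT, OFFICE_PUBLIC = "198.51.100.10", "192.168.10.2", "203.0.113.5"
STATIC = {A_EXT: A_INT}             # static (Inside,Outside) A-EXT A-INT: mapped -> real
NAT_CONTROL = True                  # nat-control: inside hosts need a translation to get out

def iface_of(ip):
    """Interface that owns an address (the thread only uses Inside and Outside)."""
    return "Inside" if ip.startswith("192.168.10.") else "Outside"

def acl_permits(acl, proto, src, dst, port):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, p, s, d, pt in acl:
        if p == proto and s == src and d == dst and pt in (None, port):
            return action == "permit"
    return False

def allowed(groups, acls, proto, src, dst, port, dynamic_nat=False):
    """groups maps (interface, 'in'|'out') -> ACL name; returns 'permit' or a deny reason."""
    in_if = iface_of(src)
    real_dst = STATIC.get(dst, dst)  # inbound traffic is addressed to the mapped (A-EXT) IP
    out_if = iface_of(real_dst)
    # 1. nat-control: an inside host with no static and no nat/global rule cannot go out
    if (NAT_CONTROL and in_if == "Inside" and out_if == "Outside"
            and src not in STATIC.values() and not dynamic_nat):
        return "deny: no translation group found"
    # 2. ACL bound "in" on the ingress interface; without one, security levels decide
    name = groups.get((in_if, "in"))
    if name:
        if not acl_permits(acls[name], proto, src, dst, port):
            return "deny by " + name
    elif SEC_LEVEL[in_if] <= SEC_LEVEL[out_if]:
        return "deny by security level"
    # 3. ACL bound "out" on the egress interface is checked after translation, so
    #    Outside->Inside traffic reaches it with the real inside address as destination
    name = groups.get((out_if, "out"))
    if name and not acl_permits(acls[name], proto, src, real_dst, port):
        return "deny by " + name
    return "permit"

# Tan's second config versus Husycisco's suggestion of binding the inside ACL "in"
ACLS = {"Outside_access_in": [("permit", "tcp", OFFICE_PUBLIC, A_EXT, 443)],
        "Inside_access_out": [("permit", "tcp", A_INT, OFFICE_PUBLIC, 443)]}
TAN = {("Outside", "in"): "Outside_access_in", ("Inside", "out"): "Inside_access_out"}
FIXED = {("Outside", "in"): "Outside_access_in", ("Inside", "in"): "Inside_access_out"}

if __name__ == "__main__":
    print(allowed(TAN, ACLS, "tcp", OFFICE_PUBLIC, A_EXT, 443))    # deny by Inside_access_out
    print(allowed(FIXED, ACLS, "tcp", OFFICE_PUBLIC, A_EXT, 443))  # permit
```

Running it with no access-groups at all reproduces the first post: a host with a static gets out, one without is stopped by nat-control, and outside-to-inside is stopped by security level.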
12-23-2007 10:38 PM
Hi Husycisco,
Thanks for your help.
I actually upgraded the ASA software to the latest version and everything works fine!! I do not know why this is so, but the upgrade did the magic. Thanks for your help on the issue; I greatly appreciate your effort. Hope you have a wonderful Christmas and New Year.
Cheers,
Tan
12-24-2007 12:02 AM
Hi Tan
You are welcome. Would you please post your current running config if you have time, so we can determine the possible reasons? (For future users who may search and find your topic, this may help them.)
Hope you have a merry Christmas and a happy New Year.
Regards
12-25-2007 06:25 AM
Hello Husycisco,
Thanks for the feedback.
No problem posting the latest running config on the ASA. The information is attached to this posting.
I had created another post about creating GRE in this particular ASA. If you know anything about it, please do reply to the post. Thanks a lot in advance.
Thanks and Happy Holidays,
Tan