ASA 5505 Stop traffic LAN

Unanswered Question
Apr 17th, 2008
User Badges:

Hi,


When i connect to existing LAN the ASA 5505, Stop trafic servers.


Why , what is missconfigured.


ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.0.2 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.7.0.1 255.255.0.0

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 100

ip address 10.6.0.1 255.255.0.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

switchport access vlan 3

!

interface Ethernet0/7

switchport access vlan 3

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) 10.1.0.0 10.7.0.0 netmask 255.255.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 04/17/2008 - 05:11
User Badges:
  • Green, 3000 points or more

Add a default route...


route outside 0.0.0.0 0.0.0.0

AdnanShahid Sat, 04/19/2008 - 02:43
User Badges:

Hi Acomiskey,


Hope fine.

I am having a problem in my Pix FW to block a particular network to go to the internet. Here is the scenerio.


My FW has 3 interfaces: Outside(Sce 0), Inside (Sec100) and DMZ(Sce50). Whole inside block (let say 10.x.x.x) is being NATed (Here using DynamicNAT/PAT) to the Outside Interface while going towards Internet. NAT 0 is using between Inside and DMZ Servers to communicate. Here is the configuration.


nat-control

global (Outside) 1 interface

nat (Inside) 1 access-list nat

access-list Nat_ACL extended permit ip 10.0.0.0 255.0.0.0 any log



Now what the problem is - I want to block a specific network 10.10.10.0/24 to go to the the Internet. I tried to change the Nat_ACL ACL here by denying the 10.10.10.0/24 to any and then allow/permit 10.x.x.x to any. But it didn't work.


Any suggestion or ideas or any other way how can I block this 10.10.10.0/24 to go to the Internet. Ur help would be highly appreciable.



Adnan






tyagi.v Thu, 04/17/2008 - 05:12
User Badges:

Hi,


I don't see any nat & acces list for DMZ traffic, also again check your static command.

husycisco Tue, 04/22/2008 - 02:41
User Badges:
  • Gold, 750 points or more

Hi Adnan,

All you have to do is assigning an ACL (Not NAT Acl) to inside interface as following


access-list inside_access_in deny tcp 10.10.10.0 255.255.255.0 0.0.0.0 0.0.0.0 eq www

access-list inside_access_in permit ip any any

access-group inside_access_in in interface inside


Regards


Actions

This Discussion