ASA5510 configuration

Aug 19th, 2008
I bought a new ASA5510. As I worked with a PIX years ago, I tried to configure the ASA myself; as I didn't have luck, I asked for help from a certified Cisco consultant, and he didn't have luck either, so I'm asking here. I was using ASDM to configure the ASA and the consultant was working with the CLI. The problem is really simple: two configurations were tried, a simple one (one internal, one external, just HTTP from one public IP to one internal IP), then a more complicated configuration (one internal interface, one external, one DMZ). Both configurations didn't work; the ASA blocks the traffic to the server because of the implicit outside deny ACL, instead of the permit ACL configured, from 0.0.0.0 to the public IP permit HTTP. Please, any help?

Jon Marshall Wed, 08/20/2008 - 00:10
Claudio


Can you post the configuration you have at the moment ?


Jon

claudio.lara Wed, 08/20/2008 - 06:18
I used the getting started guide and configured the same topology as in the chapter 6 DMZ configuration, except the IPs, so I have an external public IP (security level 0), an internal 192.168.1.254 255.255.255.0 (security level 100), a DMZ on 192.168.168.1 255.255.255.0 (security level 50), one server on the DMZ at 192.168.168.10 with a web server active on port 80; I configured IP pools for NAT in the DMZ from 192.168.168.2 to 192.168.168.254, configured PAT for the external interface, dynamic NAT from internal to DMZ and static from the public IP to the server IP, and finally an ACL on the external interface, incoming, from 0.0.0.0 to the public IP, any, http/www.

Traffic is blocked by the outside incoming implicit deny rule.


tlessard1 Wed, 08/20/2008 - 13:38
Can you post your current config? Without this nobody is really going to be able to help you.

claudio.lara Wed, 08/20/2008 - 14:35
Do you want a file from the firewall with the current configuration?

claudio.lara Wed, 08/20/2008 - 14:46
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *PUBLIC IP* 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.168.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CLST -4
clock summer-time CLDT recurring 2 Sun Oct 0:00 2 Sun Mar 0:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service MYSERVICES tcp
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host *PUBLIC IP* eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 192.168.168.2-192.168.168.254 netmask 255.255.255.0
nat (inside) 200 192.168.1.0 255.255.255.0
static (DMZ,outside) *PUBLIC IP* 192.168.168.10 netmask 255.255.255.255
static (outside,DMZ) 192.168.168.10 *PUBLIC IP* netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *PUBLIC GATEWAY* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.10.10.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 10.10.10.2-10.10.10.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

acomiskey Wed, 08/20/2008 - 16:57
any = 0.0.0.0 0.0.0.0


access-list outside_access_in extended permit tcp any host *PUBLIC IP* eq www


Also, is *PUBLIC IP* the same ip throughout your config? If it is also the outside interface address, then your static needs the "interface" keyword.


static (DMZ,outside) interface 192.168.168.10 netmask 255.255.255.255


Also, get rid of this one...


no static (outside,DMZ) 192.168.168.10 *PUBLIC IP* netmask 255.255.255.255
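
As an added illustration (not code from the thread or from Cisco), a small Python check that parses ASA 7.x extended access-list lines and evaluates them the way the firewall would, showing why the posted entry never matches an Internet client while the corrected "any" entry does. The public IP 198.51.100.10 and the client 203.0.113.5 are constructed placeholders standing in for *PUBLIC IP* and a real source.

```python
import ipaddress
import re

# Added example, not the thread's own code. ASA ACLs take a real subnet mask
# (not an IOS wildcard mask), so "0.0.0.0 255.255.255.0" is the /24 network
# 0.0.0.0-0.0.0.255, while "any" is "0.0.0.0 0.0.0.0", i.e. 0.0.0.0/0.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_addr_spec(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> ip_network."""
    spec = spec.strip()
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(line):
    """Parse one access-control entry into its fields (networks as ip_network)."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACL line: {line!r}")
    return {"name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": parse_addr_spec(m["src"]), "dst": parse_addr_spec(m["dst"]),
            "port": m["port"]}

def acl_matches(entry, src_ip, dst_ip, port):
    """True if a packet src_ip -> dst_ip:port hits this entry (port names as on ASA, e.g. 'www')."""
    return (ipaddress.ip_address(src_ip) in entry["src"]
            and ipaddress.ip_address(dst_ip) in entry["dst"]
            and (entry["port"] is None or entry["port"] == port))

def source_is_any(entry):
    """The source really covers every address only when the prefix length is 0."""
    return entry["src"].prefixlen == 0

# Constructed placeholders: 198.51.100.10 stands in for *PUBLIC IP*,
# 203.0.113.5 for an Internet client. POSTED is the original entry, FIXED the corrected one.
POSTED = "access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 198.51.100.10 eq www"
FIXED = "access-list outside_access_in extended permit tcp any host 198.51.100.10 eq www"

if __name__ == "__main__":
    for line in (POSTED, FIXED):
        e = parse_acl(line)
        hit = acl_matches(e, "203.0.113.5", "198.51.100.10", "www")
        print(f"source {e['src']} ({e['src'].num_addresses} addresses) -> client matched: {hit}")
```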


claudio.lara Thu, 08/21/2008 - 04:15
YOU ARE THE MAN!!!!


Thanks!! Now that I see the solution I can see the error.
