08-19-2008 06:40 PM - edited 03-11-2019 06:33 AM
I bought a new ASA5510. As I worked with a PIX years ago I tried to configure the ASA myself; as I didn't have luck, I asked for help from a certified Cisco consultant, and he didn't have luck either, so I'm asking here. I was using ASDM to configure the ASA and the consultant was working with the CLI. The problem is really simple. Two configurations were tried: a simple one, one internal, one external, just HTTP from one public IP to one internal IP; then a more complicated configuration, one internal interface, one external, one DMZ. Both configurations didn't work: the ASA blocks the traffic to the server because of the implicit outside deny ACL, instead of the permit ACL configured, from 0.0.0.0 to public IP permit HTTP. Please, any help?
08-20-2008 12:10 AM
Claudio
Can you post the configuration you have at the moment ?
Jon
08-20-2008 06:18 AM
I used the getting started guide and configured the same topology as the chapter 6 DMZ configuration, except for the IPs, so I have an external public IP, sec level 0; an internal 192.168.1.254 255.255.255.0, sec level 100; DMZ on 192.168.168.1 255.255.255.0, sec level 50; one server on the DMZ, 192.168.168.10, with a web server active on port 80; configured IP pools for NAT in the DMZ from 192.168.168.2 to 192.168.168.254; configured PAT for the external interface; dynamic NAT configured from internal to DMZ and static from public IP to server IP; and finally an ACL on interface external, incoming, from 0.0.0.0 to public IP, any, http/www.
Traffic is blocked by the outside incoming implicit deny rule.
08-20-2008 01:25 PM
Nobody knows how this configuration should work?
08-20-2008 01:38 PM
Can you post your current config? Without this nobody is really going to be able to help you.
08-20-2008 02:35 PM
Do you want a file from the firewall with the current configuration?
08-20-2008 02:46 PM
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *PUBLIC IP* 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.168.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CLST -4
clock summer-time CLDT recurring 2 Sun Oct 0:00 2 Sun Mar 0:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service MYSERVICES tcp
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host *PUBLIC IP* eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 192.168.168.2-192.168.168.254 netmask 255.255.255.0
nat (inside) 200 192.168.1.0 255.255.255.0
static (DMZ,outside) *PUBLIC IP* 192.168.168.10 netmask 255.255.255.255
static (outside,DMZ) 192.168.168.10 *PUBLIC IP* netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *PUBLIC GATEWAY* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.10.10.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 10.10.10.2-10.10.10.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
08-20-2008 04:57 PM
any = 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any host *PUBLIC IP* eq www
Also, is *PUBLIC IP* the same ip throughout your config? If it is also the outside interface address, then your static needs the "interface" keyword.
static (DMZ,outside) interface 192.168.168.10 netmask 255.255.255.255
Also, get rid of this one...
no static (outside,DMZ) 192.168.168.10 *PUBLIC IP* netmask 255.255.255.255
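Added example, not part of the original thread or Jon's reply: a small Python model of why the first fix matters. On the ASA/PIX an extended ACE takes a real subnet mask, not an IOS-style wildcard, so "0.0.0.0 255.255.255.0" is the network 0.0.0.0/24 and matches no real Internet client, which is why the connection falls through to the implicit deny. The parser below is a deliberately simplified model of ASA ACL matching (it ignores NAT order, object-groups and the rest of the ACE grammar); the public IP 203.0.113.10 and client 198.51.100.7 are constructed placeholders for the redacted *PUBLIC IP*. It also includes a check for the second point in the reply (a static whose mapped address equals the outside interface address needs the "interface" keyword).

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed placeholders for the redacted *PUBLIC IP* (RFC 5737 ranges).
PUBLIC_IP = "203.0.113.10"          # mapped address of the DMZ web server
CLIENT_IP = "198.51.100.7"          # an arbitrary Internet client

# The ACE exactly as posted (placeholder filled in) and the corrected one.
ORIGINAL_ACE = (f"access-list outside_access_in extended permit tcp "
                f"0.0.0.0 255.255.255.0 host {PUBLIC_IP} eq www")
CORRECTED_ACE = (f"access-list outside_access_in extended permit tcp "
                 f"any host {PUBLIC_IP} eq www")

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Parse one ASA address spec starting at tokens[i].

    ASA/PIX ACLs take a real subnet mask here (255.255.255.0 = /24),
    not an IOS wildcard, so '0.0.0.0 255.255.255.0' is the network
    0.0.0.0/24, not 'anything'. 'any' is the only 'anything' spelling.
    """
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT]"""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins. If nothing matches, the implicit deny at the
    end of every applied access-list applies (ASDM shows it as the
    'implicit outside deny rule' this thread is about)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


def static_needs_interface_keyword(static_line: str, outside_if_ip: str) -> bool:
    """'static (DMZ,outside) MAPPED REAL netmask ...': when MAPPED is the
    outside interface's own address, the ASA wants the 'interface' keyword
    in place of the address (the second point in the reply above)."""
    tokens = static_line.split()
    if tokens[0] != "static":
        raise ValueError(f"not a static: {static_line}")
    mapped = tokens[2]
    return mapped == outside_if_ip


def demo():
    original = [parse_ace(ORIGINAL_ACE)]
    fixed = [parse_ace(CORRECTED_ACE)]
    print("original ACE source network:", original[0].src)   # 0.0.0.0/24
    print("original ACE, client -> web:", evaluate(original, "tcp", CLIENT_IP, PUBLIC_IP, 80))
    print("corrected ACE, client -> web:", evaluate(fixed, "tcp", CLIENT_IP, PUBLIC_IP, 80))
    print("corrected ACE, client -> ssh:", evaluate(fixed, "tcp", CLIENT_IP, PUBLIC_IP, 22))
    print("static needs 'interface':",
          static_needs_interface_keyword(
              f"static (DMZ,outside) {PUBLIC_IP} 192.168.168.10 netmask 255.255.255.255",
              PUBLIC_IP))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the posted ACE permitting only sources inside 0.0.0.0/24, so a real client is dropped by the implicit deny, while the "any" version permits port 80 and still drops everything else.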
08-21-2008 04:15 AM
YOU ARE THE MAN!!!!
Thanks!! Now that I see the solution I can see the error.