04-28-2009 01:21 AM
Hello All,
I just procured a 5505 and am trying the following in a test lab:
2 vlans 3 and 4 made on a switch
eth 0 of firewall in vl 3
eth 1 vlan 4
int vlan 3 ip add 172.16.1.1
int vl 4 i add 10.1.1.1
firewall mode router
int vl 4 inside
int vl 3 nameif test_conn
nat (inside) 1 10.1.1.0 255.255.255.0
global (test_connection) 1 interface
It seems that for some reason my firewall does not pass the traffic.
All routes are there, and the ACL allows all.
No idea how to work with this device.
Does somebody have any guide about it? On Cisco it's all confusing!
Thanks
Vlad
04-28-2009 04:27 AM
Check your license - an IP Security Base license has minimal features - see the below data sheet on model/license features:
HTH
04-28-2009 05:30 AM
The thing is, I have a Sec Plus license...
I had a PIX before this ASA; could it be that the hosts know the MAC of the PIX for the Inside interface?
The PIX had the same IP on the Inside.
Thanks,
04-28-2009 05:36 AM
I find it hard to believe that the ARP/MAC tables of the devices in your lab have not timed out since the PIX/ASA swap!
Post the config of the ASA for review - remove sensitive config.
04-28-2009 05:44 AM
interface Vlan3
nameif Outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 4
!
!
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group acl_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
This is the config. As I said, it's a lab, so there's nothing much there except some RADIUS config.
Thanks,
04-28-2009 05:47 AM
You have no ACL allowing the ICMP echo-replies on the outside interface.
You are limiting hosts on the "inside" - is this what you really want to do?
I suggest the below config:
access-list outside-in permit icmp any any echo-reply
access-group outside-in in interface outside
no access-group acl_in in interface inside
and see if this gives the desired lab results.
04-28-2009 05:51 AM
So what you suggest is allowing ICMP on the Outside int? How does that impact the TCP/UDP traffic from the inside LAN?
I actually want hosts from 10.x.x.x to access hosts on 172.x.x.x.
Thanks,
04-28-2009 05:59 AM
You have to allow ICMP echo-reply back through the outside interface to get the response - currently your outside interface has a security level of 0, so you need an ACL to allow non-stateful traffic to be permitted from outside to inside.
If you need that, then you do not need an ACL on the inside interface, as the ASA will permit ALL traffic from a higher security interface to a lower interface by default.
I suggest you review your old PIX config - the ASA/PIX only differ between versions 6.x and 7/8.x.
HTH
04-28-2009 06:17 AM
I don't want any ICMP traffic from the inside to outside. That can be controlled globally as well anyway.
What I want is for TCP/UDP traffic to pass from Inside to the Outside (higher to lower), that is all, and that's what does not work now.
No host on the Inside can access any host on the outside, so traffic between 10 and 172 does not happen.
Thanks,
Vlad
04-28-2009 06:22 AM
OK, so now I am confused - a previous post had "access-list acl_in extended permit icmp any any", and this DOES allow ICMP from the inside to the outside.
OK - does the device 172.16.1.254 know that the network 10.1.1.0 255.255.255.0 is reachable via 172.16.1.1?
04-28-2009 06:26 AM
Sorry for confusing you, that was there just for fun... ;)
Yes, all routing is in place. The funny thing is that I replaced the ASA 5505 with a PIX 515 running 8.0 and everything works fine.
This is what's bothering me and I can't understand it.
Thanks,
04-28-2009 06:29 AM
OK - I presume that 172.16.1.254 is a router? Enable tcp-small-servers on this device.
Do you have nat-control configured?
From a host on the inside, telnet to 172.16.1.254 19 and check what the xlate table on the ASA indicates.
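Added example, not posted by anyone in the thread: the configuration the replies above converge on (security levels doing the inside-to-outside permit, an outside-in ACL only for the ICMP replies, pre-8.3 nat/global PAT as in the posted config), followed by the checks the last reply asks for. Addresses and interface names are the ones posted; the inside test host 10.1.1.10 and chargen (port 19) on the 172.16.1.254 router are assumptions. The icmp inspection lines are an alternative to the echo-reply ACL, not something the thread suggested.

```cisco
! Added example (not from the thread). ASA 5505, pre-8.3 NAT syntax as in the posted config.
! 10.1.1.10 (inside test host) and chargen on 172.16.1.254 are assumptions.
interface Vlan3
 nameif Outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
! No ACL on Inside: traffic from security-level 100 to 0 is permitted by default,
! and TCP/UDP return traffic is matched by the connection table.
! ICMP is NOT stateful unless "inspect icmp" is enabled, so echo-replies coming
! back in on Outside need either this ACL or icmp inspection (pick one).
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface Outside
!
! Alternative: make ICMP stateful, so no outside-in ACL is needed for ping.
policy-map global_policy
 class inspection_default
  inspect icmp
!
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
!
! --- Checks, run from the ASA console ---
! 1. Is nat-control on? If so, any inside host not matching a nat rule is dropped.
show running-config nat-control
! 2. Simulate the telnet-to-chargen test through route lookup, ACL, NAT and
!    inspection without needing the real host; the output names the phase that drops.
packet-tracer input Inside tcp 10.1.1.10 12345 172.16.1.254 19 detailed
! 3. After a real attempt from 10.1.1.10, the PAT entry and connection should be here.
!    No xlate means the packet never got as far as NAT (ACL, route or ARP problem).
show xlate
show conn
! 4. Confirm the ASA has actually resolved the next hop on Outside.
show arp
```

If packet-tracer reports ALLOW but `show xlate` stays empty after the real telnet, the packet is not reaching the ASA at all, which points back at the switch VLAN assignment or the inside hosts' ARP entries rather than at the firewall policy.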