I'm new to Cisco firewalls and so apologise if this is a stupid question...
I have set up a firewall following the "Securing Networks with ASA" Cisco Press book, but I can get no traffic to traverse my firewall. It is an ASA 5510, and I just want to be able to ping across the device (at least this would be a great start!).
Here's my config:
ASA Version 8.0(5)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address 192.168.1.1 255.255.255.0
ip address 10.18.1.1 255.255.0.0
no ip address
no ip address
no ip address
ftp mode passive
access-list acl_outside extended permit ip any any
access-list acl_inside extended permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
I have a laptop in the correct network directly connected to each configured interface; I can see them if I do a "sh arp". They can both ping their local gateway, and I have disabled local firewalls on those hosts. The firewall builds the ICMP connection (I see this in the logs) but I get no replies.
I've also tried adding the following for my inside host:
static (inside,outside) 10.18.1.2 10.18.1.2 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 0 0
If I enable debug icmp trace I can see the echo-request packets hitting the firewall, but no replies. I can also see the output counter incrementing on the egress interface.
The "ip any any" ACL entries are there just for testing too.
In some ways I hope this is a very simple issue, because it is driving me crazy and I just want to get it working.
Many thanks in advance, and please let me know if you would like any further info or output.
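An added example, not part of the post above: a small Python linter for the ICMP-through-the-box situation the post describes. It parses an ASA 8.x running-config and reports the usual reasons echo requests cross the firewall while the replies never make it back. Two ASA behaviours drive the checks: without `inspect icmp` in the service policy the ASA does not match an echo reply to its request, so the reply is evaluated by the inbound ACL of the interface it arrives on; and `icmp permit any <iface>` only governs ICMP addressed to the ASA's own interface, not traffic passing through it. The sample config is constructed and modelled on the posted one; the interface stanzas (`interface Ethernet0/0`, `nameif`, `security-level`) are assumptions, since the post shows only the `ip address` lines.

```python
"""Lint an ASA 8.x config for the reasons ping crosses the box but replies never return.
Added example with a constructed sample config; not the poster's full running-config."""
import re
from dataclasses import dataclass, field


@dataclass
class AsaConfig:
    interfaces: dict = field(default_factory=dict)     # nameif -> {"ip": bool, "shutdown": bool}
    access_lists: dict = field(default_factory=dict)   # acl name -> [(action, proto, rest)]
    access_groups: dict = field(default_factory=dict)  # nameif -> acl name applied inbound
    inspections: set = field(default_factory=set)      # protocols inspected by the service policy


def parse_asa(text: str) -> AsaConfig:
    """Extract interfaces, ACLs, access-groups and 'inspect' lines from config text."""
    cfg = AsaConfig()
    iface = None  # attributes of the interface stanza currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            iface = {"ip": False, "shutdown": False}
            continue
        if not raw[0].isspace():
            iface = None                      # an unindented command ends the stanza
        if iface is not None:                 # interface sub-commands
            if line.startswith("nameif "):
                cfg.interfaces[line.split()[1]] = iface
            elif line.startswith("ip address "):
                iface["ip"] = True
            elif line == "shutdown":
                iface["shutdown"] = True
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+)\s*(.*)", line)
        if m:
            cfg.access_lists.setdefault(m[1], []).append((m[2], m[3], m[4]))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg.access_groups[m[2]] = m[1]
            continue
        m = re.match(r"inspect (\S+)", line)  # only appears inside a policy-map class
        if m:
            cfg.inspections.add(m[1])
    return cfg


def lint_icmp_path(cfg: AsaConfig) -> list:
    """Return human-readable findings; an empty list means nothing obvious blocks ping."""
    findings = []
    for name, attrs in cfg.interfaces.items():
        if attrs["shutdown"]:
            findings.append(f"interface {name} is shut down")
        if not attrs["ip"]:
            findings.append(f"interface {name} has no ip address")
    for name in cfg.access_groups:
        if name not in cfg.interfaces:
            findings.append(f"access-group references {name}, which has no nameif")
    if "icmp" not in cfg.inspections:
        # No stateful ICMP: the echo reply is checked by the inbound ACL of the
        # interface it arrives on, so that ACL must permit it explicitly.
        findings.append("no 'inspect icmp' in the service policy: ICMP replies are not tracked")
        for name, acl in cfg.access_groups.items():
            if not any(a == "permit" and p in ("ip", "icmp")
                       for a, p, _ in cfg.access_lists.get(acl, [])):
                findings.append(f"interface {name}: ACL {acl} would drop echo replies")
    for name, acl in cfg.access_groups.items():
        if ("permit", "ip", "any any") in cfg.access_lists.get(acl, []):
            findings.append(f"interface {name}: ACL {acl} permits ip any any (lab-only)")
    return findings


# Constructed sample modelled on the posted config. The interface stanzas are an
# assumption; "Ethernet0/0" and "Ethernet0/1" are placeholders.
BASE_CONFIG = """\
ASA Version 8.0(5)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.18.1.1 255.255.0.0
!
{acls}
access-group acl_outside in interface outside
access-group acl_inside in interface inside
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 10.18.1.2 10.18.1.2 netmask 255.255.255.255
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
{extra_inspect}
service-policy global_policy global
"""

# As posted: wide-open test ACLs and no ICMP inspection.
AS_POSTED = BASE_CONFIG.format(
    acls="access-list acl_outside extended permit ip any any\n"
         "access-list acl_inside extended permit ip any any",
    extra_inspect="")

# Tightened: ICMP inspected, outside closed, inside limited to ICMP from its own subnet.
TIGHTENED = BASE_CONFIG.format(
    acls="access-list acl_outside extended deny ip any any\n"
         "access-list acl_inside extended permit icmp 10.18.0.0 255.255.0.0 any",
    extra_inspect="  inspect icmp")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        print(f"== {label}")
        for finding in lint_icmp_path(parse_asa(text)) or ["no findings"]:
            print(" -", finding)
```

Run against the as-posted sample the linter reports the missing `inspect icmp` plus the two lab-only `permit ip any any` entries; against the tightened sample it reports nothing. The checks are deliberately conservative: they read the config only and cannot see interface state, routing or the hosts' own replies, so an empty result narrows the search rather than proving the path works.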