cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4331
Views
58
Helpful
32
Replies

Having trouble matching Old PIX and new ASA configs

KingPrawns
Level 1
Level 1

Hi, I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail.

First problem I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config.

Secondly, the server I have on there ("Sar") can't connect out to the internet.

I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on.

Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

Cheers,

1 Accepted Solution

Accepted Solutions

Great!!!! , yes it is an access-list issue.

we need to have  the following access-list:

access-list outside_access_in extended permit tcp any object Sar eq 3389

we would need to use the real ip of the server and not public ip, in version 8.3 or above.

This shoudl definitely resolve the issue for you.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

32 Replies 32

varrao
Level 10
Level 10

Hi Wez,

Just reload the upstream and downstream devices, connected to the ASA, to clear out their arp cache tables. That should help, if still issue persists, kindly post

Thanks,

Varun

Thanks,
Varun Rao

Adam Makovecz
Level 1
Level 1

hi,

if you replaced the firewall, the MAC address has been change. You need to clear the arp entries for the other devices to learn the new MAC address.

Also you can confirm by the packet capture that the packet reaches the ASA or not.

Packet capturing an firewalls: https://supportforums.cisco.com/docs/DOC-17345

kind regards

Adam

What do you mean by reload the devices? Would power cycling them work? The firewall connects to a managed modem provided by my ISP, I don't have access to it's configuration directly.

I've managed to get the server to ping the firewall now (wrong subnet) but still can't connect out to the internet.

Yes, a power cycle would work fine.

Thanks,

Varun

Thanks,
Varun Rao

Power cycled the router that the ASA connects into with no luck. Haven't restarted my server though, but I don't think that'd be the problem.

Out of interest, If I wanted to check that the firewall has connectivity, could I ping a server outside my network like google.com?

Following the capture instructions now, got a question about it though.

It says to set up access list for 10.10.10.1 as the client IP. Is that an external server like 4.2.2.2 or the ip of the router/firewall?

KingPrawns
Level 1
Level 1

bt# sho run

: Saved

:

ASA Version 8.4(1)

!

hostname bt

domain-name mcserv.co.uk

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.20.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xxx.xxx.9.130 255.255.255.192

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name mcserv.co.uk

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Sar

host 10.20.3.151

object network Sar_Outside

host xxx.xxx.9.151

object-group network WebServers

network-object object Sar_Outside

object-group service WebsiteTraffic

description Website required services

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

access-list outside_access_in extended permit tcp any object Sar_Outside eq 3389

access-list outside_access_in extended permit object-group WebsiteTraffic any object-group WebServers

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

object network Sar

nat (inside,outside) static Sar_Outside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.20.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map global-class

match default-inspection-traffic

!

!

policy-map type inspect dns dns-map

parameters

  message-length maximum client 512

  message-length maximum 512

policy-map global-policy

class global-class

  inspect dns dns-map

  inspect ftp

  inspect icmp

  inspect icmp error

  inspect http

  inspect rtsp

  inspect rsh

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect tftp

!

service-policy global-policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2b24cf92dd709b0721cd29819d300c39

: end


Here is the current running config for those who don't want to have to dl the attachment

yes, but you have to allow the icmp  on the outside interface's ACL

Please take captures on the firewall as suggested by Adam, try pinging 4.2.2.2, from the server machine, check in the captures whether the packets are reaching the firewall and being forwarded to the router.

Varun

Thanks,
Varun Rao

Hi Wez,

access-list cap permit ip host 10.20.3.151 host 4.2.2.2

access-list cap permit ip host 4.2.2.2 host 10.20.3.151

access-list cap permit ip host  host 4.2.2.2 host xxx.xxx.9.151

access-list cap permit ip host host xxx.xxx.9.151 host 4.2.2.2

capture capin access-list cap interface inside

capture capo access-list cap interface outside

Try pinging from the servers to 4.2.2.2, and then do show cap capin and show cap capo.

Make sure you permit the ping return traffic by adding an acl on the outside interafce as mentioned by Adam.

Varun

Thanks,
Varun Rao

bt# show cap capin

2 packets captured

   1: 07:41:13.446510 802.1Q vlan#1 P0 10.20.3.151 > 4.2.2.2: icmp: echo request

   2: 07:41:16.518772 802.1Q vlan#1 P0 10.20.3.151 > 4.2.2.2: icmp: echo request

2 packets shown

bt# show cap capo

0 packet captured

0 packet shown

So the packets aren't getting through the outside interface? I've added "icmp permit any outside" so I don't think I'm rejecting anything.

Hi Wez,

You are missing a route in here:

the route should be added like this:

route outside 0.0.0.0 0.0.0.0 1

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

route outside 0.0.0.0 0.0.0.0 1

That would make sense, but how do I work out the next hop? All the firewall is doing is swapping inside traffic for outside.

Unless you mean the router connected to the outside interface (xxx.xxx.9.129), in which case is it something like:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.9.129 1

Hi Wez,

Absolutely, thats wat I meant,:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.9.129 1

Go ahead and let me know if this works out for us.

Thanks,

Varun

Thanks,
Varun Rao
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: