cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2133
Views
0
Helpful
10
Replies

What am I missing - ASA 5520 basic config?

torleif
Level 1
Level 1

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.

The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193

What am I missing since I can not get trafic from inside to the internet?

Any help would be appreciated!

ASA Version 8.2(5)

!

hostname asatest

domain-name test.net

enable password xxx

passwd xxx

names

dns-guard

!

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

!

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 10.59.64.50 255.255.255.0

boot system disk0:/asa825-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name test.net

access-list outside_acl extended permit icmp any any

access-list inside_acl extended permit ip any any

global (Outside) 1 64.28.29.202

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

1 Accepted Solution

Accepted Solutions

Hi,

Remove your inside ACL it's not necessary. then look at this:

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

object network obj_any

nat (Inside,Outside) dynamic 64.28.29.202

Try the nat(Inside,Outside) dynamic interface I suggested, remove the inside ACL and then first try a ping to your gateway then to 8.8.8.8 and then do the same from an inside host.

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

10 Replies 10

Richard Burts
Hall of Fame
Hall of Fame

The first issue that I notice is this

access-group outside_acl in interface Outside

access-list outside_acl extended permit icmp any any

so you are not allowing anything but ICMP inbound on the outside interface. that makes it very difficult for things like DNS to work, which then impacts many other things that depend on DNS.

HTH

Rick

HTH

Rick

I tried to add

access-list outside_acl extended permit ip any any

but this did not help..

Hi,

access-list outside_acl extended permit icmp any any

access-list inside_acl extended permit ip any any

global (Outside) 1 64.28.29.202

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

1) remove both ACLs and the access-groups commands

2) change global(outside) command to  global (Outside) 1 interface

3) enable icmp inspection:

policy-map global_policy

class inspection_default

inspect icmp

Regards.

Alain

Don't forget to rate helpful posts.

Thank you for your suggestions.

I got the following error messages while configuring:

asatest(config)# policy-map global_policy

asatest(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

asatest(config-pmap)# inspect icmp

                        ^

ERROR: % Invalid input detected at '^' marker.

asatest(config)# policy-map global_policy

asatest(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

asatest(config-pmap)# inspect icmp

                        ^

ERROR: % Invalid input detected at '^' marker.

The changes did not seem to solve my problem.

Regards,

Torleif

Hi,

post entire config.

can you ping your internet gateway from inside ?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

For basic config, as Rich and Alain mentioned, remove the ACLs.Once web access work, you can add addl security.

Also, if you see no issues in reaching the gateway, try using global (Outside) 1 interface. See if that works.

Thx

MS

From the inside network I am only able to ping the inside interface. I am not able to ping the outside interface nor the outside gateway from the inside.

Here comes the entire config.

Thx for your help.

Regards,

Torleif

ASA Version 8.4(2)

!

hostname asatest

domain-name test.net

enable password xxx encrypted

passwd xxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

!

interface GigabitEthernet0/1

nameif Inside

security-level 100

ip address 10.59.64.50 255.255.255.0

!

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.3.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.59.60.50 255.255.255.0

management-only

!

boot system disk0:/asa842-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name test.net

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list outside_acl extended permit icmp any any

access-list outside_acl extended permit ip any any

access-list inside_acl extended permit ip any any

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

mtu management 1500

no failover

failover polltime unit 15 holdtime 45

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (Inside,Outside) dynamic 64.28.29.202

access-group outside_acl in interface Outside

access-group inside_acl in interface Inside

route Outside 0.0.0.0 0.0.0.0 64.28.29.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.59.64.0 255.255.255.0 Inside

http 10.59.60.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:434092a6461c0571570d49af38b17c46

: end

asatest#

Hi,

Remove your inside ACL it's not necessary. then look at this:

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 64.28.29.200 255.255.255.240

object network obj_any

nat (Inside,Outside) dynamic 64.28.29.202

Try the nat(Inside,Outside) dynamic interface I suggested, remove the inside ACL and then first try a ping to your gateway then to 8.8.8.8 and then do the same from an inside host.

Regards.

Alain

Don't forget to rate helpful posts.

Thank you all for your suggestions and your time!

Alains changes made this work!

Now I have a working config and can work on with my needs..

Torleif

Hi Alain / Rich,

Can you shed some light on why the ASA does not work when mapping static ip (global (Outside) 1 x.x.x.x) when compared to dynamic mapping with public ip subnet /28?  I had similar issue previously on 8.0 and when changed the config to global (Outside) 1 interface- it worked fine.

The static ip mapping config worked fine for me with public subnets /24 and /27.

Thanks

Ms

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: