LAN Traffic Not Getting Out on ASA 5505

Answered Question
Apr 19th, 2012

For some reason my ASA is preventing my traffic from going out. I've added some crummy access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.


Please help!



!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
access-list Split_Tunnel_ACL standard permit 10.0.1.0 255.255.255.0
access-list 1 extended permit ip any 10.0.0.0 255.255.255.0
access-list 1 extended permit icmp any any
access-list 1 extended permit tcp any 10.0.0.0 255.255.255.0
access-list 1 extended permit ip 10.0.0.0 255.255.255.0 any
access-list 1 extended permit icmp 10.0.0.0 255.255.255.0 any
access-list 1 extended permit tcp 10.0.0.0 255.255.255.0 any
access-list 1 extended permit udp 10.0.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool_fixed 10.0.1.2-10.0.1.11 mask 255.255.255.0
ip local pool vpnssl_fixed 10.0.1.12-10.0.1.14 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list 1
nat (inside) 1 0.0.0.0 0.0.0.0 outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set Mike_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto dynamic-map Mike 65535 set pfs group1
crypto dynamic-map Mike 65535 set transform-set Mike_SET
crypto map Mike 65535 ipsec-isakmp dynamic dynmap
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic Mike
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 1
vpn-sessiondb max-webvpn-session-limit 1
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 30
ssh 10.0.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 10.0.0.1
dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.0.33 inside
dhcpd enable inside

Correct Answer
John Blakley Fri, 04/20/2012 - 04:23

Michael,


Take this off:


nat (inside) 1 access-list 1

nat (inside) 1 0.0.0.0 0.0.0.0 outside


Add this:


nat (inside) 1 0.0.0.0 0.0.0.0


class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect http
  inspect icmp
service-policy global_policy global


Also, make sure that you are getting a default route from the provider. You can do a "show route" to see this.


HTH,

John
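An added example, not from this thread and not Cisco tooling: a small Python lint for the pre-8.3 NAT lines the answer above deals with. It flags the two `nat (inside) 1` rules John says to take off (the ACL-based policy NAT and the rule with the stray `outside` keyword), reports when no plain `nat (inside) N 0.0.0.0 0.0.0.0` rule exists or its NAT id has no matching `global (outside) N`, checks that a global service-policy with `inspect icmp` is applied, and checks for a default-route source (`ip address dhcp setroute` on outside, or a static `route outside 0.0.0.0 0.0.0.0 ...`). The two config samples are constructed from the lines quoted in this thread; the function name and finding texts are this example's own.

```python
import re

# Constructed sample: the NAT-relevant lines from the question, as posted.
BROKEN_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list 1 extended permit ip any 10.0.0.0 255.255.255.0
access-list 1 extended permit ip 10.0.0.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list 1
nat (inside) 1 0.0.0.0 0.0.0.0 outside
"""

# Constructed sample: the same box with the answer's changes applied.
FIXED_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

NAT_RE = re.compile(r"^nat \((?P<ifc>\S+)\) (?P<id>\d+) (?P<rest>.*)$")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\S+)\) (?P<id>\d+)\b")
STATIC_DEFAULT_RE = re.compile(r"^route outside (0\.0\.0\.0|0) (0\.0\.0\.0|0) \S+")


def lint_nat(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    dyn_ids: set[str] = set()      # ids of plain 'nat (inside) N 0 0' rules
    global_ids: set[str] = set()   # ids that have a 'global (outside) N' line
    cur_nameif = None              # nameif of the interface block being read
    has_service_policy = has_inspect_icmp = has_default_route = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur_nameif = None
        elif line.startswith("nameif "):
            cur_nameif = line.split()[1]
        elif line == "ip address dhcp setroute" and cur_nameif == "outside":
            has_default_route = True           # default route learned via DHCP
        elif STATIC_DEFAULT_RE.match(line):
            has_default_route = True           # static default route instead
        elif line.startswith("service-policy ") and line.endswith(" global"):
            has_service_policy = True
        elif line == "inspect icmp":
            has_inspect_icmp = True
        elif (m := GLOBAL_RE.match(line)) and m.group("ifc") == "outside":
            global_ids.add(m.group("id"))
        elif (m := NAT_RE.match(line)) and m.group("ifc") == "inside":
            if m.group("id") == "0":
                continue                       # nat 0 is NAT exemption, a different feature
            tokens = m.group("rest").split()
            if not tokens:
                continue
            if tokens[0] == "access-list":
                findings.append(f"{line}: policy NAT via ACL; use a plain dynamic rule "
                                "for the default inside-to-outside translation")
            elif "outside" in tokens:
                findings.append(f"{line}: trailing 'outside' keyword makes this an outside "
                                "NAT rule, so inside-to-outside traffic is never translated")
            elif tokens[0] in ("0", "0.0.0.0") and len(tokens) > 1 and tokens[1] in ("0", "0.0.0.0"):
                dyn_ids.add(m.group("id"))

    if not dyn_ids:
        findings.append("no plain dynamic rule 'nat (inside) N 0.0.0.0 0.0.0.0' for inside hosts")
    for nat_id in sorted(dyn_ids - global_ids):
        findings.append(f"nat (inside) {nat_id} has no matching 'global (outside) {nat_id} ...' line")
    if not has_service_policy:
        findings.append("no 'service-policy ... global': default inspection (incl. inspect icmp) not applied")
    elif not has_inspect_icmp:
        findings.append("'inspect icmp' missing: echo replies from outside are not tracked statefully")
    if not has_default_route:
        findings.append("no default route: neither 'ip address dhcp setroute' on outside "
                        "nor 'route outside 0.0.0.0 0.0.0.0 ...'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", BROKEN_CONFIG), ("after the fix", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_nat(cfg) or ["ok"]:
            print(" ", finding)
```

Run it as-is to see the four findings on the posted lines and a clean result on the fixed ones; to lint a real box, paste the output of `show run` into a file and pass its contents to `lint_nat`. The default-route check only covers the two sources named in the thread, so a box that gets its route from a routing protocol will still be reported.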

Inmike0985 Mon, 04/23/2012 - 21:12

Thanks John!!


This is exactly what I needed to do. I was so tired of reading over and over my config that I completely didn't notice that I had tacked on the word "outside" on my nat (inside) 1 0 0 statement.


Thanks!
