Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA 5505

Dears,

I have 5505 ASA , and I tray to use it just to filter the traffic for two application servers which use port http and https, so after I made the static nat and the access-List the servers didn't work, I'm not sure about the Problem, so look in the following configurations and tell me if there is any thing wrong, notice that we even can't reach Internet from the two servers.

((The System consists of two server must Nated with two real IPs to Internet))

ciscoasa#

ciscoasa# sh run

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

enable password XXXXX encrypted

passwd XXXX encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address YY.YY.YY.01 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address XX.XX.XX.01 255.255.255.240

!

interface Vlan400

no nameif

no security-level

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

access-list 101 extended permit tcp any host XX.XX.XX.02 eq https

access-list 101 extended permit tcp any host XX.XX.XX.02 eq www

access-list 101 extended permit tcp any host XX.XX.XX.03 eq www

access-list 101 extended permit tcp any host XX.XX.XX.03 eq https

access-list 102 extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) XX.XX.XX.02 YY.YY.YY.02 netmask 255.255.255.255

static (inside,outside) XX.XX.XX.03 YY.YY.YY.03 netmask 255.255.255.255

access-group 102 in interface inside

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 XX.XX.XX.00 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http YY.YY.YY.00 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:9420982285b0080690b6db693b60d44f

: end

ciscoasa#

ciscoasa#

Thank you for your help,

Ahmed,

2 REPLIES

Re: ASA 5505

Hi Ahmed,

At a quick glance, your config looks okay to me.

Can you trying pinging from the ASA itself? Try the 'ping 4.2.2.2' command and see if you get any replies.

If you see no replies, make sure the configuration of your outside interface is correct (i.e. do you have the correct IP address and subnet mask configured based on what was given to you by your ISP?).

Hope that helps.

-Mike

Community Member

Re: ASA 5505

Try to remote "access-group 102 in interface inside "

from high security level to low security level do not require acl that is stateful.

If add acl, it require permit http and https in inside interface.

123
Views
0
Helpful
2
Replies
CreatePlease to create content