02-14-2008 02:22 PM - edited 03-11-2019 05:03 AM
Hi, we're configuring this ASA and we're having trouble getting our server on the inside access to the world. I thought it was maybe a NAT issue, as is usually the case for me, but I just can't see anything wrong with it. We're not able to pass IP traffic out of the firewall. Can anyone help me out?
ASA Version 7.2(2)
!
hostname ASA5505
domain-name
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.16.58.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.0
!
interface Ethernet0/0
description outside
switchport access vlan 2
!
interface Ethernet0/1
description inside
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
description pippin
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name indianafiber.net
access-list inside_outbound_nat0_acl extended permit ip 10.16.58.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.21.11.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.16.58.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_access_in extended permit ip 10.27.11.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging trap emergencies
logging debug-trace
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.16.58.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 HQ_2611 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 64.x.x.x 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strongest esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_20
crypto map outside_map 10 set peer 12.x.x.x
crypto map outside_map 10 set transform-set strongest
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 20
tunnel-group 12.x.x.x type ipsec-l2l
tunnel-group 12.x.x.x ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 10.16.58.0 255.255.255.0 inside
ssh 64.x.x.x 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access outside
!
class-map inspection_default
match default-inspection-traffic
02-14-2008 06:37 PM
Hi Andrew
Two settings look suspicious.
1) You have a description of "description outside" for interface e0/0, and it is a member of vlan 2, but you configured an interface called vlan2 as outside. Might the uplink be coming from a switch via a trunk?
2) HQ_2611 is not specified. Are you sure it is the default gateway?
One last thing. Make sure you don't set the ASA's interface IP as the preferred DNS for your server. Set 4.2.2.2 as the preferred DNS on an inside server temporarily for troubleshooting purposes.
Regards
02-14-2008 06:39 PM
Configuration looks good.
If this is a new setup, did you clear the ARP cache on the upstream router?
Can you ping 4.2.2.2 from the firewall?
02-15-2008 05:17 AM
I can ping 4.2.2.2 from the firewall.
When I do a "ping in 4.2.2.2", however, I cannot. For some reason, ingress traffic on the inside interface isn't getting to the outside interface.
HQ_2611 should be ok. I deleted the named hosts from my config before I posted it on the netpro site. It does have a valid public ip.
Thanks
02-15-2008 05:20 AM
From an internal host, try to ping 4.2.2.2 and turn on logs at debug level.
Also, if possible, paste the output of sh xlate det | inc here.
02-15-2008 05:48 AM
clear configure access-list inside_access_in
(that ACL is useless)
You just negated your firewall with:
access-list outside_access_in extended permit ip any any
Also, if you want to be able to ping from the inside to the outside,
you need to explicitly allow echo-replies:
access-list outside_access_in permit icmp any any echo-reply
It wouldn't hurt to turn on nat-control.
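The two threads of advice above (how the posted NAT statements translate an inside host, and why "permit ip any any" on outside_access_in negates the firewall) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python auditor that parses the relevant lines of the posted config, decides how an inside-to-outside flow would be translated under the ASA 7.x rule order (NAT exemption first, then the numbered nat/global pair), evaluates the ACL bound inbound on an interface, and flags the three points raised in the replies. The parser, the audit rules and the HARDENED_CONFIG variant (the catch-all replaced by an echo-reply rule, plus nat-control) are this example's own assumptions; it models only the rule types present in this config (no static or policy NAT).

```python
"""Added example: audit an ASA 7.x config excerpt for the issues discussed in the thread.
The parser and audit rules are this example's own, not Cisco code."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed input: the relevant lines of the config posted in the question.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_outbound_nat0_acl extended permit ip 10.16.58.0 255.255.255.0 10.27.11.0 255.255.255.0
access-list outside_access_in extended permit ip 10.27.11.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.16.58.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

# Assumed hardened variant: the catch-all replaced by the echo-reply rule suggested
# in the reply, and nat-control turned on.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "access-list outside_access_in extended permit ip any any\n",
    "access-list outside_access_in extended permit icmp any any echo-reply\n",
).replace("global (outside)", "nat-control\nglobal (outside)", 1)


def _addr(tok, i):
    """Consume one address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Build a minimal model: security levels, ACLs, bindings, nat/global, nat-control."""
    cfg = {"level": {}, "acl": {}, "group": {}, "nat0": {}, "nat": [],
           "global": {}, "nat_control": False}
    name = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            name = tok[1]
        elif tok[0] == "security-level":
            cfg["level"][name] = int(tok[1])
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            cfg["acl"].setdefault(tok[1], []).append(
                {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "opts": tok[i:]})
        elif tok[0] == "access-group":          # access-group NAME in interface IF
            cfg["group"][tok[4]] = tok[1]
        elif tok[0] == "nat":                   # nat (IF) ID access-list NAME | nat (IF) ID NET MASK
            ifname = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                cfg["nat0"][ifname] = tok[4]
            else:
                net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
                cfg["nat"].append((ifname, tok[2], net))
        elif tok[0] == "global":                # global (IF) ID interface|ADDR
            cfg["global"][tok[2]] = (tok[1].strip("()"), tok[3])
        elif tok[0] == "nat-control":
            cfg["nat_control"] = True
    return cfg


def _matches(ace, proto, src, dst, opts):
    """An ACE matches when proto, both addresses and every ACE option (e.g. echo-reply) fit."""
    return (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
            and all(o in opts for o in ace["opts"]))


def acl_verdict(cfg, in_iface, out_iface, proto, src, dst, opts=()):
    """First-match evaluation of the ACL bound inbound on in_iface; with an ACL bound,
    no match means deny; with none bound, the security-level default applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["group"].get(in_iface)
    if acl is None:
        return "permit" if cfg["level"][in_iface] > cfg["level"][out_iface] else "deny"
    for ace in cfg["acl"].get(acl, []):
        if _matches(ace, proto, src, dst, opts):
            return ace["action"]
    return "deny"


def nat_decision(cfg, in_iface, src, dst):
    """NAT exemption (nat 0 access-list) wins over the numbered nat/global pair;
    an unmatched host passes untranslated unless nat-control is on."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = cfg["nat0"].get(in_iface)
    if exempt and any(a["action"] == "permit" and s in a["src"] and d in a["dst"]
                      for a in cfg["acl"].get(exempt, [])):
        return f"exempt via nat 0 access-list {exempt}"
    for ifname, nat_id, net in cfg["nat"]:
        if ifname == in_iface and s in net and nat_id in cfg["global"]:
            out, pool = cfg["global"][nat_id]
            kind = "PAT to the interface address" if pool == "interface" else f"NAT to {pool}"
            return f"{kind} of {out} (nat id {nat_id})"
    return "drop: nat-control requires a translation" if cfg["nat_control"] \
        else "untranslated: no matching rule and nat-control is off"


def audit(cfg):
    """Flag the three points raised in the thread for the security-level 0 interface."""
    findings = []
    for iface, acl in cfg["group"].items():
        if cfg["level"].get(iface) != 0:
            continue
        aces = cfg["acl"].get(acl, [])
        if any(a["action"] == "permit" and a["proto"] == "ip" and a["src"] == ANY
               and a["dst"] == ANY for a in aces):
            findings.append(f"{acl} on {iface}: 'permit ip any any' admits all unsolicited traffic")
        if not any(a["action"] == "permit" and a["proto"] == "icmp" and "echo-reply" in a["opts"]
                   for a in aces):
            findings.append(f"{acl} on {iface}: no explicit icmp echo-reply permit; pings from "
                            "inside return only while a catch-all or 'inspect icmp' covers them")
    if not cfg["nat_control"]:
        findings.append("nat-control is off: inside hosts with no matching nat rule leave untranslated")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_config(text)
        print(label, nat_decision(cfg, "inside", "10.16.58.10", "4.2.2.2"))
        print(label, acl_verdict(cfg, "outside", "inside", "tcp", "198.51.100.7", "10.16.58.10"))
        print(label, audit(cfg))
```

Running it on the posted excerpt shows that a host on 10.16.58.0/24 is PATed to the outside interface for Internet destinations and exempted for the 10.27.11.0/24 VPN subnet, so the NAT statements themselves are consistent; what the audit flags is the outside ACL, which lets any unsolicited TCP connection from the Internet through. On the hardened variant the same connection is denied, echo-replies to inside pings are still permitted, and the audit returns no findings.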
02-15-2008 06:30 AM
Andrew,
Issue the following commands for getting ping to work first.
policy-map global_policy
class-map inspection_default
inspect icmp
Then issue the following
clear arp
clear xlate
If possible, clear the ARP table also.
On the Windows server, issue arp -d at the command line 4-5 times simultaneously.
Then try again
Regards
02-15-2008 07:21 AM
Thank you, everyone; it is working now. I believe that NAT/PAT was the underlying issue. When I cleared xlate and arp it started working this morning. I wiped the config and rewrote it, then I started removing lines until it stopped working.
I guess it's a good learning experience.
I did remove that any any statement from my outside_in ACL, by the way.
Thanks again.
02-15-2008 10:35 AM
Nice to see it works now.
You are welcome.