I have the outside interface set up for DHCP that connects to Comcast.
My inside interface is 192.168.69.1 and is set up to provide DHCP for my internal LAN.
I have never logged into a firewall before and as I quickly found out the commands are not like my routers and switches.
I finally gave in and have been using the ASDM. I just want to allow everything from the inside out. I didn't think it would be this difficult!
The access rules don't make sense to me. The outside in has an implicit deny rule for IP by default. I would assume this means that nothing can make a connection from the outside in? So why does it block my ping replies but it will allow me to surf the web??
I have a work laptop that won't connect to a VPN through the ASA, the logs say "regular translation creation failed for protocol 50"
I have enabled as much as I can and still can't figure this out. At this point I'm not even sure if I'm blocking anything... heh. Well, it must be blocking something because my VPN still doesn't work.
ASA Version 7.2(3)
enable password xxx
ip address 192.168.69.1 255.255.255.0
ip address dhcp setroute
ip address 192.168.70.1 255.255.255.0
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 norandomseq
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
By default, the ASA will allow traffic from the interface with the higher security level (i.e. the inside interface with security level 100) to any other interface with a lower security level (i.e. the outside interface with security level 0). You don't need to define any access rule to allow that traffic; by default all traffic from the inside to the outside interface is allowed. It's better to remove the access lists you added, because they represent a high security threat.
For the laptop VPN problem, try to add these commands:
Because ICMP echo responses have to be specifically permitted as they return from the Outside to the Inside. Try building an ACL for the outside interface that includes the following, though this will allow both tracert and ping responses:
Hey, I can solve your problem. You need to create an access rule where the source will be 0.0.0.0 and the destination will be your inside host network ID, like 192.168.10.0, and allow from any to ipsec (50) in the ports section, which is used to make the IPsec connection, and open echo reply as well.
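As an added example (not from the thread), a small Python checker that reads the access-list and access-group lines posted above and flags the issue the first reply raises: a permit any/any rule bound inbound on the outside (security level 0) interface cancels the implicit deny, while the same rule on the inside interface is redundant. The security levels are assumed (the post does not show the nameif lines), and the parser only recognises the simple `permit <proto> any any` form used in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted config (only the ACL and binding lines).
POSTED_CONFIG = """\
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

# Assumed security levels (ASA defaults described in the reply); not shown in the post.
SECURITY_LEVELS = {"inside": 100, "outside": 0, "dmz": 50}

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

Rule = Tuple[str, str, str, str]  # (action, protocol, source, destination)


def parse(config: str) -> Tuple[Dict[str, List[Rule]], List[Tuple[str, str, str]]]:
    """Collect ACL entries by name and the (acl, direction, interface) bindings."""
    acls: Dict[str, List[Rule]] = {}
    bindings: List[Tuple[str, str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, src, dst = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append(m.groups())
    return acls, bindings


def audit(config: str, levels: Dict[str, int] = SECURITY_LEVELS) -> List[str]:
    """Return one finding per any->any permit that is dangerous or redundant."""
    acls, bindings = parse(config)
    findings: List[str] = []
    for name, direction, iface in bindings:
        level = levels.get(iface, 0)  # unknown interfaces treated as untrusted
        for action, proto, src, dst in acls.get(name, []):
            if action != "permit" or src != "any" or dst != "any" or direction != "in":
                continue
            if level == 0:
                findings.append(f"{iface}: '{name}' permits {proto} any->any inbound on the "
                                f"lowest-security interface, disabling the implicit deny")
            elif level == max(levels.values()):
                findings.append(f"{iface}: '{name}' permit {proto} any->any is redundant; "
                                f"higher-to-lower traffic is allowed by default")
    return findings
```

Running `audit(POSTED_CONFIG)` yields three findings for the outside interface and one redundancy note for the inside interface.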