Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
0
Helpful
4
Replies

ASA5505 setup at home

miketta89
Level 1
Level 1

‎02-27-2008 11:07 PM - edited ‎03-11-2019 05:10 AM

I have the outside interface setup for DHCP that connects to comcast.

My inside interface is 192.168.69.1 and is setup to provide DHCP for my internal LAN.

I have never logged into a firewall before and as I quickly found out the commands are not like my routers and switches.

I finally gave in and have been using the ASDM. I just want to allow everything from the inside out. I didn't think it would be this difficult!

The access rules don't make sense to me. The outside in has an implicit deny rule for IP by default. I would assume this means that nothing can make a connection from the outside in? So why does it block my ping replies but it will allow me to surf the web??

I have a work laptop that won't connect to a VPN through the ASA, the logs say "regular translation creation failed for protocol 50"

I have enabled as much as I can and still can't figure this out. At this point I'm not even sure if I'm blocking anything... heh Well it must be blocking something cause my VPN still doesn't work.

ASA Version 7.2(3)

!

hostname viper

domain-name mydomain.net

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.69.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

shutdown

nameif dmz

security-level 50

ip address 192.168.70.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name mydomain.net

same-security-traffic permit intra-interface

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit esp any any

access-list outside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit esp any any

access-list inside_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 norandomseq

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.69.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.69.100-192.168.69.150 inside

dhcpd domain mydomain.net interface inside

dhcpd update dns both override interface inside

dhcpd enable inside

!

!

!

prompt hostname context

Cryptochecksum:xxx

: end

Basically, is there an easy way to allow everything out and block anything on the inside from creating a connection inside?

Labels:
0 Helpful
4 Replies 4

alanajjar
Level 1
Level 1

‎02-28-2008 04:33 AM

Hi,

by default, the ASA will allow traffic from the interface with higher security level (i.e inside inteface with security level =100) and any other interface with lower security level (i.e outside interface with security level = 0). You dont need to define any access rule to allow traffic. by default all traffic from inside to outside interface is allowed. its better to remove the access lists you added, because they represent a high security threat.

for the laptop vpn problem, try to addd these commands:

crypto isakmp enable

crypto isakmp nat-traversal 30

regards

0 Helpful

miketta89
Level 1
Level 1
In response to alanajjar

‎02-28-2008 10:04 AM

Thanks I'll try that for the VPN.

If all traffic is allowed out why do my pings not resolve to yahoo.com with the default settings?

0 Helpful

1cmerchant
Level 1
Level 1
In response to miketta89

‎02-28-2008 10:52 AM

Because ICMP echo responses have to be specifically permitted as they return from the Outside to the Inside. Try building an ACL for the outside interface that includes the following, though this will allow both tracert and ping responses:

access-list acl_in remark PERMIT TRACEROUTE RETURN TRAFFIC

access-list acl_in permit icmp any any unreachable

access-list acl_in permit icmp any any time-exceeded

access-list acl_in permit icmp any any echo-reply

0 Helpful

ray_stone
Level 1
Level 1

‎02-29-2008 01:55 PM

Hey, I can solve your problem. You need to create an access rule and source will be 0.0.0.0 and destination will be your inside host network ID like (192.168.10.0) and allow from any to ipsec (50) in ports section which use for make ipsec connection and open echo reply as well.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card