Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5510 not reaching a particular IP

I hope you can help me do bear with me as I'm still starting with Cisco products,

We have a Cisco ASA 5510 Base License with 7.08 our provider assigned us x.x.199.41 as gateway while the ASA is on x.x.199.42 in the 255.255.255.248 subnet... I tried mapping our servers with x.x.199.43 on server1 and x.x.199.44 on server2... server2 can be reached from outside while server1 is unreacheable and our provider is insisting the issue is with our firewall configuration below is our running config.. hope anyone can point me in the right direction... thanks!

ASA Version 7.0(8)

!

names

dns-guard

!

interface Ethernet0/0

nameif Public

security-level 0

ip address x.x.199.42 255.255.255.248

!

interface Ethernet0/1

nameif Private

security-level 5

ip address 192.168.10.250 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address x.x.0.1 255.255.255.0

management-only

!

ftp mode passive

object-group network inside-network

access-list Private_access_in extended permit ip any any

access-list Private_access_in extended permit icmp any any

access-list Private_access_out extended permit ip any any

access-list Private_access_out extended permit icmp any any

access-list Public_access_in extended permit ip any any

access-list Public_access_in extended permit icmp any any

access-list Public_access_out extended permit ip interface Public any

access-list Public_access_out extended permit icmp interface Public any

access-list MYLIST1 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0

255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0

255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0

255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.7.0

255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0

255.255.255.0

access-list MYLIST2 extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0

255.255.255.0

access-list MYLIST3 extended permit ip 192.168.10.0 255.255.255.0 192.168.7.0

255.255.255.0

access-list MYLIST3 extended permit ip 192.168.10.0 255.255.255.0

192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu Public 1500

mtu Private 1500

mtu management 1500

no asdm history enable

arp timeout 14400

global (Public) 1 interface

nat (Private) 0 access-list NONAT

nat (Private) 1 0.0.0.0 0.0.0.0

static (Private,Public) x.x.199.44 192.168.10.252 netmask 255.255.255.255

static (Private,Public) x.x.199.43 192.168.10.251 netmask 255.255.255.255

access-group Private_access_in in interface Public

access-group Private_access_in out interface Public

access-group Private_access_in in interface Private

access-group Private_access_in out interface Private

route Public 0.0.0.0 0.0.0.0 x.x.199.41 1

route Public 192.168.1.0 255.255.255.0 x.x.6.160 1

route Public 192.168.6.0 255.255.255.0 x.x.135.113 1

route Public 192.168.7.0 255.255.255.0 x.x.197.68 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MYSET esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 4608000

crypto map MYMAP 10 match address MYLIST1

crypto map MYMAP 10 set peer x.x.6.27

crypto map MYMAP 10 set transform-set MYSET

crypto map MYMAP 10 set security-association lifetime seconds 3600

crypto map MYMAP 10 set security-association lifetime kilobytes 4608000

crypto map MYMAP 20 match address MYLIST2

crypto map MYMAP 20 set peer x.x.135.113

crypto map MYMAP 20 set transform-set MYSET

crypto map MYMAP 20 set security-association lifetime seconds 3600

crypto map MYMAP 20 set security-association lifetime kilobytes 4608000

crypto map MYMAP 30 match address MYLIST3

crypto map MYMAP 30 set peer x.x.197.68

crypto map MYMAP 30 set transform-set MYSET

crypto map MYMAP 30 set security-association lifetime seconds 3600

crypto map MYMAP 30 set security-association lifetime kilobytes 4608000

crypto map MYMAP interface Public

isakmp identity address

isakmp enable Public

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal  20

tunnel-group x.x.6.27 type ipsec-l2l

tunnel-group x.x.6.27 ipsec-attributes

pre-shared-key *

tunnel-group x.x.135.113 type ipsec-l2l

tunnel-group x.x.135.113 ipsec-attributes

pre-shared-key *

tunnel-group x.x.197.68 type ipsec-l2l

tunnel-group x.x.197.68 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

Cryptochecksum:dc521e98e6fa2918e524835d45dbd0e0

: end

Everyone's tags (6)
1 REPLY
Super Bronze

Re: ASA5510 not reaching a particular IP

Hi,

The "static" statement seems to be normal atleast. (Though we can't see the whole statement. But I assume you've made sure the public IP is entered correctly)

Your ACL setup seems strange though.

You are using the same access-list for both interfaces for both directions.

This is just my personal opinion but you will be fine with using a separate access-list for both interfaces and only apply them to "in" direction.

My basic access-list that I do is INSIDE-IN and OUTSIDE-IN and have the interface names as "inside" and "outside". Configuration stays really simple.

Also your security-level configurations seem abit unsual (although I guess it doesnt really cause any problems in this case) Again, the very basic setup would be to have "inside" as "100" and "outside" as "0"

Personally I would first have someone try connection to the service that you are running on the server thats not working. At the same time I would open the ASAs ASDM and see from the monitoring what is happening to the connection. Is it showing up on the firewall and if it is, what is happening to the connection.

I'm not sure if the "packet-tracer" command was included in the 7.0 software (didn't find it in the command reference for 7.0 atleast) but if it does exist in your software, try to command out and see whats happening to the connections from outside.

Also doing a traffic capture would be one option.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html#wp1950270

Also does the problem server have its default gateway set correctly? As you are using an address ending with .250 as the ASA interface IP address. Though this question is due to my personal preference again since I usually use the first address after the network address as the interface address.

- Jouni

398
Views
0
Helpful
1
Replies