09-27-2007 11:24 AM - edited 03-11-2019 04:18 AM
Hi...
I've configured my Cisco ASA 5510 firewall with four subnets, each one for a different purpose, described as follows:
100.130.101.0/24 network. Named UnTrust, this network is used for all users inside the office.
100.131.101.0/24 network. Named Trust, this network is dedicated to my application servers (ERP, Accounting, Sales, etc.).
100.130.100.0/24 network. Named WAN, this network is dedicated to receiving all frame relay links. These links make up my private Wide Area Network, interconnecting all my branches.
100.100.100.0/24 network. Named DMZ, this network is used for all external links and routers, such as Internet and providers.
When I ping from the UnTrust network to any other interface of my firewall, I don't receive the echo-reply, although I've configured ICMP for all interfaces and I have any-to-any policies for incoming and outgoing packets on all interfaces. Does somebody know what my problem probably is? I think I'm missing some parameter, but I can't find any resource on the Internet about this matter. Thanks a lot.
P.S. My configuration file is:
hostname Firewall
domain-name anything.com
enable password verysecret encrypted
names
!
interface GigabitEthernet0/0
nameif trust
security-level 100
ip address 100.131.101.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif untrust
security-level 50
ip address 100.130.101.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif wan
security-level 25
ip address 100.130.100.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz
security-level 0
ip address 100.100.100.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd verysecret encrypted
banner exec ****************
banner exec Firewall
banner exec ****************
banner exec Welcome...
banner login ***************
banner login Firewall
banner login ***************
banner login Welcome...
banner motd ****************
banner motd Firewall
banner motd ****************
09-27-2007 11:25 AM
banner motd Welcome...
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun May 2:00 last Sun Sep 2:00
dns server-group DefaultDNS
domain-name anything.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu trust 1500
mtu untrust 1500
mtu wan 1500
mtu dmz 1500
ip verify reverse-path interface trust
ip verify reverse-path interface untrust
ip verify reverse-path interface wan
ip verify reverse-path interface dmz
no failover
monitor-interface trust
monitor-interface untrust
monitor-interface wan
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any trust
icmp permit any untrust
icmp permit any wan
icmp permit any dmz
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface trust
access-group 100 out interface trust
access-group 100 in interface untrust
access-group 100 out interface untrust
access-group 100 in interface wan
access-group 100 out interface wan
access-group 100 in interface dmz
access-group 100 out interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username administrator password verysecret encrypted privilege 15
http server enable
http 100.130.101.14 255.255.255.255 untrust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 100.130.101.14 255.255.255.255 untrust
ssh timeout 5
console timeout 5
management-access untrust
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
09-27-2007 11:57 AM
static (trust,untrust) 100.131.101.0 100.131.101.0 netmask 255.255.255.0
That should allow you to access untrust from trust and vice versa.
10-10-2007 03:47 PM
I tried configuring the NAT rule described in your comment, but my ASA still continues blocking all traffic. The NAT rules used were:
1) A single NAT rule from Trust to UnTrust
static (Trust,UnTrust) 100.130.101.0 100.131.101.0 netmask 255.255.255.0
2) A single NAT rule from UnTrust to Trust
static (UnTrust,Trust) 100.131.101.0 100.130.101.0 netmask 255.255.255.0
3) These last two NAT rules combined
static (UnTrust,Trust) 100.131.101.0 100.130.101.0 netmask 255.255.255.0
static (Trust,UnTrust) 100.130.101.0 100.131.101.0 netmask 255.255.255.0
10-10-2007 04:20 PM
You didn't exactly configure the static that Adam had asked you to use. Look at the global/real address (both set to 10.131.101.0) in the static configuration below. You are technically doing no NAT here with this configuration. Try this static.
static (trust,untrust) 100.131.101.0 100.131.101.0 netmask 255.255.255.0
HTH
Sundar
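The difference Sundar points out (an identity static, real and mapped network equal, versus a static that actually translates the Trust subnet into the UnTrust interface's own subnet) is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small Python checker that reads the interface stanzas and the `static (real_ifc,mapped_ifc) mapped_net real_net netmask M` lines from an ASA 7.x configuration, classifies each static as identity or translating, and flags a translating static whose mapped range collides with the subnet directly connected to the mapped-side interface. The sample config text is constructed from the thread's first post and the three statics tried above; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the trust/untrust interface stanzas from the first post,
# followed by Adam's identity static and the two translating statics the
# original poster tried. Real ASA configs indent stanza lines with one space.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif trust
 security-level 100
 ip address 100.131.101.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif untrust
 security-level 50
 ip address 100.130.101.254 255.255.255.0
!
static (trust,untrust) 100.131.101.0 100.131.101.0 netmask 255.255.255.0
static (Trust,UnTrust) 100.130.101.0 100.131.101.0 netmask 255.255.255.0
static (UnTrust,Trust) 100.131.101.0 100.130.101.0 netmask 255.255.255.0
"""

# ASA 7.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)",
    re.IGNORECASE,
)


def parse_interfaces(text):
    """Return {nameif: connected IPv4Network} for every named interface."""
    ifaces = {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new stanza; nameif comes later in it
        elif line.startswith("nameif "):
            nameif = line.split()[1].lower()
        elif line.startswith("ip address ") and nameif:
            parts = line.split()  # "ip address A M [standby S]"
            ifaces[nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
    return ifaces


def parse_statics(text):
    """Return a list of dicts describing each 'static' line found."""
    statics = []
    for raw in text.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        statics.append({
            "real_if": d["real_if"].lower(),
            "mapped_if": d["mapped_if"].lower(),
            "real": ipaddress.ip_network(f"{d['real']}/{d['mask']}", strict=False),
            "mapped": ipaddress.ip_network(f"{d['mapped']}/{d['mask']}", strict=False),
        })
    return statics


def check_statics(ifaces, statics):
    """Classify each static and list problems.

    kind is 'identity' when real == mapped (no translation, as Adam advised),
    else 'translating'. A problem is reported when the real network is not on
    the real-side interface, or when a translating static's mapped network
    overlaps the subnet configured on the mapped-side interface itself.
    Returns [(kind, real_if, mapped_if, [problem, ...]), ...].
    """
    findings = []
    for s in statics:
        kind = "identity" if s["real"] == s["mapped"] else "translating"
        problems = []
        real_net = ifaces.get(s["real_if"])
        mapped_net = ifaces.get(s["mapped_if"])
        if real_net is not None and not s["real"].overlaps(real_net):
            problems.append(
                f"real network {s['real']} is not on {s['real_if']} ({real_net})")
        if kind == "translating" and mapped_net is not None \
                and s["mapped"].overlaps(mapped_net):
            problems.append(
                f"mapped network {s['mapped']} collides with the "
                f"{s['mapped_if']} interface subnet {mapped_net}")
        findings.append((kind, s["real_if"], s["mapped_if"], problems))
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for kind, rif, mif, problems in check_statics(ifaces, parse_statics(SAMPLE_CONFIG)):
        status = "ok" if not problems else "; ".join(problems)
        print(f"static ({rif},{mif}) {kind}: {status}")
```

Run against the constructed sample, the first static is reported as a clean identity static, while the two translating ones are each flagged because their mapped range is the subnet already configured on the interface they are mapped to. The same parser can be pointed at a full running config to audit every static before it is applied.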
10-11-2007 10:16 AM
Thanks for your response. I tried it, but it did not work. All traffic is still being dropped. First I will send my entire configuration file. This file has the real addresses used in my network. Please understand me: initially I changed my real addresses to protect my information, but I think I made a mistake in that process. Also, I just configured the NAT with the following command:
static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0
The entire configuration with NAT is:
: Saved
:
ASA Version 7.2(2)
!
hostname FwCorporativo
domain-name tecnoval.com.mx
enable password 8da6gU90DFywg4rN encrypted
names
!
interface GigabitEthernet0/0
nameif trust
security-level 100
ip address 10.31.1.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif untrust
security-level 50
ip address 10.30.1.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif wan
security-level 25
ip address 10.30.10.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz
security-level 0
ip address 10.10.10.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 8da6gU90DFywg4rN encrypted
banner exec ****************
banner exec Firewall
banner exec Welcome...
banner exec ****************
banner login ***************
banner login Firewall
banner login Welcome...
banner login ***************
banner motd ****************
banner motd Firewall
banner motd Welcome...
banner motd ****************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun May 2:00 last Sun Sep 2:00
dns domain-lookup trust
dns domain-lookup untrust
dns domain-lookup wan
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 201.147.189.82
name-server 200.33.146.193
name-server 200.23.242.193
domain-name tecnoval.com.mx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
pager lines 24
logging asdm informational
mtu trust 1500
mtu untrust 1500
mtu wan 1500
mtu dmz 1500
ip verify reverse-path interface trust
ip verify reverse-path interface untrust
ip verify reverse-path interface wan
ip verify reverse-path interface dmz
no failover
no monitor-interface trust
no monitor-interface untrust
no monitor-interface wan
no monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any trust
icmp permit any untrust
icmp permit any wan
icmp permit any dmz
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0
static (trust,untrust) 10.31.1.0 10.31.1.0 netmask 255.255.255.0
access-group 100 in interface trust
access-group 100 out interface trust
access-group 100 in interface untrust
access-group 100 out interface untrust
access-group 100 in interface wan
access-group 100 out interface wan
access-group 100 in interface dmz
access-group 100 out interface dmz
route untrust 0.0.0.0 0.0.0.0 10.30.1.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password 0732hiKtM/dsJXqn encrypted privilege 15
http server enable
http 10.30.1.14 255.255.255.255 untrust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.30.1.14 255.255.255.255 untrust
ssh timeout 5
console timeout 5
management-access untrust
10-11-2007 10:21 AM
no static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0
10-11-2007 10:48 AM
I did it but it still does not work. From the console I get the following output:
FwCorporativo(config)# no static (untrust,trust) 10.30.1.0 10.30.1.0 netmask 255.255.255.0
FwCorporativo(config)#
FwCorporativo# ping
Interface: trust
Target IP address: 10.30.1.14
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]: y
Verbose? [no]:
Validate reply data? [no]:
Data pattern [0xabcd]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.14, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
FwCorporativo# ping
Interface: untrust
Target IP address: 10.30.1.14
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]: y
Verbose? [no]:
Validate reply data? [no]:
Data pattern [0xabcd]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
10-11-2007 11:01 AM
Try pinging from a host on the trust network, not from the firewall trust interface like you did above.
edit: You could also ping from a machine in the untrust network to a machine in the trust network, not from the untrust interface in the firewall.
10-11-2007 11:29 AM
Thank you, everything is working fine...