08-06-2013 06:57 AM - edited 03-11-2019 07:22 PM
Hi,
I have a new Cisco ASA 5510 firewall, and I am fairly new to the firewall world. I have put a basic configuration on the firewall, but I am not able to access the internet (Trying from the 192.168.1.0 network). The network setup is:
192.168.1.x = Inside network
192.168.2.x = Connects to router that has internet connection (interface IP on the router: 192.168.2.1)
192.168.3.x = Management Network
Internet Connection (Ethernet0/0) is not plugged in and is for future use.
I do not see any errors in the firewall or router. Router has static routes configured towards the firewall.
************ Current Config ************
: Saved
:
ASA Version 8.2(5)
!
hostname [Name]fw
domain-name [Name].local
enable password 8XNTGLJdYV5pjs2C encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Internet
security-level 0
ip address [ISP_Gateway] 255.255.255.240
!
interface Ethernet0/1
nameif [Name]
security-level 100
ip address 192.168.1.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif [Name]_Internet
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.3.11 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name [Name].local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list [Name]_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list [Name]_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list [Name]_Internet_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu [Name] 1500
mtu [Name]_Internet 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any [Name]
icmp permit any [Name]_Internet
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
global ([Name]_Internet) 1 interface
nat ([Name]) 1 0.0.0.0 0.0.0.0
access-group [Name]_access_in_1 in interface [Name] control-plane
access-group [Name]_access_in in interface [Name]
access-group [Name]_Internet_access_in in interface [Name]_Internet
route [Name]_Internet 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 management
http 192.168.1.0 255.255.255.255 [Name]
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access [Name]
dhcpd address 192.168.3.12-192.168.3.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7bb58eec1eea620faab6d7eba493e842
: end
Any obvious faults in the config?
Thanks for any help.
James
08-06-2013 08:44 AM
Hi,
Can you access internet from the router? What happens when you connect laptop directly to router interface and try to access internet? Can you post router config as well?
Thx
MS
08-06-2013 08:46 AM
Hi,
So seems you have some Internet router in front of the ASA doing the actual NAT to the public network.
With what are you testing? Some TCP connection or PING/ICMP?
Have you confirmed that your hosts networks settings (GW,Mask, DNS) are correct?
For ICMP you can add these to the ASA
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni
08-06-2013 10:22 AM
Router is temporary connection for testing before putting the firewall in place. Testing using Internet explorer and ping. Host settings look good. When I connect directly to the router it works fine (Both IE and Ping)
08-06-2013 01:54 PM
Hello James,
Again add the following commands on the ASA:
fixup protocol icmp
fixup protocol icmp error
Then test the following from the ASA side
ping 192.168.2.1 (from the ASA)
ping 4.2.2.2 (From the ASA)
If these 2 pings fail then there is a communication problem between the router and the ASA...
If this works let's now do the following on the ASA
capture capin interface inside match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2
Then ping 4.2.2.2 from the local PC and share the following outputs from the ASA (After the ping)
show cap capin
show cap capout
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-07-2013 05:33 AM
Thanks for the replies. I added the ICMP lines and then pinged through and can get out now.
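The two replies turn on the same point: an ASA only tracks ICMP statefully when `inspect icmp` is in the service policy, and a `nat (ifc) id` must be paired with a `global (ifc) id` on the interface the default route leaves by. The checker below is an added example, not code from the thread or from Cisco. It lints an abridged copy of the config James posted (his `[Name]` placeholders kept), reports the missing ICMP inspection, applies Jouni's two lines and re-checks, and emits Julio's capture commands using the nameifs this config actually has rather than the `inside`/`outside` names his post assumes. The `.0`-with-host-mask check on the `http` lines is a heuristic of mine, not something the thread states.

```python
"""Lint the ASA 8.2 configuration posted above.  Added example, not code from
the thread or from Cisco.  POSTED_CONFIG is an abridged copy of James's config
(placeholders kept); the checks encode what the replies turn on: on an ASA, ICMP
is only tracked statefully when 'inspect icmp' is in the service policy, and a
'nat (ifc) id' needs a 'global (ifc) id' on the interface the route leaves by."""
import ipaddress
import re

POSTED_CONFIG = """\
interface Ethernet0/1
 nameif [Name]
 security-level 100
 ip address 192.168.1.11 255.255.255.0
interface Ethernet0/3
 nameif [Name]_Internet
 security-level 100
 ip address 192.168.2.2 255.255.255.0
same-security-traffic permit inter-interface
access-list [Name]_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list [Name]_Internet_access_in extended permit ip any any
global (Internet) 1 interface
global ([Name]_Internet) 1 interface
nat ([Name]) 1 0.0.0.0 0.0.0.0
access-group [Name]_access_in in interface [Name]
access-group [Name]_Internet_access_in in interface [Name]_Internet
route [Name]_Internet 0.0.0.0 0.0.0.0 192.168.2.1 1
http server enable
http 192.168.3.0 255.255.255.0 management
http 192.168.1.0 255.255.255.255 [Name]
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""


def parse(text):
    """Pull out the handful of statements the checks need."""
    cfg = {"globals": {}, "nat": {}, "routes": [], "http": [], "inspect": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["globals"].setdefault(m[2], set()).add(m[1])
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            cfg["nat"].setdefault(m[2], set()).add(m[1])
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], m[2], m[3], m[4]))
        elif m := re.match(r"http (\d\S*) (\S+) (\S+)$", line):
            cfg["http"].append((m[1], m[2], m[3]))
        elif line.startswith("inspect "):
            cfg["inspect"].add(line[len("inspect "):])
    return cfg


def findings(cfg):
    """Return human-readable problems; an empty list means the checks pass."""
    out = []
    if "icmp" not in cfg["inspect"]:
        out.append("no 'inspect icmp' in the service policy: echo replies are not "
                   "matched to a connection, so ping through the box depends on the "
                   "return interface's ACL instead of state")
    default_routes = [r for r in cfg["routes"] if r[1] == "0.0.0.0"]
    if not default_routes:
        out.append("no default route")
    for ifc, _net, _mask, gw in default_routes:
        for nat_id in cfg["nat"]:
            if ifc not in cfg["globals"].get(nat_id, set()):
                out.append(f"default route leaves via {ifc} ({gw}) but there is no "
                           f"'global ({ifc}) {nat_id}' to pair with nat id {nat_id}")
    for net, mask, ifc in cfg["http"]:
        block = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        # Heuristic (assumption): a host mask on an address ending in .0 is
        # almost always a network that was meant to get its real mask.
        if block.num_addresses == 1 and net.endswith(".0"):
            out.append(f"'http {net} {mask} {ifc}' permits only the single host {net}; "
                       "no other host in that subnet can reach ASDM")
    return out


def add_icmp_inspection(text):
    """Insert the two lines Jouni recommended under class inspection_default."""
    return text.replace("  inspect ftp\n",
                        "  inspect ftp\n  inspect icmp\n  inspect icmp error\n", 1)


def capture_commands(cfg, host="4.2.2.2"):
    """Julio's two captures, using the nameifs this config actually has rather
    than the 'inside'/'outside' names his post assumes."""
    inside = sorted(i for ifcs in cfg["nat"].values() for i in ifcs)
    outside = [r[0] for r in cfg["routes"] if r[1] == "0.0.0.0"]
    return ([f"capture capin interface {i} match icmp any host {host}" for i in inside]
            + [f"capture capout interface {o} match icmp any host {host}" for o in outside])


if __name__ == "__main__":
    for f in findings(parse(POSTED_CONFIG)):
        print("-", f)
    print("\n".join(capture_commands(parse(POSTED_CONFIG))))
    print("after fix:", findings(parse(add_icmp_inspection(POSTED_CONFIG))))
```

Run against the posted config it reports two things: the missing `inspect icmp`, which is the fault the thread resolved, and the `http 192.168.1.0 255.255.255.255 [Name]` line, whose host mask on a network address admits only 192.168.1.0 to ASDM. After `add_icmp_inspection` only the `http` finding remains. Deleting the `global ([Name]_Internet) 1` line from the input is caught as an unpaired NAT on the egress interface, which is the other common reason a config like this passes ACLs yet never gets a reply back.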