OK, so the setup is a simple Internal, DMZ and External.
Now I have set up a dynamic NAT rule for both the DMZ and for the Internal networks.
If I am on a client and I do a ping www.google.com
I get a DNS resolution but the pings do not go through; also if I try and browse to Google's website via IE or whatever.
How do I set up a rule using ASDM 5.2 to allow all outbound traffic? I am not concerned with filtering or blocking any outbound traffic.
It should also be noted that the DNS server I am using sits outside of our network on the internet. That is why I had assumed my rules and NATs were set up properly.
By default, traffic traveling from a higher security interface to a lower security interface (inside 100, outside 0) is allowed.
As far as the pings go, you need to add the below to the ACL applied inbound on interface outside to allow pings to work.
access-list outside->in permit icmp any any echo-reply
access-list outside->in permit icmp any any time-exceeded
access-list outside->in permit icmp any any unreachable
Paste your config.
Oh yeah, the Getting Started guide that came with the 5510 is for ASDM version 5.0 and this thing came with 5.2; a lot of the buttons are missing or completely different in version 5.2. Does anyone know a link where I can download the corresponding setup guide for 5.2? The CD only contained the detailed documentation; I just wanted the Getting Started guide.
Log in via telnet or SSH and type sh run. Copy and paste the entire output into a text file. Mask any data you don't want anyone to see (i.e. passwords and full external IPs).
What version is the ASA running? Not the ASDM.
The ASA version is listed in the output below: 7.2(1)
Also, it should be noted that this firewall is sitting behind another firewall (a temporary setup); the external interface is sitting on an internal network that has full access to the internet (other machines on the same network as the external interface can ping and go on the internet).
I have done this before to configure other firewall brands; I don't see that it would present a problem.
Result of the command: "sh run"
ASA Version 7.2(1)
enable password XXXXXXXXXXXXXX encrypted
ip address 192.168.0.7 255.255.255.0
ip address 192.168.1.1 255.255.255.0
ip address 192.168.2.1 255.255.255.0
no ip address
ip address 192.168.11.1 255.255.255.0
passwd XXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
access-list Internal_access_out extended permit ip 192.168.1.0 255.255.255.0 any
access-list External_access_in extended permit icmp any interface Internal time-exceeded
access-list External_access_in extended permit icmp any interface Internal echo-reply
access-list External_access_in extended permit icmp any interface Internal unreachable
access-list External_access_in_1 extended permit icmp any any unreachable
access-list External_access_in_1 extended permit icmp any any time-exceeded
access-list External_access_in_1 extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 1 192.168.1.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group External_access_in_1 in interface External
access-group Internal_access_out out interface Internal
route External 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.11.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.11.2-192.168.11.254 management
dhcpd dns 126.96.36.199 188.8.131.52 interface management
dhcpd enable management
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
Not ping, but yes on the connect to resources. I couldn't at first, but I think what happened is I hard rebooted the firewall and now everything is working minus the pings; see my message with the error.
OK, not sure what happened, but now I can get web access, but still no ping access. Definitely making progress.
In the GUI it shows the failure for the ping; if I use the GUI to create a rule it still doesn't work and shows the same message. :)
4 Oct 25 2006 08:42:15 106023 184.108.40.206 192.168.0.7 Deny icmp src External:220.127.116.11 dst Internal:192.168.0.7 (type 0, code 0) by access-group "Internal_access_out" [0x0, 0x0]
Your access-list Internal_access_out is denying the pings. That ACL is only allowing IP traffic. Either remove the ACL or create an ACE in the ACL to allow ICMP traffic.
I put in a rule
incoming Internal - any to any ICMP any permit
and it still doesn't work.
I also added
incoming External - any to any ICMP any permit
and still nothing.
Ahh, OK, I see now. :)
Internal outbound, any to any ICMP and allow
and now I can ping.
My only question is, I thought that this behavior would have automatically been allowed due to the implicit rules. Although now I see that the implicit rules only cover IP, I wonder why that is.
You applied an ACL to outbound traffic only, with that one ACE for IP. There is an implicit deny any any at the end of all ACLs. If you removed the ACL applied to outbound traffic on the inside interface you would not have had the problem, because there is an implicit permit for traffic going from higher to lower security interfaces.
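To make the rule-set behaviour in this thread concrete, here is a small simulator of ASA interface ACL evaluation, written for this discussion (it is not Cisco code and not from the original posts). It models first-match ACE evaluation, the implicit deny any any at the end of every ACL, and the implicit higher-to-lower permit that only applies when no inbound ACL is bound to the ingress interface. The DMZ security level and the sample host/external addresses are assumed values.

```python
# Toy model of ASA interface ACL evaluation: first match wins, every ACL ends in an
# implicit "deny any any", and without an inbound ACL only higher-to-lower traffic passes.
# Written for this thread as an illustration; not Cisco code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SECURITY = {"External": 0, "DMZ": 50, "Internal": 100}  # DMZ level is assumed

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol, otherwise e.g. "icmp"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    icmp_type: str = ""  # e.g. "echo-reply"; "" matches any ICMP type

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    in_if: str           # interface the packet arrives on
    out_if: str          # interface it would leave on (after routing)
    icmp_type: str = ""

def _match(ace, pkt):
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    type_ok = not ace.icmp_type or ace.icmp_type == pkt.icmp_type
    addr_ok = all(spec == "any" or ip_address(addr) in ip_network(spec)
                  for spec, addr in ((ace.src, pkt.src), (ace.dst, pkt.dst)))
    return proto_ok and type_ok and addr_ok

def eval_acl(acl, pkt):
    for ace in acl:          # first matching ACE decides
        if _match(ace, pkt):
            return ace.action
    return "deny"            # implicit deny any any at the end of the ACL

def decide(access_groups, pkt):
    # access_groups maps (interface, "in" | "out") to a list of ACEs
    ingress = access_groups.get((pkt.in_if, "in"))
    if ingress is None:      # no inbound ACL: implicit permit only high -> low
        if SECURITY[pkt.in_if] <= SECURITY[pkt.out_if]:
            return "deny"
    elif eval_acl(ingress, pkt) == "deny":
        return "deny"
    egress = access_groups.get((pkt.out_if, "out"))
    if egress is not None and eval_acl(egress, pkt) == "deny":
        return "deny"
    return "permit"
```

Feeding it the thread's two ACLs shows the logged outcome: an echo-reply arriving on External passes External_access_in_1, then hits Internal_access_out, whose only ACE requires a source in 192.168.1.0/24, so it falls through to the implicit deny; adding an ICMP any/any ACE, or removing the outbound ACL entirely, lets it through.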
Is it possible to remove the implicit rules?
OK, I am starting to get my head around how the rule sets work (very different from the other firewall products I have used, WatchGuard and Check Point).
Now I made two rules in the External Incoming rule set:
1 - Any - xxx.xxx.xxx.xxx ICMP Any permit
2 - Any - Internal ICMP Any Permit
where xxx.xxx.xxx.xxx is an IP address of a machine on the internal network.
Rule number 1 works and rule number 2 doesn't. Why is that?
This is very confusing because if I change the Internal to an Any it also works. It seems that you can't specify an interface to have traffic allowed to; you can specify a destination IP address, IP address range or Any, but not an interface.
Ahh, my mistake, xxx.xxx.xxx.xxx was not an IP address of a machine on the internal interface; it was the IP address of the external interface. That makes more sense. Just ignore me, lack of coffee is not helping me learn. :)
Thanks for all your help I think I have it figured out now.