Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510 setup, inable to get rules to work

Ok, so the setup is a simple internal, DMZ and External.

Now I have setup a dynamic Nat rul for both the DMZ and for the Internal networks.

If I am on a client and I do a ping www.google.com

I get a dns resolution but the pings do not go through, also if I try and browse to google's website via IE or whatever.

How do I setup a rule using the asdm5.2 to allow all outbound traffic to be allowed? I am not concerned with filtering or blocking any outbound traffic?

18 REPLIES
New Member

Re: ASA 5510 setup, inable to get rules to work

It should also be noted that the DNS server I am using sit outside of our network on the internet. That is why I had assumed my rules and NAT's were setup properly.

Silver

Re: ASA 5510 setup, inable to get rules to work

By default traffic traveling from a higher security interface to a lower security interface (inside-100, outside-0) is allowed.

As far as the pings you need to add the below to the acl applied to in on interface outside to allow pings to work.

access-list outside->in permit icmp any any echo-reply

access-list outside->in permit icmp any any time-exceeded

access-list outside->in permit icmp any any unreachable

Past your config.

Thanks,

Chad

New Member

Re: ASA 5510 setup, inable to get rules to work

ok I added the rules and can't ping?? I have attached a screenshot in case I am missing something.

New Member

Re: ASA 5510 setup, inable to get rules to work

Also the interfaces are set as the following,

Management 100

DMZ 80

Internal 90

External 0

New Member

Re: ASA 5510 setup, inable to get rules to work

Oh yah, the Getting started guide that came with the 5510 is for version 5.0 asdm and this thing came with 5.2 alot of the buttons are missing or completly different with version 5.2 doesn't anyone know a link where I can download the corrisponding setup guide to 5.2? The CD only contained the detailed documentation, I just wanted the getting started guide.

Silver

Re: ASA 5510 setup, inable to get rules to work

Login via telnet or ssh and type sh run. Copy and past the entire output into a text pad. Mask any data you don't want anyone to see (ie passwords and full external ip's).

What version is the ASA running? Not the asdm.

New Member

Re: ASA 5510 setup, inable to get rules to work

Asa is listed in the output below, version 7.2(1)

Also it should be noted that this firewall is sitting behind another firewall(a temporary setup), the external interface is sitting on an internal network that has full access to the internet(Other machines on the same network as the external interface can ping and go on the internet.

I have done this before to configure other firewall brands, I don't see that it would present a problem.

Result of the command: "sh run"

: Saved

:

ASA Version 7.2(1)

!

hostname ciscoasa

domain-name XXXXXXXXX.com

enable password XXXXXXXXXXXXXX encrypted

names

!

interface Ethernet0/0

nameif External

security-level 0

ip address 192.168.0.7 255.255.255.0

!

interface Ethernet0/1

nameif Internal

security-level 90

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 80

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.11.1 255.255.255.0

management-only

!

passwd XXXXXXXXXXXXXXXXXX encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name soilengineersltd.com

access-list Internal_access_out extended permit ip 192.168.1.0 255.255.255.0 any

access-list External_access_in extended permit icmp any interface Internal time-exceeded

access-list External_access_in extended permit icmp any interface Internal echo-reply

access-list External_access_in extended permit icmp any interface Internal unreachable

access-list External_access_in_1 extended permit icmp any any unreachable

access-list External_access_in_1 extended permit icmp any any time-exceeded

access-list External_access_in_1 extended permit icmp any any echo-reply

pager lines 24

logging enable

logging asdm informational

mtu External 1500

mtu Internal 1500

mtu DMZ 1500

mtu management 1500

no failover

monitor-interface External

monitor-interface Internal

monitor-interface DMZ

monitor-interface management

asdm image disk0:/asdm-521.bin

no asdm history enable

arp timeout 14400

global (External) 1 interface

nat (Internal) 1 192.168.1.0 255.255.255.0

nat (management) 0 0.0.0.0 0.0.0.0

access-group External_access_in_1 in interface External

access-group Internal_access_out out interface Internal

route External 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.11.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.11.2-192.168.11.254 management

dhcpd dns 207.136.100.40 209.148.64.40 interface management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xx: end

Silver

Re: ASA 5510 setup, inable to get rules to work

Can you access the network that is between this firewall and the Internet? ping, connect to resources?

New Member

Re: ASA 5510 setup, inable to get rules to work

not ping, but yes on the conntect to resources, I couldn't at first, but I think what happened is I hard rebooted the firewall and now everything is working minus the pings, see my message with the error.

New Member

Re: ASA 5510 setup, inable to get rules to work

ok, not sure what happened but now I can get web access, but still no ping access, definatly making progress,

In the gui it shows the failure for the ping, if i use the gui to create a rule it still doesn't work and shows the same message. :)

Deny Message

4 Oct 25 2006 08:42:15 106023 72.14.205.104 192.168.0.7 Deny icmp src External:72.14.205.104 dst Internal:192.168.0.7 (type 0, code 0) by access-group "Internal_access_out" [0x0, 0x0]

Silver

Re: ASA 5510 setup, inable to get rules to work

Your access-list internal_access_out is denying the pings. That ACL is only allowing ip traffic. either remove the acl or create an ace in the acl to allow icmp traffic.

New Member

Re: ASA 5510 setup, inable to get rules to work

I put in a rule

incomming interal - any to any ICMP any permit

and it still doesn't work,

I also added

incomming External - any to any ICMP any permit

and still nothing

New Member

Re: ASA 5510 setup, inable to get rules to work

ahh ok I see now. :)

interal outbound, any to any icmp and allow

and now I can ping.

My only question is I thought that this behavior would have automatically be allowed due to implicit rules, Although now I see that the implicit rules only cover IP, I would why that is.

Silver

Re: ASA 5510 setup, inable to get rules to work

You applied an ACL to outbound traffic only with that one ace for IP. There is an implicit deny any any at the end of all ACL's. If you remove the ACL applied to outbound traffic on the inside interface you would not have had the problem because there is an implicit permit for traffic going from higher to lower interfaces.

New Member

Re: ASA 5510 setup, inable to get rules to work

Is it possible to remove the implicit rules?

Ok, I am starting to get my head around how the rule sets work,(Very different from the other fireweall products I have used,watchguard and checkpoint)

Now I made two rules in the External Incomming rules set

1 - Any - xxx.xxx.xxx.xxx ICMP Any permit

and

2 - Any - Internal ICMP Any Permit

where xxx.xxx.xxx.xxx is an IP address of a machine on the internal network

rule numebr1 works and rule number 2 doesn't why is that?

New Member

Re: ASA 5510 setup, inable to get rules to work

This is very confusing becasue if I change the internal to an any it also works, it seems that you can't specify an interface to have traffic allowed to, you can a destination IP address, Ip Address Range, Any but not an interface.

New Member

Re: ASA 5510 setup, inable to get rules to work

ahh my mistake, xxx.xxx.xxx.xxx was not an ip address of a machine on the internal interface it was the ip address of the external interface, that makes more sense. Just ignore me lack of coffee is not helping me learn. :)

Thanks for all your help I think I have it figured out now.

New Member

Re: ASA 5510 setup, inable to get rules to work

Add "inspect icmp" to your config and ICMP will be inspected and allowed via implicit rules.

507
Views
3
Helpful
18
Replies
CreatePlease to create content