10-25-2006 06:00 AM - edited 02-21-2020 01:15 AM
OK, so the setup is a simple Internal, DMZ and External.
Now I have set up a dynamic NAT rule for both the DMZ and for the Internal networks.
If I am on a client and I do a ping www.google.com
I get DNS resolution but the pings do not go through, and the same happens if I try to browse to Google's website via IE or whatever.
How do I set up a rule using ASDM 5.2 to allow all outbound traffic? I am not concerned with filtering or blocking any outbound traffic.
10-25-2006 06:03 AM
It should also be noted that the DNS server I am using sits outside of our network on the internet. That is why I had assumed my rules and NATs were set up properly.
10-25-2006 06:13 AM
By default traffic traveling from a higher security interface to a lower security interface (inside-100, outside-0) is allowed.
As far as the pings, you need to add the below to the ACL applied in on interface outside to allow pings to work.
access-list outside->in permit icmp any any echo-reply
access-list outside->in permit icmp any any time-exceeded
access-list outside->in permit icmp any any unreachable
Paste your config.
Thanks,
Chad
10-25-2006 06:32 AM
10-25-2006 06:35 AM
Also the interfaces are set as the following:
Management 100
DMZ 80
Internal 90
External 0
10-25-2006 06:13 AM
Oh yeah, the Getting Started guide that came with the 5510 is for ASDM version 5.0 and this thing came with 5.2; a lot of the buttons are missing or completely different in version 5.2. Does anyone know a link where I can download the corresponding setup guide for 5.2? The CD only contained the detailed documentation; I just wanted the Getting Started guide.
10-25-2006 07:02 AM
Log in via telnet or SSH and type sh run. Copy and paste the entire output into a text pad. Mask any data you don't want anyone to see (i.e. passwords and full external IPs).
What version is the ASA running? Not the ASDM.
10-25-2006 07:36 AM
ASA is listed in the output below, version 7.2(1).
Also it should be noted that this firewall is sitting behind another firewall (a temporary setup); the external interface is sitting on an internal network that has full access to the internet (other machines on the same network as the external interface can ping and go on the internet).
I have done this before to configure other firewall brands, I don't see that it would present a problem.
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name XXXXXXXXX.com
enable password XXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
nameif External
security-level 0
ip address 192.168.0.7 255.255.255.0
!
interface Ethernet0/1
nameif Internal
security-level 90
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 80
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.1 255.255.255.0
management-only
!
passwd XXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name soilengineersltd.com
access-list Internal_access_out extended permit ip 192.168.1.0 255.255.255.0 any
access-list External_access_in extended permit icmp any interface Internal time-exceeded
access-list External_access_in extended permit icmp any interface Internal echo-reply
access-list External_access_in extended permit icmp any interface Internal unreachable
access-list External_access_in_1 extended permit icmp any any unreachable
access-list External_access_in_1 extended permit icmp any any time-exceeded
access-list External_access_in_1 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
no failover
monitor-interface External
monitor-interface Internal
monitor-interface DMZ
monitor-interface management
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Internal) 1 192.168.1.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group External_access_in_1 in interface External
access-group Internal_access_out out interface Internal
route External 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.11.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.11.2-192.168.11.254 management
dhcpd dns 207.136.100.40 209.148.64.40 interface management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xx: end
10-25-2006 07:44 AM
Can you access the network that is between this firewall and the Internet? ping, connect to resources?
10-25-2006 07:49 AM
Not ping, but yes on the connect to resources. I couldn't at first, but I think what happened is I hard rebooted the firewall and now everything is working minus the pings; see my message with the error.
10-25-2006 07:48 AM
OK, not sure what happened but now I can get web access, but still no ping access; definitely making progress.
In the GUI it shows the failure for the ping; if I use the GUI to create a rule it still doesn't work and shows the same message. :)
Deny Message
4 Oct 25 2006 08:42:15 106023 72.14.205.104 192.168.0.7 Deny icmp src External:72.14.205.104 dst Internal:192.168.0.7 (type 0, code 0) by access-group "Internal_access_out" [0x0, 0x0]
10-25-2006 07:53 AM
Your access-list Internal_access_out is denying the pings. That ACL is only allowing IP traffic. Either remove the ACL or create an ACE in the ACL to allow ICMP traffic.
10-25-2006 08:10 AM
I put in a rule
incoming Internal - any to any ICMP any permit
and it still doesn't work.
I also added
incoming External - any to any ICMP any permit
and still nothing.
10-25-2006 08:12 AM
Ahh OK, I see now. :)
Internal outbound, any to any ICMP and allow
and now I can ping.
My only question is I thought that this behavior would have automatically been allowed due to implicit rules, although now I see that the implicit rules only cover IP. I wonder why that is.
10-25-2006 08:25 AM
You applied an ACL to outbound traffic only with that one ACE for IP. There is an implicit deny any any at the end of all ACLs. If you remove the ACL applied to outbound traffic on the inside interface you would not have had the problem, because there is an implicit permit for traffic going from higher to lower interfaces.
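To illustrate the last reply, here is an added Python model (not from the thread or from Cisco) of first-match ACL evaluation with the implicit deny, run against the posted Internal_access_out ACL and the echo reply from the 106023 log line above. The packet fields are taken from that log line; the REPLY_ONLY variant is an assumed narrower alternative to the poster's "any to any icmp" fix, built from the reply-type ACEs Chad gave earlier for the External ACL.

```python
"""ASA ACL evaluation model for the thread's Internal_access_out ACL (added example).

Models two ASA rules: every ACL ends with an implicit 'deny ip any any', and an ACE
matches only when protocol, source and destination all match ('ip' covers every
protocol, ICMP included). Packet fields come from the 106023 message posted above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or e.g. "icmp"
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[int] = None  # None: any ICMP type

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    # An ICMP ACE with a type keyword (echo-reply, unreachable, ...) is type-specific.
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation; index -1 means the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", -1

# ACL from the posted config (applied 'out' on interface Internal).
INTERNAL_ACCESS_OUT = [Ace("permit", "ip", ip_network("192.168.1.0/24"), ANY)]
# Poster's fix: 'any to any icmp permit'.
PERMIT_ALL_ICMP = INTERNAL_ACCESS_OUT + [Ace("permit", "icmp", ANY, ANY)]
# Assumed narrower alternative: only replies (echo-reply 0, unreachable 3,
# time-exceeded 11), so echo requests (type 8) from outside still hit the implicit deny.
REPLY_ONLY = INTERNAL_ACCESS_OUT + [Ace("permit", "icmp", ANY, ANY, t) for t in (0, 3, 11)]
ECHO_REPLY = Packet("icmp", "72.14.205.104", "192.168.0.7", icmp_type=0)  # from the 106023 log
```

The echo reply misses the only ACE because its source is the external host, not 192.168.1.0/24, so it falls through to the implicit deny regardless of the ACE's protocol keyword.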