Solved: ASA 5505 Problem Getting Started

Patrick McHenry · ‎03-31-2012

Hi,

New to Firewalls:

I set the ASA to factory default using the config factory default. Then, I plugged my PC into port 7 and the Comcast modem into port 0 and got a 192.168.1.2 ip address for my PC. Also, configured the dhcp to give out the dns addresses. Changed the outside interface address to my assigned static address but still can't ping the outside interface or Google from PC. Oh, also, from the firewall I can ping the gateway-Comcast address but, no further.

Where should I start to get this thing working?

Thanks, Pat.

Jouni Forss · ‎04-05-2012

Hi,

To be honest I haven't tried.

I also have an ASA 5505 with Base License at home but I have no need for a DMZ in my network so I havent tried it.

You could always make an access-list for your INSIDE interface and handle the traffic with it. Its the more common way atleast.

You could basicly do following simple configurations

access-list INSIDE-IN remark Block INSIDE to DMZ traffic

access-list INSIDE-IN deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list INSIDE-IN remark Allow all other traffic

access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

The above specifies the following things:

INSIDE-IN is the access-list name
The remark lines in the access-list just give a brief description of the rule below it
- You can insert these remarks (or permit/deny lines) to different spots using the "line " after the access-list name
- For example "access-list INSIDE-IN line 1 remark " would add a remark line at the top of the list.
- On the CLI the line numbers are visible when you issue the "show access-list". "show run access-list" wont show line numbers
The deny line states that all TCP/UDP traffic from INSIDE network range to DMZ network range is denied when entering the firewall interface inside
The permit line allows all the traffic from INSIDE network range to any other network. (Basically allows all the traffic towards OUTSIDE interface as all traffic to DMZ was just denied on the earlier line in the access-list.
The access-group line attaches the access-list named INSIDE-IN to the interface inside
- The in paremeter tells the direction the access-list is applied
- In this case its for traffic thats entering the inside interface

- Jouni

View solution in original post

cpratt · ‎03-31-2012

Ping is blocked by default on an asa. Make sure you are inspecting icmp

Chris

Sent from Cisco Technical Support iPad App

Patrick McHenry · ‎03-31-2012

But I am pinging the Comcast gateway from the ASA. Is that ping allowed? To be honest I didn't try to bring u a web page on the PC.

Thanks, Pat.

sean_evershed · ‎03-31-2012

Hi,

This document explains how to allow ping from the inside to the outside on a firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Marvin Rhoads · ‎03-31-2012

Can you give us the running-configuration on the ASA?

It sounds like you could have several things wrong, not the least of which is a missing default route. You should be able to ping beyond your Comcast modem from the ASA itself if there is a default route on the outside interface. Remedying that is step 1.

Did you follow the Quick Start Guide at all?

Manouchehr · ‎04-01-2012

Hi,

By default ping is blocked on ASA. Pleaes add the follwoing config in your ASA and let us know,

access-list 100 permit icmp any any

access-group 100 in interface outside

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Now try to ping and browse and let us know.

Patrick McHenry · ‎04-01-2012

I don't want to sound lazy and would like to fully understand firewalls but, I thought a default route was configured by default. I will add the config you mentioned.

Thanks

Patrick McHenry · ‎04-01-2012

SJHCOMCASTFW# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname SJHCOMCASTFW
domain-name sjhcomcast.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.79.xx.xx255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name sjhcomcast.com
same-security-traffic permit intra-interface
access-list 100 extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 50.79.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 4.4.4.4 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 3600 interface inside
dhcpd domain sjhcomcast.com interface inside
dhcpd enable inside
!

username PMcHenry password DFlVIADtck1VpZzU encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f0cc64bc93f62ba225dfa576c0755162
: end
SJHCOMCASTFW#

I can ping the comcast gateway from the FW but, not anything beyond. And I can't ping the FW outside interface from the PC.

Thanks, Pat

Manouchehr · ‎04-01-2012

Your configuration looks fine, make sure you have internet. can you ping 4.2.2.2 from the firewall itself?

You will never be able to ping outside interface of ASA from inside, That is how FW is architectured.

Patrick McHenry · ‎04-01-2012

Do you mean ping 4.4.4.4 the DNS server?

What is 4.2.2.2?

I will plug my laptop directly in again to see if there is Internet. I thought they fixed that as we were having that problem last week and they worked on it.

Patrick McHenry · ‎04-04-2012

Comcast is looking at the issue now. I can't ping out even with my laptop plugged directly into the modem and configured with the public address.

Patrick McHenry · ‎04-05-2012

I have three VLANs configured. One VLAN(inside), one VLAN(outside) and one VLAN(dmz).

Other than configuring the outside address, an extra VLAN(dmz) and DHCP for the inside VLAN and the dmz VLAN, everything else is at the default configuration.

I can get dhcp addresses and ping out from both the inside and dmz.

The inside is set to 100 security and the dmz is set to 50 security.

That being said, is my inside and dmz network being protected and/or should I be configuring more to protect it?

Thanks

Jouni Forss · ‎04-05-2012

Hi,

Regarding the ICMP

Usually when I configure a new ASA firewall I will add the ICMP inspection was told earlier in this thread.

In your latest running-config I dont see it configured yet.

There should be

policy-map global_policy
 class inspection_default
  inspect icmp

With this enabled and if ICMP is allowed from the LAN -> Internet the echo-reply messages to your ICMP echos will get through the firewall

You won't need to use the outside access-list to open ICMP for the ICMP you are sending from the LAN behind the firewall or even for the ICMP echos sent from the ASA itself. You only need to open ICMP on the outside ACL if you need to ping something on your local network from the Internet. That device must also have its own public IP address (with static NAT) for it to even work.

If you want to send ICMP echos from Internet to the ASAs outside interface you can use the following format

icmp permit

for example "icmp permit any outside" would permit ICMP echos to the ASAs outside interface from any source address on the Internet. Though necesarily no need to open it so wide.

- Jouni

Patrick McHenry · ‎04-05-2012

Thanks for the response.

Per my previous post - I've created a another VLAN with security 50. From earlier discussions - this doesn't mean the amount of security on that port, correct?

Nevertheless, can I make the additional vlan as secure as the inside vlan?

thanks, Pat.

Jouni Forss · ‎04-05-2012

Hi,

I've never relied purely on the "security-level" setting.

To my knowledge the security-levels numerical value is the simplest way to do access control on an ASA firewall. (But doesnt really give you any fexibility alone)

It basicly means that any host on a higher security-level interface can communicate to any of the lower security-level interfaces.

In your situation you have:

outside = 0
dmz = 50
inside = 100

If you didnt have any access-list the operation would basically be like this:

Hosts on inside can access anything behind the interfaces dmz and outside
Hosts on dmz can access anything behind the interface outside, but NOT inside
Hosts on outside CANT access anything behind the ASA

To my understanding as soon as you apply an access-list to an interface (with the access-group command) it affects the situation I mentioned above for the interface in question. So basically if you add an access-list to inside interface you have to deny or allow traffic on it and the security-level wont dedice anymore on allowing the traffic.

Heres also a explanation from Cisco material on the "security-level" command

The level controls the following behavior:

•Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

•Inspection engines—Some inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

–NetBIOS inspection engine—Applied only for outbound connections.

–OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

•Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

•NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

•established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions

- Jouni