03-13-2006 06:43 PM
I'm having difficulty getting across the firewall, i.e. from the inside to outside or vice versa. My config is:
asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname XXXXXXXX
domain-name XXXXXX.com
enable password XXXXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
description GIS Router Connection
nameif Outside
security-level 0
ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
description PXXXXXXXX Connection
nameif Inside
security-level 100
ip address 172.24.232.238 255.255.255.240
!
interface GigabitEthernet0/2
description XXXXXXXX
nameif 229
security-level 100
ip address 172.24.229.253 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXXXXXXXXX encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu 229 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface 229
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.24.230.150 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:xxxx
: end
03-13-2006 07:52 PM
The default route is pointing to 172.24.232.238, which is GigabitEthernet0/1. Apparently the security level of this interface is set to 100, that is, the highest.
PIX/ASA will allow traffic originated from a higher security level to a lower security level without an ACL.
In fact, assuming the GigabitEthernet0/1 interface is connected to the internet, then you should really change the security level from 100 to 0.
Further, there is no NAT/PAT configured on the ASA; please verify the internet-connected router is performing this function.
03-14-2006 10:28 AM
I'm not using this firewall for internet access; it is being used to separate business systems from process control, thus it is an internal company firewall. Based on its use, I don't have plans to use NAT. The GB0/1 interface is on the inside side of the firewall. The GB0/0 is the outside. Appreciate any and all help!
03-14-2006 12:55 PM
There is no route pointing to the g0/0 interface; please verify whether the business unit on the outside is 172.24.232.240/28. Assuming it's not, then a static route or a default route needs to be configured.
The route statement is invalid in the first place, i.e. "route Outside 0.0.0.0 0.0.0.0 172.24.232.238". .238 is the inside interface, yet the keyword being used is Outside.
Further, run the command "no nat-control", provided NAT/PAT is not preferred on the ASA.
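As an added illustration (not from this thread or from Cisco), here is a Python check for the route problem raised in the two replies above: it parses interface blocks and route statements from a constructed excerpt of the original poster's config and flags a next hop that is not on the named interface's subnet, or that is one of the ASA's own interface addresses. The config excerpt is constructed from the posted config; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the original poster's first config (sample input).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.24.232.238 255.255.255.240
!
route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
"""

def parse_interfaces(config):
    """Map each nameif to (security-level, IPv4Interface) from interface blocks."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            toks = line.split()
            cur["addr"] = ipaddress.IPv4Interface(f"{toks[2]}/{toks[3]}")
        if cur and all(k in cur for k in ("name", "level", "addr")):
            ifaces[cur["name"]] = (cur["level"], cur["addr"])
    return ifaces

def check_routes(config):
    """Return findings for route statements whose next hop cannot work."""
    ifaces = parse_interfaces(config)
    own_ips = {addr.ip: name for name, (_, addr) in ifaces.items()}
    findings = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        nameif, dest, _mask, nexthop = m.groups()
        hop = ipaddress.IPv4Address(nexthop)
        if nameif not in ifaces:
            findings.append(f"route {dest}: unknown interface {nameif}")
            continue
        _, addr = ifaces[nameif]
        if hop not in addr.network:   # e.g. .238 is not in Outside's .240/28
            findings.append(f"route {dest}: next hop {hop} not on {nameif} subnet {addr.network}")
        if hop in own_ips:            # e.g. .238 is the Inside interface itself
            findings.append(f"route {dest}: next hop {hop} is the ASA's own {own_ips[hop]} address")
    return findings
```

Run against the excerpt it reports two findings for the "route Outside" line and none for the "route Inside" line; with the next hop changed to 172.24.232.254 (the value in the later posted config) it reports none.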
03-14-2006 02:39 PM
the business unit on the outside is 172.24.232.240/28. I will remove the route Outside and the "no nat-control".
03-14-2006 02:47 PM
Once I removed the route Outside, I couldn't get to the firewall's outside interface anymore.
03-15-2006 05:25 AM
Let's get back to the beginning.
You mentioned "the business unit on the outside is 172.24.232.240/28", and according to the config:
interface GigabitEthernet0/0
description GIS Router Connection
nameif Outside
security-level 0
ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
description PXXXXXXXX Connection
nameif Inside
security-level 100
ip address 172.24.232.238 255.255.255.240
There is a conflict: the outside subnet is 172.24.232.240/28; however, the g0/1 interface, as the inside, has the IP 172.24.232.238.
g0/0 as the outside should be connected to the non-secure subnet, whereas g0/1 as the inside should be connected to the secure subnet.
PIX/ASA relies on the security level, which is directly related to the names inside and outside.
03-15-2006 07:54 AM
Hopefully, I'm following your concerns.... However, to get the outside and inside discussion down: the outside interface, for my purpose, is considered to be non-secured and the inside is the secured. For the subnet question, I'm using the 172.24.232 address space to obtain 5 subnets. They are:
172.24.232.1/25 (1-126) 255.255.255.128
172.24.232.129/26 (129-190) 255.255.255.192
172.24.232.193/27 (193-222) 255.255.255.224
172.24.232.225/28 (225-238) 255.255.255.240
172.24.232.241/28 (241-254) 255.255.255.240
Thanks for your continued help!!!!!
03-15-2006 03:20 PM
Please excuse me for misunderstanding about the interfaces and subnets.
According to the posted config,
route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
You mentioned the "route Outside 0.0.0.0 0.0.0.0 172.24.232.238" has been removed. The subnet 172.24.232.240/28 is directly connected to the outside interface, so no extra route should be needed.
I was just wondering if you were attempting to ping or actual traffic flow, such as accessing an application or sharing a file.
For ping, an ACL needs to be configured.
E.g.
access-list test permit icmp any any
access-group test in interface outside
03-16-2006 03:55 PM
Listed below is my latest config. Also, I tried to telnet and ping from the inside interface subnet to the outside interface address. Here is the log file. Again, I appreciate any and all help! I'm new at this...
Log file -----------------------------------------
6|Mar 16 2006 17:47:41|609002: Teardown local-host Inside:172.24.232.5 duration 0:00:02
6|Mar 16 2006 17:47:41|302021: Teardown ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|302020: Built ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|609001: Built local-host Inside:172.24.232.5
3|Mar 16 2006 17:44:33|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:27|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:24|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
ASA CONFIG -----------------------------------------
asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname XXXXXXXXXX
domain-name XXXXXXXXXX
enable password XXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
description GIS Router Connection
nameif Outside
security-level 0
ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
description PCNCRMS01 Connection
nameif Inside
security-level 10
ip address 172.24.232.238 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.24.229.253 255.255.255.0
management-only
!
passwd XXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
access-list Inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 172.24.232.254 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.24.230.150 255.255.255.255 Outside
http 172.24.229.0 255.255.255.0 management
http 172.24.230.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access
dhcpd lease 3600
dhcpd ping_timeout 50
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXX
: end
---------------------------------------------------
03-18-2006 02:17 AM
From the inside zone you will not be able to ping the outside interface of the ASA/PIX; try to ping any other resource on the outside interface.
Also, ICMP is not considered stateful in the ASA/PIX ACL; you should allow ICMP access on both interfaces.
- Navnit