Initial install of ASA5520

palmhhpcn, Level 1

I'm having difficulty getting across the firewall, i.e. from the inside to the outside or vice versa. My config is:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname XXXXXXXX
domain-name XXXXXX.com
enable password XXXXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
 description GIS Router Connection
 nameif Outside
 security-level 0
 ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
 description PXXXXXXXX Connection
 nameif Inside
 security-level 100
 ip address 172.24.232.238 255.255.255.240
!
interface GigabitEthernet0/2
 description XXXXXXXX
 nameif 229
 security-level 100
 ip address 172.24.229.253 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXX encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu 229 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface 229
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.24.230.150 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:xxxx
: end

10 Replies

jackko, Level 7

the default route is pointing to 172.24.232.238, which is the GigabitEthernet0/1. apparently the security level of this interface is set to 100, that is, the highest.

pix/asa will allow traffic originated from higher security level to lower security level without an acl.

in fact, assuming the GigabitEthernet0/1 interface is connected to the internet, then you should really change the security level from 100 to 0.

further, there is no nat/pat configured on the asa, please verify the internet-connected router is performing this function.

I'm not using this firewall for internet access; it is being used to separate business systems from process control, thus it is an internal company firewall. Based on its use, I don't have plans to use NAT. The GB0/1 interface is on the inside side of the firewall. The GB0/0 is the outside. Appreciate any and all help!

there is no route pointing to the g0/0 interface, please verify whether the business unit on the outside is 172.24.232.240/28. assuming it's not then a static route or a default route needs to be configured.

the route statement is invalid in the first place i.e. "route Outside 0.0.0.0 0.0.0.0 172.24.232.238". .238 is the inside interface, yet the keyword being used is outside.

further, do the command "no nat-control" providing nat/pat is not preferred on asa.

the business unit on the outside is 172.24.232.240/28. I will remove the route Outside and the "no nat-control".

Once I removed the route Outside, I couldn't get to the firewall's outside interface anymore.

let's get back to the beginning.

you mentioned "the business unit on the outside is 172.24.232.240/28", and according to the config:

interface GigabitEthernet0/0
 description GIS Router Connection
 nameif Outside
 security-level 0
 ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
 description PXXXXXXXX Connection
 nameif Inside
 security-level 100
 ip address 172.24.232.238 255.255.255.240

there is a conflict. the outside subnet is 172.24.232.240/28; however, the g0/1 interface as the inside has an ip of 172.24.232.238.

g0/0 as the outside should be connected to non-secure subnet; whereas g0/1 as the inside should be connected to the secure subnet.

pix/asa relies on the security level, which is directly related to the name inside and outside.
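Two of the points raised in the replies above (a route statement whose next hop is actually the address of a different interface, and the question of whether the inside and outside subnets conflict) can be checked mechanically from the running config. The script below is an added example written for this thread; it is not the poster's config, nor Cisco tooling. The sample config inside it is constructed from the interface and route lines that were posted, and the parser only understands the handful of keywords it needs (nameif, ip address, route).

```python
"""Check interface subnets and static routes in an ASA configuration.

Added example (not from the thread or from Cisco). The sample config below is
constructed from the interface and route lines of the posted configuration.
Two checks are implemented: a route's next hop must lie on the subnet of the
interface named in the route, and the connected subnets of named interfaces
must not overlap.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.24.232.238 255.255.255.240
!
interface GigabitEthernet0/2
 nameif 229
 security-level 100
 ip address 172.24.229.253 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
!
route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
"""


def parse_config(text):
    """Return ({nameif: IPv4Interface}, [(nameif, IPv4Network, next_hop)])."""
    interfaces, routes, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
        elif line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            # ipaddress accepts dotted netmasks, so "a.b.c.d/255.255.255.240" is fine.
            current["addr"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line == "!":
            # Only interfaces that are both named and addressed take part in forwarding.
            if "name" in current and "addr" in current:
                interfaces[current["name"]] = current["addr"]
            current = {}
        elif line.startswith("route "):
            _, ifc, dest, mask, nexthop, *_metric = line.split()
            routes.append((ifc, ipaddress.ip_network(f"{dest}/{mask}"),
                           ipaddress.ip_address(nexthop)))
    return interfaces, routes


def route_problems(interfaces, routes):
    """Routes whose next hop is not on the subnet of the interface they name."""
    problems = []
    for ifc, dest, nexthop in routes:
        if ifc not in interfaces:
            problems.append((ifc, str(dest), str(nexthop), "no such nameif"))
            continue
        if nexthop in interfaces[ifc].network:
            continue
        # Name the interface that owns the address, if any (the posted
        # "route Outside ... 172.24.232.238" case: .238 is the Inside address).
        owner = next((n for n, a in interfaces.items() if a.ip == nexthop), None)
        reason = (f"next hop is the {owner} interface's own address" if owner
                  else f"next hop not in {interfaces[ifc].network}")
        problems.append((ifc, str(dest), str(nexthop), reason))
    return problems


def overlapping_subnets(interfaces):
    """Pairs of named interfaces whose connected subnets overlap."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


if __name__ == "__main__":
    ifs, rts = parse_config(SAMPLE_CONFIG)
    for name, addr in sorted(ifs.items()):
        print(f"{name:8} {addr.network}")
    for p in route_problems(ifs, rts):
        print("route problem:", p)
    print("overlapping subnets:", overlapping_subnets(ifs) or "none")
```

Run against the posted config it reports exactly one route problem (the default route named Outside but pointing at the Inside interface's own address) and no overlapping subnets: 172.24.232.224/28 on Inside and 172.24.232.240/28 on Outside are adjacent, not conflicting.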

Hopefully, I'm following your concerns.... However, to get the outside and inside discussion down. The outside interface, for my purpose, is considered to be non-secured and the inside is the secured. For the subnet question...I'm using the 172.24.232 address space to obtain 5 subnets. They are:

172.24.232.1/25 (1-126) 255.255.255.128
172.24.232.129/26 (129-190) 255.255.255.192
172.24.232.193/27 (193-222) 255.255.255.224
172.24.232.225/28 (225-238) 255.255.255.240
172.24.232.241/28 (241-254) 255.255.255.240

Thanks for your continued help!!!!!

please excuse me for misunderstanding about the interfaces and subnets.

according to the posted config,

route Outside 0.0.0.0 0.0.0.0 172.24.232.238 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1

you mentioned the "route outside 0.0.0.0 0.0.0.0 172.24.232.238" has been removed. the subnet 172.24.232.240/28 is directly connected to the outside interface, so no extra route should be needed.

i was just wondering whether you were attempting to ping or an actual traffic flow such as accessing an application or sharing a file.

for ping, an acl needs to be configured.

e.g.

access-list test permit icmp any any
access-group test in interface outside

Listed below is my latest config. Also, I tried to telnet and ping from the inside interface subnet to the outside interface address. Here is the log file. Again, I appreciate any and all help! I'm new at this...

Log file -----------------------------------------

6|Mar 16 2006 17:47:41|609002: Teardown local-host Inside:172.24.232.5 duration 0:00:02
6|Mar 16 2006 17:47:41|302021: Teardown ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|302020: Built ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|609001: Built local-host Inside:172.24.232.5
3|Mar 16 2006 17:44:33|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:27|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:24|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23

ASA CONFIG -----------------------------------------

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname XXXXXXXXXX
domain-name XXXXXXXXXX
enable password XXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
 description GIS Router Connection
 nameif Outside
 security-level 0
 ip address 172.24.232.253 255.255.255.240
!
interface GigabitEthernet0/1
 description PCNCRMS01 Connection
 nameif Inside
 security-level 10
 ip address 172.24.232.238 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.24.229.253 255.255.255.0
 management-only
!
passwd XXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
access-list Inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 172.24.232.254 1
route Inside 172.24.232.0 255.255.255.128 172.24.232.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.24.230.150 255.255.255.255 Outside
http 172.24.229.0 255.255.255.0 management
http 172.24.230.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access
dhcpd lease 3600
dhcpd ping_timeout 50
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXX
: end

---------------------------------------------------
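The log excerpt above is worth reading message id by message id rather than as a whole. The 710003 entries are the ones the ASA emits when a connection is aimed at one of its own interface addresses and is refused; that path (telnet, ssh, http to the box) is controlled by the telnet/ssh/http statements, not by the access-group applied to an interface, and the posted config has no "telnet <net> <mask> Inside" line. The 302020/302021 pair records an ICMP connection from the inside host to the Outside interface address. The parser below is an added example written for this thread (not the poster's code, not a Cisco tool); the log lines and the set of firewall addresses inside it are constructed from the posted log and config.

```python
"""Classify ASA syslog lines of the form "severity|timestamp|msgid: text".

Added example, not from the thread or from Cisco. It pulls out 710003
entries (connections to the firewall's own interface address that were
denied) and ICMP connection records whose local address is one of the
firewall's own interfaces. The log lines and the address set are constructed
from the posted log and configuration.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
6|Mar 16 2006 17:47:41|609002: Teardown local-host Inside:172.24.232.5 duration 0:00:02
6|Mar 16 2006 17:47:41|302021: Teardown ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|302020: Built ICMP connection for faddr 172.24.232.5/512 gaddr 172.24.232.253/0 laddr 172.24.232.253/0
6|Mar 16 2006 17:47:39|609001: Built local-host Inside:172.24.232.5
3|Mar 16 2006 17:44:33|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:27|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
3|Mar 16 2006 17:44:24|710003: TCP access denied by ACL from 172.24.232.5/4453 to Inside:172.24.232.253/23
"""

# Interface addresses taken from the posted configuration (constructed set).
ASA_ADDRESSES = {"172.24.232.253", "172.24.232.238", "172.24.229.253"}

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
DENY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) access denied by ACL from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)$")
ICMP_RE = re.compile(
    r"^(?P<action>Built|Teardown) ICMP connection for faddr (?P<faddr>[\d.]+)/(?P<ftype>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+")


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in ASA format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "timestamp": m["ts"],
           "msgid": m["msgid"], "text": m["text"]}
    if rec["msgid"] == "710003":
        d = DENY_RE.match(rec["text"])
        if d:
            rec.update(kind="to_box_denied", **d.groupdict())
    elif rec["msgid"] in ("302020", "302021"):
        d = ICMP_RE.match(rec["text"])
        if d:
            rec.update(kind="icmp_conn", **d.groupdict())
    return rec


def summarize(log_text, box_addrs):
    """Count message ids; list to-the-box denials and ICMP flows aimed at the box."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    denied = [(r["src"], r["ifc"], r["dst"], r["dport"])
              for r in records if r.get("kind") == "to_box_denied"]
    icmp_to_box = sorted({(r["faddr"], r["laddr"]) for r in records
                          if r.get("kind") == "icmp_conn" and r["laddr"] in box_addrs})
    return {"records": len(records),
            "counts": Counter(r["msgid"] for r in records),
            "to_box_denied": denied,
            "icmp_to_box": icmp_to_box}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, ASA_ADDRESSES)
    print("messages by id:", dict(summary["counts"]))
    for src, ifc, dst, port in summary["to_box_denied"]:
        print(f"management access denied: {src} -> {ifc}:{dst}/{port}")
    for faddr, laddr in summary["icmp_to_box"]:
        print(f"icmp to firewall address: {faddr} -> {laddr}")
```

On the posted lines it reports three denied management connections (172.24.232.5 to Inside:172.24.232.253/23) and one ICMP flow from 172.24.232.5 to the Outside interface address; the separation makes it clear that the telnet failures are a management-access question and the ping is a through-the-box/to-the-box question, which are fixed in different parts of the config.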

From the inside zone you will not be able to ping the outside interface of the ASA/PIX - try to ping any other resource on the outside interface.

Also, ICMP is not considered stateful in the ASA/PIX acl - you should allow ICMP access on both interfaces.

- Navnit
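The replies in this thread rest on three rules that are easy to state but easy to get wrong together: traffic with no inbound ACL on the ingress interface passes only from a higher security level to a lower one (equal levels need same-security-traffic permit inter-interface); once an inbound ACL is applied, it alone decides what enters that interface, with an implicit deny at the end; and TCP/UDP replies are matched by the connection table while ICMP replies are evaluated as new packets unless ICMP inspection is enabled. The model below is an added example written for this thread (my code, not the poster's or Cisco's) that plays those rules out for the Inside/Outside pair from the posted config. It models inbound ACLs only; the "out" direction access-group in the second config is not covered.

```python
"""Model how the ASA decides whether a flow and its return traffic pass.

Added example (not from the thread or from Cisco). Rules modelled:
- no inbound ACL on the ingress interface: allowed only from a higher
  security level to a lower one; equal levels need
  same-security-traffic permit inter-interface;
- inbound ACL applied: the ACL decides everything entering that interface,
  first match wins, implicit deny at the end;
- TCP/UDP replies are matched by the connection table; ICMP replies are
  treated as new packets unless ICMP inspection is enabled.
Outbound ("out") ACLs are not modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    level: int
    # None means no access-group applied; otherwise ordered (action, protocol) entries.
    acl: Optional[list] = None


@dataclass
class Firewall:
    interfaces: dict
    same_security: bool = False   # same-security-traffic permit inter-interface
    icmp_inspect: bool = False    # inspect icmp in the global policy


def acl_permits(acl, proto):
    """First-match evaluation of (action, protocol) entries; implicit deny."""
    for action, p in acl:
        if p in ("ip", proto):
            return action == "permit"
    return False


def initial_allowed(fw, ingress, egress, proto):
    """Can a new flow entering `ingress` and leaving via `egress` be built?"""
    src, dst = fw.interfaces[ingress], fw.interfaces[egress]
    if src.acl is not None:
        return acl_permits(src.acl, proto)
    if src.level > dst.level:
        return True
    if src.level == dst.level:
        return fw.same_security
    return False


def return_allowed(fw, ingress, egress, proto):
    """Is the reply to an established flow (ingress -> egress) let back in?"""
    if proto in ("tcp", "udp") or (proto == "icmp" and fw.icmp_inspect):
        return True  # matched by the existing connection entry
    # Stateless ICMP: the reply is evaluated as a new flow entering `egress`.
    return initial_allowed(fw, egress, ingress, proto)


def ping_works(fw, src_ifc, dst_ifc):
    """Echo request and echo reply both have to pass."""
    return (initial_allowed(fw, src_ifc, dst_ifc, "icmp")
            and return_allowed(fw, src_ifc, dst_ifc, "icmp"))


def thread_firewall(**kw):
    """Inside at level 100, Outside at level 0, as in the first posted config."""
    return Firewall({"Inside": Interface("Inside", 100),
                     "Outside": Interface("Outside", 0)}, **kw)


if __name__ == "__main__":
    fw = thread_firewall()
    print("tcp Inside->Outside:", initial_allowed(fw, "Inside", "Outside", "tcp"),
          "reply:", return_allowed(fw, "Inside", "Outside", "tcp"))
    print("ping Inside->Outside, no ACL:", ping_works(fw, "Inside", "Outside"))
    # access-list test permit icmp any any / access-group test in interface outside
    fw.interfaces["Outside"].acl = [("permit", "icmp")]
    print("ping Inside->Outside, icmp ACL on Outside:", ping_works(fw, "Inside", "Outside"))
    print("ping with inspect icmp instead:",
          ping_works(thread_firewall(icmp_inspect=True), "Inside", "Outside"))
```

With no ACL anywhere, a TCP session from Inside to Outside is built and its replies come back on the connection entry, but a ping from Inside fails because the echo reply arriving on Outside is judged as a new low-to-high flow. Applying the icmp-only ACL from the earlier reply on Outside lets the reply in without opening Outside to anything else; enabling ICMP inspection achieves the same result by tracking the echo state instead.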