loverzizo (New Member; Posts: 3; Joined: Mon Apr 23, 2012 11:09 am; Certs: CCNA)

Please help

Mon Apr 23, 2012 11:13 am

Hello all,

I bought a Cisco ASA 5540.
I have a Cisco 2811 router with a static IP, 84.219.22.96/30,
and it does NAT (PAT) to connect to the Internet.
I also have 84.219.22.80/29 for the Exchange server.

I want to configure the ASA behind the router;
I mean, leave all the configuration on the Cisco router.
When I configure the outside and inside interfaces everything is OK,
but all PCs connected to the inside interface of the ASA 5540 cannot access the Internet,
and also cannot ping from a PC to the IP on the outside interface. I permitted ICMP in the service policy and ICMP inspection,
but I mean there is no connection at all, not just no ping.
My scenario:

lan ------------------ asa -------------------- cisco router ---------- internet


I will post the configuration for the ASA:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.193.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.191.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit ip any any
access-list inside_access_in extended permit icmp any interface outside
access-list cap extended permit icmp any host 4.2.2.2
access-list cap extended permit icmp host 4.2.2.2 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.193.2 1

timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password .Yb5gwK7xqjZkYI4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end

My router has Internet access, and the whole LAN has Internet access without the ASA.

So what is missing or wrong in the configuration for Internet access?

Best regards
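An added example, not the poster's configuration and not from any reply in the thread: the ASA 8.4(2) commands that would normally make this topology work, with the rest of the posted config left as it is. Two things in the posted config stop LAN traffic. First, there is no `nat` statement, so packets leave the outside interface with 192.168.191.x source addresses; the router (192.168.193.2 per the posted default route) has no route back to 192.168.191.0/24 and, unless its NAT ACL was written to include that network, will not translate it either. Translating the LAN to the ASA's outside address (192.168.193.3) fixes both at once, because the router already routes and NATs its own 192.168.193.0/24 segment. Second, the only entry in `inside_access_in` permits ICMP to the outside interface address, so the implicit deny drops everything else arriving on the inside interface. The host address 192.168.191.10 mentioned in the check at the end is an assumed example host.

```cisco
! Added example for ASA 8.4(2); everything below is an assumed fix,
! not the original poster's configuration.
!
! 1. PAT the inside LAN to the outside interface address (192.168.193.3).
!    The router already routes and NATs 192.168.193.0/24, so it needs no change.
object network INSIDE-LAN
 subnet 192.168.191.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 2. Replace the ICMP-only inside ACL entry with a permit-all entry for the
!    test phase (the ACL stays applied by the existing access-group command).
no access-list inside_access_in extended permit icmp any interface outside
access-list inside_access_in extended permit ip 192.168.191.0 255.255.255.0 any
!
! 3. Verify: the NAT rule is installed, and a translation appears once a LAN
!    host (192.168.191.10, an assumed example) sends traffic.
show nat
show xlate
```

While testing, the rest can stay as posted. One caveat: `access-list OUTSIDE extended permit ip any any` applied inbound on the outside interface is wider than needed, because return traffic for LAN-initiated sessions is already matched by the stateful connection table and ICMP inspection; it should be tightened once the LAN works.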

ristau5741 (Post Whore; Posts: 10547; Joined: Tue Aug 21, 2007 2:15 pm; Certs: Instanity)

Re: please help

Mon Apr 23, 2012 11:31 am

You are missing the NAT configuration.
The firewall NATs by default.
Configure identity NAT on the ASA
if the router is performing NAT.
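Identity NAT, as the reply suggests, only works here if the router is also told about the network behind the ASA: it needs a route to 192.168.191.0/24 via the ASA's outside address, and its NAT inside ACL must match that network. The following is an added example (not from the thread) showing both halves. The ASA half uses the 8.3+ twice-NAT syntax. The router half assumes a 2811 whose PAT is driven by standard ACL 1 and whose Internet-facing interface is FastEthernet0/0; both are assumptions, since the poster's router config is not shown, so substitute the ACL and interface actually referenced by the router's `ip nat inside source` line.

```cisco
! Added example, not from the thread. Option: keep real LAN addresses through
! the ASA (identity NAT) and let the router do all the translating.
!
! --- ASA 8.4(2) ---
object network INSIDE-LAN
 subnet 192.168.191.0 255.255.255.0
! Identity (twice) NAT: 192.168.191.0/24 leaves the outside interface untranslated.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN
! The inside ACL must still permit the traffic (the posted one permits ICMP only).
access-list inside_access_in extended permit ip 192.168.191.0 255.255.255.0 any
!
! --- 2811 router (IOS; ACL number and interface name are assumptions) ---
! Return route to the network behind the ASA, via the ASA outside address.
ip route 192.168.191.0 255.255.255.0 192.168.193.3
! Add the ASA's LAN to whatever ACL feeds the existing PAT statement, e.g.
! "ip nat inside source list 1 interface FastEthernet0/0 overload".
access-list 1 permit 192.168.191.0 0.0.0.255
!
! Verify on the router after a LAN host generates traffic:
show ip route 192.168.191.0
show ip nat translations
```

Compared with PAT on the ASA itself (the other common choice), this keeps per-host addresses visible to the router, which helps router-side logging, at the cost of a dependency between the two boxes: if the router's route or NAT ACL entry is ever lost, the ASA's LAN silently loses Internet access. Only one of the two NAT approaches is needed, not both.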

auglan (Junior Member; Posts: 89; Joined: Fri Jun 25, 2010 7:55 am; Certs: CCNP)

Re: please help

Mon Apr 23, 2012 12:38 pm

NAT hasn't been a requirement on the ASA for some time: no nat-control. I think since 8.3 the command is actually deprecated.


This could be a problem for you as well, with the implicit deny at the end.

access-list inside_access_in extended permit icmp any interface outside

loverzizo (New Member; Posts: 3; Joined: Mon Apr 23, 2012 11:09 am; Certs: CCNA)

Re: please help

Mon Apr 23, 2012 2:04 pm

auglan wrote: NAT hasn't been a requirement on the ASA for some time: no nat-control. I think since 8.3 the command is actually deprecated.


This could be a problem for you as well, with the implicit deny at the end.

access-list inside_access_in extended permit icmp any interface outside


Can you correct my configuration for the ACL? You mean my ACL is the problem?
I am waiting.
Best regards

auglan (Junior Member; Posts: 89; Joined: Fri Jun 25, 2010 7:55 am; Certs: CCNP)

Re: please help

Tue Apr 24, 2012 9:47 am

For testing you can change it to:


access-list inside_access_in extended permit ip any any



After you know everything is working, you can go ahead and tighten that ACL. Do your configs in steps: apply config, then test. It's much easier to troubleshoot this way instead of applying a full config and finding out that something isn't working.
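As an added example of the "tighten it later" step above (not configuration from the thread): an inside ACL that permits the LAN only the outbound services it needs, logs whatever else it drops, and a matching restriction of the posted `OUTSIDE` ACL, which currently permits any inbound traffic. The service list (web, DNS, NTP, ICMP echo) is an assumption; extend it from the logged denies rather than from guesswork. The `logging buffered` line is there so the denies can be read on the ASA itself, since the posted config only logs to ASDM.

```cisco
! Added example: a tightened rule set for this topology. The services listed
! are assumptions about what the LAN needs; extend them from logged denies.
object network INSIDE-LAN
 subnet 192.168.191.0 255.255.255.0
object-group service OUTBOUND-TCP tcp
 port-object eq www
 port-object eq https
object-group service OUTBOUND-UDP udp
 port-object eq domain
 port-object eq ntp
!
! Rebuild the inside ACL: specific permits, then an explicit logged deny.
no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit icmp any interface outside
access-list inside_access_in extended permit tcp object INSIDE-LAN any object-group OUTBOUND-TCP
access-list inside_access_in extended permit udp object INSIDE-LAN any object-group OUTBOUND-UDP
access-list inside_access_in extended permit icmp object INSIDE-LAN any echo
access-list inside_access_in extended deny ip any any log
!
! Inbound on outside: nothing is published through the ASA (the router PATs),
! so replace "permit ip any any" with a logged deny. Return traffic for
! LAN-initiated sessions is matched by the connection table, not this ACL.
no access-list OUTSIDE extended permit ip any any
access-list OUTSIDE extended deny ip any any log
!
! Make denies readable on the box, then check rule hit counts and drops
! (106023 is the "denied by access-group" message).
logging enable
logging buffered warnings
show access-list inside_access_in
show logging | include 106023
```

Apply it in the order shown, one section at a time, and re-test after each: if a hit count on the explicit deny starts climbing while a needed application stops working, the logged entry tells you exactly which port to add.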

loverzizo (New Member; Posts: 3; Joined: Mon Apr 23, 2012 11:09 am; Certs: CCNA)

Re: please help

Tue Apr 24, 2012 2:40 pm

It is the same problem when I put in the access list:
no ping from the LAN to Yahoo,
no ping from the LAN to 4.4.4.4.
Can you paste a complete configuration, just to access the Internet and allow all,
for testing?
Best regards
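An added troubleshooting sequence (not from the thread) for the "still no ping with the permit-all ACL" symptom. It isolates the fault in three steps: whether the ASA itself can get out through the router, whether the ASA would pass and translate a LAN host's packet, and what actually appears on the outside wire. It reuses the `cap` ACL already in the posted config, which matches ICMP to and from 4.2.2.2 only, so the test ping must target 4.2.2.2 rather than 4.4.4.4. 192.168.191.10 is an assumed LAN host.

```cisco
! Added example: fault isolation on the ASA, top to bottom.
!
! 1. Can the ASA itself reach the Internet through the router? A failure here
!    is a router/ISP problem, not an ASA rule problem.
ping outside 4.2.2.2
!
! 2. Simulate a LAN host's echo request through the rule base. Read the phases:
!    an ACCESS-LIST phase ending in "Drop-reason: (acl-drop)" means the inside
!    ACL; no NAT phase at all means no translation rule matched the flow.
packet-tracer input inside icmp 192.168.191.10 8 0 4.2.2.2 detailed
!
! 3. Capture on the outside interface while the host pings 4.2.2.2.
!    Requests seen with source 192.168.191.10 and no reply: the router is not
!    translating/routing that network. Requests with source 192.168.193.3 and
!    no reply: the router/ISP path. Requests and replies both present but the
!    host still fails: look at the inside ACL and "show conn".
capture OUTCAP interface outside access-list cap
show capture OUTCAP
show conn
no capture OUTCAP
```

Step 1 passing while step 3 shows untranslated 192.168.191.x requests is the signature of the missing NAT the earlier replies point at; step 1 failing means the ASA's own outside address is not being handled by the router, and no ASA change will help until that is fixed.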

