04.23.2008 at 03:54AM PDT, ID: 23345987
Routing through new ASA 5520 on inside interface

Asked by avhelpdesk in Cisco PIX Firewall

Hello Experts,
I'm setting up an ASA 5520 with a basic config and am having connectivity problems on the inside interface. I can ping across the ASA but can't connect to network shares, RDC, etc.
Can someone see what is going wrong? I've attached the config below.
Traffic to the internet and inbound traffic on the outside interface is fine.

For example, if I try to Remote Desktop connect to 172.16.7.1 I get a teardown with reason TCP Reset-O, and that just doesn't make any sense as I can ping 172.16.7.1!!


hostname XXXXXX
domain-name XXXXXX
enable password PaR8dr1tR5MSkogT encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.22.22 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.150 255.255.240.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.101.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.2
 name-server 172.16.1.3
 domain-name uk.itd
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Internet_Out tcp
 description List of services to route to CSC module
 port-object eq www
 port-object eq ftp
 port-object eq smtp
 port-object eq pop3
 port-object eq https
object-group network IPASS
 description List of IPASS network hosts
 network-object host x.x.x.x (multiple lines)
object-group network Feedstation
 description List of current Feedstation IP addresses for data transfer
 network-object host x.x.x.x (multiple lines)
object-group service ExchangeServices tcp
 description Services for Exchange Server / Email
 port-object eq https
 port-object eq www
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
object-group service Denied_TCP_Ports tcp
 description TCP Ports we wish to deny should go in here
 port-object eq 6667
object-group network Denied_IP_Addresses
 description Place all external IP addresses to block in here
 network-object host 24.121.49.24
 network-object host 59.125.5.70
 network-object host 207.238.8.160
object-group service Explicit_Allowed_Ports tcp
 description Placeholder for all specifically required ports
 port-object eq 1600
 port-object eq 6667
 port-object eq 3724
 port-object eq 6112
 port-object eq 6881
 port-object eq 6999
object-group icmp-type allowed-icmp
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object traceroute
 icmp-object redirect
 icmp-object timestamp-reply
 icmp-object timestamp-request
access-list Internet_Out extended permit tcp 172.16.0.0 255.255.0.0 any object-group Internet_Out
access-list Outside_Incoming extended permit tcp any host 172.16.100.4 object-group ExchangeServices
access-list Outside_Incoming extended permit tcp object-group IPASS host 172.16.100.5 eq 57
access-list Outside_Incoming extended permit tcp object-group Feedstation host 172.16.100.7 eq ssh
access-list Outside_Incoming extended permit tcp host 172.16.100.1 eq ftp host 213.218.233.241
access-list Outside_Incoming extended permit icmp any any object-group allowed-icmp
access-list Outside_Incoming extended permit tcp any object-group Explicit_Allowed_Ports any
access-list Outside_Incoming extended deny tcp object-group Denied_IP_Addresses any
access-list Outside_Incoming extended deny tcp any object-group Denied_TCP_Ports any
access-list exempt extended permit ip 172.16.0.0 255.255.254.0 172.16.0.0 255.255.240.0
access-list exempt extended permit ip 172.16.0.0 255.255.254.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any time-exceeded inside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exempt
nat (inside) 1 172.16.0.0 255.255.254.0
static (inside,outside) 172.16.100.5 172.16.1.24 netmask 255.255.255.255
static (inside,outside) 172.16.100.6 172.16.1.10 netmask 255.255.255.255
static (inside,outside) 172.16.100.4 172.16.1.78 netmask 255.255.255.255
static (inside,outside) 172.16.100.7 172.16.1.57 netmask 255.255.255.255
static (inside,outside) 172.16.100.1 172.16.1.77 netmask 255.255.255.255
access-group Outside_Incoming in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.22.254 1
route inside 192.168.0.0 255.255.0.0 172.16.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username stevie password D0Da44F7S5xLEm.k encrypted privilege 15
username helpdesk password 4fnXObWY9B7msuGR encrypted privilege 0
http server enable
http 172.16.0.0 255.255.254.0 inside
http 172.16.101.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
no snmp-server enable
telnet 172.16.0.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
class-map Internet_Out
 match access-list Internet_Out
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map Internet_Out
 class Internet_Out
  csc fail-close
!
service-policy global_policy global
service-policy Internet_Out interface inside
prompt hostname context
Cryptochecksum:ea94e787932b63ae82752a594086cfc7
: end

Many thanks for shedding any light on this.

Wullie
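As an added example (not part of the original question or of any expert reply), here is a small Python parser for the ASA teardown syslog message (%ASA-6-302014) behind the "TCP Reset-O" symptom. It groups teardown reasons per destination and pulls out resets that arrived before any payload, which is where a handshake problem shows up in the logs. The log lines are constructed to mirror the question's RDP attempt to 172.16.7.1 and are not real captures.

```python
import re
from collections import Counter

# Format: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n> <reason> [(user)]
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)(?: \(.*\))?$"
)

# Meaning of the common teardown reasons, per Cisco's ASA syslog reference.
REASON_HELP = {
    "TCP FINs": "normal close, both sides sent FIN",
    "TCP Reset-I": "RST came from the inside (higher-security) side",
    "TCP Reset-O": "RST came from the outside (lower-security) side",
    "SYN Timeout": "three-way handshake never completed",
}

# Constructed sample lines mirroring the symptom in the question; not real captures.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for inside:172.16.1.25/49152 to inside:172.16.7.1/3389 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1003 for inside:172.16.1.25/49154 to outside:213.218.233.241/80 duration 0:00:12 bytes 4821 TCP FINs
%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.9/51000 to inside:172.16.1.78/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1005 for inside:172.16.1.25/49155 to inside:172.16.7.1/3389 duration 0:00:00 bytes 0 TCP Reset-O
"""

def parse_teardowns(log_text):
    """Return one dict per 302014 line; other syslog lines are ignored."""
    recs = [m.groupdict() for m in map(TEARDOWN_RE.search, log_text.splitlines()) if m]
    for rec in recs:
        rec["bytes"] = int(rec["bytes"])
    return recs

def reasons_by_destination(log_text):
    """Map (dst_if, dst_ip, dst_port) -> Counter of teardown reasons."""
    out = {}
    for rec in parse_teardowns(log_text):
        key = (rec["dst_if"], rec["dst_ip"], rec["dst_port"])
        out.setdefault(key, Counter())[rec["reason"]] += 1
    return out

def zero_byte_resets(log_text):
    """Teardowns where a RST arrived before any payload: (dst_ip, dst_port, reason, meaning)."""
    return [(r["dst_ip"], r["dst_port"], r["reason"],
             REASON_HELP.get(r["reason"], "see syslog reference"))
            for r in parse_teardowns(log_text)
            if r["bytes"] == 0 and r["reason"].startswith("TCP Reset")]
```

Feed it the output of `show logging` (with `logging buffered informational` or higher) and the per-destination counters show at once whether a host is refusing at the handshake stage or whether connections complete and close normally.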
About this solution

Zone: Cisco PIX Firewall
Tags: Cisco, ASA 5520, VPN Edition, with CSC SSM module
Solution Provided By: avhelpdesk
Participating Experts: 1
Solution Grade: A