Hall of Fame

1. keith_ala...41,675
2. deimark32,175
3. decoleur23,982
4. JFrederic...23,686
5. dpk_wal22,500
6. bignewf19,500
7. MikeKane19,246
8. lrmoore18,650
9. arnold17,215
10. ccomley15,260
11. rsivanandan14,294
12. Raj-GT13,500
13. uetian170711,244
14. giltjr10,550
15. sangamc8,500
16. grimkin8,150
17. PeteLong7,300
18. DaveHowe7,035
19. David-Ho...6,400
20. Cyclops3...6,300
20. Voltz-dk6,300
22. asavener6,000
23. ricks_v5,789
24. Qlemo5,600
25. pand0ra...5,568

1. lrmoore2,083,543
2. keith_ala...1,142,637
3. rsivanandan362,956
4. tim_holman340,612
5. calvinetter305,130
6. nodisco218,025
7. srikrishnak210,854
8. grblades201,484
9. carribeant...160,647
10. Voltz-dk154,414
11. batry_boy152,604
12. pruecons...104,029
13. harbor235101,676
14. stressedo...97,372
15. Cyclops3...94,275
16. JFrederic...91,686
17. dpk_wal88,797
18. PeteLong88,574
19. MikeKane86,248
20. jjoseph_x84,774
21. billwharton82,785
22. ccomley82,536
23. jabiii82,486
24. td_miles78,871
25. jasonpaine73,268

	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

5.0

Configuring a Cisco ASA 5510

Asked by MKSKCS in Network Software Firewalls, Enterprise Firewalls

Tags: asa, cisco, 5510

I am completely frustrated with this setup. I've configured an ASA5510 (I've attached the running config below) to take the place of a Netscreen 25 that's currently in place. They are running consecutively now. When I unplug the Netscreen and change the outside and inside interface of the ASA to have the IP addresses that the Netscreen has, I lose all connectivity to the internet. I've tried flushing the DNS, powering the Cisco 1700 and Motorola off and powering everything back on. I'm also attaching the log of events that takes place after the switch is done. The log is from the ASA. Just to be clear, when the ASA is plugged in, I lose all connection to the internet and no computers on the LAN / WAN can communicate with the mail server. Help!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 08_LAN
name 172.18.65.0 04_LAN
name 172.18.25.003_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 13_LAN
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 74.231.xxx.70 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 0
ip address 172.18.23.241 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif Inside2
security-level 0
no ip address
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.xxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
port-object range 2360 2363
object-group service 53 tcp
port-object range 1996 1996
object-group service TerminalServices tcp
port-object range 3388 3389
object-group network MB_WAN
network-object 01_LAN 255.255.255.0
network-object 02_LAN 255.255.255.0
network-object 03_LAN 255.255.255.0
network-object 06_LAN 255.255.255.0
network-object 05_LAN 255.255.255.0
network-object 07_LAN 255.255.255.0
network-object 08_LAN 255.255.255.0
network-object 11_LAN 255.255.255.0
network-object 12_LAN 255.255.255.0
network-object 04_LAN 255.255.255.0
network-object 13_LAN 255.255.255.0
network-object host MAIL
object-group network CHECK_LAN
network-object CHECK_1 255.255.255.0
network-object CHECK_2 255.255.255.240
object-group network FDLN
description FDLN - 4 Addresses
network-object host 12.129.xxx.103
network-object host 206.16.xxx.211
network-object host 63.240.xxx.101
network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FDLN
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp object-group FDLN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.77 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.77 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq www log
access-list ACL_IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.77 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 08_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
route Inside13_LAN 255.255.255.0 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:0c2ef9e0e604a02608a4433bf046eef2
: end

Here's PART of the log...it was lengthy so I'm just posting a few lines...

4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|302020|172.18.24.10|10.55.56.100|Built ICMP connection for faddr 172.18.24.10/59212 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:25|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK on interface Inside
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
6|Nov 25 2006|17:36:23|302021|172.18.24.4|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:23|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
4|Nov 25 2006|17:36:22|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:22|302016|172.18.23.200|193.0.14.129|Teardown UDP connection 12248 for Inside:172.18.23.200/1092 to Outside:193.0.14.129/53 duration 0:02:02 bytes 45
6|Nov 25 2006|17:36:21|302020|172.18.24.4|10.55.56.100|Built ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.24.3|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:19|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/7476 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 25 2006|17:36:19|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK on interface Inside
6|Nov 25 2006|17:36:18|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK on interface Inside
6|Nov 25 2006|17:36:18|302020|172.18.24.3|10.55.56.100|Built ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:18|302020|172.18.23.200|74.231.xxx.77|Built ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:18|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512

Circuit--Cisco1700--Switch1--------------Switch2-------------------Switch3----------------Hub
| | | | | |
NS Untrust Outside ASA Inside ASA Exchange NS Trust Web Filter Machine

Get your answer NOW

	Title
1	Cisco ASA Not passing traffic (possi…
2	ASA initial configuration
3	Cisco ASA 5505 to 5510 Site-t…
4	Cisco ASA 5510 causing problems …
5	Problem with vpn between Cisco ASA …
6	Access a Remote VPN from a Cisco R…

Configuring a Cisco ASA 5510

Asked by MKSKCS in Network Software Firewalls, Enterprise Firewalls

Tags: asa, cisco, 5510

About this solution